Author Topic: Avast susceptible to archive bombing. =(  (Read 6191 times)

0 Members and 1 Guest are viewing this topic.

Kobra

  • Guest
Avast susceptible to archive bombing. =(
« on: June 17, 2004, 01:34:55 AM »
Just tested this tonight, and since this actually does have the ability to shut down an AV product, it could preceed an actual threat to turn off an AV, then launch the payload behind the archive i'd imagine. Anyway, I believe the file is recursive zip file containing Eicar at its core, but set to unpack unlimited amounts of a single character, which puts AV products in an endless loop, effectively locking them up.  

Now Avast does not lock up, but it endless tries to open the file and scan it, and seems to loop into nothingness.  

Since this isn't a real virus, and is merely a packed Eicar file, i've placed this up for download so everyone can test it for themselves if they wish.  In addition, hopefully the Avast folks will find a way to deal with this.

http://home.comcast.net/~prolawn00/test.zip

Regards.
« Last Edit: June 17, 2004, 01:37:02 AM by Kobra »

Kobra

  • Guest
Re:Avast susceptible to archive bombing. =(
« Reply #1 on: June 17, 2004, 02:08:29 AM »
Self reply.. Possible solution found that Avast can implement?

I've found only one AV so far that this archive can't bring down, and thats that little Polish gem I found last night.  They seem to use a pretty simple method to eliminate this type of problem - or at least control it.

http://home.comcast.net/~prolawn00/mksa.JPG
(This is it finding the Eicar file, no other AV so far found it, they all hung)

http://home.comcast.net/~prolawn00/mksb.JPG
(This is how I believe they control it, you set the archive scanning scanning level)

I'll run the file through more AV's, but its taken down KAV and DrWeb's online scanners, thats for sure.
« Last Edit: June 17, 2004, 02:09:01 AM by Kobra »

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2248
Re:Avast susceptible to archive bombing. =(
« Reply #2 on: June 17, 2004, 03:33:20 AM »
Just in case anyone else tried this (my system clogged too, I manually aborted before any hint of warnings about the Eicar) and is going crazy trying to find the many gigs of temp files so they can be dumped ...

On my XP-Home, they wound up under Documents & Settings/Michael/ ....etc.  I originally did a search in Explorer for extra-large files but, oddly, that turned up nothing.  I finally tried re-scanning with avast with archive-checking turned off (still a thorough scan) and made a note of where it was spending an unusual amount of time due to the file sizes, and that's where they were.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Kobra

  • Guest
Re:Avast susceptible to archive bombing. =(
« Reply #3 on: June 17, 2004, 03:55:47 AM »
The problem is actually that there is over 100GB of data to unpack
before it can scan.  If you look very carefully it is a rar file with
a 13.5GB file in it, then there is 5 copies of that, as well as other
large files as well, I think it is around 100GB total.

Most mail servers don't even have that space to unpack it.

The resulting file is actually only 125KB though.

That's what really causes the problem.

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:Avast susceptible to archive bombing. =(
« Reply #4 on: June 17, 2004, 06:30:53 AM »
i already commented this in other thread http://forum.avast.com/index.php?board=2;action=display;threadid=5254

my Avast find eicar file there at 1st try, but trying to "RESCAN" that file = bye bye scanner
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9407
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Avast susceptible to archive bombing. =(
« Reply #5 on: June 17, 2004, 07:55:36 PM »
You don't really need much knowledge to make a decompression bomb. Right now i'm making two bombs. One is a Nuclear Cypher Bomb and second one is Bit2BitBomb. Testing will be done soon. I love this stuff. Its so damn simple and it has a killing effect.

PS: Kids don't do this at home and don't use it for nasty things ;)
Visit my webpage Angry Sheep Blog

EVdB

  • Guest
Re:Avast susceptible to archive bombing. =(
« Reply #6 on: June 18, 2004, 12:54:15 AM »
Quote
I've found only one AV so far that this archive can't bring down, and thats that little Polish gem I found last night.  They seem to use a pretty simple method to eliminate this type of problem - or at least control it.
Sorry to disappoint you, guys, but BitDefender has no problem whatsoever with this zip-file. It doesn't even consider it a virus, but an Eicar testfile. Time to scan it was almost instant.
This was done on my PC for work. Avast Pro is installed on my personal PC.  ;)

Kobra

  • Guest
Re:Avast susceptible to archive bombing. =(
« Reply #7 on: June 18, 2004, 02:02:30 AM »
KAV based engine products recognize it as a mail bomb, apparently with Signatures. But other products just limit the depth of archive scanning.

Bit defender surprises me that it picks it up, but it could be because bit defender hardly even unpacks stuff, probably just a limit of its engine, picking up the first Eicar, and stopping its scan automagically.  My testing showed very little ability to scan within archives/packed files with BitDefender.

Max M.Wachtel III

  • Guest
Re:Avast susceptible to archive bombing. =(
« Reply #8 on: June 18, 2004, 02:50:07 AM »
Where can I find info on"mail bombs"?
I never heard of it.
-max

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2084
Re:Avast susceptible to archive bombing. =(
« Reply #9 on: June 18, 2004, 02:56:13 AM »

Max M.Wachtel III

  • Guest
Re:Avast susceptible to archive bombing. =(
« Reply #10 on: June 18, 2004, 03:07:36 AM »
Thanks pk, there is so much I have to learn :)
-max