Security

Archive Formats Kill Antivirus Products

nemiloc sends us to the F-Secure blog for breaking news about widespread vulnerabilities in programs that process archive files: "The Secure Programming Group at Oulu University has created a collection of malformed archive files. These archive files break and crash products from at least 40 vendors — including several antivirus vendors... including us." Here is test material from OUSPG and a joint advisory from Finnish and English security organizations. It isn't news that security products can have security vulnerabilities. What makes this advisory important is that antivirus software is a perfect target. It is run in critical places with high privileges and auto-updates to keep versions coherent.

  • by fred fleenblat ( 463628 ) on Tuesday March 18, 2008 @02:45PM (#22786188) Homepage
    Also, this isn't a FOSS vs. Microsoft thing even though many people make it out to be. For maximum protection against malware I'd actually go for Oracle on Solaris or AIX, all of which are closed source.
  • by mea37 ( 1201159 ) on Tuesday March 18, 2008 @03:24PM (#22786722)
    Really smart AV software wouldn't make assumptions about the contents of the file (eliminating #3), would always check for exceptions (eliminating #2), and would treat a processing exception pretty much like a virus (neutralizing #1).

    Very little software in practice is that smart. But with AV, you know you're at war with the file you're scanning. Any AV vendor caught by this should be embarrassed.
  • Bad programming (Score:3, Interesting)

    by dabadab ( 126782 ) on Tuesday March 18, 2008 @03:26PM (#22786738)
    You DO test your product with malformed archives, don't you? I know I do. And our product - if possible at all - ignores the problems and extracts the archive anyway, or if it's borked beyond recovery then reports it as such. But crashing?... Please.
  • by bryce4president ( 1247134 ) on Tuesday March 18, 2008 @05:01PM (#22787944)
    Last time I checked we don't run anti-virus on our IBM midrange servers...hmmmm... but IBM is so old that it's not even cool to try to hack it, right?
  • by mrmeval ( 662166 ) on Tuesday March 18, 2008 @06:26PM (#22788974) Journal
    My favorite is using pkzip to zip up a ~200meg+ file to kill automated virus checkers. ;) The hard drives in the heyday of command line pkzip were small and this would kill some twit's BBS because the virus checker would blindly unzip the file then check it without checking that it would fill the drive. The next version of the software just looked at what the zip file said... but you could edit the zip to say anything and it would still decompress the whole file.
    The next version did fix that finally...for pkzip. ;)

    Using social engineering that is rather inept by today's standards I convinced several people on Usenet to not read the text telling that it could cause problems but to just blindly open the doubly zipped file (it gets smaller when doubly zipped a certain way so I made it 2G to start).

    I did the same thing with PGP which could allow one to kill an encrypted anonymous remailer and I also nailed several people by posting the PGP message with a passphrase. PGP compresses files prior to encryption. I didn't mess with the remailer without asking permission. The person running it was a bit surprised.

    Linux commands:
    dd if=/dev/zero of=hi bs=1024 count=200512
    zip hi.zip hi
    Result -rw-r--r-- 1 bogus bogus 199411 2008-13-48 18:04 hi.zip

    zip -9 ho.zip hi.zip
    Result -rw-r--r-- 1 bogus bogus 846 2008-30-81 18:13 ho.zip
    I'm not sure why but using -9 to start does not make the original super small it only works the second time.

    If you want to assault a fractal compressor, just insert a non-finite automata and have at them. You get points if it's video and draws frame after frame of something inappropriate.
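mea37's point above (a processing failure should be a verdict, not a crash) and mrmeval's (the sizes a zip claims can be edited, so limits have to come from what the decompressor actually produces) together, as an added example that is not code from this thread or from any vendor in the story: a Python scanner that caps decompressed output by absolute size, by ratio against the archive actually held, and by nesting depth, and turns parser errors into a "malformed" verdict. build_zip, scan_zip and the limit values are constructed for this example.

```python
import io
import zipfile
import zlib

# Policy limits, constructed for this example (not any vendor's defaults).
MAX_OUTPUT_BYTES = 8 * 1024 * 1024  # give up after 8 MiB of decompressed output
MAX_RATIO = 100                     # give up once output exceeds 100x the archive's size
MAX_DEPTH = 3                       # refuse archives nested deeper than this
CHUNK = 64 * 1024

def build_zip(entries):
    """Build an in-memory zip (constructed sample input) from {name: bytes}."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return out.getvalue()

def scan_zip(data, depth=0):
    """Verdict for one archive: 'clean', 'malformed', 'bomb' or 'too-deep'.
    Limits are measured on bytes the decompressor actually emits, relative to
    len(data), the archive we really hold; header size fields are never trusted."""
    if depth >= MAX_DEPTH:
        return "too-deep"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        members = zf.infolist()
    except (zipfile.BadZipFile, EOFError, ValueError):
        return "malformed"  # a parser failure is a verdict, not a crash
    produced = 0
    for info in members:
        member_bytes, nested = 0, None  # nested: chunks of a member that is itself a zip
        try:
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    if member_bytes == 0 and chunk.startswith(b"PK\x03\x04"):
                        nested = []
                    member_bytes += len(chunk)
                    produced += len(chunk)
                    if produced > MAX_OUTPUT_BYTES or produced > MAX_RATIO * len(data):
                        return "bomb"  # decided from real output, not from what the zip claims
                    if nested is not None:
                        nested.append(chunk)
        except (zipfile.BadZipFile, zlib.error, EOFError, RuntimeError, NotImplementedError):
            return "malformed"  # bad CRC, truncated data, encrypted or unsupported member
        if nested:
            verdict = scan_zip(b"".join(nested), depth + 1)
            if verdict != "clean":
                return verdict
    return "clean"
```

A 4 MiB run of zeros zipped once is the in-memory equivalent of the dd/zip commands above; zipping that result again is the "doubly zipped" case, and the ratio check catches it at the inner level.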
