Anti-virus software falls victim to hackers

Some of the biggest anti-virus products supplied by well-known vendors can be hacked into and exploited, according to iDEFENSE, a security and vulnerability intelligence firm based in the U.S.

These vendors include McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.

The problem specifically arises when hackers create .zip files with WinZIP and Windows' own Compressed Folders feature. The hacker uses header data in the .zip file to pass malicious payloads past the anti-virus engines.

Computer Associates responded to this notice by providing a website for support: "With the assistance of iDEFENSE, Computer Associates has identified a medium-risk vulnerability in a shared component of eTrust Antivirus which may allow a specially crafted .ZIP file to bypass virus detection. A number of CA products embed this technology including solutions from eTrust, Brightstor and others.

"Customers are encouraged to visit the CA support website below for more information about this vulnerability, a list of products and platforms that are affected, and remediation procedures."

Sophos said: "A vulnerability has been discovered in Sophos' handling of Zip archive files, whereby a Zip file can be deliberately altered to prevent accurate scanning by Sophos anti-virus products of its contents.

"Although theoretically a risk, Sophos has not seen any examples of malware attempting to employ this vulnerability. Furthermore, the vulnerability does not prevent Sophos' desktop on-access scanner from correctly detecting viruses (and preventing actual infection) which manage to bypass the email gateway software, so the risks of infection are very small."

Eset made the following comments: "The vulnerability was caused by the fact that some archive compression/decompression software (including Winzip) incorrectly handles compressed files with deliberately damaged header fields, thus, in fact, allowing creation of damaged archive files that could be automatically repaired on the victim's computer without notifying the users.

"Eset has made appropriate modifications to archive-scanning code to handle this kind of archive immediately after receiving notification from iDEFENSE. These changes are contained in archive-support module version 1.020, released on 16th September 2004 at 21:00 CET. The update was available for all clients with Automatic Virus-Signatures Update set."
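A defensive check for the kind of archive the vendors describe, one with deliberately damaged header fields: compare each member's local file header against its central-directory record and report every disagreement. This is an added example, not code from the article or from any vendor named in it; the function names and the sample archive are constructed, and ZIP64 archives are assumed out of scope.

```python
import io
import struct
import zipfile

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte ZIP local file header
FLAG_DATA_DESCRIPTOR = 0x08  # CRC and sizes legitimately follow the data instead


def header_mismatches(data: bytes) -> list:
    """Return (member, field, local_value, central_value) for every field on
    which a member's local file header disagrees with the central directory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # these values come from the central directory
            raw = data[info.header_offset:info.header_offset + LOCAL_HDR.size]
            if len(raw) < LOCAL_HDR.size or raw[:4] != b"PK\x03\x04":
                findings.append((info.filename, "local_header_missing", 0, 0))
                continue
            (_sig, _ver, flags, method, _time, _date,
             crc, csize, usize, _nlen, _elen) = LOCAL_HDR.unpack(raw)
            pairs = [("method", method, info.compress_type)]
            if not flags & FLAG_DATA_DESCRIPTOR:
                pairs += [("crc32", crc, info.CRC),
                          ("compressed_size", csize, info.compress_size),
                          ("uncompressed_size", usize, info.file_size)]
            findings += [(info.filename, name, local, central)
                         for name, local, central in pairs if local != central]
    return findings


def build_samples() -> tuple:
    """Constructed test data: a clean archive and a copy with one local-header
    field overwritten (the article does not say which fields were altered)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "constructed sample content\n" * 20)
    clean = buf.getvalue()
    damaged = bytearray(clean)
    struct.pack_into("<I", damaged, 14, 0)  # CRC field, offset 14 of first header
    return clean, bytes(damaged)


if __name__ == "__main__":
    clean, damaged = build_samples()
    print("clean:  ", header_mismatches(clean))
    print("damaged:", header_mismatches(damaged))
```

A gateway could quarantine or flag any archive for which this returns a non-empty list, rather than trusting whichever copy of the fields its own unpacker happens to read.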
