Friday, July 06, 2007

Security: How to bypass antivirus detection

Megasecurity.org is a MEGA archive of malware information. Click here to find out the possible ways of bypassing antivirus detection. I hope that this is an old post and not applicable anymore, but for some new antivirus programmers "in town" this would be a great way to increase their program's protection level.

I'll quote just the contents:

I. Bypassing attachment detection or invalid detection of attachment type.

1. Encoded filename or boundary in Content-Type/Content-Disposition
2. Multiple filename or boundary fields in Content-Type / Content-Disposition
3. Exploitation of poisoned NULL byte
4. Exploitation of unsafe fgets() problem
5. MIME part inside MIME part
6. UUENCODE problems
7. Additional space symbol
8. CR without LF
9. Prohibited characters in the filename
10. Skipped file name
11. Endless UUEncoded messages
12. Different filenames for Content-Type and Content-Disposition
13. Case sensitivity of Content-Type and Content-Disposition

II. Bypassing detection of potentially dangerous content

1. Inability to check Unicode (UCS-2) content
2. Inability to check UTF-7 content
3. Inability to check file marked as UTF-7 Content
4. Inability to check content with short Content-Length

III. What should be done?

1. What client software vendor should do.
2. What server software vendors should do.
3. What system administrators should do.

It contains a lot of information on how users as well as software vendors should act against these incidents.
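To make the first section concrete, here is an added example (my own code, not from the original page or from the quoted paper): a naive mail-gateway filter that greps the raw message for filename="..." is run side by side with a parser-based check that collects every name a client might use. Items I.1, I.2, I.3, I.7, I.12 and I.13 from the list above each get one constructed message; the messages, addresses, boundary and the blocked-extension policy are all made up for the demo, and the "robust" check is one reasonable design, not the paper's recommendation.

```python
import os
import re
from email import message_from_bytes
from email.header import decode_header
from email.utils import collapse_rfc2231_value

# Hypothetical gateway policy used for the demo: attachment extensions to block.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat"}


def build_message(attachment_headers: bytes) -> bytes:
    """Wrap one attachment part in a constructed multipart/mixed message (test data)."""
    return (
        b"From: a@example.test\r\nTo: b@example.test\r\nSubject: demo\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
        b"--B\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        b"--B\r\n" + attachment_headers + b"\r\n\r\nMZ...\r\n--B--\r\n"
    )


# Constructed attachment headers, labelled with the list item each one exercises.
SAMPLES = {
    "plain": b'Content-Type: application/octet-stream\r\n'
             b'Content-Disposition: attachment; filename="evil.exe"',
    "I.1 encoded filename": b'Content-Type: application/octet-stream\r\n'
             b'Content-Disposition: attachment; filename="=?utf-8?B?ZXZpbC5leGU=?="',
    "I.2 duplicate filename": b'Content-Type: application/octet-stream\r\n'
             b'Content-Disposition: attachment; filename="notes.txt"; filename="evil.exe"',
    "I.3 NUL byte": b'Content-Type: application/octet-stream\r\n'
             b'Content-Disposition: attachment; filename="evil.exe\x00.txt"',
    "I.7 trailing space": b'Content-Type: application/octet-stream\r\n'
             b'Content-Disposition: attachment; filename="evil.exe "',
    "I.12 name vs filename": b'Content-Type: application/octet-stream; name="evil.exe"\r\n'
             b'Content-Disposition: attachment; filename="notes.txt"',
    "I.13 case": b'Content-Type: application/octet-stream\r\n'
             b'Content-Disposition: attachment; FILENAME="evil.exe"',
}

NAIVE_RE = re.compile(rb'filename="([^"]*)"')


def naive_is_blocked(raw: bytes) -> bool:
    """Grep-style filter: first filename="..." in the raw bytes, case-sensitive match."""
    m = NAIVE_RE.search(raw)
    if not m:
        return False  # saw no attachment name at all, so the message passes
    ext = os.path.splitext(m.group(1).lower())[1].decode("latin-1")
    return ext in BLOCKED_EXT


def decode_rfc2047(value: str) -> str:
    """Decode =?charset?B?...?= encoded words (I.1); unknown charsets fall back to ASCII."""
    out = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", "replace")
            except LookupError:
                chunk = chunk.decode("ascii", "replace")
        out.append(chunk)
    return "".join(out)


def candidate_names(raw: bytes) -> list:
    """Every name a client might end up using for an attachment, normalised.

    Walks nested parts (I.5), reads Content-Disposition filename and
    Content-Type name (I.12), keeps duplicate parameters (I.2), relies on the
    stdlib parser lower-casing parameter names (I.13), decodes RFC 2047/2231
    encodings (I.1), strips surrounding whitespace (I.7) and also keeps the
    prefix before any NUL byte, since a client may truncate there (I.3).
    """
    names = []
    msg = message_from_bytes(raw)  # default compat32 policy: parameters come back raw
    for part in msg.walk():
        for header, key in (("content-disposition", "filename"),
                            ("content-type", "name")):
            for k, v in part.get_params([], header=header):
                if k.lower() != key:
                    continue
                v = decode_rfc2047(collapse_rfc2231_value(v))
                for piece in (v, v.split("\x00", 1)[0]):
                    piece = piece.strip()
                    if piece and piece not in names:
                        names.append(piece)
    return names


def robust_is_blocked(raw: bytes) -> bool:
    """Block if any candidate name carries a blocked extension."""
    return any(os.path.splitext(n.lower())[1] in BLOCKED_EXT
               for n in candidate_names(raw))


def compare(samples=None) -> dict:
    """Run both filters over every sample: {label: (naive_blocked, robust_blocked)}."""
    samples = SAMPLES if samples is None else samples
    return {label: (naive_is_blocked(build_message(h)),
                    robust_is_blocked(build_message(h)))
            for label, h in samples.items()}


if __name__ == "__main__":
    for label, (naive, robust) in compare().items():
        n = "BLOCK" if naive else "pass"
        r = "BLOCK" if robust else "pass"
        print(f"{label:24} naive={n:5} robust={r}")
```

Only the plain sample is caught by the grep-style filter; every other sample sails past it while the parser-based check blocks all of them. The lesson the list is driving at is that the gateway has to interpret the message the way the weakest client will, not the way the RFC says a well-formed message looks.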

My suggestion? Gmail: it can be used to forward emails to another email address, hence it can serve as a spam-blocking layer. Spam detection in Gmail is mostly user-guided, so if users mark something as spam, it's done for others as well!
