SANS ISC InfoSec Forums
Defeating A/V by inserting forged data
Andrey Bayora (GCIH, dontja know) has released an advisory describing an insertion-style attack that slides certain malicious content past many antivirus products. The advisory (http://www.securityelf.org/magicbyteadv.html) and the accompanying white paper (http://www.securityelf.org/magicbyte.html) describe fooling the scanners' file-type detection by prepending an executable-looking file header (the "magic bytes" of a binary format) to a text-based file such as a script. The victim's system ignores the extra bytes and processes the script as before, while the A/V classifies the file by the forged header and stops evaluating it before it ever reaches the malicious script, code, etc.

Andrey has let us know that he has been contacted by some vendors, and that he is aware that Trend has issued a letter to their customers on this issue.

Johannes

ISC Handler
Oct 29th 2005
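The header-prepending trick from the diary above, as an added example that is not code from the original post, from Andrey's paper, or from any vendor: a constructed batch "payload" is wrapped with a forged MZ header, a naive scanner that picks its engine from the sniffed type misses the script, and a hardened scanner both runs script signatures regardless of claimed type and sanity-checks the DOS header (e_lfanew must point inside the file at "PE\0\0"). The signature marker, the sample files, and the two scanner functions are all assumptions made for illustration.

```python
import re
import struct

# Constructed sample content, not a real malware sample: a harmless batch script that
# stands in for whatever script an attacker would actually carry.
BATCH_PAYLOAD = b"@echo off\r\necho malicious-script-marker\r\n"

# Assumed toy signature set: a script engine that looks for this marker.
SCRIPT_SIGNATURES = [re.compile(rb"malicious-script-marker")]


def forge(payload, magic=b"MZ", header_len=64):
    """Prepend an executable-looking header (magic bytes padded with zeros) to a script.
    The consumer (batch interpreter, HTML renderer, ...) tolerates the leading junk;
    a scanner that trusts the magic bytes may not."""
    return magic + b"\x00" * (header_len - len(magic)) + payload


FORGED_FILE = forge(BATCH_PAYLOAD)

# Constructed minimal PE-shaped buffer: DOS header whose e_lfanew (offset 0x3C) points
# at a "PE\0\0" signature at offset 0x40. Used to show the header check does not fire
# on a plausible executable.
MINIMAL_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20


def sniff_type(data):
    """Magic-byte classification: the decision point the advisory targets."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"%PDF":
        return "pdf"
    return "text"


def scan_naive(data):
    """Selects a single engine from the sniffed type. The PE engine parses headers and
    sections and has no script signatures, so a script behind an MZ header is never seen."""
    if sniff_type(data) == "pe":
        return []  # PE engine: nothing to report for a script wrapped as a "binary"
    return [s.pattern.decode() for s in SCRIPT_SIGNATURES if s.search(data)]


def pe_header_is_plausible(data):
    """Cheap sanity check on an MZ header: e_lfanew must be non-zero, point inside the
    file, and land on the 'PE\\0\\0' signature. Forged headers made of padding fail this."""
    if len(data) < 64:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_hardened(data):
    """Run the script signatures over every file regardless of claimed type, and flag
    files whose executable magic is not backed by a plausible PE header."""
    hits = [s.pattern.decode() for s in SCRIPT_SIGNATURES if s.search(data)]
    if sniff_type(data) == "pe" and not pe_header_is_plausible(data):
        hits.append("heuristic:forged-mz-header")
    return hits


if __name__ == "__main__":
    for name, blob in (("plain", BATCH_PAYLOAD), ("forged", FORGED_FILE), ("pe", MINIMAL_PE)):
        print(name, sniff_type(blob), "naive:", scan_naive(blob), "hardened:", scan_hardened(blob))
```

The point of the hardened variant is not the specific heuristic but the dispatch rule: a sniffed type should add engines, never remove them, because the consumer on the victim's side does not consult the magic bytes at all.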
