The Magic of magic byte.

NineKY 2008. 3. 16. 14:19
by Andrey Bayora (www.securityelf.org)


INTRODUCTION

by Wayne Langlois (www.diamondcs.com.au)


When an antivirus (or similar) scanner opens a file to scan, it must first determine the type of file ("is it an executable? is it an audio file?", etc.). This is important as it increases scan speed: certain irrelevant files can be skipped, and only the appropriate signatures then need to be tested. It also greatly reduces the chance of false positives.


To accomplish filetype detection, some early antivirus scanners simply looked at the file extension (so a file named hello.exe was assumed to be an executable); however, it was quickly realised that this was insufficient. All modern antivirus scanners now look at the file contents to determine the filetype. For example, executable files (.EXE) start with "MZ" (0x4D5A).


However, not all filetypes have headers (consider a text file, for example), and even some that do have headers actually support what we've called floating headers, where the header can begin almost anywhere in the file (as the program which executes or renders the file scans the file contents for the headers). In other words, unrelated data can be prepended without preventing or adversely affecting the execution/rendering of the file.


This throws a real spanner in the works when it comes to filetype detection, because that unrelated prepended data can be in the guise of another filetype, even though the file will still execute or render as its original filetype. Another problem is that because prepended data can be of variable length, it is extremely difficult (sometimes impossible) to locate the original start offset. Yet another problem is that some floating headers, such as HTML, are case insensitive, so "<html>", "<HTML>", "<HtMl>" and so on all must be scanned for.


Earlier this year my path crossed with Andrey as we were both independently researching the MS04-028 JPEG vulnerability. I developed a simple free scanner to detect affected files (JPEGScan), and Andrey developed a clever alteration of the existing vulnerability, which thwarted most scanners at the time, even those which were able to deal with the original MS04-028 vulnerability. JPEG is one of these formats which supports floating headers, so it was at this time that I shared my thoughts and findings with him in regards to filetype detection and false header insertions. Assuming it would only be a matter of time before such an exploit was created, I was not surprised when a few months later Andrey came back to me with successful exploits, which he presents here.


This is one of the most significant antivirus vulnerabilities of recent times as it affects the majority of scanner software and will probably force antivirus developers to change the way they detect filetypes. This may even require scanning the entire file for floating headers, in which case scan speed will be significantly reduced, although it may also be possible to develop more intelligent header analysis algorithms.



DESCRIPTION AND EXAMPLES:


The list of 15 vulnerable antivirus software vendors is presented in my advisory "Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte" here.


Here is an example of a simple .BAT file with an EXE header that will execute the dir command:


Testing environment: Windows XP Professional SP2 with all patches as of June 23, 2005.


Here is the description of the "testing kit":

I took some (old) existing viruses in .bat and .html files; they are:

Virus.BAT.Sakura.bat
Virus.BAT.IBBM.ClsV.bat
Virus.JS.Fortnight.f.html
Virus.HTML.NoWarn.a.html
Virus.HTML.Internal.html


Then I changed them to create the "test kit" in the following way:

1.  Original virus file – to be sure the virus is detected.

2.  Files with MZ_ prefix – viruses with an EXE header (the first 120 bytes, up to 0x0078, of calc.exe). Here is the example:


3.  Files with TXT_ prefix – with the EXE header, but the first 2 bytes are ZZ (a meaningless magic byte). Here is the example:


4.  The .eml file consists of the original viruses as attachments, but has forged headers like in 2) and 3). Here I prepended the first 115 bytes of calc.exe to the .eml file. Here is the example:


5.  Files with mcMZ_ and mcTXT_ prefixes have only 2 bytes – the magic byte itself, MZ and ZZ respectively (these files were created because of the "weak" virus signatures in the McAfee and UNA products, which did not detect the viruses if I prepended "too many" bytes). Here is the example:



The test logic is: if the antivirus program detects the virus in the TXT_ file but did not detect it in the MZ_ file, then the scanning flow was broken and the antivirus "thought" that the file was of executable type, instead of determining the file type by the extension (.bat, .eml or .html).

NOTE that this is NOT a case where the change to the existing virus file resulted in a "broken" detection signature, because after prepending 120 bytes with the ZZ (meaningless) magic byte, the virus is still detected by the antivirus program.
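As an added example (not code from the paper or its authors), the following Python models the test kit and the two scanning flows the test logic distinguishes: a naive scanner that lets the first two bytes pick the signature set, and a hardened one that treats the file extension, a verified PE header (e_lfanew at 0x3C must land on "PE\0\0", which a 120-byte prefix cut from an EXE cannot satisfy) and case-insensitive floating <html> headers as candidate types. The EXE prefix, the BAT body and the signatures are constructed stand-ins, not bytes from calc.exe or real antivirus signatures.

```python
import re
import struct

# Constructed stand-ins for real AV signatures: one set for script content
# (the BAT/HTML viruses of the test kit), one for EXE bodies.
SCRIPT_SIGS = [b"@echo off", b"msgbox"]
EXE_SIGS = [b"exe-payload-marker"]
HTML_RE = re.compile(rb"<html", re.IGNORECASE)  # floating, case-insensitive header

# Constructed 120-byte "EXE header": MZ magic, filler, e_lfanew pointing past the cut.
EXE_PREFIX = b"MZ" + b"\x90" * 0x3A + struct.pack("<I", 0xF0) + b"\x00" * (120 - 0x40)
SAMPLE_BAT = b"@echo off\r\ndir\r\n"  # constructed, harmless BAT body

def build_test_kit(script, exe_prefix=EXE_PREFIX):
    """The paper's variants: MZ_ (EXE header), TXT_ (same bytes, ZZ magic),
    mcMZ_/mcTXT_ (two-byte magic only)."""
    return {"orig": script, "MZ_": exe_prefix + script,
            "TXT_": b"ZZ" + exe_prefix[2:] + script,
            "mcMZ_": b"MZ" + script, "mcTXT_": b"ZZ" + script}

def has_real_pe_header(data):
    """An MZ stub is only trusted if e_lfanew (offset 0x3C) lands on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def naive_scan(data, ext):
    """Vulnerable flow: the first two bytes alone pick the signature set; ext is ignored."""
    sigs = EXE_SIGS if data[:2] == b"MZ" else SCRIPT_SIGS
    return any(s in data.lower() for s in sigs)

def robust_scan(data, ext):
    """Hardened flow: extension, a verified PE header and floating HTML headers
    all contribute candidate types, so a forged MZ cannot skip script signatures."""
    types = {ext.lower().lstrip(".")}
    if has_real_pe_header(data):
        types.add("exe")
    if HTML_RE.search(data):
        types.add("html")
    sigs = (EXE_SIGS if "exe" in types else []) + \
           (SCRIPT_SIGS if types & {"bat", "html", "htm", "eml"} else [])
    return any(s in data.lower() for s in sigs)

def flow_broken(scanner, kit, ext):
    """The paper's test logic: TXT_ detected but MZ_ missed means the magic
    byte hijacked type detection rather than the signature itself breaking."""
    return scanner(kit["TXT_"], ext) and not scanner(kit["MZ_"], ext)
```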


At the end of the test, many antivirus programs failed to detect known viruses.

Here are the screenshots of the results of scanning by some antivirus programs (note that this page is about 1.6 MB with many pictures).

Here are the updated scanning results for October 26, 2005 (based on the www.virustotal.com scan results): 3 more products were added to the vulnerable list of affected software.


Here is the Triple Headed program, which has 3 different 'execution entry points' depending on the extension of the file (exe, html or eml) – just change the extension and the SAME file will be executed by (at least) THREE DIFFERENT programs! (Thanks to contributing author Wayne Langlois from www.diamondcs.com.au for providing this very nice program.)

The source (asm):

; EXE-HTM Hybrid
; by Wayne Langlois (www.diamondcs.com.au)

include 'e:\dev\asm\fasm162\include\win32ax.inc'

; The data below is placed first in the image. When the file is opened as .eml
; it is parsed as an RFC 822 message; when opened as .html the browser skips
; the MZ/PE bytes and the mail headers and runs the <script> block.
_HTML db 'Reply-To: <wayne@local>',0Dh,0Ah,'From: <wayne@local>',0Dh,0Ah,'To: <wayne@local>',0Dh,0Ah,'Subject: My subject',0Dh,0Ah,\
     'Content-Type: multipart/alternative; boundary="--Boundary"',0Dh,0Ah,\
     0Dh,0Ah,\
     '----Boundary',0Dh,0Ah,\
     0Dh,0Ah,\
     '<html><body>',0Dh,0Ah,\
     '<script language="vbscript">Msgbox "Hello from the HTML component!"</script>',0Dh,0Ah,\
     '</body></html>',0Dh,0Ah,\
     '----Boundary',0Dh,0Ah,\
     'Content-Type: text/html',0Dh,0Ah,\
     0Dh,0Ah,\
     'This is the text that will be seen when viewed as a .EML',0Dh,0Ah,\
     0Dh,0Ah,0Dh,0Ah,\
     '----Boundary--',0Dh,0Ah,0

.code
  start:
    ; Entry point used when the file is run as .exe
    invoke  MessageBox,HWND_DESKTOP,"Hello from the EXE component!","EXE",MB_OK
    invoke  ExitProcess,0
.end start


Here is a compiled version of this program. Unpack and run; each time change the extension to exe, html or eml (for the html test, open the file in IE).

The original description of this program by Wayne Langlois:

It's essentially a three-way hybrid: some HTML inside an EML which is inside an EXE. I used a HTML email rather than plaintext so that I could hide the HTML.

Run it as a .EXE file and you get a msgbox "Hello from the EXE component!"

Run it as a .EML file and you get a normal looking email with the message text "This is the text that will be seen when viewed as a .EML"

Run it as a .HTM file and you'll get a vbscript msgbox coming from the HTML that says "Hello from the HTML component!". You'll also see a lot of other garbage from the file being displayed on-screen but it's not really an issue because by that time the VBScript has already executed.

So essentially we have 1 file which has 3 different 'execution entrypoints', depending on the extension of the file.
