VirusTotal with origami?
By Fred, Friday 19 June 2009 at 16:48 :: General :: #67
While writing the previous article, I decided to run a simple test: hide a well-known virus in a PDF file and see what happens. The results are beyond expectation!
The test I made was really simple:
- Take the EICAR test file.
- Take an innocent PDF file (it has been submitted to VirusTotal and is considered clean by every AV engine).
- Add the EICAR file to the innocent PDF file as an attachment, applying anywhere from no filter to multiple filters, including encryption.
Raw EICAR in PDF
Embedding EICAR in a PDF is really easy with origami:
require 'origami'
include Origami

pdf = PDF.read( "base.pdf" )
pdf.attach_file("eicar.com",
:Filter => []            # no filter at all: the attachment is stored verbatim
)
pdf.saveas("eicar-none.pdf")
You can use a nice anti-virus to spot the EICAR file: your eyes!
9 0 obj
<<
/Length 68
/Filter [ ]
>>stream
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
endstream
endobj
However, while it is obvious that the test file is here, only 5/41 anti-virus engines detect it!
# eicar-none.pdf: no filter, 5/41
# AntiVir 7.9.0.191 2009.06.19 HEUR/PDF.Obfuscated
# Authentium 5.1.2.4 2009.06.19 Trivial
# ClamAV 0.94.1 2009.06.19 Eicar-Test-Signature
# McAfee-GW-Edition 6.7.6 2009.06.19 Heuristic.PDF.Obfuscated
# Panda 10.0.0.16 2009.06.19 Eicar.Mod
Using a single filter: FlateDecode
A very common filter is FlateDecode. It is the well-known deflate from zlib, and it is the default filter applied to attachments.
pdf = PDF.read( "base.pdf" )
pdf.attach_file("eicar.com")    # no :Filter given: origami applies FlateDecode by default
pdf.saveas("eicar-flate.pdf")
The results are as good as the previous ones: 5/41!
# eicar-flate.pdf: FlateDecode, 5/41
# AntiVir 7.9.0.191 2009.06.19 HEUR/PDF.Obfuscated
# ClamAV 0.94.1 2009.06.19 Eicar-Test-Signature
# McAfee-GW-Edition 6.7.6 2009.06.19 Heuristic.PDF.Obfuscated
# Panda 10.0.0.16 2009.06.19 EICAR-AV-TEST-FILE
# VirusBuster 4.6.5.0 2009.06.18 EICAR_test_file
However, you can notice that Authentium now fails, whereas VirusBuster detects it (meaning it can detect compressed EICAR but not raw EICAR ... weird).
Multiple filters
Now, we chain several filters:
pdf = PDF.read( "base.pdf" )
pdf.attach_file("eicar.com",
:Filter => [:ASCIIHexDecode, :LZWDecode, :ASCII85Decode]   # a reader decodes them in this order
)
pdf.saveas("eicar-multi.pdf")
And ... 2/41 detections!
# eicar-multi.pdf: ASCIIHexDecode, LZWDecode, ASCII85Decode, 2/41
# AntiVir 7.9.0.191 2009.06.19 HEUR/PDF.Obfuscated
# McAfee-GW-Edition 6.7.6 2009.06.19 Heuristic.PDF.Obfuscated
One can wonder what is really being detected here, given such messages ...
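To see what an engine has to do before a signature can match, here is an added example (not origami's code, stdlib only) that decodes a stream body through its /Filter chain the way a reader does and then looks for the EICAR string; the LZW decoder is hand-written (PDF flavour, EarlyChange=1), and the sample stream bytes are constructed inline.

```python
import base64, binascii, re, zlib

# The 68-byte EICAR test string, exactly as it appears in the raw stream above.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def lzw_decode(data, early_change=1):
    # PDF-flavour LZW: 9- to 12-bit codes, 256 clears the table, 257 ends the data.
    reset = lambda: [bytes([i]) for i in range(256)] + [b"", b""]
    table, width, prev, out, buf, nbits = reset(), 9, None, bytearray(), 0, 0
    for byte in data:
        buf, nbits = (buf << 8) | byte, nbits + 8
        while nbits >= width:
            nbits -= width
            code, buf = (buf >> nbits) & ((1 << width) - 1), buf & ((1 << nbits) - 1)
            if code == 256:
                table, width, prev = reset(), 9, None
                continue
            if code == 257:
                return bytes(out)
            if code > len(table) or (code == len(table) and prev is None):
                raise ValueError("invalid LZW code %d" % code)
            entry = table[code] if code < len(table) else prev + prev[:1]  # KwKwK case
            out += entry
            if prev is not None:
                table.append(prev + entry[:1])
            prev = entry
            if len(table) + early_change >= (1 << width) and width < 12:  # EarlyChange=1 default
                width += 1
    return bytes(out)

def ascii_hex_decode(data):
    digits = b"".join(data.split(b">")[0].split())  # '>' is EOD, whitespace is ignored
    return binascii.unhexlify(digits + b"0" * (len(digits) % 2))  # odd last digit: pad with 0

DECODERS = {  # the four filters used in this article; any other name raises KeyError
    b"ASCIIHexDecode": ascii_hex_decode,
    b"ASCII85Decode": lambda d: base64.a85decode(d.strip(), adobe=True),  # '~>' is EOD
    b"LZWDecode": lzw_decode,
    b"FlateDecode": zlib.decompress,
}

def decode_stream(stream_dict, data):
    # '/Filter [A B C]' means the reader applies A, then B, then C; '/Filter [ ]' means none.
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", stream_dict)
    for name in re.findall(rb"/(\w+)", m.group(1)) if m else []:
        data = DECODERS[name](data)
    return data

# Constructed sample: on-disk bytes of a /Filter [/ASCII85Decode /FlateDecode] attachment
# (PDF writers omit the '<~' prefix but keep the '~>' terminator).
SAMPLE_A85_FLATE = base64.a85encode(zlib.compress(EICAR), adobe=True)[2:]
```

A check such as `EICAR in decode_stream(stream_dict, body)` only succeeds once every filter in the chain has been undone, which is exactly the work a scanner that matches on the raw file bytes never does.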
Encryption
Last, we encrypt the file with empty passwords:
pdf = PDF.read( "base.pdf" )
pdf.attach_file("eicar.com",
:Filter => [:ASCIIHexDecode, :LZWDecode, :ASCII85Decode]
)
pdf.encrypt("", "", :Algorithm => :AES)   # empty user and owner passwords, AES encryption
pdf.saveas("eicar-multi-enc.pdf")
Not very surprisingly, the results are the same as before: 2/41 detections!
# eicar-multi-enc.pdf: ASCIIHexDecode, LZWDecode, ASCII85Decode + encryption, 2/41
# AntiVir 7.9.0.191 2009.06.19 HEUR/PDF.Obfuscated
# McAfee-GW-Edition 6.7.6 2009.06.19 Heuristic.PDF.Obfuscated
Anti-virus fail?

Comments
1. On Tuesday 23 June 2009 at 08:53, by Cédric Pernet