
Thread: Multiple AV vendor vulns - archived

  1. #81
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    AV front-and-center...

    FYI...

    - http://www.theregister.co.uk/2010/05...tch_av_bypass/
    7th May 2010 - "... the technique might be combined with an exploit of another piece of software, say, a vulnerable version of Adobe Reader or Oracle's Java Virtual Machine to install malware without arousing the suspicion of any AV software the victim was using. "Realistic scenario: someone uses McAfee or another affected product to secure their desktops," H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message. "A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the 'protection' offered by the product is basically moot." A user without administrative rights could also use the attack to kill an installed and running AV..."
    - http://www.matousec.com/info/article...rable-software
    Published: 2010/05/05
    Last update: 2010/05/07 - paragraph about which platforms are affected added to Final observations and notes...

    - http://www.f-secure.com/weblog/archives/00001949.html
    May 10, 2010 - "... this attack does not "break" all antivirus systems forever. Far from it. First of all, any malware that we detect by our antivirus will still be blocked, just like it always was. So the issue only affects new, unknown malware that we do not have signature detection for... We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique. And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild. In a nutshell: We believe in defense in depth."

    - http://www.darkreading.com/blog/arch...be_an_ear.html
    May 11, 2010 Graham Cluley, Sophos - "... describes a way in which the tamper protection implemented by some anti-malware products might be potentially bypassed. That's assuming, of course, you can get your malicious code past the anti-malware product in the first place. Hang on a minute. That means KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec is describing is a way of "doing something extra" if the malicious code manages to get past your antivirus software in the first place. In other words, KHOBE is only an issue if antivirus products miss the malware. And that's one of the reasons, of course, why vendors offer a layered approach using a variety of protection technologies..."

    Last edited by AplusWebMaster; 2010-05-13 at 00:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #82
    AplusWebMaster (Adviser Team)

    Symantec - false positive - W.o.W...

    FYI...

    Symantec - false positive - W.o.W....
    - http://forums.wow-europe.com/thread....25762488&sid=1
    * 14. Re: Infostealer in scan.dll and scan.dll.new 15/05/2010 03:20:48 PDT
    "Looks like Norton is giving a false positive* ... "
    * http://www.virustotal.com/analisis/2...b5e-1273917649
    File Scan.dll received on 2010.05.15 10:00:49 (UTC)
    Result: 1/40 (2.50%)

    - http://www.theregister.co.uk/2010/05...w_false_alarm/

    - http://isc.sans.org/diary.html?storyid=8803


  3. #83
    AplusWebMaster (Adviser Team)

    ClamAV v0.96.1 released

    FYI...

    ClamAV v0.96.1 released
    - http://secunia.com/advisories/39895/
    Last Update: 2010-05-24
    Criticality level: Moderately critical
    Impact: DoS
    Where: From remote
    Solution: Update to version 0.96.1...

    - http://www.clamav.net/lang/en/download/sources/
    "... Latest stable release: ClamAV 0.96.1..."

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1639

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1640

    Last edited by AplusWebMaster; 2010-05-28 at 12:12.

  4. #84
    AplusWebMaster (Adviser Team)

    AV detection evasion...

    FYI...

    AV detection evasion...
    - http://isc.sans.org/diary.html?storyid=8857
    Last Updated: 2010-05-26 05:41:55 UTC - "... Authors of malware often build various modules that allow them to extend functionality of malware but also to make analysis more difficult. The rationale behind this is pretty simple – if this particular infected machine does not need the module that, for example, attacks a certain bank it will not be downloaded and installed. This makes it more difficult for the AV vendors to collect all samples of various modules as the attackers can target them. One example of such highly modular (and heavily protected) malware is certainly Clampi – you can see a series of articles about this malware family posted on Symantec's web site*. The attackers can also use modularization to rapidly change fingerprints of malware – if only one module is detected by an AV vendor, the attacker only has to modify that particular module... One very simple malicious file was submitted to us a couple of days... found the file in the /Windows/SysWOW64 directory on his Windows 7 machine. The file was named netset.exe and it wasn't signed, so it immediately looked suspicious... However, online malware scanners all happily declared the file safe – when it was initially submitted to VirusTotal it resulted in 0 detections (yes – 0 out of 40 AV programs on VirusTotal, see the report here**)... attackers are using those simple tricks to make automated analysis more difficult. Since even emulators such as Anubis, which execute the malware in an isolated environment, will not know which argument it needs, the file will appear to be benign. And judging by the VirusTotal results they have no problems with evading signature based scanning..."

    * http://www.symantec.com/connect/blog...s-trojanclampi

    ** http://www.virustotal.com/analisis/6...c7c-1272595124
    File netset.exe received on 2010.04.30 02:38:44 (UTC)
    Result: 0/40 (0.00%)
    There is a more up-to-date report (30/43) for this file.
    - http://www.virustotal.com/file-scan/...c7c-1291654154
    File name: netset.exe
    Submission date: 2010-12-06 16:49:14 (UTC)
    Result: 30/43 (69.8%)

    Last edited by AplusWebMaster; 2011-01-22 at 21:16.

  5. #85
    AplusWebMaster (Adviser Team)

    AV struggles against exploits

    FYI...

    AV struggles against exploits
    - http://krebsonsecurity.com/2010/08/a...inst-exploits/
    August 23, 2010 - "... a series of reports released earlier this month by anti-virus testing lab AV-Test* comes to similar conclusions as NSS report about the exploit-blocking abilities of the major anti-virus products. According to AV-Test, the industry average in protecting against exploits (both known and unknown) was 75 percent."

    * http://www.av-test.org/certifications
    AV-Test Product Review and Certification Report - 2010/Q3

    (More detail available at both URLs above.)

    Last edited by AplusWebMaster; 2011-01-22 at 21:22.

  6. #86
    AplusWebMaster (Adviser Team)

    Trend Micro vuln - hotfix available...

    FYI...

    Trend Micro Internet Security Pro 2010 vuln - Hotfix available
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3189
    Last revised: 09/01/2010
    CVSS v2 Base Score: 9.3 (HIGH)
    Patch Information
    Hyperlink: http://esupport.trendmicro.com/pages...attackers.aspx

    - http://securitytracker.com/alerts/2010/Aug/1024364.html

    - http://xforce.iss.net/xforce/xfdb/61397
    High Risk


  7. #87
    AplusWebMaster (Adviser Team)

    avast! Antivirus v5.0.677 released

    FYI...

    avast! Antivirus v5.0.677 released
    - http://secunia.com/advisories/41109/
    Last Update: 2010-09-13
    Impact: System access
    Where: From remote
    ... The vulnerability is confirmed in avast! Free Antivirus version 5.0.594 for Windows. Other versions may also be affected.
    Solution: Update to version 5.0.677 ...
    Original Advisory: Avast!:

    http://www.avast.com/en-eu/release-history
    Version 5.1.889
    2011-01-13

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3126
    Last revised: 08/26/2010
    CVSS v2 Base Score: 9.3 (HIGH)

    Last edited by AplusWebMaster; 2011-01-22 at 21:20.

  8. #88
    AplusWebMaster (Adviser Team)

    ClamAV v0.96.3 released

    FYI...

    ClamAV v0.96.3 released
    - http://secunia.com/advisories/41503/
    Release Date: 2010-09-21
    Criticality level: Moderately critical
    Impact: DoS, System access
    Where: From remote
    CVE Reference: CVE-2010-0405
    Solution: Update to version 0.96.3.

    - http://www.clamav.net/lang/en/download/sources/

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3434
    Last revised: 10/01/2010
    CVSS v2 Base Score: 9.3 (HIGH)
    ___

    - http://www.h-online.com/security/new...e-1139430.html
    19 November 2010

    Last edited by AplusWebMaster; 2010-12-03 at 16:54.

  9. #89
    AplusWebMaster (Adviser Team)

    Sophos/Mac AV - Top malware seen

    FYI...

    Sophos/Mac AV - Top malware seen
    - http://sophosnews.files.wordpress.co...-mac.jpg?w=640
    Nov. 2 - Nov. 16, 2010 [150K users]

    > http://www.sophos.com/freemacav

    - http://nakedsecurity.sophos.com/2010...malware-found/
    November 18, 2010 - "... 50,000 malware reports from the Mac users during the time period... We don't see as much Mac malware as Windows malware... unfortunately, so long as Mac users don't properly defend themselves they will increasingly be perceived as a soft target by cybercriminals..."


  10. #90
    AplusWebMaster (Adviser Team)

    McAfee SB10013 ...

    FYI...

    McAfee SB10013...
    - http://isc.sans.edu/diary.html?storyid=10012
    Last Updated: 2010-12-01 15:55:08 UTC - "McAfee Released Security Bulletin SB10013 this morning. The bulletin pertains to a potential code execution vulnerability for VirusScan Enterprise 8.5i and earlier versions. According to the information from McAfee they are investigating the publicly disclosed security issue and will publish a hotfix as soon as the investigation is complete. They have listed this as a Severity Rating of Medium. For more information and to check for the hotfix* ..."
    * https://kc.mcafee.com/corporate/inde...ent&id=SB10013
    December 01, 2010 - "... McAfee is aware of a publicly disclosed security issue that may affect VirusScan Enterprise version 8.5 and prior. We are investigating the claims and will update this KB with additional details when they are available. We will be publishing a hotfix for this issue as soon as we are certain the fix closes all avenues of attack. This hotfix will mitigate the issue in affected configurations... VSE 8.7i and beyond are not affected by this issue and are readily available immediately. Upgrading to the newest version effectively closes this issue completely... Remediation: Upgrade to or install VSE 8.7..."

    - http://secunia.com/advisories/41482/
    Release Date: 2010-11-29
    Last Update: 2010-12-03
    Criticality level: Highly critical
    Impact: System access
    Where: From remote
    ...The vulnerability is confirmed in version 8.5.0i (patch 8, 32bit scanmodule version 5400.1158, DAT version 6107.0000). Other versions may also be affected.
    Solution: Fixed in McAfee VirusScan version 8.7i or later...

    - https://kc.mcafee.com/corporate/inde...ent&id=SB10013
    Last Modified: December 14, 2010

    Last edited by AplusWebMaster; 2011-01-22 at 21:10.
