[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[TZO-22-2009] Bitdefender generic evasion of heuristics (for PDF)


                 From the low-hanging-fruit-department
             Bitdefender generic evasion of heuristics (for PDF)

CHEAP Plug :
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-23-2009] - Bitdefender generic PDF evasion (heuristics)
WWW         : http://blog.zoller.lu/2009/04/advisory-bitdefender-generic-evasion.html
Vendor      : http://www.bitdefender.com
Status      : Patched (with sig update after 13.05.2009)
CVE         : none provided
Credit      : none 
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 5 days

Disclosure Policy : 

Affected products : 
- Bitdefender Antivirus 2009 
- Bitdefender Internet Security 2009 
- Bitdefender Total Security 2009 
- Bitdefender Small Office Security 
- Bitdefender for Fileservers 
- Bitdefender for Samba
- Bitdefender for Sharepoint 
- Bitdefender Security for Exchange 
- Bitdefender Security for Mailservers 
- Bitdefender for ISA Servers 
- Bitdefender Client security 

- BitDefender Business Security 
- Bitdefender Antivirus for Unices 
- Bitdefender Corporate Security 
- Bitdefender SBS Security 

I. Background
Quote: "BitDefender™ provides security solutions to satisfy the protection requirements 
of today's computing environment, delivering effective threat management for 
over 41 million home and corporate users in more than 100 countries. BitDefender, 
a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices in 
Tettnang, Germany, Barcelona, United Kingdom, Denmark, Spain and 
Fort Lauderdale (FL), USA."

II. Description
The heuristics can be bypassed by a special formatted PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a 
bypass that relies on archive structures but relies on evading certain 
code paths in the AV engine "through various means".

III. Impact
To know more about the impact and type of "evasion", I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Interestingly this opens the possibility to evade at scan time and

IV. Disclosure timeline
08/05/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date.
13/05/2009 : Bitdefender notifies my that the patch was deployed.

Bitdefender is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/SOFTWIN to facilate communication and reduce lost reports.