Abstract:

Some Windows antivirus software fails to detect, block and/or
disinfect/move/delete malware if the malware EXE file has only
execution permission and no read, write or other permissions.
The worst cases are NOD32 and Avast antivirus, which allow the
malware to run unimpeded. Avast has fixed the flaw while NOD32
is still vulnerable as of this writing.




Vulnerable applications:

  (OS is Windows XP Professional SP3 with all current updates, unless
otherwise noted)


  ESET NOD32 Antivirus 5.0.93.0, 5.0.94.0 and earlier
    4.2.71.2 and earlier
    4.0.x

  AVAST 6.0.1289 Internet Security , engine 111011-2 and earlier

  F-Prot Antivirus 6.0.9.5 , Scanning Engine 4.6.2

  G-Data AntiVirus 2012 22.0.2.38, 22.0.9.1

  Norman Security Suite, Antivirus version 8.00, Norman Scanner Engine
version 6.07.11 and earlier




Non-vulnerable applications:


  AVAST 6.0.1289 Internet Security , engine  111022-1 and later

  Sophos Endpoint Security and Control, version 9.5
     Sophos Anti-Virus 9.5.5, Detection engine 3.23.2

  MSE 2.1.1116.0

  AVG Anti-Virus 2012.0.1831

  Avira Antivirus Premium 2012 (12.0.0.867)

  BitDefender Antivirus Plus 2012 Build 15.0.31.1282

  F-Secure Anti-Virus 2011  10.51 build 106

  Kaspersky Anti-Virus 2012 12.0.0.374

  McAfee AbtiVirus Plus 11.0 build 11.0.623

  Panda Antivirus Pro 2012

  Trend Micro Titanium 2012 5.0.1280




Vulnerability details:


The Windows operating system supports a range of file permissions
for files stored on volumes formatted in the NTFS file system format.
For executing EXE files, the acting user account only needs the
"Execute File" permission, while all others might be missing or denied,
allthough there are cases when this is not true. The exact rule is unknown
to the author. In the system used to test and verify the vulnerability
the Execute File was enough to run programs. On another system running
Windows 7 that was not true. Start of EXE files succeeded only if other
permissions were enabled, including the Read Data permission. On another
older system (XP or Windows 2003) the "Read Attributes" permission was
required for program execution.

The vulnerability discussed here is that some antivirus software fail
to perform their functions if the malware file is missing read, write or
delete permissions. They might not scan the file contents due to missing
read permission, not delete it due to missing Delete permission or not
desinfect it due to missing Write Data permission or not move to quarantine.

For test Windows XP Professional SP3 (running in a virtual machine
provided by Virtualbox v4.1.4) and the Back Orifice 2000 server file
(bo2k.exe) ( http://www.bo2k.com/ ) as a test file were used (with file
permissions set to only allow execution).


ESET NOD32

Eset NOD32 does nothing when a sample of the Back Orifice 2000 server EXE
file with only the Execute File permission is executed. The bo2k.exe file
is executed, the process works unrestrained and there is no action from
by NOD32. If the same file with full permissions is started, NOD32 report
it as malware, blocks the execution and deletes the file.


AVAST

AVAST 6.0.1289 Internet Security Trial version, engine 111011-2
On start of the test file it claims the file was blocked and moved to
chest (quarantine), but actually it is executed and works (and not moved).
A malware file with full permissions is prevented execution and is
moved to chest.

The problem is resolved in the AVAST engine version 111022-1 and later.


F-Prot

F-Prot Antivirus 6.0.9.5 , Scanning Engine 4.6.2
Prevents execution of the test file, but can not delete it.
(tries, but fails - regular malware file is deleted)

On demand scan completelly ignores test files (does not report them as malware).


G-Data

G-Data AntiVirus 2012 22.0.9.1
Prevents execution of the test file, tries to move it to quarantine, but fails
with no error message.

If the user selects the non-default option to delete the file, that works.


Norman

Norman Security Suite, Antivirus version 8.00, Norman Scanner Engine
version 6.07.11
Does not seem to recognize BO2k server as a threat.
Tested with the bo2k GUI executable: Prevents execution, claims to
move to quarantine,
but file stays where it was.

The Engine version 6.07.13 does not recognize neither the BO2K GUI or
server as malware,
so it was not tested.



Attack scenarios


Possible attack scenarios are (for NOD32 and unfixed AVAST):


 - malware infects the system before antivirus software is installed

After the infection the malware removes all permissions except "Execute File"
from its EXE file, making itself undetectable by vulnerable antivirus software
that is installed later.


 - malware spreads on NTFS formatted USB flash drives

Malware infects or creates EXE files on USB flash drives and sets the
permissions
to execute-only. Plugging such a USB flash drive into other computers,
the EXE files
can be executed by the user or possibly automatically (Windows
AutoPlay functionality)
undetected by vulnerable antivirus software installed on the target
system. It is
also possible to infect further USB flash drives and other media in the presence
of vulnerable antivirus software (see next item).


 - download of malware

Even in presence of vulnerable antivirus software, it is possible to download
and save an EXE file to the system that would otherwise be detected as malware
and blocked. A successfully tested scenario (with NOD32) is:
 - create an empty target file
 - remove all permission from it, except to write/append data
 - download a ZIP file containg an EXE file that is detected as
malware (the bo2k.exe
from the download package on the BO2K home page); the ZIP file triggers no
warnings from NOD32
 - using standard command line tools, like unzip, split and cat,
extract the bo2k.exe
file from the ZIP archive in small parts (like 100 bytes), then append
the parts in
correct order to the target file in separate write operations

Not using an .EXE ending in the created file names might heighten the
probability of success.

The result is a fully functioning copy of the bo2k.exe file. In the
above scenario
NOD32 complained about detected malware, but the file was not
(re)moved and could
be executed without any interference from NOD32.




Solution/workaround


Use software listed as not vulnerable above.




Vendor communication


ESET

2011 Aug 7   - ESET is informed about the issue
2011 Aug 8   - ESET replies the information was passed on
2011 Oct 18  - ESET confirms the issue is under investigation (forum post, see
http://www.wilderssecurity.com/showthread.php?t=308955 )
2011 Nov 5   - Issue published on Bugtraq

AVAST

2011 Oct 11-17 - vendor was informed
2011 Oct 23    - fixed version of software is released

F-Prot, G-Data, Norman


They were informed about the issues in October 11th or 12th.
As the issue with their products is minor, I did not wait for
a solution from their side.


Regards,
reset557