Abstract: Some Windows antivirus software fails to detect, block and/or disinfect/move/delete malware if the malware EXE file has only execution permission and no read, write or other permissions. The worst cases are NOD32 and Avast antivirus, which allow the malware to run unimpeded. Avast has fixed the flaw while NOD32 is still vulnerable as of this writing. Vulnerable applications: (OS is Windows XP Professional SP3 with all current updates, unless otherwise noted) ESET NOD32 Antivirus 5.0.93.0, 5.0.94.0 and earlier 4.2.71.2 and earlier 4.0.x AVAST 6.0.1289 Internet Security , engine 111011-2 and earlier F-Prot Antivirus 6.0.9.5 , Scanning Engine 4.6.2 G-Data AntiVirus 2012 22.0.2.38, 22.0.9.1 Norman Security Suite, Antivirus version 8.00, Norman Scanner Engine version 6.07.11 and earlier Non-vulnerable applications: AVAST 6.0.1289 Internet Security , engine 111022-1 and later Sophos Endpoint Security and Control, version 9.5 Sophos Anti-Virus 9.5.5, Detection engine 3.23.2 MSE 2.1.1116.0 AVG Anti-Virus 2012.0.1831 Avira Antivirus Premium 2012 (12.0.0.867) BitDefender Antivirus Plus 2012 Build 15.0.31.1282 F-Secure Anti-Virus 2011 10.51 build 106 Kaspersky Anti-Virus 2012 12.0.0.374 McAfee AbtiVirus Plus 11.0 build 11.0.623 Panda Antivirus Pro 2012 Trend Micro Titanium 2012 5.0.1280 Vulnerability details: The Windows operating system supports a range of file permissions for files stored on volumes formatted in the NTFS file system format. For executing EXE files, the acting user account only needs the "Execute File" permission, while all others might be missing or denied, allthough there are cases when this is not true. The exact rule is unknown to the author. In the system used to test and verify the vulnerability the Execute File was enough to run programs. On another system running Windows 7 that was not true. Start of EXE files succeeded only if other permissions were enabled, including the Read Data permission. On another older system (XP or Windows 2003) the "Read Attributes" permission was required for program execution. The vulnerability discussed here is that some antivirus software fail to perform their functions if the malware file is missing read, write or delete permissions. They might not scan the file contents due to missing read permission, not delete it due to missing Delete permission or not desinfect it due to missing Write Data permission or not move to quarantine. For test Windows XP Professional SP3 (running in a virtual machine provided by Virtualbox v4.1.4) and the Back Orifice 2000 server file (bo2k.exe) ( http://www.bo2k.com/ ) as a test file were used (with file permissions set to only allow execution). ESET NOD32 Eset NOD32 does nothing when a sample of the Back Orifice 2000 server EXE file with only the Execute File permission is executed. The bo2k.exe file is executed, the process works unrestrained and there is no action from by NOD32. If the same file with full permissions is started, NOD32 report it as malware, blocks the execution and deletes the file. AVAST AVAST 6.0.1289 Internet Security Trial version, engine 111011-2 On start of the test file it claims the file was blocked and moved to chest (quarantine), but actually it is executed and works (and not moved). A malware file with full permissions is prevented execution and is moved to chest. The problem is resolved in the AVAST engine version 111022-1 and later. F-Prot F-Prot Antivirus 6.0.9.5 , Scanning Engine 4.6.2 Prevents execution of the test file, but can not delete it. (tries, but fails - regular malware file is deleted) On demand scan completelly ignores test files (does not report them as malware). G-Data G-Data AntiVirus 2012 22.0.9.1 Prevents execution of the test file, tries to move it to quarantine, but fails with no error message. If the user selects the non-default option to delete the file, that works. Norman Norman Security Suite, Antivirus version 8.00, Norman Scanner Engine version 6.07.11 Does not seem to recognize BO2k server as a threat. Tested with the bo2k GUI executable: Prevents execution, claims to move to quarantine, but file stays where it was. The Engine version 6.07.13 does not recognize neither the BO2K GUI or server as malware, so it was not tested. Attack scenarios Possible attack scenarios are (for NOD32 and unfixed AVAST): - malware infects the system before antivirus software is installed After the infection the malware removes all permissions except "Execute File" from its EXE file, making itself undetectable by vulnerable antivirus software that is installed later. - malware spreads on NTFS formatted USB flash drives Malware infects or creates EXE files on USB flash drives and sets the permissions to execute-only. Plugging such a USB flash drive into other computers, the EXE files can be executed by the user or possibly automatically (Windows AutoPlay functionality) undetected by vulnerable antivirus software installed on the target system. It is also possible to infect further USB flash drives and other media in the presence of vulnerable antivirus software (see next item). - download of malware Even in presence of vulnerable antivirus software, it is possible to download and save an EXE file to the system that would otherwise be detected as malware and blocked. A successfully tested scenario (with NOD32) is: - create an empty target file - remove all permission from it, except to write/append data - download a ZIP file containg an EXE file that is detected as malware (the bo2k.exe from the download package on the BO2K home page); the ZIP file triggers no warnings from NOD32 - using standard command line tools, like unzip, split and cat, extract the bo2k.exe file from the ZIP archive in small parts (like 100 bytes), then append the parts in correct order to the target file in separate write operations Not using an .EXE ending in the created file names might heighten the probability of success. The result is a fully functioning copy of the bo2k.exe file. In the above scenario NOD32 complained about detected malware, but the file was not (re)moved and could be executed without any interference from NOD32. Solution/workaround Use software listed as not vulnerable above. Vendor communication ESET 2011 Aug 7 - ESET is informed about the issue 2011 Aug 8 - ESET replies the information was passed on 2011 Oct 18 - ESET confirms the issue is under investigation (forum post, see http://www.wilderssecurity.com/showthread.php?t=308955 ) 2011 Nov 5 - Issue published on Bugtraq AVAST 2011 Oct 11-17 - vendor was informed 2011 Oct 23 - fixed version of software is released F-Prot, G-Data, Norman They were informed about the issues in October 11th or 12th. As the issue with their products is minor, I did not wait for a solution from their side. Regards, reset557