No name - PowerPoint PPT Presentation

Slides: 25
Provided by: expla

Transcript and Presenter's Notes

Title: No name

1
  • Attacking Antiviruses
  • ????? ??????????? ? ???????????

2
???? ???????
  • ???? ???????????
  • ?????? ?????? ???????????, ??????????? ????????
  • ????? ????????
  • ?????? ????????? ??????
  • ??? ???????? ??????? ??????
  • ??????????? ????
  • ??????????
  • ????????

3
????????
  • ????? 90 ???? ??????????? ?????????? ??????????
  • ????????????? ?? ??????? ???????, ????????,
    ??????? - ???, ??????, ftp, ? ??.
  • ????? ????????? ???????????? ????????????
    ?????????? ???????? ???????? ?????? (RAR, ZIP,
    LHA .. ? ??). ?????????? ??? ?????????????? ?????
    ?????? ???????????? ?????????? ????? ????? ????.
  • ?? ???? ????????? ????? ??????????? ???????????,
    ? ?????? ??????? ??? ????? ???????????? ??????
    ???????????? ???????? ???????? ??????.

4
???? ??????????? (1)
  • 1. ???????????? (buffer overflows)

    int readFileEntryName(unsigned char *filePtr)
    {
        char name[256];
        int namelen;
        /* the length is taken straight from the file and never checked */
        namelen = READ_UINT32(filePtr);
        filePtr += 4;
        /* copies 'namelen' bytes into a 256-byte stack buffer */
        memcpy(name, filePtr, namelen);
        return namelen;
    }

5
???? ??????????? (2)
  • 2. ???????????? ????????? ????????????? ????????

    int readFileEntryName(unsigned char *filePtr)
    {
        char name[256];
        int namelen;                       /* signed */
        namelen = READ_UINT32(filePtr);
        filePtr += 4;
        if (namelen > 256) {               /* a negative value passes this test */
            printf("Invalid name length\n");
            return -1;
        }
        memcpy(name, filePtr, namelen);    /* negative namelen becomes a huge size_t */
        return namelen;
    }

6
???? ??????????? (3)
  • 3. ????????????? ???????????? (integer
    overflows)

    char *readFileEntryName(unsigned char *filePtr)
    {
        char *name;
        int i;
        unsigned int namelen;
        namelen = READ_UINT32(filePtr);
        filePtr += 4;
        /* namelen * 4 wraps for namelen >= 0x40000000, so the buffer is too small */
        name = malloc(namelen * sizeof(unsigned int));
        for (i = 0; i < namelen; i++) {
            name[i] = READ_UINT32(filePtr);   /* writes run past the allocation */
            filePtr += 4;
        }
        return name;
    }

7
???? ??????????? (4)
  • 4. ?????????? ????????? ??????

    void readFileEntryName(unsigned char *filePtr)
    {
        char *name;
        name = READ_STRING(filePtr);
        printf(name);   /* a string read from the file is used as the format string */
    }

8
???? ??????????? (5)
  • ? ????? ????? ?????????? ?????? ??????? (Denial
    of Service vulnerabilities)
  • ????????????? ???????? ?????????
  • ??????????? ?????
  • ????????? ???????? ?????????? ?????? ? ??.

9
?????? ?????? ???????????
  • ????????? ?? ?????? ? ???????????, ?? ? ? ??????
    ??????? ??.
  • ?????? ? ???????????? ???????, ??? ?????-??
    ?????? ??????
  • ??????????? ????? ??? ??????.
  • ????????????? ???? ??? ????? ???????, ??????? ??
    ???? ??????
  • ????????? ?? ????????.
  • ?????? ??????? ????? (???????)
  • ?????????????? ?????? ????
  • ?????? ???????????? ????
  • ??????? (fuzzing) - ????? ?????? ???????????
    ?????????? ?? ???????? ?????????? ???????????
    (????????????) ?????? ? ?????????? ?? ?????????
    ?????????? ??????????.

10
????? ????????
  • 1. ??????????? ????
  • (?????? ??????? RAR ??????-?? ???????????
    ??????????)
  • 2. ????????? ??????????? ??????
  • (??????????? ????? ??????? RAR, ??.
    ?????)
  • 3. ?????????? ?????????? ? ??????????????
    ??????????? ??????(?????? ?????????? ?
    ???????????? ??????????? RAR ??????)
  • 4. ?????????? ?? ????????? ?????????? ??????????
  • (? ????? ?????? ???????? ??????????
    ???????? OllyDbg)
  • 5. ?????? ????? ?????????. ? ?????? ??????? ??
    ???????????????.

11
?????? ????????? ??????
  • ????????? ??????
  • ???????????? ?????
  • ??????? ??????? ??????????? ???? ???? ?? ?????
    ??????????? ??????? ????????? ??????. ????? ??
    ?????? ????????, ????????????? ?????? ????? ???
    SPIKE, ?????????? ? 2002 ??????? ???????.

12
??? ???????? ??????? ??????
  • ?????? ??????? ????, ??? ?????? ????????
    ?????????? ??????????
  • ? ??????? ????? ? ?????? ???????????? ??????.
    s_block_size_ascii_char("somefiledata");
    s_block_start("somefiledata");
    s_binary("41 42 43 44");
    s_block_end("somefiledata");

  • ??????? ?????? ????????? 1 ??????? ???? ? ????????
    ?????. ????? ??????????? ??? 4 ????? (0x41, 0x42,
    0x43, 0x44). ????? ?????????? ?????, ?????? ???????
    ???? ?????????? ???????? ????? ? ascii ???????.
    ?? ?????? ?????????? ????????? ?????? 4ABCD

13
??? ???????? ??????? ??????
    s_block_size_ascii_char_variable("somefiledata");  // ???????? ??????????
    s_block_start("somefiledata");
    s_binary_variable("41424344");                     // ????????? ??????????
    s_block_end("somefiledata");

  • SPIKE ???????? ?????? ????? ? ????? (??? ??????????
    ?????? ????????), ??????? ????? ??????? ???? ?
    ??????????? ??????????, ????????, ????? 0, -1,
    4294967295, 0, 0x40000000, 0x7fffffff ? ??., ??????
    nnnn, \x00, ../../../../../, ?????? ?? ???????? 'A'
    ?????? ?????.
  • ? ???????? ????????? ??????, SPIKE ????????
    ????????? ?????????? ?????? ??? ??????? ?? ??????
    ?????? ????????, ?? ?????? ???????? ?????????? SPIKE
    ????? ?? ??????? ??????????? 0, -1, ????? 4294967295
    ? ??. ????? ?????? ????? ??????, SPIKE ??????????
    ???????? ?????? ? ????????? ????.
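The four readFileEntryName() variants on slides 4 to 7 and the boundary lengths SPIKE substitutes on slide 13 are brought together in the following added example, which is not part of the presentation: a hardened reader for the same kind of length-prefixed entry, showing the checks a defender wants in front of memcpy() and malloc(), plus a routine that feeds it the slide 13 lengths (0, -1, 0x40000000, 0x7fffffff) and counts how many are refused. The entry layout (a 4-byte little-endian length followed by the bytes it announces), the read_uint32() helper standing in for the slides' READ_UINT32, the NAME_MAX_LEN constant and every sample buffer are assumptions constructed for this example.

```c
/* Added example, not from the presentation: a hardened reader for the
 * length-prefixed entry that the vulnerable readFileEntryName() slides parse,
 * plus a check against the SPIKE-style boundary lengths of slide 13. Assumed
 * layout: 4-byte little-endian length, then that many bytes. read_uint32()
 * stands in for the slides' READ_UINT32; all sample buffers are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 256
/* Constructed sample entries, not taken from the presentation's test archives. */
static const unsigned char SAMPLE_GOOD[]      = { 0x04, 0, 0, 0, 'A', 'B', 'C', 'D' };
static const unsigned char SAMPLE_NEGATIVE[]  = { 0xff, 0xff, 0xff, 0xff, 'A' }; /* -1 as int */
static const unsigned char SAMPLE_TRUNCATED[] = { 0x10, 0, 0, 0, 'A', 'B' };     /* claims 16 */
static const unsigned char SAMPLE_WRAP[]      = { 0, 0, 0, 0x40 };   /* count 0x40000000 */
char scratch_name[NAME_MAX_LEN + 1];   /* outputs shared by main() and the tests */
uint32_t scratch_count;

/* Little-endian uint32 read independent of alignment and host endianness. */
static uint32_t read_uint32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Slides 4 and 5 hardened: unsigned length checked against the destination
 * size and the bytes actually present (avail). Returns the length or -1. */
int readFileEntryNameSafe(const unsigned char *filePtr, size_t avail,
                          char name[NAME_MAX_LEN + 1])
{
    uint32_t namelen;
    if (avail < 4) return -1;           /* not even a complete length field */
    namelen = read_uint32(filePtr);     /* unsigned: -1 is simply 4294967295 */
    filePtr += 4;
    avail -= 4;
    if (namelen > NAME_MAX_LEN || namelen > avail) {
        fprintf(stderr, "Invalid name length %u (have %zu bytes)\n", (unsigned)namelen, avail);
        return -1;
    }
    memcpy(name, filePtr, namelen);
    name[namelen] = '\0';
    return (int)namelen;
}

/* Slide 6 hardened: refuse a count whose byte size would wrap and one that
 * promises more data than the input holds. Caller frees the result. */
uint32_t *readEntryArraySafe(const unsigned char *filePtr, size_t avail, uint32_t *count)
{
    uint32_t namelen, i, *arr;
    if (avail < 4) return NULL;
    namelen = read_uint32(filePtr);
    filePtr += 4;
    avail -= 4;
    if (namelen > SIZE_MAX / sizeof(uint32_t))       /* namelen * 4 would wrap */
        return NULL;
    if ((size_t)namelen * sizeof(uint32_t) > avail)  /* declared more than present */
        return NULL;
    arr = malloc(namelen ? (size_t)namelen * sizeof(uint32_t) : 1);
    if (arr == NULL) return NULL;
    for (i = 0; i < namelen; i++, filePtr += 4)
        arr[i] = read_uint32(filePtr);
    *count = namelen;
    return arr;
}

/* Slide 7 hardened: the format string is a literal, the name is an argument. */
void printEntryName(const char *name) { printf("%s\n", name); }

/* Writes each boundary length from slide 13 (0, -1, 0x40000000, 0x7fffffff) into a
 * length field with one payload byte behind it; returns how many the hardened
 * reader rejects. Only 0 is a valid length here, so 3 of the 4 are refused. */
int boundaryLengthsRejected(void)
{
    static const uint32_t lens[] = { 0, 0xffffffffu, 0x40000000u, 0x7fffffffu };
    unsigned char buf[5] = { 0, 0, 0, 0, 'A' };
    int rejected = 0;
    size_t k;
    for (k = 0; k < sizeof lens / sizeof lens[0]; k++) {
        buf[0] = (unsigned char)lens[k];
        buf[1] = (unsigned char)(lens[k] >> 8);
        buf[2] = (unsigned char)(lens[k] >> 16);
        buf[3] = (unsigned char)(lens[k] >> 24);
        if (readFileEntryNameSafe(buf, sizeof buf, scratch_name) < 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    printf("good: %d\n", readFileEntryNameSafe(SAMPLE_GOOD, sizeof SAMPLE_GOOD, scratch_name));
    printEntryName(scratch_name);
    printf("negative: %d\n", readFileEntryNameSafe(SAMPLE_NEGATIVE, sizeof SAMPLE_NEGATIVE, scratch_name));
    printf("truncated: %d\n", readFileEntryNameSafe(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, scratch_name));
    printf("wrap refused: %s\n", readEntryArraySafe(SAMPLE_WRAP, sizeof SAMPLE_WRAP, &scratch_count) ? "no" : "yes");
    printf("boundary lengths rejected: %d\n", boundaryLengthsRejected());
    return 0;
}
```

Against slide 5, the length lives in an unsigned type and is compared with the bytes actually available, so a length of -1 cannot pass as "less than 256"; against slide 6, the multiplication inside the malloc() argument is bounded before it is performed and the declared count is checked against the input size; against slide 7, the name only ever travels as a printf() argument. The boundary routine is the defender's side of the SPIKE idea on slide 13: the same lengths the fuzzer would substitute, replayed against the parser to confirm each is refused rather than copied or allocated.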

14
??????????? ????
  • F-Prot AntiVirus, http://www.f-prot.com
  • AVG AntiVirus, http://free.grisoft.com
  • Dr.Web AntiVirus, http://www.drweb.com
  • CA Anti-Virus, http://www.ca.com
  • Avira AntiVir for Windows Workstations,
    http://www.avira.com
  • Kaspersky AntiVirus, http://www.kaspersky.com
  ????? RAR ???????, ?????????? ??????????? ?????? 2224,
  ?? Windows XP SP2

15
??????????
  • F-PROT 6.0: f-prot1.rar - DoS (??????????? ????)
  • AVG 7.5: avg1.rar - DoS (??????????? ????)
  • Dr.Web 4.44: drweb1.rar - ?????????? ??????,
    drweb2.rar - DoS (??????????? ????)
  • CA Anti-Virus: ca1.rar - DoS (??????????? ????)
  • Avira AntiVir 7.06.00.507: avira1.rar - DoS (?/?)
  • Kaspersky Anti-Virus 7.0: kasp1.rar - DoS (?/?)
  ?????, ? ??????? ??????? ????? ????????????? ?????????
  ?????????? ???????? ?? ?????? -
  http://www.gleg.net/ruscrypto2008/avtests.tgz

16
F-Prot AntiVirus 6.0, 11.01.2008
17
AVG AntiVirus 7.5, 11.01.2008
18
Dr.Web Anti-Virus 4.44.2
19
Dr.Web Anti-Virus 4.44.2
20
CA Anti-Virus 2008
21
AVIRA AntiVir 7.06.00.507
22
Kaspersky Anti-Virus 7.0.0.125
23
????????
  • ????????????? ?? ?????? ???????????
  • ???? ?? ??????? ??????????, ??????? ?????
    ???????????? ??? ?????????? ????????????? ?????
  • ??????????????? ?? ????? ??? ?????? ????????
    ???????
  • ????????? ???????? ?????????? ?????? ???????
    (??????????? ???? ? ??)

24
  • Attacking AntiViruses
  • ????? ??????????? ? ???????????
  • ??????? ?? ????????!