Following our talk at EICAR 2011 (first day), we have announced the release of some technical data. Of course, for fairness Peter Szor at McAfee has been contacted about our paper and the present post, and his feedback and comments have been very constructive. In this respect, McAfee's decision to recruit Peter is likely to be a wise and strategic one, which could result in a significantly better AV. Wait and see...
We would like to address the problem of the quarantine file (referring to the section "Wake up!" in the paper).
Why did the McAfee Quarantine Wake-up Proof of Concept happen? Our PoC relies on two factors:
- The McAfee Quarantine directory is accessible to ALL users. It can be read and, as a result, its contents copied to other directories.
- The McAfee quarantined files are protected by weak encryption (a single-byte key).
From these two factors, the PoC proceeds as follows:
- As soon as the EICAR test file is detected by the McAfee antivirus protection software, it is moved to the Quarantine directory and deleted from its original location.
- All McAfee quarantine files carry the BUP extension and are in fact extractable with the open-source 7zip software.
- Even once you have extracted it with 7zip, you are still not able to restore the original file directly.
- The Details file gives you all the information needed to restore the file (name and extension of the original virus).
- You need to XOR all the previously extracted files with the key 0x6A.
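The recovery step above, written out as an added example for incident responders who need to pull a sample out of quarantine for analysis (this is not the authors' Perl source, which is not reproduced on this page). It assumes the .bup archive has already been extracted with 7zip, that the members are named `Details` and `File_0`, and that the decoded Details member is INI-style text whose `DetectionName` and `OriginalName` keys carry the detection and original path; the sample members are constructed here, not taken from a real quarantine.

```python
import configparser

BUP_XOR_KEY = 0x6A  # single-byte key named in the post


def xor_bup_member(data: bytes, key: int = BUP_XOR_KEY) -> bytes:
    """XOR every byte with the one-byte key. XOR with a fixed key is its own
    inverse, so one function both decodes a member and re-encodes it."""
    return bytes(b ^ key for b in data)


def parse_details(details: bytes) -> dict:
    """Parse the decoded 'Details' member (INI-style text). The [Details]
    section names the detection; each [File_N] section holds the original
    path. The key names DetectionName/OriginalName are assumptions."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names case-sensitive
    cp.read_string(details.decode("utf-8", errors="replace"))
    files = {s: cp[s]["OriginalName"] for s in cp.sections() if s.startswith("File_")}
    return {"detection": cp["Details"].get("DetectionName", ""), "files": files}


def restore_quarantine(members: dict) -> dict:
    """members: extracted member name -> raw bytes (after `7z x sample.bup`).
    Returns original path -> decoded content, so an analyst can hash or
    restore the sample without guessing which member is which."""
    info = parse_details(xor_bup_member(members["Details"]))
    return {orig: xor_bup_member(members[m])
            for m, orig in info["files"].items() if m in members}


# Constructed sample members (not a real quarantine): a Details text in the
# layout assumed above and a harmless placeholder payload, each XORed with
# 0x6A exactly as they would sit inside the extracted .bup archive.
SAMPLE_DETAILS = (
    "[Details]\nDetectionName=EICAR test file\nNumberOfFiles=1\n"
    "[File_0]\nObjectType=5\nOriginalName=C:\\Users\\lab\\eicar.com\n"
)
SAMPLE_MEMBERS = {
    "Details": xor_bup_member(SAMPLE_DETAILS.encode()),
    "File_0": xor_bup_member(b"constructed placeholder payload, not EICAR"),
}

if __name__ == "__main__":
    for path, content in restore_quarantine(SAMPLE_MEMBERS).items():
        print(path, "->", len(content), "bytes recovered")
```

Because the key is a single fixed byte, the same function re-encodes a file into quarantine form, which is exactly why the protection is only an obfuscation and why the directory ACL, not the encoding, is the control that matters.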
McAfee has been informed, through its Indian development team at Tata, India, during the EICAR 2011 conference and will fix this critical issue as soon as possible (probably in the next McAfee roadmap). It is worth mentioning that weak management of quarantine directories and weak encryption have been identified for a few other AV vendors and products. To be continued then...
Source code (PERL):
Regarding the ZouAV detection issues and concerns: since our talk, this code now has two additional names. More to come in a forthcoming post.