A flaw in several virus scanners could let a malicious file evade detection, a security researcher has warned. But some in the industry dispute that it's a bug.
By adding some data to a file, an attacker could trick virus scanners into letting a malicious executable file pass through, security researcher Andrey Bayora wrote in an advisory. The problem lies in the scanning engine, which won't detect files that have the extra data. Bayora refers to that extra data as the "Magic Byte".
The problem affects numerous antivirus products, including software from Trend Micro, McAfee, Computer Associates and Kaspersky Lab, according to Bayora, who works as a computer security consultant in Israel. His advisory also lists several products that are not affected, including software from Symantec, F-Secure and BitDefender.
"This is one of the most significant antivirus vulnerabilities of recent times as it affects the majority of scanner software," Bayora wrote in an article on his Web site that details the issue.
Bayora originally disclosed details of the flaw on 24 October. Since then, the topic has been the subject of lively discussions on the popular Full Disclosure mailing list.
The issue is further evidence that researchers are increasingly looking for holes in security products. Protective technology is commonly installed on PCs, servers, network gateways and mobile devices. As security software becomes more widespread, it becomes a more attractive target to cybercriminals, experts have said.
But in this case, what Bayora calls out as a vulnerability in virus scanning engines, some in the industry see as inherent to signature-based protection of antivirus software.
"It's not a real security vulnerability, as this is the way antivirus scanners work: If someone creates a new malware, the antivirus industry will create a new signature for it," said Andreas Marx, an antivirus software expert at the University of Magdeburg in Germany. "This way always leaves a detection and protection gap."
The signatures in antivirus software are like a dictionary of known viruses. The virus-scanning process looks for matches against that dictionary. If a new threat is found, a signature is added.
Bayora actually created a variant of a virus, said Ken Williams, a representative of Computer Associates. "Modifying a virus to the point where it is no longer detectable does not qualify as a vulnerability. Most viruses are modified in this way over time on a regular basis, and CA treats this as a new virus variant," he said in a statement.
But Kaspersky and Trend Micro do see the Magic Byte issue as a software flaw and are offering updates to fix it.
"A patch for affected products is currently being tested and should be available within a week," Kaspersky said in a notice on its Web site. Trend Micro has addressed the "potential vulnerability" in the latest version of its virus pattern files, a representative said in an emailed statement.
According to Trend Micro, the problem in its product is limited to one specific type of potential virus file that typically would be blocked in most enterprises' email systems and would need to be executed manually. Bayora in a posting to a security mailing list identified that file type as a batch, or .bat, file.
McAfee did not respond to requests seeking comment for this story.
