AVs prove less effective
Last year I started working on the Web Backdoor Compilation (WBC). The idea behind the project was the following:
- A tool to aid penetration testers and web developers with the security testing of document management applications.
Recently I made a pre-v2 release of the tool, which has received even more feedback than the previous version, and the project just got even more exciting.
During web application security audits, I have come across a couple of situations where my uploaded file just vanished off the server - I am sure many reading this have come across this too. The reason behind this was that an Anti-Virus (AV) application had detected the malicious script and removed it. My future plans for this project are to check the effectiveness of AV filters against the scripts in WBC. Dancho Danchev has gone ahead and made a fantastic start to this!
I have gone ahead and added his research into the WBC table for easy viewing and as a centralised location for AV vendors and other interested parties. The results are certainly not a shocker but definitely an eye opener. WBC has certainly demonstrated what all security researchers already know: this area needs work!
I can really see AV vendors getting a wake-up call in this area, or at least I hope they do. The fun will soon begin to see how we can circumvent their restrictions and help improve some of these products!
Using VirusTotal for this kind of thing is not serious.
White on black is difficult to read. Use black on white.
Julio, I don’t really get what you’re saying?
pp, what is difficult to read, the site in general or a particular post?
Not only are the AV engines in VirusTotal different (perimeter, host, ..), which makes “comparing” rather unscientific, but it is also questionable whether these scripts (whose contents anybody can change completely) should be detected by AV signatures or by other technologies such as web app IDS/IPS or even web server configuration/filters. This study is not serious, not scientific and, worst of all, not relevant and a waste of time. Spend your time on more useful stuff.
Looks like the latest Symantec AV-10 picks up on CFEXEC.CFM now. It can probably be modified to bypass heuristics. :)
Kurt, can you send me the version info and I’ll update the list :)
kk, I can’t comment for Julio; I don’t really know much about VirusTotal. However, the debate over whether AV engines should detect malicious code is already being had. The debate is more about “what” signatures should be added - it seems to be done by risk and personal preference at the moment. This really requires a post on its own.
Thanks for your feedback, guys.