How to catch a virus in the password-protected archive
Having read the rattlersnake article . Does your antivirus catch password-protected archives? I went from unbelief to doubt to disappointment and back to understanding.
As is quite correctly noted in the comments, retrieving the contents of a password-protected archive without knowing the password is impossible, therefore, verification is also impossible. But does this mean that virus detection is impossible? As it seems to me, I figured out why this is possible and why this method has the right to life.
The desire to check the correctness of the situation described in the article and find out how this is possible led me to conduct a small experiment.
')
The checked info.exe file was found from a hash with VirusTotal and packed with WinRar archiver in three archives: zip, rar and rar version 5.
A complex password was set on all archives in order to exclude its selection by the antivirus or the use of standard passwords. To my surprise, the Fortinet antivirus worked on zip and rar archives, but did not work on rar5 !
In the comments to the article there was a version that this is “false positive, false positive”. But this version is implausible, since this false positive produces the same detector as the unpacked virus. Moreover, when using different passwords, the resulting archive should be significantly different. Some other mechanism should work here, but which one?
Trying to understand what affects the operation of the antivirus, I changed one byte in the file and again packed it into the archives with a password. After checking, another surprise was waiting for me - although the virus detection in the archive disappeared (0/53) , the detection by this antivirus and the unpacked file disappeared, although most other antiviruses continued to see it (35/52) !
And then a great idea came to my mind:
Bingo! Fortinet now believes that a virus is in the archive (1/52) .
We check just in case the resulting exe file - and see a strange result - Fortinet continues to find a virus in the file. It looks like he detects it exclusively on CRC32!
Yes, it seems that miracles do not happen and the real virus detection in the password-protected archive is impossible.
On the other hand, given that Fortinet is engaged in software and hardware systems for network security, and the goal is not to miss a letter with a malicious attachment, then this approach has the right to life.
If we know the CRC32 of a malicious file, it will not be superfluous to warn the user when such a file is found in the archive with a password.
As is quite correctly noted in the comments, retrieving the contents of a password-protected archive without knowing the password is impossible, therefore, verification is also impossible. But does this mean that virus detection is impossible? As it seems to me, I figured out why this is possible and why this method has the right to life.
The desire to check the correctness of the situation described in the article and find out how this is possible led me to conduct a small experiment.
')
The checked info.exe file was found from a hash with VirusTotal and packed with WinRar archiver in three archives: zip, rar and rar version 5.
A complex password was set on all archives in order to exclude its selection by the antivirus or the use of standard passwords. To my surprise, the Fortinet antivirus worked on zip and rar archives, but did not work on rar5 !
In the comments to the article there was a version that this is “false positive, false positive”. But this version is implausible, since this false positive produces the same detector as the unpacked virus. Moreover, when using different passwords, the resulting archive should be significantly different. Some other mechanism should work here, but which one?
Trying to understand what affects the operation of the antivirus, I changed one byte in the file and again packed it into the archives with a password. After checking, another surprise was waiting for me - although the virus detection in the archive disappeared (0/53) , the detection by this antivirus and the unpacked file disappeared, although most other antiviruses continued to see it (35/52) !
And then a great idea came to my mind:
- We look at what properties of the file are available in the archive - and see the CRC32 checksum:
- Create an empty file of the same size, for example, using the fsutil file command createnew info.exe 450362
- We customize its CRC32 to the value of the original file (for example, py.exe forcecrc32.py info.exe 0 76718968) or simply setting the value of the first four bytes to 67 EE C6 57:
- We pack it in archive with the password and we check CRC32 - matches
- Checking the resulting archive on VirusTotal
Bingo! Fortinet now believes that a virus is in the archive (1/52) .
We check just in case the resulting exe file - and see a strange result - Fortinet continues to find a virus in the file. It looks like he detects it exclusively on CRC32!
Yes, it seems that miracles do not happen and the real virus detection in the password-protected archive is impossible.
On the other hand, given that Fortinet is engaged in software and hardware systems for network security, and the goal is not to miss a letter with a malicious attachment, then this approach has the right to life.
If we know the CRC32 of a malicious file, it will not be superfluous to warn the user when such a file is found in the archive with a password.
Source: https://habr.com/ru/post/276503/
All Articles