Magic byte vulnerability

Recently the media has been paying some attention to the ‘magic byte’ vulnerability disclosed by Andrey Bayora.

The vulnerability advisory basically states that the majority of virus scanners are unable to detect some malware if a fake file header is prepended to the malicious file.

This more or less boils down to script-like malware, such as .bat and .html, going undetected if an MZ header, for instance, is prepended to the file. Most virus scanners seem to assume that such a file is an executable, and will therefore no longer detect the malware.

To circumvent this, you need to do a redundant file check: scan the _entire_ file for file headers/malicious code.

The whole issue gives rise to an interesting discussion: is this actually a vulnerability?

As the (complete) file’s hash has been changed, it’s no longer exactly the same file. This means that the malicious file is technically a variant, not the same old malware. And this leads to the conclusion that from a technical point of view, this is not a real vulnerability.

Of course, this point of view is open to debate. The question is, does the ‘vulnerability’ pose a real threat?

I don’t think so. Of course, it remains to be seen exactly how this ‘vulnerability’ will be exploited. But we see repacked malware on a daily basis; this is in some ways a similar case.

As the vast majority of malware these days is in binary form, it would be much more serious if we didn’t have unpacking support for the common runtime packers. And naturally, we are working to release a patch for the ‘magic byte’ vulnerability as I write. Or to look at it from another point of view, we are adding a feature.