Posts Tagged ‘detection’

This is just a little midday-thought I had and well…it kinda works but not as expected yet. I’d still like to share it due to it’s simplicity. The following is all that’s needed:

<img src=”eicar.png” onload=”alert(‘AV NO’);” onerror=”alert(‘AV YES’);”>

The above should theoretically trigger “AV NO” when there is no AV installed and “AV YES” when an antivirus is installed. If you wonder why this should work it’s because of the so called “eicar string“(that you of course embed in the fake png image). When an AV encounters this special string it should trigger an alert, the string is mainly used to test if an AV functions as expected without risking an actual infection. So my theory was based upon most AV products actively blocking the file which should result in the fake image not being loaded. However after testing this with IE, Chrome & FireFox it seems that it only works as expected with IE. This test isn’t very reliable since I’ve only tested with one AV product, so feel free to test this method with others and maybe it will work with the other browsers.

I’ve done a quick search around for other detection vectors using the eicar string and only found one PDF which is pretty interesting since it describes enumerating if mail servers have an AV installed and depending on the configuration the mail servers can even disclose the AV version number.

Conclusion is that the eicar file seems to be a good candidate to detect an AV if you manage to deliver it and probe if it has been blocked. I’ve done some quick testing with cookies, but unfortunately they get manipulated by the browser thus invalidating the eicar string. If anyone has got some time on their hands maybe it’s possible to deliver eicar using HTML5 storage or flash or silverlight and detect if it’s been blocked. If you plan on further researching this to detect an AV remotely please be aware of the following requirements to deliver the eicar string:

The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z.

So unfortunately my whole theory didn’t exactly work 100% as expected but hey that’s why theories are always put to the test right?

p.s. Don’t forget you can also apply this the other way around, upload a file with the eicar string to a server and you can probably determine if there is an AV product installed (assuming you are able to remotely check if the file was blocked/deleted). In the logs it will show as EICAR TEST most probably…thus maybe even fooling the adminstrator to not pay attention to it.

Well in my quest to move my old tools and papers to my new blog here is another one from the old website. Two ways to detect rootkits, one of them doesn’t work anymore (assuming all rootkits hook the function used back then) the other one I don’t know haven’t tested it latley. Here are the readme’s and the source codes.


Maybe “IDE Sniffing” is a bit misleading…but I was not sure how to call it otherwise. So this is the problem context: You need to know if a harddisk is encrypted but you are not allowed to disconnect or move the computer. You have no access to the computer, like no login,no firewire to exploit and no vulnerable services running. Let’s also assume that this computer is using normal IDE ( I know it’s a bit outdated) disks. How on earth are we going to find out?


Timing Rootkits

Posted: October 28, 2008 in kd-team archive, papers
Tags: , ,

Using timing mechanisms to detect rootkits.