Bypassing Virus Scanners Using MIME Encoding Tricks
Hendrick Weimer talks about how you can fool some virus scanners by making base64-encoded data look invalid to them: simply insert random characters that are not in the Base64 alphabet:
Base64 encoding for MIME is defined in RFC 2045, which lists such an alphabet and clearly states: All line breaks or other characters not found in the alphabet must be ignored by decoding software. So it shouldn't make any difference if we insert some random characters not in the alphabet into a Base64 encoded version of our good old EICAR string, right? Wrong. Some virus scanners will happily pass viruses once they come in an unusual but still RFC-compliant encoding. This is even more astonishing given such attacks have already been discussed before.
I personally use modified versions of amavisd-new, and even if it's not vulnerable to this kind of trick, it still depends on the file utility to guess MIME types, which sucks.
Anyway, I went on and decided to create 2 mails and then submit them to VirusTotal:
- one with a valid base64 encoding of the EICAR.COM test file:
| Scanner | Version | Update | Result |
|---|---|---|---|
| AntiVir | 22.214.171.124 | 12.07.2006 | no virus found |
| Authentium | 4.93.8 | 12.07.2006 | EICAR_Test_File |
| Avast | 4.7.892.0 | 12.07.2006 | EICAR Test-NOT virus!! |
| AVG | 386 | 12.07.2006 | EICAR_Test (+2) |
| BitDefender | 7.2 | 12.07.2006 | no virus found |
| CAT-QuickHeal | 8.00 | 12.06.2006 | EICAR Test File |
| ClamAV | devel-20060426 | 12.07.2006 | Eicar-Test-Signature |
| DrWeb | 4.33 | 12.07.2006 | EICAR Test File (NOT a Virus!) |
| eSafe | 126.96.36.199 | 12.07.2006 | EICAR Test File |
| eTrust-InoculateIT | 23.73.79 | 12.07.2006 | EICAR_test_file |
- one using Weimer's Perl script:
| Scanner | Version | Update | Result |
|---|---|---|---|
| AntiVir | 188.8.131.52 | 12.07.2006 | no virus found |
| Authentium | 4.93.8 | 12.07.2006 | New or modified variant of Trivial <--- |
| Avast | 4.7.892.0 | 12.07.2006 | EICAR Test-NOT virus!! |
| AVG | 386 | 12.07.2006 | no virus found <--- |
| BitDefender | 7.2 | 12.07.2006 | no virus found |
| CAT-QuickHeal | 8.00 | 12.06.2006 | EICAR Test File |
| ClamAV | devel-20060426 | 12.07.2006 | no virus found <--- |
| DrWeb | 4.33 | 12.07.2006 | no virus found <--- |
| eSafe | 184.108.40.206 | 12.07.2006 | no virus found <--- |
| eTrust-InoculateIT | 23.73.79 | 12.07.2006 | EICAR_test_file |
(for some reason, VirusTotal stopped scanning those files before the end of the analysis)
Not looking good, eh?
Anyway, even though this trick will fool most virus scanners, your client still needs to be able to decode it, which isn't always possible; but Outlook didn't mind at all and opened my second mail, while McAfee VirusScan Enterprise 8.0.0 stayed quiet.
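The RFC 2045 rule at the heart of this, as an added example (not Weimer's script and not code from this post): a strict decoder that gives up on the first non-alphabet byte, beside a compliant one that drops such bytes the way a mail client does, with a toy signature check run over both. The EICAR sample, the interleaved test vector and the function names (`strict_decode`, `rfc2045_decode`, `scan`, `interleave`) are all constructed here.

```python
import base64
import re
from typing import Callable, Optional

# Constructed sample: the EICAR test string that every scanner in the tables keys on.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ENCODED_EICAR = base64.b64encode(EICAR)

# RFC 2045 section 6.8: only A-Z, a-z, 0-9, '+' and '/' carry data; '=' is padding.
NON_ALPHABET = re.compile(rb"[^A-Za-z0-9+/=]")


def strict_decode(body: bytes) -> Optional[bytes]:
    """Decoder that rejects any byte outside the alphabet. Returns None for an
    'undecodable' part, which is how a fooled scanner ends up scanning nothing."""
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def rfc2045_decode(body: bytes) -> bytes:
    """Decoder that ignores every byte not in the alphabet, as RFC 2045 requires.
    Mail clients decode this way, so a scanner must normalise the same way to see
    what the client will see."""
    return base64.b64decode(NON_ALPHABET.sub(b"", body))


def scan(body: bytes, decoder: Callable[[bytes], Optional[bytes]]) -> str:
    """Toy signature check: 'detected', 'clean', or 'undecodable' (nothing scanned)."""
    data = decoder(body)
    if data is None:
        return "undecodable"
    return "detected" if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data else "clean"


def interleave(encoded: bytes, junk: bytes = b"\r\n#-", every: int = 7) -> bytes:
    """Builds the constructed test vector: non-alphabet bytes inserted between runs of
    real Base64 characters, exactly what a compliant decoder must drop."""
    return junk.join(encoded[i:i + every] for i in range(0, len(encoded), every))


if __name__ == "__main__":
    tricky = interleave(ENCODED_EICAR)
    for name, decoder in (("strict", strict_decode), ("rfc2045", rfc2045_decode)):
        print(f"{name:8} plain={scan(ENCODED_EICAR, decoder):12} tricky={scan(tricky, decoder)}")
```

A scanner that normalises with `rfc2045_decode` before matching sees the same bytes Outlook did; one behaving like `strict_decode` reports nothing for the second mail.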