Email scanner blind to MIME-coded attachments
Hendrik Weimer has released a bug report in which he describes how viruses in mail attachments can be smuggled past virus scanners. His process involves encoding a test virus, EICAR, using Base64 and then injecting symbols into it that are not part of the standard character set for MIME-Base 64, such as white spaces. By default, these kinds of symbols should be ignored by programs processing them--although scanners should nevertheless be able to recognise viruses modified in that way. Yet not every scanner is able to do so. They are particularly baffled when the files are wrapped into one or more layers of multipart/mixed content.
The email check on heise Security demonstrates the problem. Users can utilize it to test whether their own scanner recognises the specially prepared file. This test does not use multiple wrapped MIME parts though. You can use a perl script supplied by Weimer to generate this kind of mails.
Weimer only tested scanners on mail gateways: BitDefender Mail Protection for SMB 2.0, ClamAV 0.88.6, F-Prot Antivirus for Linux x86 Mail Servers 4.6.61 and Kaspersky Anti-Virus for Linux Mail Server 5.5.10 failed to recognise a prepared Eicar file. This is remarkable, not least because, as Weimer notes, this kind of disguising act has been known about for quite some time now. As an example, Darren Bounds demonstrated how infected images could be snuck past a scanner using special encoding. NUL symbols can also be used to trick security software.
Linux/Unix Servers 2.0.0 fared better against the rigged files in Weimer's test. While F-Secure Anti-Virus for Linux Gateways 4.65 failed to recognise the data, it nevertheless interrupted delivery because the mail could not be scanned.
- Bypassing Virus Scanners Using MIME Encoding Tricks, bug report from Hendrik Weimer
- Demo in Emailcheck from heise Security