________________________________________________________________________

                 From the low-hanging-fruit-department
             Bitdefender generic evasion of heuristics (for PDF)
________________________________________________________________________

CHEAP Plug :
************************************************************************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************************************************************************

Release mode: Coordinated but limited disclosure.
Ref         : [TZO-23-2009] - Bitdefender generic PDF evasion (heuristics)
WWW         : http://blog.zoller.lu/2009/04/advisory-bitdefender-generic-evasion.html
Vendor      : http://www.bitdefender.com
Status      : Patched (with sig update after 13.05.2009)
CVE         : none provided
Credit      : none 
OSVDB vendor entry: none [1]
Security notification reaction rating : good
Notification to patch window : 5 days

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Bitdefender Antivirus 2009 
- Bitdefender Internet Security 2009 
- Bitdefender Total Security 2009 
- Bitdefender Small Office Security 
- Bitdefender for Fileservers 
- Bitdefender for Samba
- Bitdefender for Sharepoint 
- Bitdefender Security for Exchange 
- Bitdefender Security for Mailservers 
- Bitdefender for ISA Servers 
- Bitdefender Client security 

Bundles:
- BitDefender Business Security 
- Bitdefender Antivirus for Unices 
- Bitdefender Corporate Security 
- Bitdefender SBS Security 

I. Background
~~~~~~~~~~~~~
Quote: "BitDefender™ provides security solutions to satisfy the protection requirements 
of today's computing environment, delivering effective threat management for 
over 41 million home and corporate users in more than 100 countries. BitDefender, 
a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices in 
Tettnang, Germany, Barcelona, United Kingdom, Denmark, Spain and 
Fort Lauderdale (FL), USA."


II. Description
~~~~~~~~~~~~~~~
The heuristics can be bypassed by a special formatted PDF "container", this
leads to the bypass of malicious PDF files, old or new. This is not a 
bypass that relies on archive structures but relies on evading certain 
code paths in the AV engine "through various means".


III. Impact
~~~~~~~~~~~
To know more about the impact and type of "evasion", I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

Interestingly this opens the possibility to evade at scan time and
run-time.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
08/05/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date.
                         
13/05/2009 : Bitdefender notifies my that the patch was deployed.


[1]
Bitdefender is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/SOFTWIN to facilate communication and reduce lost reports.