ClamAV joins Google Summer of Code

April 30th, 2006 Posted by - webmaster

Summer of Code 2006 is a program sponsored by Google that offers student developers stipends to create new open source programs or to help currently established projects.
The ClamAV project is happy to join this event and get help from emerging developers to quickly implement some of the features currently on our TODO list.

Google will give 5000 USD per accepted student, of which 4500 USD goes to the student and 500 USD to the mentoring organization.
Students who wish to join the program and help the ClamAV project will be paid 500 USD upon acceptance of their application, 2000 USD mid-program (assuming they have made sufficient progress on the project), and 2000 USD at the close of the program (assuming they have completed the project).

Quoting from http://code.google.com/soc/studentfaq.html#1:

Summer of Code 2006 is a program that offers student developers stipends to create new open source programs or to help currently established projects. Google will be working with a variety of open source, free software, and technology-related groups to identify and fund several hundred projects over a three-month period.

ClamAV provides three individual project mentors to give guidance to students as they work through their proposals: Tomasz Kojm, aCaB and Luca Gibelli (their contact details are available on the team page).

Here is a pool of project ideas for students to choose from:

  • E-mail worm heuristics: design and implement static heuristic detection for e-mail worms based on a support vector machine or another kernel-based classifier. The system should use libclamav’s mechanisms to obtain feature vectors from input data.
  • VBS/VBA or JS code emulator: many script viruses (and especially polymorphic ones) could be easily detected with an emulator. Implement a VBS, VBA or JS emulator and integrate it with the ClamAV engine.
  • Generic phishing detector: implement a generic phishing detection module based on URL spoofing detection. Details with phishing examples will be provided to the student.
  • Implement new features in clamd:
    • Add support for ICAP (http://www.i-cap.org)
    • Collect information about malware analyzed by clamd. Add a STAT command to clamd to fetch this information and use it to produce a detailed report. Ultimately it should be possible to get an idea of how fast some malware is spreading and which path it follows.
  • Various archivers: add support for accessing the content of archives compressed with ARJ, LZH/LHA, ARC and ACE without the need to call an external decompressor, thus saving a lot of resources. Open source implementations of these archivers are already available for the UNIX platform.
  • Unpackers: malware is often encrypted with packers. Supporting more packers increases the chances to detect malware. Support for the following packers is needed: MEW and U Pack.

ClamAV provides 100% detection for W32.Polipos.A

April 30th, 2006 Posted by - webmaster

W32.Polipos.A is a complex polymorphic virus infecting 32-bit Windows executables. The virus uses advanced techniques, such as entry point obscuring, to make detection harder. It can also spread via P2P networks and contains routines directed against security software.

Extensive tests in our secure environments showed that ClamAV 0.88.2 was able to detect 100% of W32.Polipos.A infections without producing a single false positive alert.

Security fixes in 0.88.2

April 29th, 2006 Posted by - webmaster

CVE: CVE-2006-1989
Status: Moderate risk
Vulnerable: ClamAV 0.80 – 0.88.1

Freshclam is a command line utility responsible for downloading and installing virus signature updates. One of its features is an HTTP client that downloads files from web servers. A security vulnerability in the protocol code was discovered independently by Ulf Harnhammar and an anonymous researcher from Germany.

The problem exists due to the lack of a proper check on the size of the header data received from a web server:


int get_database(const char *dbfile, int socketfd, const char *file, const char *hostname, const char *proxy, const char *user, const char *pass) {
        char cmd[512], buffer[FILEBUFF], *ch;
[...]
    /* read all the http headers */
    ch = buffer;
    i = 0;
    while (1) {
        /* recv one byte at a time, until we reach \r\n\r\n */
        /* i is never compared against FILEBUFF, so a server that sends more
           header bytes than fit in buffer writes past the end of this stack array */
        if(recv(socketfd, buffer + i, 1, 0) == -1) {
[...]

The code assumes the total size of the headers returned by the web server is smaller than 8 KB (the size of the stack buffer), but nothing enforces that assumption: i is incremented for every byte received and never compared against FILEBUFF, so a server that sends more header data than that overwrites the stack beyond the buffer. A specially prepared HTTP server could therefore be used by an attacker to exploit freshclam clients connecting to the database mirror. The bug was classified as moderate risk.

The ClamAV project uses a large number of database mirrors grouped into round-robin DNS records, and in most cases the system consults the GeoIP database to redirect users to the closest pool of mirrors. Remote exploitation (denial of service) can be achieved by changing the configuration of one of these mirrors to run a special web server that returns oversized header data, or by pointing freshclam at a bogus mirror, e.g. by means of DNS poisoning. Remote execution of arbitrary code is not easy due to the diversity of client platforms and architectures.
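The missing piece in the loop above is a bound on i. The following is an added example, not freshclam's own code or the project's fix: it keeps the one-byte-at-a-time read until "\r\n\r\n" but stops at the buffer size, and it is driven by a constructed in-memory stream in place of a socket so it runs offline. FILEBUFF = 8192, the fake_sock type, fake_recv() and the two demo functions are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumption: freshclam's header buffer is 8 KB, as the text states. */
#define FILEBUFF 8192

/* Constructed in-memory stand-in for a socket so the example runs offline.
 * fake_recv() hands out one byte per call, like recv(fd, buf, 1, 0) in the
 * original loop, and returns 0 when the "peer" has nothing more to send. */
struct fake_sock {
    const char *data;
    size_t len;
    size_t pos;
};

static int fake_recv(struct fake_sock *s, char *out)
{
    if (s->pos >= s->len)
        return 0;               /* connection closed */
    *out = s->data[s->pos++];
    return 1;
}

/* Hardened header reader. Reads one byte at a time until "\r\n\r\n" is seen,
 * exactly like the vulnerable loop, but never stores more than bufsize - 1
 * bytes. Returns the number of header bytes stored (NUL terminated in
 * buffer), or -1 if the headers are too long for the buffer or the
 * connection closes before the terminator arrives. */
int read_http_headers(struct fake_sock *s, char *buffer, size_t bufsize)
{
    size_t i = 0;

    while (1) {
        /* The bound check the original code lacked; keep room for the NUL. */
        if (i + 1 >= bufsize)
            return -1;
        if (fake_recv(s, buffer + i) != 1)
            return -1;
        i++;
        if (i >= 4 && memcmp(buffer + i - 4, "\r\n\r\n", 4) == 0) {
            buffer[i] = '\0';
            return (int)i;
        }
    }
}

/* Constructed sample: a benign response. The headers are 38 bytes and the
 * first body byte after them must remain unread in the stream. */
int demo_normal_header(void)
{
    const char *resp = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
    struct fake_sock s = { resp, strlen(resp), 0 };
    char buffer[FILEBUFF];
    int n = read_http_headers(&s, buffer, sizeof buffer);

    if (n < 0 || s.pos != (size_t)n)
        return -1;              /* reader over- or under-consumed the stream */
    return n;
}

/* Constructed sample: a malicious server pads one header line so the header
 * block exceeds FILEBUFF before "\r\n\r\n" arrives. The vulnerable loop would
 * keep writing past buffer[FILEBUFF - 1]; the hardened reader stops at the
 * bound and reports -1 instead. */
int demo_oversized_header(void)
{
    static char resp[FILEBUFF + 1024];
    const char *prefix = "HTTP/1.1 200 OK\r\nX-Pad: ";
    size_t plen = strlen(prefix);
    size_t pad = sizeof resp - plen - 4;
    struct fake_sock s;
    char buffer[FILEBUFF];

    memcpy(resp, prefix, plen);
    memset(resp + plen, 'A', pad);
    memcpy(resp + plen + pad, "\r\n\r\n", 4);
    s.data = resp;
    s.len = sizeof resp;
    s.pos = 0;
    return read_http_headers(&s, buffer, sizeof buffer);
}

int main(void)
{
    printf("benign headers: %d bytes\n", demo_normal_header());
    printf("oversized headers: %d (rejected)\n", demo_oversized_header());
    return 0;
}
```

Rejecting the response outright, rather than silently truncating it, is the safer choice for an updater: a truncated header block would leave the status line and Content-Length in an ambiguous state, and a legitimate mirror has no reason to send 8 KB of headers.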

Security company announces defense against already fixed bug

April 13th, 2006 Posted by - webmaster

On April 12, the security company SonicWALL announced Day Zero protection against a vulnerability in Clam AntiVirus. The press release (see: http://biz.yahoo.com/prnews/060412/sfw078.html?.v=47) bewildered ClamAV developers. The problem described in the press release was… already fixed in the 0.88.1 version of ClamAV published on April 4. Moreover, it was ranked by the Clam AntiVirus programmers as low risk.

Information about “Clam AntiVirus Win32-UPX Heap Overflow” was posted to bugtraq (url: http://seclists.org/lists/bugtraq/2006/Apr/0174.html) on April 6 by a member of the security group Overflow.pl. It described a potential heap overflow in the UPX unpacker. In its press release, SonicWALL failed to mention that the bug was already fixed and, what is even more important, that the problem was impossible to exploit on properly configured systems. In fact, only ClamAV installations with archive scan limits completely disabled were vulnerable to the heap overflow; such incorrectly configured systems were at the same time vulnerable to many other attacks, such as archive bombs.

It’s the opinion of the Clam AntiVirus authors that security companies and researchers should take more care about the information they publish.
The ClamAV project always offers them help in understanding its internals.