Palo Alto ignoring malware > 10MB
I just got a PA-200 patched with PAN-OS 6.0.10 with the latest Threat Prevention and WildFire, so I decided to put it to the test. First, I grabbed Stuxnet from https://tuts4you.com/download.php?view.3011, extracted it and uploaded it to a local web server for testing. PAN-OS was quickly able to identify the malware, protecting me from it.
Perfect. It works and I’m now finally safe from all the dangers the internet has to offer! 😀
Well... we all know that ain’t true.
So, let’s start by modifying the file by appending some dummy 00’s and see if changing the size and checksum will trick the firewall into accepting my file, or at least trigger WildFire to upload it for sandboxing.
Same as before, I’m safe!!!
It was not uploaded to the WildFire database, which means my appended 00’s had no effect at all.
After digging around, I found this: the Palo Alto Networks device only compares the first 1024 bytes of a file, instead of a full checksum. It seems like the first 1024 bytes do not include the PE header, so tampering with meaningless data will not work. I would probably need to modify the code itself to avoid any known checksums, and by doing so PAN-OS would upload the file for sandboxing.
See size limits for sandboxing here: https://live.paloaltonetworks.com/docs/DOC-7418
Oh well, I’m not going to spend this night with IDA and HxD, so I’ll just try to download the last file before I call it a day.
From what I can see, PAN-OS does not check the first 1024 bytes of files that are bigger than 10 MB.
This was also tested with CryptoLocker and Zeus from https://www.grc.com/malware.htm. And yes, they still work.
Magic Number: 10486400 Bytes