Forgot your password?
typodupeerror
Internet Explorer The Internet Security

AntiVirus Products Fail to Find Simple IE Malware 190

Posted by ScuttleMonkey
from the no-surprise-here dept.
SkiifGeek writes "Didier Stevens recently took a closer look at some Internet Explorer malware that he had uncovered and found that most antivirus products that it was tested against failed to identify the malware through one of the most basic and straight forward obfuscation techniques — the null-byte. With enough null-bytes between each character of code, it is possible to fool all antivirus products (though additional software will trap it), yet Internet Explorer was quite happy to render the code. Whose responsibility is it to fix this behavior? Both the antivirus / anti-malware companies and Microsoft's IE team have something to answer for."
This discussion has been archived. No new comments can be posted.

AntiVirus Products Fail to Find Simple IE Malware

Comments Filter:
  • by Anonymous Coward on Monday October 29, 2007 @03:22PM (#21160387)
    simply remove IE?
    I mean... that's the definition of malware.
  • Duh. (Score:5, Informative)

    by SatanicPuppy (611928) * <Satanicpuppy&gmail,com> on Monday October 29, 2007 @03:24PM (#21160431) Journal
    It's microsofts responsibility. I've said it before, and I'll say it again, "Interpreting broken code is a security weakness." Yes it makes things easier for amateur developers(developers, developers) but it's a huge security problem to have a system in place that malware writers can be sure will interpret a piece of innocuous gibberish into a functioning piece of malware.

    Java is a good example of this. Java doesn't interpret crap. It is what it is, and it doesn't give a crap if it works or not. It's strongly typed, it's picky as hell about variable initialization...It's a bitchy language for newbies, because it's unforgiving of the most meek typos.

    I don't think java is the end all be all...It's certainly not friendly to develop in, and that's given scripting languages (hello php) a huge advantage in the marketplace...Much the same as with unix and microsoft, so it's not surprising to see them continuing down their path.

    But in the end, you've got to embrace some maturity and stop bottlefeeding your developers and make them fix their damn code when it doesn't conform to a normal standard.
    • Re: (Score:2, Interesting)

      by pak9rabid (1011935)
      I don't think java is the end all be all...It's certainly not friendly to develop in

      Compared to what, English?
    • by N7DR (536428)
      I've said it before, and I'll say it again, "Interpreting broken code is a security weakness." Yes it makes things easier for amateur

      Which is exactly why I've always maintained that the Postel rule that one should "be conservative in what one sends and liberal in what one accepts" (or words to that effect) might possibly have made some sort of sense in the environment in which Postel first coined it but makes no sense whatsoever in today's Internet. In anything in which security matters (which pretty mu

      • by SL Baur (19540)
        Postel wasn't wrong then and he isn't wrong now, but common sense must be applied. The problem as I see it is that first Netscape (introducing javascript) and then Microsoft (with ActiveX) got people used to executable content and that's always been an unwise thing to do. Unshar was written for a reason - it's not safe to run scripts off the wire even when they're coming from comp.sources.unix.

        In the absence of executable content it makes sense to attempt to render something in the face of malformed HTML.
    • Re: (Score:3, Insightful)

      by edxwelch (600979)
      > It's a bitchy language for newbies, because it's unforgiving of the most meek typos.

      Pity the newbies can't see that it's better to have compile errors rather than run time errors. Scripting languages appear easier, but try writing a big application with them and you'll see the real value strict rules
      • by Eivind (15695)
        Are you another one of those guys that confuse -strict- typing with -static- typing ? One ain't the other... Besides, the problems mentioned in this article, aswell as most hard-to-find errors are *neither* compile-time nor run-time failures of datatypes. They're logic-errors and/or race-conditions.
    • by DrSkwid (118965)
      There's another name for broken code: data.
    • by Eivind (15695)
      I think you're overstating the advantage of static typing, and possibly confusing it with *strict* typing. Static, compile-time typing would do diddly-squat to alleviate problems such as these.

      AV-scanner fail to recognize "da\0nger" as "danger" is by design. The two *aren't* the same afterall. IE choosing to interpret the second as the first is also not due to a lack of static typing in the language used to write IE. (I'd guess mostly C++)

      The dilemma is that the web is horribly broken. A browser that flat-o
      • The fixable bug though is whatever made it possible to infect a Windows-machine simply as the result of the user viewing a webpage.

        But the Microsoft paradigm is that an application isn't "useful" unless it "owns" the entire OS and machine. After all, why else would Office have been the Microsoft Virus Developer's Kit for so many years? Why else would Microsoft have created ActiveX, which by its very nature opens the contents of your computer to every Web page? Why else would they have literally opened th
        • by Eivind (15695)
          I never got that. The click-click-click I mean. Do they honestly imagine people read these ? Much less that people are capable, even if they bothered trying, to determine what is safe and what isn't ?

          For that matter, that dialogue mainly comes when the user have *already* double-clicked a exe-file, or similar, at which point the user has -already- decided that -yes- he/she wants to let that app run. (if that is safe or not is an entirely different matter)

          I actually think it makes security -worse-. People ge
  • by Pharmboy (216950) on Monday October 29, 2007 @03:28PM (#21160461) Journal
    0×00
    0×00
    0×00
    del /p /s c:\
    0×00
    0×00
    0×00

    Look at me, I'm a virus writer! w00+!

    But seriously, is this really that hard of a problem to fix? AV can't ignore 0×00 when scanning and just read the actual code for what it is?
  • by SamP2 (1097897) on Monday October 29, 2007 @03:29PM (#21160471)
    Sure, AVs operate on a practically outdated concept of finding "true" viruses, trojans, etc. Sure, you may use that as a good premise saying that AVs are either inadequate or outright useless.

    If the program does crap but it secretly said in the EULA it'd do crap and you were too dumb to notice, AVs are not going to stop it.

    If the program is a resource hog, or spies on you in ways you'd never want but which nontheless are not illegal by law, AVs won't stop it.

    If the program serves you so much ads your dual-core behaves like a 486DX, AVs damn well aren't going to stop it, or they'll get sued by the owner of said program.

    AVs are only designed to, and will only attempt to fight, programs that fall into clearcut and outright illegal definitions (wipes your disk data, installs a backdoor to your root, uses your computer as a bot in a zombie network, etc).

    If you want to fight stuff like adware, spyware, slowware, and other crapware that does not fall for the fairly strict definition of outright malignant viruses/trojans, get something like AdAware or SpyBot or something else. AVs won't do the trick.
    • "installs a backdoor to your root"

      Unless, of course, it was distributed by a company as big or bigger than Sony. On that case, the distributor can make a deal with the AV so it is not stopped.

  • by Kazrath (822492) on Monday October 29, 2007 @03:33PM (#21160541)
    His screenshot stops at F and is in alphabetical order. Did this guy forget to press "next" and see the remaining of the 32 that detected it? Or are only the antivirus programs with names that start with the first 7 or so characters able to catch this neat trick?

    I think possibly the article is bogus or poorly researched.

  • by pembo13 (770295) on Monday October 29, 2007 @03:34PM (#21160563) Homepage
    It's my observation that people do not complain as much when they pay or at least appear to pay, for a piece of software such as Norton Anti-Virus on IE (comes with Windows). It could just be due to different demographics, but people seem to complain a lot more when the piece of software is freeware, or FOSS. So in this case, being Norton and Microsoft, I don't expect any complaints outside of 50% of Slashdotters.
    • That's because Norton works by being the mother of all viruses. It works by making your system appear infected even when it isn't. In this way, when the user encounters an actual wild virus, they are already used to the endless barrage of popups, random disk accesses and inexplicable system slowdowns. Thus, a virus has little effect on a Norton infected computer, and the user merrily plows away on their minesweeper highscore while the botnet bolsters third world economies. A win-win situation!.
  • Regex (Score:2, Interesting)

    by I'm a banana (1139431)
    Haven't these AV people heard about Regular Expressions ?
    • Re: (Score:3, Insightful)

      by Opportunist (166417)
      They have. Do you have a RegEx implementation that doesn't make the machine grind to a halt while allocating a ton of ram? Especially when said RegEx machinery is supposed to do it with EVERY SINGLE file you touch?

      If you do, we're hiring.

      Seriously, do you really think this is due to simple neglect? AV tools have to be a lot of things, and one of them is tiny and fast. Else users will get angry. You can't simply use 500 megs of ram or take 10 seconds to scan a file. And yes, just a regex implementation won't
  • by Bayashi Maru (1101269) on Monday October 29, 2007 @03:41PM (#21160657)
    Its the virus writers! Why can't they just help out now and again? I mean, is it that hard to remove the null bytes? Would it take them *that* long? Seriously guys - pitch in for once?
  • by Animats (122034) on Monday October 29, 2007 @03:55PM (#21160805) Homepage

    Browsers are incredibly forgiving of bad HTML. Worse, the definition of "acceptable HTML" is undocumented, both for IE and Firefox. We discovered this writing Sitetruth [sitetruth.com]'s parser. We started out with BeautifulSoup [crummy.com], which is supposed to be a "forgiving" HTML parser. By browser standards, it's not; we had to make some improvements. Here are some things that show up in real-world HTML:

    • Incorrectly terminated HTML comments These are so widespread that you have to handle them, or entire web pages are sucked into unterminated comments.
    • Unescaped spaces in URLs Spaces in URLs are supposed to be escaped, but there are A tags out there using URLs with spaces.
    • Unescaped CR/LF within a URLThis is rare, and invalid, but multiline URLs are out there. Usually in hostile code.
    • Unicode URLs I've seen a Unicode "Pi" symbol, unescaped, in a URL in a UTF8 document. This was on a phishing site, so it was probably there because it broke some security product.

    Part of the reason for the growth in bad HTML is that Adobe seems incapable of making a version of Dreamweaver that consistently generates correct HTML for anything later than HTML 3.2. (Create a moderately complex page in Dreamweaver 8 in HTML 4.x or XHTML mode, and run it through a validator. It will fail.) If the best tools can't get it right, why should anybody else?

    Since real world HTML parsing is ambiguous, and bad HTML is widespread, differences between browser parsers and other tools can be exploited as security holes.

    • by Dracos (107777) on Monday October 29, 2007 @04:49PM (#21161601)

      There is valid and invalid HTML, there is no "acceptable" gray area.

      IMO, browser tolerance for bad HTML is part of what got us into this mess. IE takes this to an unnecessary extreme. As a consequence, many de[velop|sign]ers failed to actually learn HTML (properly, if at all), and think XHTML is hard because it has rules.

      Give Adobe a little break, they've only owned Macromedia for a couple years. It's Macromedia's fault for producing what competent developers know is a shoddy tool.

      If language compilers, databases, or any other critical software were as forgiving as browsers are, the IT industry would be a shadow of what it is.

      • Give Adobe a little break, they've only owned Macromedia for a couple years. It's Macromedia's fault for producing what competent developers know is a shoddy tool.

        I'm inclined to agree, especially from my web-monkey days, where I found Dreamweaver with or w/o
        Adobe influence to be the least "offensive".

        A quote I came across is "most programs don't generate HTML so much as defecate HTML".

        Hence DW being the least offensive, say compared to Indesign (IIRC) and $deity forbid that which
        spews from word processors

      • by sjames (1099)

        Actually, any interoperable program SHOULD be tolerant of ill formed input and make a 'best effort' to do something reasonable with it. The problem is that they are not tolerant enough! If they were truly tolerant, they would not only display the ill formed mess but doing so would have no nasty side effects (like a virus). Allowing a viral infection is not a case of doing something reasonable.

        Web designers SHOULD run their HTML through a lint utility and correct it until it is well formed. However, since

    • by Eivind (15695)
      I'm all with you on Adobe. All their products suck donkey-balls on generating code even close to valid.

      Make a Flash in flash-designer and use the "generate flash-snippet" function, you get a snippet of supposed HTML that is valid in NO version of HTML whatsoever. Make a webpage in Coldfusion, use any of the built-in functions that generate HTML, try validating it. You get errors, typically on every single line of generated html.

      I agree. If so-called "professional" tools can't get close to doing it right, we
  • The Blame Game (Score:2, Interesting)

    by Corlynn (1180199) *

    I'm honestly not sure who I hold accountable for this. IE for arbitrarily saying that <script> is the same as <sc0x00ript>, or Anti-virus/malware/junk/whatever programs for not REALIZING that IE is going to treat it that way, thus they damn well better check that way.

    If you're going to claim to detect stuff, know the system you're supposedly working with, and WORK. and if something doesn't look like the code you expect, DON'T EXECUTE IT. but no. Microsoft knows best. Shiny graphics and easy

  • This is not news... (Score:3, Interesting)

    by tkrotchko (124118) * on Monday October 29, 2007 @04:10PM (#21161023) Homepage
    Consumer Reports came to this conclusion over a year ago. Here's some free synopsis of the the controversial issue where they used virus kits to make variants of existing viruses to determine how good virus scanners are.

    http://www.dvorak.org/blog/?p=6674 [dvorak.org]

    http://redtape.msnbc.com/2006/08/consumer_report.html [msnbc.com]

    Anti-virus software actually used to work much better, but I think that the variants have grown to such a large number it's more difficult. The cynic in me says that the virus makers do simple fingerprint based updates simply because it requires you to keep your yearly subscription up to date.

    I think they add almost no value, but on the other hand, people will happily run viruses if you tell them it's the latest picture of Brittany.
    • by jotok (728554)
      Having consulted for an antivirus vendor...

      I think you're generally right. AV needs to evolve, and fast, to continue providing value to customers. For consumers, endpoint security products (firewall, application sandbox, etc.) seem far more important today.

      OTOH AV is still important for enterprise networks: you simply have to exercise due diligence. Or you can try explaining to the shareholders why it was possible for some doofus intern to bring Welchia in on a diskette and cripple operations for a coupl
  • by Conspicuous Coward (938979) on Monday October 29, 2007 @04:42PM (#21161501)

    This kind of thing is going to be an issue with all signature based AV detection. Changing a few bytes that won't alter the execution of the script/binary will change the signature the AV sees.

    In this case it might be fairly easy to program the AVs engine to ignore null bytes in HTML, but how hard would it be to make other minor changes to the code that don't alter the execution but do change the signature. This kind of scanning will only ever catch copy/paste type exploits.

    The AV simply doesn't know what bytes are significant, probably inserting a few NOPs or at most recompiling with minor code changes will slip most viri/trojans past signature based scanners, and I don't see how it could really be otherwise without making AV software orders of magnitude more complex and resource hungry than it already is.

    You can blame the AV companies, but there's a limit to how effective signature based AVs can be, and using detection based on behavior generally requires the user to know something about what the hell their PC is actually supposed to be doing in the first place, which would make it useless for precisely the users who most need AV protection.

    As I'm sure many have said before AV software is a sticking plaster over a gaping wound, if your browser decides to execute untrusted code from the internet with full privileges no amount of AV software out there will save you from getting owned.

  • Can we not (we being the non-MS using, slightly knowledgeable IT crowd) start some sort of *nix Certificate Services? If everyone on the Net used IPSec, with certificates as authentication (preferably that weren't compatible with Windows), we could have a "secure" net, and a non-secure one. FreeSWAN with their try-and-look-up-keys-in-DNS or something.
    My machine will talk to your machine, only if you've got one of these certificates.
    • If you don't use MS products, why would IE-only exploits bother you enough to want a "separate" internet?

      Admittedly, I don't use Windows (or Linux or Mac for that matter) for anything except gaming and testing my rootkits), but I enjoy the fact that most people use Windows. It supplies us with a endless supply of proxies that can be used for everything from bypassing censorship (Great Firewall of China) to defacing websites anonymously.

      I enjoy the chaotic, evil internet.
  • Why can't the AV find the malware? I can find it WITHOUT AV! *points to the big blue "E"*
  • Where to begin (Score:2, Insightful)

    by DFDumont (19326)
    There are so many implications herein and many of you have already picked up on them:
    - Microsoft should not endow bad HTML with processing
    - AV software should use the same bad techniques that browsers use to evaluate code
    - A large mass of web content was developed by amateurs who published broken code

    Doesn't it seem we are chasing after the wind here? Bad code leads to worse code leads to unmanageable chaos. Why are we still looking at this from a denial standpoint. Winblows major flaw is its security st
  • Sleepy (Score:3, Funny)

    by mqduck (232646) <mqduck@mqAAAduck.net minus threevowels> on Monday October 29, 2007 @07:03PM (#21163729)

    With enough null-bytes
    Is that like how if you add up enough zeros you eventually get one?

    No, I haven't the slightest clue what I'm talking about.
  • Seriously, sometimes I wonder what people do to get so 'infected'. Aside from tracking cookies, neither Kaspersky, AdAware nor Spybot S&D has reported any infection in about 8 years (it was ofcourse not always those products). 'Shitlist' email from people you don't know, don't open attachments, don't go to shady sites, get behind a NAT and/or run a decent firewall, and you're pretty safe.
  • MSIE *AND* so-called "AntiVirus" products *are* malware themselves. Obviously the 'it takes one to know one' argument just lost some validity.
  • I've seen malware get into IE on computers with many different brands of anti virus software, I would say this is old news. What's most worrying is that there are plenty of USB disk viruses that exploit autorun that also seem to beat these anti virus software. I've seen AVG, Kaspersky , Mcaffe, Norton and Panda failing to detect a worm that has infected my brother's windows partition thrice (I have to clean it myself which takes time) (The other anti virus software I have not tested yet)
  • I was reminded how much I hate AV programs this month when I submitted a sample of a virus to an AV vendor, and it took them more than a week to include detection. It was a virus built off another that was in the wild for more than a month. And they still don't detect the Autorun.inf that the virus creates. I sent that file in the sample submission!

The most delightful day after the one on which you buy a cottage in the country is the one on which you resell it. -- J. Brecheux

Working...