AntiVirus Products Fail to Find Simple IE Malware 190
SkiifGeek writes "Didier Stevens recently took a closer look at some Internet Explorer malware that he had uncovered and found that most antivirus products that it was tested against failed to identify the malware through one of the most basic and straight forward obfuscation techniques — the null-byte. With enough null-bytes between each character of code, it is possible to fool all antivirus products (though additional software will trap it), yet Internet Explorer was quite happy to render the code. Whose responsibility is it to fix this behavior? Both the antivirus / anti-malware companies and Microsoft's IE team have something to answer for."
Re:As much as I hate Microsoft... (Score:5, Insightful)
The code should damn well work, or not run at all.
AntiViruses aren't designed to catch malware (Score:4, Insightful)
If the program does crap but it secretly said in the EULA it'd do crap and you were too dumb to notice, AVs are not going to stop it.
If the program is a resource hog, or spies on you in ways you'd never want but which nontheless are not illegal by law, AVs won't stop it.
If the program serves you so much ads your dual-core behaves like a 486DX, AVs damn well aren't going to stop it, or they'll get sued by the owner of said program.
AVs are only designed to, and will only attempt to fight, programs that fall into clearcut and outright illegal definitions (wipes your disk data, installs a backdoor to your root, uses your computer as a bot in a zombie network, etc).
If you want to fight stuff like adware, spyware, slowware, and other crapware that does not fall for the fairly strict definition of outright malignant viruses/trojans, get something like AdAware or SpyBot or something else. AVs won't do the trick.
Re:Obvious (Score:5, Insightful)
Malware detection and elimination programs are the last line of defense. At this point you've already taken it as a given that your applications and operating system are too stupid not to completely trash themselves, so a third party has to step in and protect the system. And in this situation, they're too stupid. It's a whole culture of incompetence, topped off by ignorant users.
Re:As much as I hate Microsoft... (Score:3, Insightful)
Re:Obvious (Score:4, Insightful)
We get all these deals with malformed images, etc, where the browser interprets code embedded in an image...That means it's handler routine went, "Okie dokie, rendering an image...okay this image is really code, what the hell, lets just execute the code." W. T. F? That should never happen. It should absolutely refuse to interpret anything that is called with an inappropriate handler. That's just a no brainer.
There will always be a way to obfuscate code to make it look like something else for long enough to get it in the door. You can stop this by refusing to handle things that aren't what they appear to be, and then allowing fine-grained controls on things that are what they appear to be.
Disabling Script? (Score:5, Insightful)
Re:Regex (Score:3, Insightful)
If you do, we're hiring.
Seriously, do you really think this is due to simple neglect? AV tools have to be a lot of things, and one of them is tiny and fast. Else users will get angry. You can't simply use 500 megs of ram or take 10 seconds to scan a file. And yes, just a regex implementation won't swallow 500 megs. But it doesn't end there. You have a ton of other things to do, run a decryption machine, run an unpacker, do a pattern match, calculate a checksum, some even emulate the file if it's executable. And all that has to happen in no ram and no time. And you should on the side be able to detect what kind of beast you're currently parsing, so you handle it correctly.
In a normal tool, using a few 100 megs is no big thing. You'll be done sooner or later and the user actually wants what you're doing, because he starts the program and is aware that something like this will most likely happen. An AV tool should be most of all (at least in the mind of many users) invisible and not interfere with their normal operations.
Re:Browsers are far too forgiving (Score:5, Insightful)
There is valid and invalid HTML, there is no "acceptable" gray area.
IMO, browser tolerance for bad HTML is part of what got us into this mess. IE takes this to an unnecessary extreme. As a consequence, many de[velop|sign]ers failed to actually learn HTML (properly, if at all), and think XHTML is hard because it has rules.
Give Adobe a little break, they've only owned Macromedia for a couple years. It's Macromedia's fault for producing what competent developers know is a shoddy tool.
If language compilers, databases, or any other critical software were as forgiving as browsers are, the IT industry would be a shadow of what it is.
Where to begin (Score:2, Insightful)
- Microsoft should not endow bad HTML with processing
- AV software should use the same bad techniques that browsers use to evaluate code
- A large mass of web content was developed by amateurs who published broken code
Doesn't it seem we are chasing after the wind here? Bad code leads to worse code leads to unmanageable chaos. Why are we still looking at this from a denial standpoint. Winblows major flaw is its security stance, "Everything is permitted except that which is expressly denied". No other system every developed on the planet is such a whore. The correct stance is, "Everything is DENIED except that which is expressly allowed - and I don't trust 'you'".
Personally I think browsers should NOT be forgiving. Why should something so broke as to violate the language syntax work in any way? Why leave room in our 'allow' statements for someone with a brain to get by our defenses? Why should we continue to support amateur developers, amateurish code and web development shops populated with high school dropouts who've taken a class at the community college?
Why is this industry the only one wherein someone without merit can enter unfettered into the marketplace, and publish. Why don't we have more respect for our own industry then that?
We need a guild.
Dennis Dumont
Re:Halting Problem (Score:3, Insightful)
The other way you can update several apps is when they share a common base library. This helps in that you update several apps when you update the lib, but has a downside that several apps, maybe each with different attack vectors, are vulnerable until you do.
Re:Duh. (Score:3, Insightful)
Pity the newbies can't see that it's better to have compile errors rather than run time errors. Scripting languages appear easier, but try writing a big application with them and you'll see the real value strict rules
How DOES one become infected? (Score:2, Insightful)