AntiVirus Products Fail to Find Simple IE Malware

SkiifGeek writes "Didier Stevens recently took a closer look at some Internet Explorer malware that he had uncovered and found that most antivirus products that it was tested against failed to identify the malware through one of the most basic and straightforward obfuscation techniques — the null-byte. With enough null-bytes between each character of code, it is possible to fool all antivirus products (though additional software will trap it), yet Internet Explorer was quite happy to render the code. Whose responsibility is it to fix this behavior? Both the antivirus / anti-malware companies and Microsoft's IE team have something to answer for."
  • And yet... (Score:1, Interesting)

    by Anonymous Coward on Monday October 29, 2007 @03:21PM (#21160379)
    Despite all the problems, HTML5 is going to have a non-strict parser and more or less requires scripting to be enabled.
  • by jd ( 1658 ) <imipak@ y a hoo.com> on Monday October 29, 2007 @03:30PM (#21160491) Homepage Journal
    The part Microsoft should answer for is having anything that can cause escalation of privileges and breakout from containment. Those are two big no-nos. The rest of the responsibility is entirely that of the anti-virus writers. If they cannot detect polymorphism as simple as adding no-ops, then how can they be relied upon to detect any polymorphic virus other than to have signatures for each and every single one of the forms the virus can take? (Which could, in principle, be damn-near infinite.)
  • by Kazrath ( 822492 ) on Monday October 29, 2007 @03:33PM (#21160541)
    His screenshot stops at F and is in alphabetical order. Did this guy forget to press "next" and see the remainder of the 32 that detected it? Or are only the antivirus programs with names that start with the first 7 or so characters able to catch this neat trick?

    I think possibly the article is bogus or poorly researched.

  • by pembo13 ( 770295 ) on Monday October 29, 2007 @03:34PM (#21160563) Homepage
    It's my observation that people do not complain as much when they pay, or at least appear to pay, for a piece of software such as Norton Anti-Virus on IE (comes with Windows). It could just be due to different demographics, but people seem to complain a lot more when the piece of software is freeware or FOSS. So in this case, being Norton and Microsoft, I don't expect any complaints outside of 50% of Slashdotters.
  • Regex (Score:2, Interesting)

    by I'm a banana ( 1139431 ) on Monday October 29, 2007 @03:40PM (#21160647)
    Haven't these AV people heard about Regular Expressions?
  • Re:Duh. (Score:2, Interesting)

    by pak9rabid ( 1011935 ) on Monday October 29, 2007 @03:56PM (#21160823)
    > I don't think java is the end-all be-all... It's certainly not friendly to develop in

    Compared to what, English?
  • Halting Problem (Score:5, Interesting)

    by starfishsystems ( 834319 ) on Monday October 29, 2007 @03:58PM (#21160843) Homepage
    It was Fred Cohen who first coined the term "virus" in 1984 and showed that determining whether or not a given program is a virus is undecidable, that is, equivalent to the Halting Problem.

    Cohen saw that one implication of this result is that virus detection is an endless arms race. Viruses are free to mutate into an infinite variety of functionally equivalent forms, whereas the process of establishing their equivalence is undecidable.

    We've had this result in front of us for 20 years now. It has always seemed bizarre to me that so much of our focus should therefore be on this futile exercise of closing the barn door after the horse has gone. Surely it makes more sense to design systems based on accepted security principles which reduce the opportunity for infection and contain its effects.

  • by Pharmboy ( 216950 ) on Monday October 29, 2007 @04:00PM (#21160867) Journal
    You can always try this one if you have Perl installed on your winbox (like all real men do). I read somewhere that it will get past most AV software, even McAfee, since it has the magical 255+ null bits. ;)

    #!/usr/bin/perl -w
    # Writes a bogus "executable": 256 lines of the literal text "0x00"
    # followed by a del command, then tries to run it.
    open (FH, ">fun.exe") or die "cannot open fun.exe: $!";
    for ($a = 0; $a < 256; $a++) {      # original read "$a=256", which never terminates
                print FH "0x00\n";      # literal characters, not actual NUL bytes
    }
    print FH "del \/p \/s c:\\\n";
    close(FH);
    exec "fun.exe";
    exit 0;
  • The Blame Game (Score:2, Interesting)

    by Corlynn ( 1180199 ) * on Monday October 29, 2007 @04:03PM (#21160889)

    I'm honestly not sure who I hold accountable for this. IE for arbitrarily saying that <script> is the same as <sc0x00ript>, or Anti-virus/malware/junk/whatever programs for not REALIZING that IE is going to treat it that way, thus they damn well better check that way.

    If you're going to claim to detect stuff, know the system you're supposedly working with, and WORK. And if something doesn't look like the code you expect, DON'T EXECUTE IT. But no. Microsoft knows best. Shiny graphics and ease of use come first. Security... well... we're all still waiting on that**

    **except for those of us who are smart enough to be keeping the HELL away from Microsoft as much as humanly possible anyway.

  • This is not news... (Score:3, Interesting)

    by tkrotchko ( 124118 ) * on Monday October 29, 2007 @04:10PM (#21161023) Homepage
    Consumer Reports came to this conclusion over a year ago. Here are some free synopses of the controversial issue where they used virus kits to make variants of existing viruses to determine how good virus scanners are.

    http://www.dvorak.org/blog/?p=6674 [dvorak.org]

    http://redtape.msnbc.com/2006/08/consumer_report.html [msnbc.com]

    Anti-virus software actually used to work much better, but I think that the variants have grown to such a large number it's more difficult. The cynic in me says that the virus makers do simple fingerprint based updates simply because it requires you to keep your yearly subscription up to date.

    I think they add almost no value, but on the other hand, people will happily run viruses if you tell them it's the latest picture of Brittany.
  • by Conspicuous Coward ( 938979 ) on Monday October 29, 2007 @04:42PM (#21161501)

    This kind of thing is going to be an issue with all signature based AV detection. Changing a few bytes that won't alter the execution of the script/binary will change the signature the AV sees.

    In this case it might be fairly easy to program the AVs engine to ignore null bytes in HTML, but how hard would it be to make other minor changes to the code that don't alter the execution but do change the signature. This kind of scanning will only ever catch copy/paste type exploits.

    The AV simply doesn't know what bytes are significant, probably inserting a few NOPs or at most recompiling with minor code changes will slip most viri/trojans past signature based scanners, and I don't see how it could really be otherwise without making AV software orders of magnitude more complex and resource hungry than it already is.

    You can blame the AV companies, but there's a limit to how effective signature based AVs can be, and using detection based on behavior generally requires the user to know something about what the hell their PC is actually supposed to be doing in the first place, which would make it useless for precisely the users who most need AV protection.

    As I'm sure many have said before AV software is a sticking plaster over a gaping wound, if your browser decides to execute untrusted code from the internet with full privileges no amount of AV software out there will save you from getting owned.
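    The null-byte trick from the summary and Corlynn's `<sc0x00ript>` example, together with Conspicuous Coward's remark that an engine could simply ignore null bytes in HTML, as an added example that is not from the thread or from Didier Stevens' post. It shows why a byte-for-byte signature misses NUL-interleaved markup, how matching on a parser-normalised view (dropping NUL bytes, which is assumed here to mirror the rendering behaviour the thread describes) restores the match, and a cheap signature-independent check on the NUL ratio. The signature, the sample page and the threshold are constructed for the example.

```python
# Added example: signature matching on raw bytes vs. on a parser-normalised view.
# SIGNATURE, CLEAN_PAGE and the 5% threshold are constructed here, not taken from
# any product or from the thread.
SIGNATURE = b"<script"
CLEAN_PAGE = b"<html><body><script>alert(1)</script></body></html>"


def interleave_nulls(data: bytes, count: int = 1) -> bytes:
    """Build the obfuscated variant the thread describes: `count` NUL bytes
    between every byte of `data`. Used only to generate test input below."""
    filler = b"\x00" * count
    return filler.join(bytes([b]) for b in data)


def naive_signature_match(page: bytes) -> bool:
    """Byte-for-byte substring match, i.e. a scanner that looks at the file
    exactly as stored on disk. Case-folded so <SCRIPT> also matches."""
    return SIGNATURE in page.lower()


def normalize_like_parser(page: bytes) -> bytes:
    """Normalise the input the way the consuming parser is reported to:
    drop NUL bytes. A scanner matching on this view sees what the browser
    will actually execute. (Assumed behaviour; other parsers differ.)"""
    return page.replace(b"\x00", b"")


def normalized_signature_match(page: bytes) -> bool:
    """Same signature, applied after parser-style normalisation."""
    return SIGNATURE in normalize_like_parser(page).lower()


def null_byte_ratio(page: bytes) -> float:
    """Fraction of NUL bytes. A text format such as HTML legitimately has
    none, so a non-trivial ratio is an anomaly in its own right, independent
    of any particular signature."""
    if not page:
        return 0.0
    return page.count(b"\x00") / len(page)


def scan(page: bytes, null_ratio_threshold: float = 0.05) -> dict:
    """Run all three views so the caller can see which one fired."""
    ratio = null_byte_ratio(page)
    return {
        "raw_signature": naive_signature_match(page),
        "normalized_signature": normalized_signature_match(page),
        "null_ratio": round(ratio, 3),
        "null_anomaly": ratio > null_ratio_threshold,
    }


if __name__ == "__main__":
    samples = (
        ("clean", CLEAN_PAGE),
        ("1 NUL between bytes", interleave_nulls(CLEAN_PAGE, 1)),
        ("16 NULs between bytes", interleave_nulls(CLEAN_PAGE, 16)),
    )
    for label, page in samples:
        print(f"{label:>22}: {scan(page)}")
```

    The raw signature fires only on the clean page; the normalised signature fires on all three, and the NUL-ratio check flags both obfuscated variants without knowing the signature at all. The caveat Conspicuous Coward raises still stands: the normaliser only works because it mirrors what this one parser discards, so each consuming parser needs its own normalisation, and the ratio heuristic is a crude anomaly signal rather than a verdict.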

  • Re:Disabling Script? (Score:2, Interesting)

    by ultranova ( 717540 ) on Monday October 29, 2007 @05:23PM (#21162101)

    > I'm surprised you can still use the web today without javascript... or at least you are missing a great part of it. I think the solution is to have a secure browser... nothing more.

    That browser would need to be written in Java or other memory-managed language with built-in security infrastructure. A modern browser is simply too big and complex to make it secure if written in C, C++ or any language like that, especially since it can't just discard garbage input because most Web pages are more or less full of errors, and must therefore use fuzzy logic guessing of what the Web designer meant. And even with Java, you'd need to make sure the VM uses the absolute minimum of native code, to avoid things like the recent ImageIO exploit caused by usage of native library.

    Cue a dozen replies about how you shouldn't be programming if you can't make C secure and only sissies need garbage collection.
