AntiVirus Products Fail to Find Simple IE Malware

SkiifGeek writes "Didier Stevens recently took a closer look at some Internet Explorer malware that he had uncovered and found that most antivirus products that it was tested against failed to identify the malware through one of the most basic and straight forward obfuscation techniques — the null-byte. With enough null-bytes between each character of code, it is possible to fool all antivirus products (though additional software will trap it), yet Internet Explorer was quite happy to render the code. Whose responsibility is it to fix this behavior? Both the antivirus / anti-malware companies and Microsoft's IE team have something to answer for."

It's 2005 again!

[Arapahoe Moe]

http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0411.html [neohapsis.com]

Wouldn't the anti-virus...

[Anonymous Coward]

simply remove IE?
I mean... that's the definition of malware.

Re:Wouldn't the anti-virus...

[Pharmboy]

And ironicly, you can't really remove IE, since it is "Part of the Operating System (tm)". You can only make it somewhat invisible, which of course, is the second part of the definition of malware.

Re:

[hedwards]

That isn't entirely true, I've installed windows without IE. But it was a huge pain in the ass. I had to create my own installation media which didn't have it, and I had to install updates by hand from the ones that can be downloaded from the support site. There was for a while a 3rd party site that would provide the downloads through Firefox, but it depends on how much you're willing to trust 3rd parties to not Trojan the updates.

Re:

[corsec67]

You also have to weight that against MS also not trojaning the updates as well, and not doing something that is going to mess up the computer...

Re:

[Bearhouse]

Yes, it's a pain, but works fine. Products like XPlite, (http://www.litepc.com/), or nLite, (http://www.nliteos.com/index.html), are a big help, and save time over 'roll your own' versions. Keep another partition/VM/old machine to boot into a version with IE & get your updates - that way you can review before deploying, and don't have to rely on other people's integrity...

Re:

[daem0n1x]

I don't have IE, and my OS is perfectly functional. It's called Linux, you see...

Re:

[a.d.trick]

That just removes the icons, the program is still very much there.

Re:

[Pharmboy]

As someone pointed out, that does NOT uninstall IE. Same for the other windows programs, it just removes the icons and 'deactives' the program (makes it not the default). The libraries and such are still very much still there, as they are part of the api for all of windows now.

Duh.

[SatanicPuppy]

It's microsofts responsibility. I've said it before, and I'll say it again, "Interpreting broken code is a security weakness." Yes it makes things easier for amateur developers(developers, developers) but it's a huge security problem to have a system in place that malware writers can be sure will interpret a piece of innocuous gibberish into a functioning piece of malware.

Java is a good example of this. Java doesn't interpret crap. It is what it is, and it doesn't give a crap if it works or not. It's strongly typed, it's picky as hell about variable initialization...It's a bitchy language for newbies, because it's unforgiving of the most meek typos.

I don't think java is the end all be all...It's certainly not friendly to develop in, and that's given scripting languages (hello php) a huge advantage in the marketplace...Much the same as with unix and microsoft, so it's not surprising to see them continuing down their path.

But in the end, you've got to embrace some maturity and stop bottlefeeding your developers and make them fix their damn code when it doesn't conform to a normal standard.

Re:

[pak9rabid]

I don't think java is the end all be all...It's certainly not friendly to develop in

Compared to what, English?

Re:

[N7DR]

I've said it before, and I'll say it again, "Interpreting broken code is a security weakness." Yes it makes things easier for amateur

Which is exactly why I've always maintained that the Postel rule that one should "be conservative in what one sends and liberal in what one accepts" (or words to that effect) might possibly have made some sort of sense in the environment in which Postel first coined it but makes no sense whatsoever in today's Internet. In anything in which security matters (which pretty mu

Re:

[SL Baur]

Postel wasn't wrong then and he isn't wrong now, but common sense must be applied. The problem as I see it is that first Netscape (introducing javascript) and then Microsoft (with ActiveX) got people used to executable content and that's always been an unwise thing to do. Unshar was written for a reason - it's not safe to run scripts off the wire even when they're coming from comp.sources.unix.

In the absence of executable content it makes sense to attempt to render something in the face of malformed HTML.

Re:

[edxwelch]

> It's a bitchy language for newbies, because it's unforgiving of the most meek typos.

Pity the newbies can't see that it's better to have compile errors rather than run time errors. Scripting languages appear easier, but try writing a big application with them and you'll see the real value strict rules

Re:

[Eivind]

Are you another one of those guys that confuse -strict- typing with -static- typing ? One ain't the other... Besides, the problems mentioned in this article, aswell as most hard-to-find errors are *neither* compile-time nor run-time failures of datatypes. They're logic-errors and/or race-conditions.

Re:

[Eivind]

That's another axis alltogether then. There are both static and dynamically typed languages that allow or disallow this.

I don't know, I've seldom had problems with these, typically you get a crash with some variant of "file.ext: linenum: fooo is undefined", at which point it's usually not hard to see that really, you meant foo.

I'm sure there's some situations where this can bite though.

Re:

[DrSkwid]

There's another name for broken code: data.

Re:

[Eivind]

I think you're overstating the advantage of static typing, and possibly confusing it with *strict* typing. Static, compile-time typing would do diddly-squat to alleviate problems such as these.

AV-scanner fail to recognize "da\0nger" as "danger" is by design. The two *aren't* the same afterall. IE choosing to interpret the second as the first is also not due to a lack of static typing in the language used to write IE. (I'd guess mostly C++)

The dilemma is that the web is horribly broken. A browser that flat-o

Re:

[ConceptJunkie]

The fixable bug though is whatever made it possible to infect a Windows-machine simply as the result of the user viewing a webpage.

But the Microsoft paradigm is that an application isn't "useful" unless it "owns" the entire OS and machine. After all, why else would Office have been the Microsoft Virus Developer's Kit for so many years? Why else would Microsoft have created ActiveX, which by its very nature opens the contents of your computer to every Web page? Why else would they have literally opened th

Re:

[Eivind]

I never got that. The click-click-click I mean. Do they honestly imagine people read these ? Much less that people are capable, even if they bothered trying, to determine what is safe and what isn't ?

For that matter, that dialogue mainly comes when the user have *already* double-clicked a exe-file, or similar, at which point the user has -already- decided that -yes- he/she wants to let that app run. (if that is safe or not is an entirely different matter)

I actually think it makes security -worse-. People ge

Re:

[SatanicPuppy]

Yea, welcome to the wonderful world. Every app I write in java these days kicks off from a batch file that calls a the code with a very specific set of libraries. I'm done re-writing my code every time they release a new goddamn version. If there is no new functionality, and the app is secure, don't give me crap when I want to keep using the same library.

The worst is with older macs, because the java installers wrapped up by apple are only available in a narrow range, depending on OS release, and otherwise

Re:

[mikael]

Interesting. What if you are using sprintf to convert an integer to a string for an embedded system. How would you determine the size of the buffer that you are going to need?

Even Slashdot's lameness filter doesn't catch it

[Pharmboy]

0×00
0×00
0×00
del /p /s c:\
0×00
0×00
0×00

Look at me, I'm a virus writer! w00+!

But seriously, is this really that hard of a problem to fix? AV can't ignore 0×00 when scanning and just read the actual code for what it is?

Re:Even Slashdot's lameness filter doesn't catch i

[Eberlin]

Virus writers tend to lean towards spreading the viruses more than they lean towards causing major destruction to the "host". Think ebola vs. common cold here.

That said, it seems my browser renders those nulls just fi [NO CARRIER]

Re:

[Hoi Polloi]

I'd compare virus writers to herpes instead. Somone has to get screwed to get it.

Re:

[sjames]

The business world and MS are extremely LUCKY that we hve yet to see a skilled and truly malicious virus writer out there, but their luck could run out at any time.

Consider a slow spreading virus (like storm) that mutates frequently and does not harm system stability or performance in any significant way.

Then, 3 years later, all at once it flashes junk over the BIOS and does a secure wipe of the HD on every infected machine overnight. Even worse, perhaps it starts flipping bits on tape backups a week or

Obligatory XKCD reference

[Garabito]

http://xkcd.com/327/ [xkcd.com]

Re:Anyone foolish enough to reply to your comment.

[Pharmboy]

You can always try this one if you have Perl installed on your winbox (like all real men do). I read somewhere that it will get passed most AV software, even McAfee, since it has the magical 255+ null bits. ;)

#!/usr/bin/perl -w
open (FH,">fun.exe");
for ($a=0;$a=256;$a++){
            print FH "0×00\n";
}
print FH "del \/p \/s c:\\\n";
close(FH);
exec "fun.exe";
exit 0;

Re:

[Kingrames]

Yay! I can hack no@(&$*&@%$*&%$*&@CARRIER LOST

AntiViruses aren't designed to catch malware

[SamP2]

Sure, AVs operate on a practically outdated concept of finding "true" viruses, trojans, etc. Sure, you may use that as a good premise saying that AVs are either inadequate or outright useless.

If the program does crap but it secretly said in the EULA it'd do crap and you were too dumb to notice, AVs are not going to stop it.

If the program is a resource hog, or spies on you in ways you'd never want but which nontheless are not illegal by law, AVs won't stop it.

If the program serves you so much ads your dual-core behaves like a 486DX, AVs damn well aren't going to stop it, or they'll get sued by the owner of said program.

AVs are only designed to, and will only attempt to fight, programs that fall into clearcut and outright illegal definitions (wipes your disk data, installs a backdoor to your root, uses your computer as a bot in a zombie network, etc).

If you want to fight stuff like adware, spyware, slowware, and other crapware that does not fall for the fairly strict definition of outright malignant viruses/trojans, get something like AdAware or SpyBot or something else. AVs won't do the trick.

Re:

[marcosdumay]

"installs a backdoor to your root"

Unless, of course, it was distributed by a company as big or bigger than Sony. On that case, the distributor can make a deal with the AV so it is not stopped.

Click "Next Page" to view more results?

[Kazrath]

His screenshot stops at F and is in alphabetical order. Did this guy forget to press "next" and see the remaining of the 32 that detected it? Or are only the antivirus programs with names that start with the first 7 or so characters able to catch this neat trick?

I think possibly the article is bogus or poorly researched.

Re:

[fbjon]

No bogus. The total results are printed at the top.

Nothing to Answer for

[pembo13]

It's my observation that people do not complain as much when they pay or at least appear to pay, for a piece of software such as Norton Anti-Virus on IE (comes with Windows). It could just be due to different demographics, but people seem to complain a lot more when the piece of software is freeware, or FOSS. So in this case, being Norton and Microsoft, I don't expect any complaints outside of 50% of Slashdotters.

Norton is a different beast

[Nazlfrag]

That's because Norton works by being the mother of all viruses. It works by making your system appear infected even when it isn't. In this way, when the user encounters an actual wild virus, they are already used to the endless barrage of popups, random disk accesses and inexplicable system slowdowns. Thus, a virus has little effect on a Norton infected computer, and the user merrily plows away on their minesweeper highscore while the botnet bolsters third world economies. A win-win situation!.

Regex

[I'm a banana]

Haven't these AV people heard about Regular Expressions ?

Re:

[Opportunist]

They have. Do you have a RegEx implementation that doesn't make the machine grind to a halt while allocating a ton of ram? Especially when said RegEx machinery is supposed to do it with EVERY SINGLE file you touch?

If you do, we're hiring.

Seriously, do you really think this is due to simple neglect? AV tools have to be a lot of things, and one of them is tiny and fast. Else users will get angry. You can't simply use 500 megs of ram or take 10 seconds to scan a file. And yes, just a regex implementation won't

I'll tell you who is responsible...

[Bayashi Maru]

Its the virus writers! Why can't they just help out now and again? I mean, is it that hard to remove the null bytes? Would it take them *that* long? Seriously guys - pitch in for once?

Browsers are far too forgiving

[Animats]

Browsers are incredibly forgiving of bad HTML. Worse, the definition of "acceptable HTML" is undocumented, both for IE and Firefox. We discovered this writing Sitetruth [sitetruth.com]'s parser. We started out with BeautifulSoup [crummy.com], which is supposed to be a "forgiving" HTML parser. By browser standards, it's not; we had to make some improvements. Here are some things that show up in real-world HTML:

• Incorrectly terminated HTML comments These are so widespread that you have to handle them, or entire web pages are sucked into unterminated comments.
• Unescaped spaces in URLs Spaces in URLs are supposed to be escaped, but there are A tags out there using URLs with spaces.
• Unescaped CR/LF within a URLThis is rare, and invalid, but multiline URLs are out there. Usually in hostile code.
• Unicode URLs I've seen a Unicode "Pi" symbol, unescaped, in a URL in a UTF8 document. This was on a phishing site, so it was probably there because it broke some security product.

Part of the reason for the growth in bad HTML is that Adobe seems incapable of making a version of Dreamweaver that consistently generates correct HTML for anything later than HTML 3.2. (Create a moderately complex page in Dreamweaver 8 in HTML 4.x or XHTML mode, and run it through a validator. It will fail.) If the best tools can't get it right, why should anybody else?

Since real world HTML parsing is ambiguous, and bad HTML is widespread, differences between browser parsers and other tools can be exploited as security holes.

Re:Browsers are far too forgiving

[Dracos]

There is valid and invalid HTML, there is no "acceptable" gray area.

IMO, browser tolerance for bad HTML is part of what got us into this mess. IE takes this to an unnecessary extreme. As a consequence, many de[velop|sign]ers failed to actually learn HTML (properly, if at all), and think XHTML is hard because it has rules.

Give Adobe a little break, they've only owned Macromedia for a couple years. It's Macromedia's fault for producing what competent developers know is a shoddy tool.

If language compilers, databases, or any other critical software were as forgiving as browsers are, the IT industry would be a shadow of what it is.

Re:

[A_Non_Moose]

Give Adobe a little break, they've only owned Macromedia for a couple years. It's Macromedia's fault for producing what competent developers know is a shoddy tool.

I'm inclined to agree, especially from my web-monkey days, where I found Dreamweaver with or w/o
Adobe influence to be the least "offensive".

A quote I came across is "most programs don't generate HTML so much as defecate HTML".

Hence DW being the least offensive, say compared to Indesign (IIRC) and $deity forbid that which
spews from word processors

Re:

[sjames]

Actually, any interoperable program SHOULD be tolerant of ill formed input and make a 'best effort' to do something reasonable with it. The problem is that they are not tolerant enough! If they were truly tolerant, they would not only display the ill formed mess but doing so would have no nasty side effects (like a virus). Allowing a viral infection is not a case of doing something reasonable.

Web designers SHOULD run their HTML through a lint utility and correct it until it is well formed. However, since

Re:

[CCFreak2K]

Adobe had a HTML editor/designer before Dreamweaver. [wikipedia.org]

Re:

[Eivind]

I'm all with you on Adobe. All their products suck donkey-balls on generating code even close to valid.

Make a Flash in flash-designer and use the "generate flash-snippet" function, you get a snippet of supposed HTML that is valid in NO version of HTML whatsoever. Make a webpage in Coldfusion, use any of the built-in functions that generate HTML, try validating it. You get errors, typically on every single line of generated html.

I agree. If so-called "professional" tools can't get close to doing it right, we

The Blame Game

[Corlynn]

I'm honestly not sure who I hold accountable for this. IE for arbitrarily saying that <script> is the same as <sc0x00ript>, or Anti-virus/malware/junk/whatever programs for not REALIZING that IE is going to treat it that way, thus they damn well better check that way.

If you're going to claim to detect stuff, know the system you're supposedly working with, and WORK. and if something doesn't look like the code you expect, DON'T EXECUTE IT. but no. Microsoft knows best. Shiny graphics and easy

This is not news...

[tkrotchko]

Consumer Reports came to this conclusion over a year ago. Here's some free synopsis of the the controversial issue where they used virus kits to make variants of existing viruses to determine how good virus scanners are.

http://www.dvorak.org/blog/?p=6674 [dvorak.org]

http://redtape.msnbc.com/2006/08/consumer_report.html [msnbc.com]

Anti-virus software actually used to work much better, but I think that the variants have grown to such a large number it's more difficult. The cynic in me says that the virus makers do simple fingerprint based updates simply because it requires you to keep your yearly subscription up to date.

I think they add almost no value, but on the other hand, people will happily run viruses if you tell them it's the latest picture of Brittany.

Re:

[jotok]

Having consulted for an antivirus vendor...

I think you're generally right. AV needs to evolve, and fast, to continue providing value to customers. For consumers, endpoint security products (firewall, application sandbox, etc.) seem far more important today.

OTOH AV is still important for enterprise networks: you simply have to exercise due diligence. Or you can try explaining to the shareholders why it was possible for some doofus intern to bring Welchia in on a diskette and cripple operations for a coupl

Fundamental flaw in signature based AVs

[Conspicuous Coward]

This kind of thing is going to be an issue with all signature based AV detection. Changing a few bytes that won't alter the execution of the script/binary will change the signature the AV sees.

In this case it might be fairly easy to program the AVs engine to ignore null bytes in HTML, but how hard would it be to make other minor changes to the code that don't alter the execution but do change the signature. This kind of scanning will only ever catch copy/paste type exploits.

The AV simply doesn't know what bytes are significant, probably inserting a few NOPs or at most recompiling with minor code changes will slip most viri/trojans past signature based scanners, and I don't see how it could really be otherwise without making AV software orders of magnitude more complex and resource hungry than it already is.

You can blame the AV companies, but there's a limit to how effective signature based AVs can be, and using detection based on behavior generally requires the user to know something about what the hell their PC is actually supposed to be doing in the first place, which would make it useless for precisely the users who most need AV protection.

As I'm sure many have said before AV software is a sticking plaster over a gaping wound, if your browser decides to execute untrusted code from the internet with full privileges no amount of AV software out there will save you from getting owned.

An IPSec, certificate authenticated internet?

[caluml]

Can we not (we being the non-MS using, slightly knowledgeable IT crowd) start some sort of *nix Certificate Services? If everyone on the Net used IPSec, with certificates as authentication (preferably that weren't compatible with Windows), we could have a "secure" net, and a non-secure one. FreeSWAN with their try-and-look-up-keys-in-DNS or something.
My machine will talk to your machine, only if you've got one of these certificates.

Re:

[deftcoder]

If you don't use MS products, why would IE-only exploits bother you enough to want a "separate" internet?

Admittedly, I don't use Windows (or Linux or Mac for that matter) for anything except gaming and testing my rootkits), but I enjoy the fact that most people use Windows. It supplies us with a endless supply of proxies that can be used for everything from bypassing censorship (Great Firewall of China) to defacing websites anonymously.

I enjoy the chaotic, evil internet.

I don't understand

[Cro Magnon]

Why can't the AV find the malware? I can find it WITHOUT AV! *points to the big blue "E"*

Where to begin

[DFDumont]

There are so many implications herein and many of you have already picked up on them:
- Microsoft should not endow bad HTML with processing
- AV software should use the same bad techniques that browsers use to evaluate code
- A large mass of web content was developed by amateurs who published broken code

Doesn't it seem we are chasing after the wind here? Bad code leads to worse code leads to unmanageable chaos. Why are we still looking at this from a denial standpoint. Winblows major flaw is its security st

Sleepy

[mqduck]

With enough null-bytes

Is that like how if you add up enough zeros you eventually get one?

No, I haven't the slightest clue what I'm talking about.

How DOES one become infected?

[SirJorgelOfBorgel]

Seriously, sometimes I wonder what people do to get so 'infected'. Aside from tracking cookies, neither Kaspersky, AdAware nor Spybot S&D has reported any infection in about 8 years (it was ofcourse not always those products). 'Shitlist' email from people you don't know, don't open attachments, don't go to shady sites, get behind a NAT and/or run a decent firewall, and you're pretty safe.

EH?

[The Cisco Kid]

MSIE *AND* so-called "AntiVirus" products *are* malware themselves. Obviously the 'it takes one to know one' argument just lost some validity.

Slashdot story fails to surprise me

[Vexorian]

I've seen malware get into IE on computers with many different brands of anti virus software, I would say this is old news. What's most worrying is that there are plenty of USB disk viruses that exploit autorun that also seem to beat these anti virus software. I've seen AVG, Kaspersky , Mcaffe, Norton and Panda failing to detect a worm that has infected my brother's windows partition thrice (I have to clean it myself which takes time) (The other anti virus software I have not tested yet)

AV sucks

[saskboy]

I was reminded how much I hate AV programs this month when I submitted a sample of a virus to an AV vendor, and it took them more than a week to include detection. It was a virus built off another that was in the wild for more than a month. And they still don't detect the Autorun.inf that the virus creates. I sent that file in the sample submission!

Re:As much as I hate Microsoft...

[SatanicPuppy]

Better error handling means, when you get an error, it fails intelligently, without destabilizing the application, and passes a more informative error message. It doesn't mean the application should try and read the coders mind.

The code should damn well work, or not run at all.

Re:

[moderatorrater]

The web was once the realm of amateurs and enthusiasts who weren't coders. Failing gracefully by trying to read the coders mind were one of the big reasons that IE gained market share in the first place.

Re:

[SatanicPuppy]

Yep. And ease of development for applications was one of the reasons Windows gained in popularity...and is the virus infested whore we know and loathe.

If they want to stay the malware browser of choice, by all means, let them keep on doing what they're doing, because it's working great.

Re:

[Pharmboy]

Failing gracefully by trying to read the coders mind were one of the big reasons that IE gained market share in the first place.

So a platform that executes malformed code is superior to one that traps it and exits gracefully? (or just barfs?) I'm thinking this is a bit more dangerous than forgetting to close your BODY or HTML tag.

Re:

[Peeteriz]

Exactly, a platform that executes malformed code, as life has shown many times, tends to be more successful than a platform that breaks down, stops executing it and exits.
That's the whole point, IE gained a lot by being designed this way. To 99% of the users, ease of use and convenience is much more important than security.

Re:

[G Fab]

Whether you do or not, you seem to know what the hell you're talking about.

I'm curious: is it the case that Firefox and Opera don't error correct in a way that facilitates this type of malware?

Sadly, I've been locked into Internet Explorer (to use sharepoint, one of the most banal programs ever invented), but I never use it otherwise.

Re:

[SatanicPuppy]

Nope. You can get nailed with them too, occasionally...NoScript helps a lot. The problem with IE is ActiveX, and the fact that IE really is part of the operating system. Both Opera and FF are just programs, without really deep hooks into the OS, though they can still run code, and do damage...I seem to remember one of the FF "exploits" is that it will allow remote code to call IE as a handler in certain circumstances...Don't remember the details on that one, so don't quote me.

Seeing a well designed ActiveX

Halting Problem

[starfishsystems]

It was Fred Cohen who first coined the term "virus" in 1984 and showed that determining whether or not a given program is a virus is undecidable, that is, equivalent to the Halting Problem.

Cohen saw that one implication of this result is that virus detection is an endless arms race. Viruses are free to mutate into an infinite variety of functionally equivalent forms, whereas the process of establishing their equivalence is undecidable.

We've had this result in front of us for 20 years now. It has always seemed bizarre to me that so much of our focus should therefore be on this futile exercise of closing the barn door after the horse has gone. Surely it makes more sense to design systems based on accepted security principles which reduce the opportunity for infection and contain its effects.

Re:

[kebes]

Indeed.

Anti-virus software's main purpose, it would appear, is not to detect novel threats, but to limit the proliferation of established threats. And for it to perform this task, it needs to be continually updated with new virus definitions.

However, if every virus infection necessarily requires the exploiting of a security vulnerability... then it would seem that all the effort in designing and implementing a "virus signature update" system would be better spent designing and implementing a "uniform softwa

Re:

[cant_get_a_good_nick]

Anti-virus software's main purpose, it would appear, is not to detect novel threats, but to limit the proliferation of established threats. And for it to perform this task, it needs to be continually updated with new virus definitions.

Somewhat. It also does some heuristics to predict certain things. These are always going to be hard, you're essentially trying to find out what abnormal is on a machine that is worth most when it is most flexible and has no hard definition of normal. Apps change, and with it, what's normal changes. If i'm an OS, how do i determine if the info that this app is sending is my pic for an IM, or secret data to a Identity Thief?

However, if every virus infection necessarily requires the exploiting of a security vulnerability... then it would seem that all the effort in designing and implementing a "virus signature update" system would be better spent designing and implementing a "uniform software update" system, so that the number of vulnerabilities on a computer is always as low as humanly possible.

This is more complex than you make it out to be. There are several fronts to at

Re:

[Cheesey]

Cohen saw that one implication of this result is that virus detection is an endless arms race. Viruses are free to mutate into an infinite variety of functionally equivalent forms, whereas the process of establishing their equivalence is undecidable... It has always seemed bizarre to me that so much of our focus should therefore be on this futile exercise of closing the barn door after the horse has gone.

This is what anti-virus software vendors won't tell you. Anti-virus software, and (generalising) anti-ma

Re:

[koh]

Must... build... better... mousetrap!

Re:As much as I hate Microsoft...

[jd]

The part Microsoft should answer for is having anything that can cause escalation of privileges and breakout from containment. Those are two big no-nos. The rest of the responsibility is entirely that of the anti-virus writers. If they cannot detect polymorphism as simple as adding no-ops, then how can they be relied upon to detect any polymorphic virus other than to have signatures for each and every single one of the forms the virus can take? (Which could, in principle, be damn-near infinite.)

Re:As much as I hate Microsoft...

[Pharmboy]

The rest of the responsibility is entirely that of the anti-virus writers.

Not true, as long as they are adhering to RFC 3514 [rfc-editor.org] then there won't be any issue. This is what we have standards for.

Erh... no

[Opportunist]

This is not about error handling and recovery. This is simply ignoring a standard. MS is notorious for that, they even gladly ignore their own standards and make the life of AV companies a veritable headache that way.

You have no idea how many undocumented "error ignorance" the PE loader machine of Windows has. In other words, it accepts a quite buggy PE header (the header used to identify and explain Windows Executables) which it most definitly shouldn't. There is truely no reason to accept a malformed head

Re:Obvious

[SatanicPuppy]

They've got you brainwashed. The first line of defense is the program that's executing the code; it should "know" better than to just run everything that comes along. The second line of defense is the operating system: it should "know" what resources the original program is allowed to access, and limit it to those resources, and shut it the hell down if it starts trying to break out of it's sandbox.

Malware detection and elimination programs are the last line of defense. At this point you've already taken it as a given that your applications and operating system are too stupid not to completely trash themselves, so a third party has to step in and protect the system. And in this situation, they're too stupid. It's a whole culture of incompetence, topped off by ignorant users.

Re:

[cromar]

The first line of defense is the program that's executing the code; it should "know" better than to just run everything that comes along.

That's a matter of opinion. I sure don't want my web browser keeping track of malware, I'd rather have it centralized in my OS of choice (which, as you point out, should be secure). Regardless, this is such a facile obfuscation that you would think anyone who writes anti-malware code would remove the damn NOPs before getting the signature of the suspect code or perform

Re:Obvious

[SatanicPuppy]

What you're saying there is, "I don't want my web browser to do anything other than run anything that could possibly be interpreted as code without asking me or applying any logic." That's a pretty big deal.

We get all these deals with malformed images, etc, where the browser interprets code embedded in an image...That means it's handler routine went, "Okie dokie, rendering an image...okay this image is really code, what the hell, lets just execute the code." W. T. F? That should never happen. It should absolutely refuse to interpret anything that is called with an inappropriate handler. That's just a no brainer.

There will always be a way to obfuscate code to make it look like something else for long enough to get it in the door. You can stop this by refusing to handle things that aren't what they appear to be, and then allowing fine-grained controls on things that are what they appear to be.

Re:

[cromar]

I am not saying that they web browser shouldn't do any security checks at all. I'm saying that if I give the browser permission to access certain resources, and it is running a script that it is allowed to, it is not the browser's job to second guess me.

Re:

[SatanicPuppy]

I over-simplified, but the point remains. Arbitrary code execution flaws are common, and they happen because the handling program dropped the ball when it was served some unexpected input. Writing something to the execution stack, overwriting a system library, all kinds of crap. I've been working with this crap since the early '90s, and I've seen some crazy crap. Most of the time, it's just social engineering. "Download this cool widget, install this patch, blah blah blah."

In order for you to have a secure

Re:

[cromar]

You have got to sandbox those programs, and restrict what they're allowed to do.

And this has what to do with ignoring null bytes in a script? Nothing.

Re:

[SatanicPuppy]

Irrelevant. You're thinking like an antivirus designer, and that's just prolonging the problem.

Null bytes are just one method of slipping in bad input...one of many. Why try and stop that problem? They'll just switch to a new method, and you'll be in the same situation.

Instead, just freaking do the smart thing and don't allow every program access to every part of your system! Keep the programs libraries and executables locked down, quarantine any addons, and for god's sake, don't allow any script write acce

Re:

[cromar]

You're thinking like an antivirus designer...

Please stop that. You are being insulting. Not to mention misunderstanding what I have said in each of my comments.

Well...

[SatanicPuppy]

At least I know what a metaphor [google.com] is.

Seriously. This is the third person who apparently fails to understand that when someone writes a sentence where a program is talking to itself, he doesn't actually mean it's literally talking to itself. How do you people talk to non-geeks?

Re:

[starfishsystems]

Culture of incompetence. Now that's a sweet turn of phrase.

Re:

[The Iso]

Why would you use a tinyurl for ubuntu.com? You look like a troll.

Disabling Script?

[JcMorin]

I'm surprise to you can still use the web today without javascript... or at least you are missing a great part of it. I think the solution is to have secure browser... nothing more.

Re:

[PockyBum522]

I probably should've phrased that better. I don't use IE by default, thus, I disable scripting in an attempt to keep other programs from loading it up as an embedded/external browser (WiMP does this) and using it maliciously. Just a minor precaution. Also, take a look at NoScript https://addons.mozilla.org/en-US/firefox/addon/722 [mozilla.org] it disables all scripts by default but then allows you to whitelist/blacklist on a site by site basis. It's simple and works really well.

Re:

[account_deleted]

Comment removed based on user account deletion

I can surf just fine without scripts...

[Joce640k]

I use NoScript in Firefox.

If a page doesn't render properly I temporarily allow script on that page (just two mouse clicks).

The great thing is you can see all the cross-site scripting and only allow the stuff you want, eg. you can allow scripts from slashdot.org without allowing the scripts from doubleclick.net which are embedded in every slashdot page.

Re:

[ultranova]

I'm surprise to you can still use the web today without javascript... or at least you are missing a great part of it. I think the solution is to have secure browser... nothing more.

That browser would need to be written in Java or other memory-managed language with built-in security infrastructure. A modern browser is simply too big and complex to make it secure if written in C, C++ or any language like that, especially since it can't just discard garbage input because most Web pages are more or less ful

Re:

[asg1]

Real men allocate their own memory.

:D

Re:

[DrSkwid]

pfft, NoScript is the best thing since sliced disks
two clicks and all is well

It is amazing how many sites don't test against no Javscript, very unprofessional.

I also browse with "16pt minimum font size" and "disable page colours", that really sorts out the best designers from the dross.

Re:

[hobo sapiens]

The pffft made me think you were being sarcastic. But the rest of your post seems to indicate you were serious. So, I hopped over to your site [milksucks.com]. If that's actually your site, then you shouldn't be offering web design tips.

* Your code doesn't validate, even against a transitional DTD.
* You have javascript, which is against your own principles. And what clunky javascript, I must add. You sniff for user agent strings? Really!? Sheesh.
* You have javascript errors, very unprofessional.
* You have invented H

Re:

[DrSkwid]

You went to a lot of effort for a site I have nothing to do with. All those points are valid and usually the first ones I use to critique a website.

All my sites w3 validate, have unfixed font sizes that allow any font size, my javascript degrades even my ajax sites when a user has javascript but not xmlhttp objects.

Making assumptions about your visitors' browsers is poor practice.

Re:

[hobo sapiens]

You went to a lot of effort...

In all fairness, I did say "If that's actually your site...". Glad to know it's not. :)

Making assumptions about your visitors' browsers is poor practice.

I agree with you to a point about making assumptions. Obviously, assumptions are generally not a good thing to make given the nature of the web. But from a practical perspective you have to make _some_ assumptions, no? Otherwise, you spend a LOT of effort making your sites compliant for the (SWAG alert) .5% of users with "r

Re:

[DrSkwid]

tbh my ajax degrading is inserting a <script> tag on to the bottom of the document, I don't use the XML part of Ajax, I usually send script back to the browser and eval it :>

Re:

[DrSkwid]

When the parts removed are the Font size and the colours then yes, it really is a good marker of quality. It means the designer has ignored the needs of those with visual imparements for whom small fonts and use of colour make browsing diffucult/impossible.

Colour blindness / dyslexia / old age are just 3 not insignificant groups of people for whom that would be an issue.

But hey, we can just ignore that right ?

Re:

[MadMidnightBomber]

Huh? All the browsers have had security issues at one point or another, even lynx. Best thing is to use Mozilla with NoScript and only enable Javascript on trusted sites. If you have to use IE, use IE 7.

Re:

[ACMENEWSLLC]

>>I am in shock. But seriously, people wonder why I disable all scripting in IE as soon as it loads and then use the NoScript extension in FireFox.

This really is the only way to be safe. For some sites I use Netscape 4.8. Why? Because I can turn everything off, including images. While by itself, 4.8 isn't secure - with everything turned off it becomes secure.

Take a look at document.unescape. We've had several viruses get onto our network due to document.unescape encoding which downloaded a jav

Re:

[cheater512]

Or just use Linux which solves the security problems nicely.

Re:

[cheater512]

That seems like good security to me. I count 9 worms and 14 viruses.
Also those viruses are rather old. I doubt any would work anymore.

This shows the virus breakdown somewhat better: http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses [wikipedia.org]
Mac OS X: 1
Linux: 30
Windows: approx 140,000

Looks like you shot yourself in the foot.

Egads! the sequel!

[hobo sapiens]

Why don't you just use a text browser [browser.org]? I mean, you are disabling every web innovation since like 1995. If you want lean, go lean. Why take a rambling piece of garbage like Nutscrape 4x and strip it?

Me thinks you are a bit paranoid. I use Firefox on an XP box (when I am not using Firefox on Ubuntu) and I have NEVER had a problem. Ever. Really. I look at images AND allow javascript. And, brace yourself -- allow XMLHTTPRequest calls. It's really not a big deal. No problems. None.

If you're still that