Feeds

When antivirus products (and Internet Explorer) fail you

Null hypothesis

5 things you didn’t know about cloud backup

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somewhat.

He discovered that the IE-targeted malware had been obfuscated with null-bytes (0x00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as malware (15 of 32). When all null-bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).

When Didier tried adding more null-bytes to the sample he found that the number of successful detections decreased steadily until, with 254 0x00 bytes between each character, McAfee was the last one standing.

Going to 255 or greater 0x00 bytes knocks McAfee off the perch yet leaves IE quite happily rendering the malicious code (which gives a hint at some internal limits of McAfee's engine).

Internet Explorer's interpretation and handling of mangled HTML and supported scripting input certainly contributed to making the Internet accessible to a wider audience, though now it is leading to making the platform more accessible to malware authors (if that was possible).

Why should the anti-malware authors care about how to respond to different null-byte content? After all, each 0x00 different counts as a brand new variant - why only go with the provider that stops 10,000 malware types when another one stops 100,000 malware types? Surely Internet Explorer should be more careful with the way that it handles 0x00 content, given that other browsers respond differently to similar content.

As malware authors increase the number of methods and use of obfuscation in hiding the true nature of their malware, it is essential that anti-malware authors allow for and are able to identify and de-obfuscate those methods when they are present in malware. This is especially the case with well-known and simple methods such as the null-byte, and is even more critical when the target application ignores the presence of the obfuscation anyway. The results from VirusTotal suggest that the practice of using a signature detection mechanism has broken down in this instance, and the level of performance for heuristic methods is far below par for such a simple obfuscation method.

Didier goes on to point out that all is not lost, as some products have components (such as McAfee's ScriptScan that comes with VirusScan) that actually intercept the script once it has been pre-processed by Internet Explorer, and before it is executed by the scripting engine - successfully stopping it (provided it can identify the script in the first place). Users and administrators need to make sure that the AV and antimalware products they are using have similar sorts of protective mechanisms in place.

In this case, it is the antivirus and anti-malware companies that need to improve the performance of their detection and isolation mechanisms until such time as Internet Explorer's behaviour is modified to handle null-byte insertion better - surely there can't be too many edge cases where random numbers of null-bytes between valid code characters is an actual occurrence.

Sometimes people ask us whether they should still be running AV software, given all of the problems that they seem to introduce onto systems (without even getting into the problem of false positives or false negatives or silent fixes), and our answer is always a firm 'Yes'. Even if antivirus tools can bring their own set of problems, they do provide an excellent ongoing protection against older viruses and malware that are still in active circulation and which still pose a relevant threat to modern systems. Defence-in-depth is still a valid concept for protecting modern networks and systems.

This article originally appeared at Sûnnet Beskerming

© 2007 Sûnnet Beskerming Pty. Ltd

Sûnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sûnnet Beskerming provides global reach with a local touch.

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?