Feeds

When antivirus products (and Internet Explorer) fail you

Null hypothesis

Website security in corporate America

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somewhat.

He discovered that the IE-targeted malware had been obfuscated with null-bytes (0x00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as malware (15 of 32). When all null-bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).

When Didier tried adding more null-bytes to the sample he found that the number of successful detections decreased steadily until, with 254 0x00 bytes between each character, McAfee was the last one standing.

Going to 255 or greater 0x00 bytes knocks McAfee off the perch yet leaves IE quite happily rendering the malicious code (which gives a hint at some internal limits of McAfee's engine).

Internet Explorer's interpretation and handling of mangled HTML and supported scripting input certainly contributed to making the Internet accessible to a wider audience, though now it is leading to making the platform more accessible to malware authors (if that was possible).

Why should the anti-malware authors care about how to respond to different null-byte content? After all, each 0x00 different counts as a brand new variant - why only go with the provider that stops 10,000 malware types when another one stops 100,000 malware types? Surely Internet Explorer should be more careful with the way that it handles 0x00 content, given that other browsers respond differently to similar content.

As malware authors increase the number of methods and use of obfuscation in hiding the true nature of their malware, it is essential that anti-malware authors allow for and are able to identify and de-obfuscate those methods when they are present in malware. This is especially the case with well-known and simple methods such as the null-byte, and is even more critical when the target application ignores the presence of the obfuscation anyway. The results from VirusTotal suggest that the practice of using a signature detection mechanism has broken down in this instance, and the level of performance for heuristic methods is far below par for such a simple obfuscation method.

Didier goes on to point out that all is not lost, as some products have components (such as McAfee's ScriptScan that comes with VirusScan) that actually intercept the script once it has been pre-processed by Internet Explorer, and before it is executed by the scripting engine - successfully stopping it (provided it can identify the script in the first place). Users and administrators need to make sure that the AV and antimalware products they are using have similar sorts of protective mechanisms in place.

In this case, it is the antivirus and anti-malware companies that need to improve the performance of their detection and isolation mechanisms until such time as Internet Explorer's behaviour is modified to handle null-byte insertion better - surely there can't be too many edge cases where random numbers of null-bytes between valid code characters is an actual occurrence.

Sometimes people ask us whether they should still be running AV software, given all of the problems that they seem to introduce onto systems (without even getting into the problem of false positives or false negatives or silent fixes), and our answer is always a firm 'Yes'. Even if antivirus tools can bring their own set of problems, they do provide an excellent ongoing protection against older viruses and malware that are still in active circulation and which still pose a relevant threat to modern systems. Defence-in-depth is still a valid concept for protecting modern networks and systems.

This article originally appeared at Sûnnet Beskerming

© 2007 Sûnnet Beskerming Pty. Ltd

Sûnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sûnnet Beskerming provides global reach with a local touch.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.