Feeds

When antivirus products (and Internet Explorer) fail you

Null hypothesis

SANS - Survey on application security programs

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somewhat.

He discovered that the IE-targeted malware had been obfuscated with null-bytes (0x00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as malware (15 of 32). When all null-bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).

When Didier tried adding more null-bytes to the sample he found that the number of successful detections decreased steadily until, with 254 0x00 bytes between each character, McAfee was the last one standing.

Going to 255 or greater 0x00 bytes knocks McAfee off the perch yet leaves IE quite happily rendering the malicious code (which gives a hint at some internal limits of McAfee's engine).

Internet Explorer's interpretation and handling of mangled HTML and supported scripting input certainly contributed to making the Internet accessible to a wider audience, though now it is leading to making the platform more accessible to malware authors (if that was possible).

Why should the anti-malware authors care about how to respond to different null-byte content? After all, each 0x00 different counts as a brand new variant - why only go with the provider that stops 10,000 malware types when another one stops 100,000 malware types? Surely Internet Explorer should be more careful with the way that it handles 0x00 content, given that other browsers respond differently to similar content.

As malware authors increase the number of methods and use of obfuscation in hiding the true nature of their malware, it is essential that anti-malware authors allow for and are able to identify and de-obfuscate those methods when they are present in malware. This is especially the case with well-known and simple methods such as the null-byte, and is even more critical when the target application ignores the presence of the obfuscation anyway. The results from VirusTotal suggest that the practice of using a signature detection mechanism has broken down in this instance, and the level of performance for heuristic methods is far below par for such a simple obfuscation method.

Didier goes on to point out that all is not lost, as some products have components (such as McAfee's ScriptScan that comes with VirusScan) that actually intercept the script once it has been pre-processed by Internet Explorer, and before it is executed by the scripting engine - successfully stopping it (provided it can identify the script in the first place). Users and administrators need to make sure that the AV and antimalware products they are using have similar sorts of protective mechanisms in place.

In this case, it is the antivirus and anti-malware companies that need to improve the performance of their detection and isolation mechanisms until such time as Internet Explorer's behaviour is modified to handle null-byte insertion better - surely there can't be too many edge cases where random numbers of null-bytes between valid code characters is an actual occurrence.

Sometimes people ask us whether they should still be running AV software, given all of the problems that they seem to introduce onto systems (without even getting into the problem of false positives or false negatives or silent fixes), and our answer is always a firm 'Yes'. Even if antivirus tools can bring their own set of problems, they do provide an excellent ongoing protection against older viruses and malware that are still in active circulation and which still pose a relevant threat to modern systems. Defence-in-depth is still a valid concept for protecting modern networks and systems.

This article originally appeared at Sûnnet Beskerming

© 2007 Sûnnet Beskerming Pty. Ltd

Sûnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sûnnet Beskerming provides global reach with a local touch.

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.