Feeds

When antivirus products (and Internet Explorer) fail you

Null hypothesis

Choosing a cloud hosting partner with confidence

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somewhat.

He discovered that the IE-targeted malware had been obfuscated with null-bytes (0x00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as malware (15 of 32). When all null-bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).

When Didier tried adding more null-bytes to the sample he found that the number of successful detections decreased steadily until, with 254 0x00 bytes between each character, McAfee was the last one standing.

Going to 255 or greater 0x00 bytes knocks McAfee off the perch yet leaves IE quite happily rendering the malicious code (which gives a hint at some internal limits of McAfee's engine).

Internet Explorer's interpretation and handling of mangled HTML and supported scripting input certainly contributed to making the Internet accessible to a wider audience, though now it is leading to making the platform more accessible to malware authors (if that was possible).

Why should the anti-malware authors care about how to respond to different null-byte content? After all, each 0x00 different counts as a brand new variant - why only go with the provider that stops 10,000 malware types when another one stops 100,000 malware types? Surely Internet Explorer should be more careful with the way that it handles 0x00 content, given that other browsers respond differently to similar content.

As malware authors increase the number of methods and use of obfuscation in hiding the true nature of their malware, it is essential that anti-malware authors allow for and are able to identify and de-obfuscate those methods when they are present in malware. This is especially the case with well-known and simple methods such as the null-byte, and is even more critical when the target application ignores the presence of the obfuscation anyway. The results from VirusTotal suggest that the practice of using a signature detection mechanism has broken down in this instance, and the level of performance for heuristic methods is far below par for such a simple obfuscation method.

Didier goes on to point out that all is not lost, as some products have components (such as McAfee's ScriptScan that comes with VirusScan) that actually intercept the script once it has been pre-processed by Internet Explorer, and before it is executed by the scripting engine - successfully stopping it (provided it can identify the script in the first place). Users and administrators need to make sure that the AV and antimalware products they are using have similar sorts of protective mechanisms in place.

In this case, it is the antivirus and anti-malware companies that need to improve the performance of their detection and isolation mechanisms until such time as Internet Explorer's behaviour is modified to handle null-byte insertion better - surely there can't be too many edge cases where random numbers of null-bytes between valid code characters is an actual occurrence.

Sometimes people ask us whether they should still be running AV software, given all of the problems that they seem to introduce onto systems (without even getting into the problem of false positives or false negatives or silent fixes), and our answer is always a firm 'Yes'. Even if antivirus tools can bring their own set of problems, they do provide an excellent ongoing protection against older viruses and malware that are still in active circulation and which still pose a relevant threat to modern systems. Defence-in-depth is still a valid concept for protecting modern networks and systems.

This article originally appeared at Sûnnet Beskerming

© 2007 Sûnnet Beskerming Pty. Ltd

Sûnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sûnnet Beskerming provides global reach with a local touch.

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.