Feeds

When antivirus products (and Internet Explorer) fail you

Null hypothesis

Beginner's guide to SSL certificates

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somewhat.

He discovered that the IE-targeted malware had been obfuscated with null-bytes (0x00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as malware (15 of 32). When all null-bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).

When Didier tried adding more null-bytes to the sample he found that the number of successful detections decreased steadily until, with 254 0x00 bytes between each character, McAfee was the last one standing.

Going to 255 or greater 0x00 bytes knocks McAfee off the perch yet leaves IE quite happily rendering the malicious code (which gives a hint at some internal limits of McAfee's engine).

Internet Explorer's interpretation and handling of mangled HTML and supported scripting input certainly contributed to making the Internet accessible to a wider audience, though now it is leading to making the platform more accessible to malware authors (if that was possible).

Why should the anti-malware authors care about how to respond to different null-byte content? After all, each 0x00 different counts as a brand new variant - why only go with the provider that stops 10,000 malware types when another one stops 100,000 malware types? Surely Internet Explorer should be more careful with the way that it handles 0x00 content, given that other browsers respond differently to similar content.

As malware authors increase the number of methods and use of obfuscation in hiding the true nature of their malware, it is essential that anti-malware authors allow for and are able to identify and de-obfuscate those methods when they are present in malware. This is especially the case with well-known and simple methods such as the null-byte, and is even more critical when the target application ignores the presence of the obfuscation anyway. The results from VirusTotal suggest that the practice of using a signature detection mechanism has broken down in this instance, and the level of performance for heuristic methods is far below par for such a simple obfuscation method.

Didier goes on to point out that all is not lost, as some products have components (such as McAfee's ScriptScan that comes with VirusScan) that actually intercept the script once it has been pre-processed by Internet Explorer, and before it is executed by the scripting engine - successfully stopping it (provided it can identify the script in the first place). Users and administrators need to make sure that the AV and antimalware products they are using have similar sorts of protective mechanisms in place.

In this case, it is the antivirus and anti-malware companies that need to improve the performance of their detection and isolation mechanisms until such time as Internet Explorer's behaviour is modified to handle null-byte insertion better - surely there can't be too many edge cases where random numbers of null-bytes between valid code characters is an actual occurrence.

Sometimes people ask us whether they should still be running AV software, given all of the problems that they seem to introduce onto systems (without even getting into the problem of false positives or false negatives or silent fixes), and our answer is always a firm 'Yes'. Even if antivirus tools can bring their own set of problems, they do provide an excellent ongoing protection against older viruses and malware that are still in active circulation and which still pose a relevant threat to modern systems. Defence-in-depth is still a valid concept for protecting modern networks and systems.

This article originally appeared at Sûnnet Beskerming

© 2007 Sûnnet Beskerming Pty. Ltd

Sûnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sûnnet Beskerming provides global reach with a local touch.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.