AntiVirus Products Fail to Find Simple IE Malware
SkiifGeek writes "Didier Stevens recently took a closer look at some Internet Explorer malware that he had uncovered and found that most antivirus products that it was tested against failed to identify the malware through one of the most basic and straightforward obfuscation techniques — the null-byte. With enough null-bytes between each character of code, it is possible to fool all antivirus products (though additional software will trap it), yet Internet Explorer was quite happy to render the code. Whose responsibility is it to fix this behavior? Both the antivirus / anti-malware companies and Microsoft's IE team have something to answer for."
I am in shock. But seriously, people wonder why I disable all scripting in IE as soon as it loads and then use the NoScript extension in Firefox.
-- David
http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0411.html
Despite all the problems, HTML5 is going to have a non-strict parser and more or less requires scripting to be enabled.
simply remove IE?
I mean... that's the definition of malware.
As much as I hate Microsoft, having better error handling is not a bug. This is a virus scanner problem. Of course the entire concept of enumerating badness is flawed. http://www.ranum.com/security/computer_security/editorials/dumb/
It's Microsoft's responsibility. I've said it before, and I'll say it again, "Interpreting broken code is a security weakness." Yes it makes things easier for amateur developers (developers, developers) but it's a huge security problem to have a system in place that malware writers can be sure will interpret a piece of innocuous gibberish into a functioning piece of malware.
Java is a good example of this. Java doesn't interpret crap. It is what it is, and it doesn't give a crap if it works or not. It's strongly typed, it's picky as hell about variable initialization...It's a bitchy language for newbies, because it's unforgiving of the most meek typos.
I don't think java is the end all be all...It's certainly not friendly to develop in, and that's given scripting languages (hello php) a huge advantage in the marketplace...Much the same as with unix and microsoft, so it's not surprising to see them continuing down their path.
But in the end, you've got to embrace some maturity and stop bottlefeeding your developers and make them fix their damn code when it doesn't conform to a normal standard.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I've searched my debian install, my slackware install and my OSX install and I simply can't find the MSIE malware, either. Damn.
0x00 /p /s c:\
0x00
0x00
del
0x00
0x00
0x00
Look at me, I'm a virus writer! w00+!
But seriously, is this really that hard of a problem to fix? AV can't ignore 0x00 when scanning and just read the actual code for what it is?
Tequila: It's not just for breakfast anymore!
Sure, AVs operate on a practically outdated concept of finding "true" viruses, trojans, etc. Sure, you may use that as a good premise saying that AVs are either inadequate or outright useless.
If the program does crap but it secretly said in the EULA it'd do crap and you were too dumb to notice, AVs are not going to stop it.
If the program is a resource hog, or spies on you in ways you'd never want but which nonetheless are not illegal by law, AVs won't stop it.
If the program serves you so much ads your dual-core behaves like a 486DX, AVs damn well aren't going to stop it, or they'll get sued by the owner of said program.
AVs are only designed to, and will only attempt to fight, programs that fall into clear-cut and outright illegal definitions (wipes your disk data, installs a backdoor to your root, uses your computer as a bot in a zombie network, etc).
If you want to fight stuff like adware, spyware, slowware, and other crapware that does not fall for the fairly strict definition of outright malignant viruses/trojans, get something like AdAware or SpyBot or something else. AVs won't do the trick.
They've got you brainwashed. The first line of defense is the program that's executing the code; it should "know" better than to just run everything that comes along. The second line of defense is the operating system: it should "know" what resources the original program is allowed to access, and limit it to those resources, and shut it the hell down if it starts trying to break out of its sandbox.
Malware detection and elimination programs are the last line of defense. At this point you've already taken it as a given that your applications and operating system are too stupid not to completely trash themselves, so a third party has to step in and protect the system. And in this situation, they're too stupid. It's a whole culture of incompetence, topped off by ignorant users.
NAV says there is a copy of adware.iebar embedded in this write-up.
Readers of this article are advised to repartition and reinstall or restore from a good backup.
Of course the entire concept of enumerating badness is flawed.
Nonsense. By any measure, James Brown is badder than Bryant Gumbel. Way badder.
His screenshot stops at F and is in alphabetical order. Did this guy forget to press "next" and see the rest of the 32 that detected it? Or are only the antivirus programs with names that start with the first 7 or so characters able to catch this neat trick?
I think possibly the article is bogus or poorly researched.
It's my observation that people do not complain as much when they pay or at least appear to pay, for a piece of software such as Norton Anti-Virus on IE (comes with Windows). It could just be due to different demographics, but people seem to complain a lot more when the piece of software is freeware, or FOSS. So in this case, being Norton and Microsoft, I don't expect any complaints outside of 50% of Slashdotters.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
After encountering MANY troubling malware issues, and lingering trojans, on several of my users' machines, something I define by that which the mainstream Anti-virus packages, and malware scanners WILL NOT remove, I find the END ALL fix for any continuing malware, trojan, virus issue, is F-Secure.
/he
My shop hasn't deployed it yet, but F-Secure has always FOUND, and CLEANED that last little bit of annoyances that the other adware and virus removal products do not catch.
And yes, these are Windows XP machines whose software and OS is fully patched with IE not being used unless required by end website. Doesn't matter how UP-TO-DATE you are. CRAP still gets in thru Windows....
Why would you use a tinyurl for ubuntu.com? You look like a troll.
"You don't need a weatherman to know which way the wind blows." - Bob Dylan
Haven't these AV people heard about Regular Expressions ?
It's the virus writers! Why can't they just help out now and again? I mean, is it that hard to remove the null bytes? Would it take them *that* long? Seriously guys - pitch in for once?
The first line of defense is the program that's executing the code; it should "know" better than to just run everything that comes along.
That's a matter of opinion. I sure don't want my web browser keeping track of malware, I'd rather have it centralized in my OS of choice (which, as you point out, should be secure). Regardless, this is such a facile obfuscation that you would think anyone who writes anti-malware code would remove the damn NOPs before getting the signature of the suspect code or performing other analyses.
...from a windows box will have their hard driveNO CARRIER
Virus writers tend to lean towards spreading the viruses more than they lean towards causing major destruction to the "host". Think ebola vs. common cold here.
That said, it seems my browser renders those nulls just fi [NO CARRIER]
What you're saying there is, "I don't want my web browser to do anything other than run anything that could possibly be interpreted as code without asking me or applying any logic." That's a pretty big deal.
We get all these deals with malformed images, etc, where the browser interprets code embedded in an image...That means its handler routine went, "Okie dokie, rendering an image...okay this image is really code, what the hell, let's just execute the code." W. T. F? That should never happen. It should absolutely refuse to interpret anything that is called with an inappropriate handler. That's just a no brainer.
There will always be a way to obfuscate code to make it look like something else for long enough to get it in the door. You can stop this by refusing to handle things that aren't what they appear to be, and then allowing fine-grained controls on things that are what they appear to be.
This is not about error handling and recovery. This is simply ignoring a standard. MS is notorious for that, they even gladly ignore their own standards and make the life of AV companies a veritable headache that way.
You have no idea how many undocumented "error ignorance" cases the PE loader machine of Windows has. In other words, it accepts a quite buggy PE header (the header used to identify and explain Windows Executables) which it most definitely shouldn't. There is truly no reason to accept a malformed header as a good one. If it's "accidental" corruption (i.e. in a transfer or due to faulty media), it will most likely render the executable unusable anyway, because singular points of failure are rare. And besides malware, what other reason would there be to deliberately corrupt a header (so AV tools that stick to the specs can't read it)?
This is yet another example. The specs say don't read it, IE reads it. Great. Who benefits, I mean besides the malware writer?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Browsers are incredibly forgiving of bad HTML. Worse, the definition of "acceptable HTML" is undocumented, both for IE and Firefox. We discovered this writing Sitetruth's parser. We started out with BeautifulSoup, which is supposed to be a "forgiving" HTML parser. By browser standards, it's not; we had to make some improvements. Here are some things that show up in real-world HTML:
Part of the reason for the growth in bad HTML is that Adobe seems incapable of making a version of Dreamweaver that consistently generates correct HTML for anything later than HTML 3.2. (Create a moderately complex page in Dreamweaver 8 in HTML 4.x or XHTML mode, and run it through a validator. It will fail.) If the best tools can't get it right, why should anybody else?
Since real world HTML parsing is ambiguous, and bad HTML is widespread, differences between browser parsers and other tools can be exploited as security holes.
A troll with mod points when signed in, it seems...
To you everything is a conspiracy set up by the investment bankers, Stevie.
You should log in next time.
GP wasn't advocating having the web-browser doing a lookup of every page/file in a malware database. He was saying that the browser shouldn't run/render malformed code at all. I.e. if the web browser is designed to reject malformed code, then it acts as a first layer of defense against attempts to attack the system through exploiting vulnerabilities, injections, etc.
Having a malware-detection routine is your last line of defense. It's an ugly kludge that gets glued on only because the previous layers of security are so leaky that many threats are getting through. The first line of defense should be code that is as bullet-proof as humanly possible. Rendering malformed HTML is not bullet-proof.
Cohen saw that one implication of this result is that virus detection is an endless arms race. Viruses are free to mutate into an infinite variety of functionally equivalent forms, whereas the process of establishing their equivalence is undecidable.
We've had this result in front of us for 20 years now. It has always seemed bizarre to me that so much of our focus should therefore be on this futile exercise of closing the barn door after the horse has gone. Surely it makes more sense to design systems based on accepted security principles which reduce the opportunity for infection and contain its effects.
Parity: What to do when the weekend comes.
The fact that an instance of malware is differentiated from a virus is ridiculous. The Symantec Corporate products are practically useless now where once I would suggest no other product. That included the server component, the exchange filter and the client side. Now, I am searching for a replacement as this year there have been far too many instances of malware hosing my clients' computers despite up to date AV definitions. Even with web filtering in place it is not enough but many of my clients are too small to employ a decent filter like the Barracuda. Having to run multiple spy and adware programs as well as AV is beyond stupid and this has been going on for years. Does anyone run a decent suite or app that protects the desktop and can be deployed through a console or script? I was looking at testing Kaspersky's suite but have not got around to it. Mac
You can always try this one if you have Perl installed on your winbox (like all real men do). I read somewhere that it will get past most AV software, even McAfee, since it has the magical 255+ null bits. ;)
#!/usr/bin/perl -w
# Joke "virus" as posted, with two defects fixed: the loop condition was
# an assignment ($a=256), which never terminates, and the "0x00" text had
# a mangled multiplication sign. It still writes plain text, not a PE file,
# so the exec at the end fails.
open (FH,">fun.exe") or die "cannot open fun.exe: $!";
for ($a=0;$a<256;$a++){
  print FH "0x00\n";     # the literal text 0x00, not a real null byte
}
print FH "del \/p \/s c:\\\n";
close(FH);
exec "fun.exe";
exit 0;
I'm surprised you can still use the web today without javascript... or at least you are missing a great part of it. I think the solution is to have a secure browser... nothing more.
I'm honestly not sure who I hold accountable for this. IE for arbitrarily saying that <script> is the same as <sc0x00ript>, or Anti-virus/malware/junk/whatever programs for not REALIZING that IE is going to treat it that way, thus they damn well better check that way.
If you're going to claim to detect stuff, know the system you're supposedly working with, and WORK. And if something doesn't look like the code you expect, DON'T EXECUTE IT. But no. Microsoft knows best. Shiny graphics and ease of use come first. Security... well.. we're all still waiting on that. Except for those of us who are smart enough to be keeping the HELL away from Microsoft as much as humanly possible anyway.
Every second wounds, the last one kills.
It's called MSTD: MicroSoft Terminal Disease. This has been known for years. It is an insecure browser/OS although the great unwashed have accepted the propaganda that it is not, that it is just as secure as Unix.
It's news. It really is, but how many times does the child need to say that the emperor has no clothes?
Consumer Reports came to this conclusion over a year ago. Here's some free synopsis of the controversial issue where they used virus kits to make variants of existing viruses to determine how good virus scanners are.
http://www.dvorak.org/blog/?p=6674
http://redtape.msnbc.com/2006/08/consumer_report.html
Anti-virus software actually used to work much better, but I think that the variants have grown to such a large number it's more difficult. The cynic in me says that the virus makers do simple fingerprint based updates simply because it requires you to keep your yearly subscription up to date.
I think they add almost no value, but on the other hand, people will happily run viruses if you tell them it's the latest picture of Brittany.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
I am not saying that the web browser shouldn't do any security checks at all. I'm saying that if I give the browser permission to access certain resources, and it is running a script that it is allowed to, it is not the browser's job to second guess me.
AVs or not, I think anyone still using IE deserves malware nowadays. I have a techno-illiterate family that would come to me with 'my computer is borked, help please' every week or so. Invariably, the problem would stem from some bloody IE. After I switched them all to Firefox (with Adblock), that all came to a blissful end. Sticking to IE after all these years is, in my opinion, an unforgivable offence.
I use NoScript in Firefox.
If a page doesn't render properly I temporarily allow script on that page (just two mouse clicks).
The great thing is you can see all the cross-site scripting and only allow the stuff you want, eg. you can allow scripts from slashdot.org without allowing the scripts from doubleclick.net which are embedded in every slashdot page.
No sig today...
The Death of 3rd Party Security Vultures and Such! McAfee Inc., Trend Micro Inc., CA Inc. and especially Symantec, ... say goodnight! We are about to announce MS ForeFront 2.0!
Let me make it clear that while I have tolerated these "anti-virus" vendors for years, something about their very existence has not set very well with me. I mean, having a bunch of multi-million dollar companies that depend solely on there being bugs, leaks, holes, exploitables, mistakes, oversights and problems in Windows doesn't speak very well of Microsoft. They are like carrion, buzzards, jackals, ... protecting a rotten carcass from other smaller vermin. They always argue, "But, Bu-bu-but you need us!", maybe that was true in the past, but no longer!
VISTA IS BULLETPROOF!
None of these quacks' bags of tricks are any longer necessary!
Between WGA and Forefront the OS and Genuine MS apps are totally impervious to attack! They are so secure that many times even the registered owners have trouble gaining access to the computer! So then how could any hacker?
These vultures will kick, choke and whine as the user-base realizes this truth, but I say good riddance, your success reflected badly on us anyway.
http://fakesteveballmer.blogspot.com
This kind of thing is going to be an issue with all signature based AV detection. Changing a few bytes that won't alter the execution of the script/binary will change the signature the AV sees.
In this case it might be fairly easy to program the AVs engine to ignore null bytes in HTML, but how hard would it be to make other minor changes to the code that don't alter the execution but do change the signature. This kind of scanning will only ever catch copy/paste type exploits.
The AV simply doesn't know what bytes are significant, probably inserting a few NOPs or at most recompiling with minor code changes will slip most viri/trojans past signature based scanners, and I don't see how it could really be otherwise without making AV software orders of magnitude more complex and resource hungry than it already is.
You can blame the AV companies, but there's a limit to how effective signature based AVs can be, and using detection based on behavior generally requires the user to know something about what the hell their PC is actually supposed to be doing in the first place, which would make it useless for precisely the users who most need AV protection.
As I'm sure many have said before AV software is a sticking plaster over a gaping wound, if your browser decides to execute untrusted code from the internet with full privileges no amount of AV software out there will save you from getting owned.
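The failure this comment and the summary at the top describe (a lenient parser drops NUL bytes, so a scanner that matches raw bytes never sees the pattern the parser executes) as an added Python example; it is not from the original thread or from Didier Stevens' write-up. The signatures and samples are constructed for the example, and canonicalize() is a model of the parser's behaviour, not a real AV engine.

```python
"""Toy signature scanner: raw byte matching versus matching after
canonicalising input the way a lenient parser does (NUL bytes dropped).
Signatures and samples are constructed; they are not real AV patterns
or real malware."""
from dataclasses import dataclass, field

# Hypothetical signatures: short byte patterns a naive scanner looks for.
SIGNATURES = {
    "script-tag": b"<script>",
    "js-eval": b"eval(",
}

# Constructed sample that every signature above matches as written.
PLAIN = b'<script>eval("1")</script>'


def interleave_nuls(fragment: bytes, run: int) -> bytes:
    """Test-fixture builder: put `run` NUL bytes between adjacent bytes."""
    return (b"\x00" * run).join(bytes([b]) for b in fragment)


# One NUL between characters, and a long run (the "255+ nulls" case
# joked about elsewhere in the thread).
NUL_ONE = interleave_nuls(PLAIN, 1)
NUL_LONG = interleave_nuls(PLAIN, 300)


@dataclass
class Verdict:
    raw_hits: list = field(default_factory=list)        # matched as-is
    canonical_hits: list = field(default_factory=list)  # matched after NUL removal
    nuls_stripped: int = 0                              # how much padding was present

    @property
    def evasion(self) -> bool:
        """True when only the canonical pass fires: padding hid the pattern."""
        return bool(self.canonical_hits) and not self.raw_hits


def canonicalize(data: bytes) -> bytes:
    """Model of the lenient parser: NUL bytes are simply ignored."""
    return data.replace(b"\x00", b"")


def scan(data: bytes) -> Verdict:
    """Run every signature over the raw bytes and over the canonical form."""
    canonical = canonicalize(data)
    return Verdict(
        raw_hits=[name for name, sig in SIGNATURES.items() if sig in data],
        canonical_hits=[name for name, sig in SIGNATURES.items() if sig in canonical],
        nuls_stripped=len(data) - len(canonical),
    )


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("one NUL", NUL_ONE), ("300 NULs", NUL_LONG)):
        v = scan(sample)
        print(f"{label:9s} raw={v.raw_hits} canonical={v.canonical_hits} "
              f"stripped={v.nuls_stripped} evasion={v.evasion}")
```

Canonicalisation only closes the gap for transformations the scanner knows the consumer ignores, which is the comment's point: a different semantics-preserving edit needs a different rule, and a high NUL count inside text is itself worth flagging.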
Can we not (we being the non-MS using, slightly knowledgeable IT crowd) start some sort of *nix Certificate Services? If everyone on the Net used IPSec, with certificates as authentication (preferably that weren't compatible with Windows), we could have a "secure" net, and a non-secure one. FreeSWAN with their try-and-look-up-keys-in-DNS or something.
My machine will talk to your machine, only if you've got one of these certificates.
Get your own free personal location tracker
Seriously I use A/V but I don't think I need it. Using Group Policy, add-on management and also attachment manager. Lastly run your user as a USER. Reducing executable ground in the first place instead of relying on one package for security has always been maximizing your current tool set. Stop discarding the gpmc for windows because it is one of the few great tools out there for the blind windows environment user and for home users well gpedit.msc and lock it down. God you can set up white lists and black lists of apps, stop the damn 16 bit apps from running. Since IE and windows are so heavily integrated it is apparent you lock down both not just one or the other. I have run into a few small companies that lock IE down without any thought to the OS with its many vulnerabilities and then it goes the exact other way. Let them lock the OS down but let them install any ActiveX object they want and download any executable to their computer through IE or Firefox. Sorry my rant is not to use windows but if you are, at least secure it as much as you can :)
Why can't the AV find the malware? I can find it WITHOUT AV! *points to the big blue "E"*
Come on, an antivirus is a piece of software just to fix the poor security of Windows.
If Windows was properly coded, an antivirus should be completely useless !
Microsoft is at fault here, and has to improve the security of its products.
There are so many implications herein and many of you have already picked up on them:
- Microsoft should not endow bad HTML with processing
- AV software should use the same bad techniques that browsers use to evaluate code
- A large mass of web content was developed by amateurs who published broken code
Doesn't it seem we are chasing after the wind here? Bad code leads to worse code leads to unmanageable chaos. Why are we still looking at this from a denial standpoint? Winblows' major flaw is its security stance, "Everything is permitted except that which is expressly denied". No other system ever developed on the planet is such a whore. The correct stance is, "Everything is DENIED except that which is expressly allowed - and I don't trust 'you'".
Personally I think browsers should NOT be forgiving. Why should something so broke as to violate the language syntax work in any way? Why leave room in our 'allow' statements for someone with a brain to get by our defenses? Why should we continue to support amateur developers, amateurish code and web development shops populated with high school dropouts who've taken a class at the community college?
Why is this industry the only one wherein someone without merit can enter unfettered into the marketplace, and publish? Why don't we have more respect for our own industry than that?
We need a guild.
Dennis Dumont
http://en.wikipedia.org/wiki/Buffer_overflow for some information on buffer overflows. Note, this is only one way a system can be exploited.
ERROR: SIG NOT FOUND (A)bort, (R)etry, (F)ail?:
I over-simplified, but the point remains. Arbitrary code execution flaws are common, and they happen because the handling program dropped the ball when it was served some unexpected input. Writing something to the execution stack, overwriting a system library, all kinds of crap. I've been working with this crap since the early '90s, and I've seen some crazy crap. Most of the time, it's just social engineering. "Download this cool widget, install this patch, blah blah blah."
In order for you to have a secure system, you can't have programming errors in simple programs allowing exploits that effect the entire system. You have got to sandbox those programs, and restrict what they're allowed to do.
http://xkcd.com/327/
Culture of incompetence. Now that's a sweet turn of phrase.
I'd compare virus writers to herpes instead. Someone has to get screwed to get it.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
No, I haven't the slightest clue what I'm talking about.
Property is theft.
too bad that doesn't exactly compile an EXE. maybe if you did that to a BAT file and used a working BAT2EXE converter? :D
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com
Yay! I can hack no@(&$*&@%$*&%$*&@CARRIER LOST
If you can read this, I forgot to post anonymously.
How so?
Scott
©20014 angrykeyboarder & Elmer Fudd. All Wights Wesewved
Del /p ? Are you just trying to be annoying and prompt for every file to delete.
That's because Norton works by being the mother of all viruses. It works by making your system appear infected even when it isn't. In this way, when the user encounters an actual wild virus, they are already used to the endless barrage of popups, random disk accesses and inexplicable system slowdowns. Thus, a virus has little effect on a Norton infected computer, and the user merrily plows away on their minesweeper highscore while the botnet bolsters third world economies. A win-win situation!
I don't think you know how computers work.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Seriously, sometimes I wonder what people do to get so 'infected'. Aside from tracking cookies, neither Kaspersky, AdAware nor Spybot S&D has reported any infection in about 8 years (it was of course not always those products). 'Shitlist' email from people you don't know, don't open attachments, don't go to shady sites, get behind a NAT and/or run a decent firewall, and you're pretty safe.
At least I know what a metaphor is.
Seriously. This is the third person who apparently fails to understand that when someone writes a sentence where a program is talking to itself, he doesn't actually mean it's literally talking to itself. How do you people talk to non-geeks?
TEH OMG!! You mean an anti-VIRUS does not detect SPYWARE? TEH OMGWTFIMGONNAHAVEAHEARTATTACK!!! Next thing you know, someone is going to tell me MS Word doesn't check my email, and MS Access doesn't change my motor oil, and that Internet Explorer will not wash my dishes.
You only need ONE program to protect you from Spyware: it's called SpywareBlaster. It BLOCKS spyware, works for both IE and Firefox, and is free. However, free means you need to update manually... but for only $10 a year you can both support the product and activate their auto-update feature.
I've been using SpywareBlaster for about five years, and can count the number of actual spyware I've had to clean off on one hand. It's far better to not even GET spyware than it is to clean it off after the fact.
MSIE *AND* so-called "AntiVirus" products *are* malware themselves. Obviously the 'it takes one to know one' argument just lost some validity.
I've seen malware get into IE on computers with many different brands of anti virus software, I would say this is old news. What's most worrying is that there are plenty of USB disk viruses that exploit autorun that also seem to beat these anti virus software. I've seen AVG, Kaspersky, McAfee, Norton and Panda failing to detect a worm that has infected my brother's windows partition thrice (I have to clean it myself which takes time) (The other anti virus software I have not tested yet)
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Instead of null bytes, one can use dummy statements such as "x = x;" and "while(0) x = x + 1;". Static analysis is just too weak to detect malware. I think sandboxing or other access control methods are much better.
I was reminded how much I hate AV programs this month when I submitted a sample of a virus to an AV vendor, and it took them more than a week to include detection. It was a virus built off another that was in the wild for more than a month. And they still don't detect the Autorun.inf that the virus creates. I sent that file in the sample submission!
Saskboy's blog is good. 9 out of 10 dentists agree.
Why don't you just use a text browser? I mean, you are disabling every web innovation since like 1995. If you want lean, go lean. Why take a rambling piece of garbage like Nutscrape 4x and strip it?
Me thinks you are a bit paranoid. I use Firefox on an XP box (when I am not using Firefox on Ubuntu) and I have NEVER had a problem. Ever. Really. I look at images AND allow javascript. And, brace yourself -- allow XMLHTTPRequest calls. It's really not a big deal. No problems. None.
If you're still that paranoid, for what it's worth, I use lynx to test my sites and it's pretty good if that's what you're into. Meanwhile, I can hook you up with a good tinfoil haberdashery.
blah blah blah
No antivirus will ever catch all the "MSIE malware", because in order to do so, you'd have to catch MSIE itself, which is malware.
And if an antivirus suggested to remove (or break, because it's a "part of the operating system") MSIE, Microsoft would declare war on them -- an API war, if you know what I mean. (And we all know the American justice or so-called justice is not going to do anything against Microsoft, regardless of the law.)
I was about to say 13256278887989457651018865901401704640, but it appears this number is private property.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Does it matter what they can or can't catch when we know it's a simple matter for a malware maker to pay them off or threaten them with DMCA or other lawsuits? The fact that antivirus companies intentionally overlook dangerous and harmful malware/viruses is enough to justify the need for open, honest computer security products. I'm delighted for the work of projects such as clamwin AV for just this reason.
The business world and MS are extremely LUCKY that we have yet to see a skilled and truly malicious virus writer out there, but their luck could run out at any time.
Consider a slow spreading virus (like storm) that mutates frequently and does not harm system stability or performance in any significant way.
Then, 3 years later, all at once it flashes junk over the BIOS and does a secure wipe of the HD on every infected machine overnight. Even worse, perhaps it starts flipping bits on tape backups a week or two in advance. When we wake up in the morning, many million PCs have just gone away. Consider if a bank or major retail chain wakes up to find they don't have a working PC or a scrap of uncorrupted data to their names. Now imagine a significant percentage of all businesses wake to that on the same morning.
For all we know, storm has a dead hand like system in place now just in case an arrest actually takes place.
Consider also, all the millions of machines that are completely dependent on the security of Microsoft's update servers. I'm sure MS puts a great deal of effort into security on those machines, but is the level of security adequate to protecting the economies of the free world? I doubt it. [talking head mode]It may already have been distributed[/talking head mode]. It wouldn't be the first time a virus (accidentally) shipped on a commercial install disk.
I freely admit that the latter is a bit of doom and gloom, but it's at LEAST as likely as a binary explosive on a plane and far more destructive but gets nowhere near the same level of attention from DHS.
You have got to sandbox those programs, and restrict what they're allowed to do.
And this has what to do with ignoring null bytes in a script? Nothing.
IE Rox my Sox!!!
Irrelevant. You're thinking like an antivirus designer, and that's just prolonging the problem.
Null bytes are just one method of slipping in bad input...one of many. Why try and stop that problem? They'll just switch to a new method, and you'll be in the same situation.
Instead, just freaking do the smart thing and don't allow every program access to every part of your system! Keep the programs libraries and executables locked down, quarantine any addons, and for god's sake, don't allow any script write access!
If you control the access, then these problems become dramatically easier to deal with.
You're thinking like an antivirus designer...
Please stop that. You are being insulting. Not to mention misunderstanding what I have said in each of my comments.
Yet another reason to use something other than IE. And I believe AV authors don't go to the trouble to scan Null code because they want to keep their product streamlined and focus on the headline grabbing stuff. And maybe they don't want to get involved in other companies' programs, bringing to their attention the fact that they have errors.
Doug Woodall