Slashdot Mirror


AntiVirus Products Fail to Find Simple IE Malware

SkiifGeek writes "Didier Stevens recently took a closer look at some Internet Explorer malware that he had uncovered and found that most antivirus products that it was tested against failed to identify the malware through one of the most basic and straight forward obfuscation techniques — the null-byte. With enough null-bytes between each character of code, it is possible to fool all antivirus products (though additional software will trap it), yet Internet Explorer was quite happy to render the code. Whose responsibility is it to fix this behavior? Both the antivirus / anti-malware companies and Microsoft's IE team have something to answer for."

10 of 190 comments

  1. Wouldn't the anti-virus... by Anonymous Coward · · Score: 3, Funny

    simply remove IE?
    I mean... that's the definition of malware.

    1. Re:Wouldn't the anti-virus... by Pharmboy · · Score: 4, Funny

      And ironically, you can't really remove IE, since it is "Part of the Operating System (tm)". You can only make it somewhat invisible, which, of course, is the second part of the definition of malware.

      --
      Tequila: It's not just for breakfast anymore!
  2. I can't find any MSIE malware, either . . . by Seumas · · Score: 1, Funny

    I've searched my debian install, my slackware install and my OSX install and I simply can't find the MSIE malware, either. Damn.

  3. Even Slashdot's lameness filter doesn't catch it by Pharmboy · · Score: 5, Funny

    0x00
    0x00
    0x00
    del /p /s c:\
    0x00
    0x00
    0x00

    Look at me, I'm a virus writer! w00+!

    But seriously, is this really that hard of a problem to fix? AV can't ignore 0x00 when scanning and just read the actual code for what it is?

    --
    Tequila: It's not just for breakfast anymore!
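The question in the comment above (why a scanner can't just ignore 0x00 and read the code) and the summary's description of null bytes interleaved between every character are illustrated by the following added example. It is not code from the original story, from Didier Stevens, or from any antivirus vendor; the function names, the harmless constructed marker string that stands in for a script body, and the density threshold are all assumptions made here. It shows a byte-for-byte signature match failing on the interleaved input, the same match succeeding once NUL bytes are stripped before matching, and a cheap anomaly check (NUL density) that flags the input even without a signature.

```python
"""Null-byte interleaving versus signature scanning (added example, not from the page)."""

# Constructed, harmless stand-in for a "malicious" script body; only used as a signature.
SIGNATURE = b"document.write('constructed-marker')"


def interleave_nulls(payload: bytes, nulls_per_char: int = 1) -> bytes:
    """Reproduce the obfuscation the summary describes (NUL bytes between each
    byte of the script) so the detector below can be tested against it."""
    gap = b"\x00" * nulls_per_char
    return gap.join(bytes([c]) for c in payload)


def naive_scan(data: bytes, signature: bytes) -> bool:
    """Exact substring match on the raw bytes, as a scanner without any
    normalization would do. This is the check the article says most products used."""
    return signature in data


def normalize(data: bytes) -> bytes:
    """Strip NUL bytes before matching. A production engine would mimic the
    target parser's lenient decoding more broadly; removing NULs is the single
    step this discussion is about."""
    return data.replace(b"\x00", b"")


def normalized_scan(data: bytes, signature: bytes) -> bool:
    """Signature match after normalization, i.e. 'read the code for what it is'."""
    return signature in normalize(data)


def null_density(data: bytes) -> float:
    """Fraction of NUL bytes in the input. HTML and script text legitimately
    contain none, so a high value is an anomaly worth flagging on its own,
    independent of any signature (threshold choice is an assumption)."""
    return data.count(0) / len(data) if data else 0.0


def scan_report(data: bytes, signature: bytes = SIGNATURE, density_threshold: float = 0.5) -> dict:
    """Run all three checks and return the verdicts for inspection or assertion."""
    return {
        "naive_match": naive_scan(data, signature),
        "normalized_match": normalized_scan(data, signature),
        "null_density": null_density(data),
        "null_anomaly": null_density(data) >= density_threshold,
    }


if __name__ == "__main__":
    clean = SIGNATURE
    obfuscated = interleave_nulls(SIGNATURE, nulls_per_char=3)
    for label, sample in (("clean", clean), ("interleaved", obfuscated)):
        print(label, scan_report(sample))
```

Running the block prints the three verdicts for the clean marker and for the interleaved copy: the naive match flips to False on the interleaved input, the normalized match stays True, and the NUL density jumps from 0 to roughly three quarters. The point for a defender is that the normalization has to run before matching, and that the density check is a useful second signal because it does not depend on knowing the payload in advance.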
  4. I'll tell you who is responsible... by Bayashi+Maru · · Score: 3, Funny

    It's the virus writers! Why can't they just help out now and again? I mean, is it that hard to remove the null bytes? Would it take them *that* long? Seriously guys - pitch in for once?

  5. Anyone foolish enough to reply to your comment... by Anonymous Coward · · Score: 1, Funny

    ...from a windows box will have their hard driveNO CARRIER

  6. Re:Even Slashdot's lameness filter doesn't catch i by Eberlin · · Score: 4, Funny

    Virus writers tend to lean towards spreading the viruses more than they lean towards causing major destruction to the "host". Think ebola vs. common cold here.

    That said, it seems my browser renders those nulls just fi [NO CARRIER]

  7. Re:As much as I hate Microsoft... by Pharmboy · · Score: 4, Funny

    The rest of the responsibility is entirely that of the anti-virus writers.

    Not true, as long as they are adhering to RFC 3514 then there won't be any issue. This is what we have standards for.

    --
    Tequila: It's not just for breakfast anymore!
  8. Sleepy by mqduck · · Score: 2, Funny

    With enough null-bytes

    Is that like how if you add up enough zeros you eventually get one?

    No, I haven't the slightest clue what I'm talking about.

    --
    Property is theft.
  9. Re:Disabling Script? by asg1 · · Score: 3, Funny

    Real men allocate their own memory.

    :D