Slashdot Mirror

← Back to Stories (view on slashdot.org)

AntiVirus Products Fail to Find Simple IE Malware

Posted by ScuttleMonkey on from the no-surprise-here dept.

SkiifGeek writes "Didier Stevens recently took a closer look at some Internet Explorer malware that he had uncovered and found that most antivirus products that it was tested against failed to identify the malware through one of the most basic and straight forward obfuscation techniques — the null-byte. With enough null-bytes between each character of code, it is possible to fool all antivirus products (though additional software will trap it), yet Internet Explorer was quite happy to render the code. Whose responsibility is it to fix this behavior? Both the antivirus / anti-malware companies and Microsoft's IE team have something to answer for."

6 of 190 comments (clear)

  1. It's 2005 again! by Arapahoe+Moe · · Score: 3, Informative

    http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0411.html

  2. Duh. by SatanicPuppy · · Score: 5, Informative

    It's microsofts responsibility. I've said it before, and I'll say it again, "Interpreting broken code is a security weakness." Yes it makes things easier for amateur developers(developers, developers) but it's a huge security problem to have a system in place that malware writers can be sure will interpret a piece of innocuous gibberish into a functioning piece of malware.

    Java is a good example of this. Java doesn't interpret crap. It is what it is, and it doesn't give a crap if it works or not. It's strongly typed, it's picky as hell about variable initialization...It's a bitchy language for newbies, because it's unforgiving of the most meek typos.

    I don't think java is the end all be all...It's certainly not friendly to develop in, and that's given scripting languages (hello php) a huge advantage in the marketplace...Much the same as with unix and microsoft, so it's not surprising to see them continuing down their path.

    But in the end, you've got to embrace some maturity and stop bottlefeeding your developers and make them fix their damn code when it doesn't conform to a normal standard.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  3. Re:Best AntiVirus Product out there by The+Iso · · Score: 2, Informative

    Why would you use a tinyurl for ubuntu.com? You look like a troll.

    --
    "You don't need a weatherman to know which way the wind blows." - Bob Dylan
  4. Browsers are far too forgiving by Animats · · Score: 5, Informative

    Browsers are incredibly forgiving of bad HTML. Worse, the definition of "acceptable HTML" is undocumented, both for IE and Firefox. We discovered this writing Sitetruth's parser. We started out with BeautifulSoup, which is supposed to be a "forgiving" HTML parser. By browser standards, it's not; we had to make some improvements. Here are some things that show up in real-world HTML:

    • Incorrectly terminated HTML comments These are so widespread that you have to handle them, or entire web pages are sucked into unterminated comments.
    • Unescaped spaces in URLs Spaces in URLs are supposed to be escaped, but there are A tags out there using URLs with spaces.
    • Unescaped CR/LF within a URLThis is rare, and invalid, but multiline URLs are out there. Usually in hostile code.
    • Unicode URLs I've seen a Unicode "Pi" symbol, unescaped, in a URL in a UTF8 document. This was on a phishing site, so it was probably there because it broke some security product.

    Part of the reason for the growth in bad HTML is that Adobe seems incapable of making a version of Dreamweaver that consistently generates correct HTML for anything later than HTML 3.2. (Create a moderately complex page in Dreamweaver 8 in HTML 4.x or XHTML mode, and run it through a validator. It will fail.) If the best tools can't get it right, why should anybody else?

    Since real world HTML parsing is ambiguous, and bad HTML is widespread, differences between browser parsers and other tools can be exploited as security holes.

  5. Re:As much as I hate Microsoft... by SatanicPuppy · · Score: 2, Informative

    Nope. You can get nailed with them too, occasionally...NoScript helps a lot. The problem with IE is ActiveX, and the fact that IE really is part of the operating system. Both Opera and FF are just programs, without really deep hooks into the OS, though they can still run code, and do damage...I seem to remember one of the FF "exploits" is that it will allow remote code to call IE as a handler in certain circumstances...Don't remember the details on that one, so don't quote me.

    Seeing a well designed ActiveX application does two things: One, it makes you say, "Wow, that's kinda cool..." and then it makes you say, "Jesus, I've got to turn this off!" It really does connect your browser to your OS...Use the new OWA app with IE with ActiveX allowed, and it'll hook right into your desktop and give you little popups whenever you get new mail.

    That kind of access to the system allows you to do some cool stuff, but it's not well secured, and it makes it possible for a click to a webpage to completely compromise your system.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  6. Re:Disabling Script? by PockyBum522 · · Score: 3, Informative

    I probably should've phrased that better. I don't use IE by default, thus, I disable scripting in an attempt to keep other programs from loading it up as an embedded/external browser (WiMP does this) and using it maliciously. Just a minor precaution. Also, take a look at NoScript https://addons.mozilla.org/en-US/firefox/addon/722 it disables all scripts by default but then allows you to whitelist/blacklist on a site by site basis. It's simple and works really well.

    --
    -- David