Slashdot Mirror


AntiVirus Products Fail to Find Simple IE Malware

SkiifGeek writes "Didier Stevens recently took a closer look at some Internet Explorer malware that he had uncovered and found that most antivirus products that it was tested against failed to identify the malware through one of the most basic and straightforward obfuscation techniques — the null-byte. With enough null-bytes between each character of code, it is possible to fool all antivirus products (though additional software will trap it), yet Internet Explorer was quite happy to render the code. Whose responsibility is it to fix this behavior? Both the antivirus / anti-malware companies and Microsoft's IE team have something to answer for."
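The evasion the summary describes, and the normalization a scanner needs to defeat it, as an added Python example (not from Didier Stevens' write-up or any AV product). The marker string and the HTML page are constructed fixtures, not real signatures or real malware; the UTF-16 branch is an assumption about one legitimate source of NUL bytes in web content that a naive "strip all NULs" rule would otherwise misflag.

```python
# Constructed fixtures: a marker string standing in for a scanner signature and
# a page that contains it.  Neither is a real signature nor real malware.
SIGNATURE = b'document.write("CONSTRUCTED_MARKER")'
CLEAN_PAGE = b"<html><script>" + SIGNATURE + b"</script></html>"

def interleave_nul(data: bytes, count: int = 1) -> bytes:
    """Test fixture builder mirroring the summary: `count` NUL bytes after every
    byte of the content.  Used only to exercise the scanner below."""
    return b"".join(bytes([b]) + b"\x00" * count for b in data)

def naive_match(data: bytes, signature: bytes) -> bool:
    """Byte-exact substring signature, the check the summary says was defeated."""
    return signature in data

def decode_if_utf16(data: bytes):
    """UTF-16 HTML legitimately has a NUL in roughly every other byte; decode it
    rather than mistake those NULs for obfuscation.  None if no UTF-16 BOM."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace").encode("utf-8")
    return None

def normalize_for_scan(data: bytes) -> bytes:
    """Reduce content to what a tolerant renderer effectively sees: decode
    UTF-16 when marked, otherwise drop stray NUL bytes before matching."""
    decoded = decode_if_utf16(data)
    return decoded if decoded is not None else data.replace(b"\x00", b"")

def nul_ratio(data: bytes) -> float:
    """Share of NUL bytes in the content (0.0 for empty input)."""
    return data.count(b"\x00") / len(data) if data else 0.0

def scan(data: bytes, signatures) -> dict:
    """Signature verdict on normalized content plus an anomaly flag: any NUL in
    text/HTML that is not UTF-16 has no legitimate purpose and merits a look."""
    normalized = normalize_for_scan(data)
    return {
        "signature_hit": any(sig in normalized for sig in signatures),
        "nul_anomaly": decode_if_utf16(data) is None and nul_ratio(data) > 0.0,
        "nul_ratio": round(nul_ratio(data), 3),
    }

if __name__ == "__main__":
    obfuscated = interleave_nul(CLEAN_PAGE, 3)
    print("naive match on clean page:", naive_match(CLEAN_PAGE, SIGNATURE))
    print("naive match on NUL-padded page:", naive_match(obfuscated, SIGNATURE))
    print("normalizing scan on NUL-padded page:", scan(obfuscated, [SIGNATURE]))
```

The NUL-density flag is the cheap first-pass check: it fires on the padded page without needing any signature at all, while the UTF-16 page, which has a similar NUL ratio, passes once decoded.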

12 of 190 comments

  1. Re:As much as I hate Microsoft... by SatanicPuppy · Score: 5, Insightful

    Better error handling means, when you get an error, it fails intelligently, without destabilizing the application, and passes a more informative error message. It doesn't mean the application should try and read the coder's mind.

    The code should damn well work, or not run at all.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  2. AntiViruses aren't designed to catch malware by SamP2 · Score: 3, Insightful

    Sure, AVs operate on a practically outdated concept of finding "true" viruses, trojans, etc. Sure, you may use that as a good premise saying that AVs are either inadequate or outright useless.

    If the program does crap but it secretly said in the EULA it'd do crap and you were too dumb to notice, AVs are not going to stop it.

    If the program is a resource hog, or spies on you in ways you'd never want but which nonetheless are not illegal by law, AVs won't stop it.

    If the program serves you so many ads your dual-core behaves like a 486DX, AVs damn well aren't going to stop it, or they'll get sued by the owner of said program.

    AVs are only designed to, and will only attempt to fight, programs that fall into clear-cut and outright illegal definitions (wipes your disk data, installs a backdoor to your root, uses your computer as a bot in a zombie network, etc).

    If you want to fight stuff like adware, spyware, slowware, and other crapware that does not fall under the fairly strict definition of outright malignant viruses/trojans, get something like AdAware or SpyBot or something else. AVs won't do the trick.

  3. Re:Obvious by SatanicPuppy · Score: 5, Insightful

    They've got you brainwashed. The first line of defense is the program that's executing the code; it should "know" better than to just run everything that comes along. The second line of defense is the operating system: it should "know" what resources the original program is allowed to access, and limit it to those resources, and shut it the hell down if it starts trying to break out of its sandbox.

    Malware detection and elimination programs are the last line of defense. At this point you've already taken it as a given that your applications and operating system are too stupid not to completely trash themselves, so a third party has to step in and protect the system. And in this situation, they're too stupid. It's a whole culture of incompetence, topped off by ignorant users.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  4. Re:As much as I hate Microsoft... by moderatorrater · Score: 2, Insightful

    The web was once the realm of amateurs and enthusiasts who weren't coders. Failing gracefully by trying to read the coder's mind was one of the big reasons that IE gained market share in the first place.

  5. Re:Obvious by SatanicPuppy · Score: 3, Insightful

    What you're saying there is, "I don't want my web browser to do anything other than run anything that could possibly be interpreted as code without asking me or applying any logic." That's a pretty big deal.

    We get all these deals with malformed images, etc, where the browser interprets code embedded in an image... That means its handler routine went, "Okie dokie, rendering an image... okay this image is really code, what the hell, let's just execute the code." W. T. F? That should never happen. It should absolutely refuse to interpret anything that is called with an inappropriate handler. That's just a no brainer.

    There will always be a way to obfuscate code to make it look like something else for long enough to get it in the door. You can stop this by refusing to handle things that aren't what they appear to be, and then allowing fine-grained controls on things that are what they appear to be.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  6. Disabling Script? by JcMorin · Score: 5, Insightful

    I'm surprised you can still use the web today without JavaScript... or at least you are missing a great part of it. I think the solution is to have a secure browser... nothing more.

  7. Re:Regex by Opportunist · Score: 2, Insightful

    They have. Do you have a RegEx implementation that doesn't make the machine grind to a halt while allocating a ton of ram? Especially when said RegEx machinery is supposed to do it with EVERY SINGLE file you touch?

    If you do, we're hiring.

    Seriously, do you really think this is due to simple neglect? AV tools have to be a lot of things, and one of them is tiny and fast. Else users will get angry. You can't simply use 500 megs of ram or take 10 seconds to scan a file. And yes, just a regex implementation won't swallow 500 megs. But it doesn't end there. You have a ton of other things to do, run a decryption machine, run an unpacker, do a pattern match, calculate a checksum, some even emulate the file if it's executable. And all that has to happen in no ram and no time. And you should on the side be able to detect what kind of beast you're currently parsing, so you handle it correctly.

    In a normal tool, using a few hundred megs is no big thing. You'll be done sooner or later and the user actually wants what you're doing, because he starts the program and is aware that something like this will most likely happen. An AV tool should be most of all (at least in the mind of many users) invisible and not interfere with their normal operations.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:Browsers are far too forgiving by Dracos · Score: 4, Insightful

    There is valid and invalid HTML, there is no "acceptable" gray area.

    IMO, browser tolerance for bad HTML is part of what got us into this mess. IE takes this to an unnecessary extreme. As a consequence, many de[velop|sign]ers failed to actually learn HTML (properly, if at all), and think XHTML is hard because it has rules.

    Give Adobe a little break, they've only owned Macromedia for a couple years. It's Macromedia's fault for producing what competent developers know is a shoddy tool.

    If language compilers, databases, or any other critical software were as forgiving as browsers are, the IT industry would be a shadow of what it is.

  9. Where to begin by DFDumont · Score: 2, Insightful

    There are so many implications herein and many of you have already picked up on them:
    - Microsoft should not endow bad HTML with processing
    - AV software should use the same bad techniques that browsers use to evaluate code
    - A large mass of web content was developed by amateurs who published broken code

    Doesn't it seem we are chasing after the wind here? Bad code leads to worse code leads to unmanageable chaos. Why are we still looking at this from a denial standpoint? Winblows' major flaw is its security stance, "Everything is permitted except that which is expressly denied". No other system ever developed on the planet is such a whore. The correct stance is, "Everything is DENIED except that which is expressly allowed - and I don't trust 'you'".

    Personally I think browsers should NOT be forgiving. Why should something so broken as to violate the language syntax work in any way? Why leave room in our 'allow' statements for someone with a brain to get by our defenses? Why should we continue to support amateur developers, amateurish code and web development shops populated with high school dropouts who've taken a class at the community college?

    Why is this industry the only one wherein someone without merit can enter unfettered into the marketplace, and publish? Why don't we have more respect for our own industry than that?

    We need a guild.

    Dennis Dumont

  10. Re:Halting Problem by cant_get_a_good_nick · Score: 2, Insightful

    > Anti-virus software's main purpose, it would appear, is not to detect novel threats, but to limit the proliferation of established threats. And for it to perform this task, it needs to be continually updated with new virus definitions.

    Somewhat. It also does some heuristics to predict certain things. These are always going to be hard; you're essentially trying to find out what abnormal is on a machine that is worth most when it is most flexible and has no hard definition of normal. Apps change, and with it, what's normal changes. If I'm an OS, how do I determine if the info that this app is sending is my pic for an IM, or secret data to an identity thief?

    > However, if every virus infection necessarily requires the exploiting of a security vulnerability... then it would seem that all the effort in designing and implementing a "virus signature update" system would be better spent designing and implementing a "uniform software update" system, so that the number of vulnerabilities on a computer is always as low as humanly possible.

    This is more complex than you make it out to be. There are several fronts to attack. You can fix bugs in software so software that exploits bugs can't work. You can make design changes in software to minimize attacks. Remember, Outlook viruses are doing EXACTLY what Microsoft programmed Outlook to do: run attachments when you double-clicked on them, and the app associated happened to be able to do anything to your system, including send mail. If someone made a Linux mail app that did '/bin/bash file.sh' whenever someone clicked on file.sh, it would be doing exactly what you asked for, but also destroying system security. Phishing scams do what the software was intended to do.

    > I think most readers will recognize that this is precisely what Linux does: considerable effort is put into having a uniform package manager,

    It's not uniform; there are several package managers, and several front ends on top of that. Even if we all used RPM or apt or whatever, layout differences and config file differences will mean that there is not one central repository; each distro still needs their own customizations.

    > so that software all gets updated routinely and uniformly (rather than expecting the user to separately update each of hundreds of apps with possible vulnerabilities).

    I think you conflate two points here. Having one repository for apps is more of a distro thing; it depends on how much third party stuff you install. My Fedora install, for example, has several repos, not one single one. A single repo also promotes a software monoculture, which can have negative effects on security.

    The other way you can update several apps is when they share a common base library. This helps in that you update several apps when you update the lib, but has a downside that several apps, maybe each with different attack vectors, are vulnerable until you do.

    > Rather than spend time worrying about getting the latest virus signature in the database, the coders worry about having all the code in the trusted repository being as bug-free as possible.

    Again, security is not just the absence of exploitable bugs, it's proper design as well. Microsoft products have a long history of being exploitable when working as designed. There really needs to be a new security model created. Remember that Windows and UNIX both have had networking bolted on well after the initial design. UNIX spread well because it was a simple model, and therefore easy to port. This simplicity has some downsides when the simple model is easily exploitable. Windows has been designed to be "easy to use", but some design decisions are horrible when measured against their security implications.

  11. Re:Duh. by edxwelch · Score: 3, Insightful

    > It's a bitchy language for newbies, because it's unforgiving of the most meek typos.

    Pity the newbies can't see that it's better to have compile errors rather than run time errors. Scripting languages appear easier, but try writing a big application with them and you'll see the real value of strict rules.

  12. How DOES one become infected? by SirJorgelOfBorgel · Score: 2, Insightful

    Seriously, sometimes I wonder what people do to get so 'infected'. Aside from tracking cookies, neither Kaspersky, AdAware nor Spybot S&D has reported any infection in about 8 years (it was of course not always those products). 'Shitlist' email from people you don't know, don't open attachments, don't go to shady sites, get behind a NAT and/or run a decent firewall, and you're pretty safe.