Slashdot Mirror
AntiVirus Products Fail to Find Simple IE Malware
SkiifGeek writes "Didier Stevens recently took a closer look at some Internet Explorer malware that he had uncovered and found that most antivirus products that it was tested against failed to identify the malware through one of the most basic and straight forward obfuscation techniques — the null-byte. With enough null-bytes between each character of code, it is possible to fool all antivirus products (though additional software will trap it), yet Internet Explorer was quite happy to render the code. Whose responsibility is it to fix this behavior? Both the antivirus / anti-malware companies and Microsoft's IE team have something to answer for."
http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0411.html
simply remove IE?
I mean... that's the definition of malware.
It's microsofts responsibility. I've said it before, and I'll say it again, "Interpreting broken code is a security weakness." Yes it makes things easier for amateur developers(developers, developers) but it's a huge security problem to have a system in place that malware writers can be sure will interpret a piece of innocuous gibberish into a functioning piece of malware.
Java is a good example of this. Java doesn't interpret crap. It is what it is, and it doesn't give a crap if it works or not. It's strongly typed, it's picky as hell about variable initialization...It's a bitchy language for newbies, because it's unforgiving of the most meek typos.
I don't think java is the end all be all...It's certainly not friendly to develop in, and that's given scripting languages (hello php) a huge advantage in the marketplace...Much the same as with unix and microsoft, so it's not surprising to see them continuing down their path.
But in the end, you've got to embrace some maturity and stop bottlefeeding your developers and make them fix their damn code when it doesn't conform to a normal standard.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Better error handling means, when you get an error, it fails intelligently, without destabilizing the application, and passes a more informative error message. It doesn't mean the application should try and read the coders mind.
The code should damn well work, or not run at all.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
0×00 /p /s c:\
0×00
0×00
del
0×00
0×00
0×00
Look at me, I'm a virus writer! w00+!
But seriously, is this really that hard of a problem to fix? AV can't ignore 0×00 when scanning and just read the actual code for what it is?
Tequila: It's not just for breakfast anymore!
Sure, AVs operate on a practically outdated concept of finding "true" viruses, trojans, etc. Sure, you may use that as a good premise saying that AVs are either inadequate or outright useless.
If the program does crap but it secretly said in the EULA it'd do crap and you were too dumb to notice, AVs are not going to stop it.
If the program is a resource hog, or spies on you in ways you'd never want but which nontheless are not illegal by law, AVs won't stop it.
If the program serves you so much ads your dual-core behaves like a 486DX, AVs damn well aren't going to stop it, or they'll get sued by the owner of said program.
AVs are only designed to, and will only attempt to fight, programs that fall into clearcut and outright illegal definitions (wipes your disk data, installs a backdoor to your root, uses your computer as a bot in a zombie network, etc).
If you want to fight stuff like adware, spyware, slowware, and other crapware that does not fall for the fairly strict definition of outright malignant viruses/trojans, get something like AdAware or SpyBot or something else. AVs won't do the trick.
The part Microsoft should answer for is having anything that can cause escalation of privileges and breakout from containment. Those are two big no-nos. The rest of the responsibility is entirely that of the anti-virus writers. If they cannot detect polymorphism as simple as adding no-ops, then how can they be relied upon to detect any polymorphic virus other than to have signatures for each and every single one of the forms the virus can take? (Which could, in principle, be damn-near infinite.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
They've got you brainwashed. The first line of defense is the program that's executing the code; it should "know" better than to just run everything that comes along. The second line of defense is the operating system: it should "know" what resources the original program is allowed to access, and limit it to those resources, and shut it the hell down if it starts trying to break out of it's sandbox.
Malware detection and elimination programs are the last line of defense. At this point you've already taken it as a given that your applications and operating system are too stupid not to completely trash themselves, so a third party has to step in and protect the system. And in this situation, they're too stupid. It's a whole culture of incompetence, topped off by ignorant users.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
His screenshot stops at F and is in alphabetical order. Did this guy forget to press "next" and see the remaining of the 32 that detected it? Or are only the antivirus programs with names that start with the first 7 or so characters able to catch this neat trick?
I think possibly the article is bogus or poorly researched.
It's my observation that people do not complain as much when they pay or at least appear to pay, for a piece of software such as Norton Anti-Virus on IE (comes with Windows). It could just be due to different demographics, but people seem to complain a lot more when the piece of software is freeware, or FOSS. So in this case, being Norton and Microsoft, I don't expect any complaints outside of 50% of Slashdotters.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Why would you use a tinyurl for ubuntu.com? You look like a troll.
"You don't need a weatherman to know which way the wind blows." - Bob Dylan
The web was once the realm of amateurs and enthusiasts who weren't coders. Failing gracefully by trying to read the coders mind were one of the big reasons that IE gained market share in the first place.
Haven't these AV people heard about Regular Expressions ?
Its the virus writers! Why can't they just help out now and again? I mean, is it that hard to remove the null bytes? Would it take them *that* long? Seriously guys - pitch in for once?
Virus writers tend to lean towards spreading the viruses more than they lean towards causing major destruction to the "host". Think ebola vs. common cold here.
That said, it seems my browser renders those nulls just fi [NO CARRIER]
What you're saying there is, "I don't want my web browser to do anything other than run anything that could possibly be interpreted as code without asking me or applying any logic." That's a pretty big deal.
We get all these deals with malformed images, etc, where the browser interprets code embedded in an image...That means it's handler routine went, "Okie dokie, rendering an image...okay this image is really code, what the hell, lets just execute the code." W. T. F? That should never happen. It should absolutely refuse to interpret anything that is called with an inappropriate handler. That's just a no brainer.
There will always be a way to obfuscate code to make it look like something else for long enough to get it in the door. You can stop this by refusing to handle things that aren't what they appear to be, and then allowing fine-grained controls on things that are what they appear to be.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Browsers are incredibly forgiving of bad HTML. Worse, the definition of "acceptable HTML" is undocumented, both for IE and Firefox. We discovered this writing Sitetruth's parser. We started out with BeautifulSoup, which is supposed to be a "forgiving" HTML parser. By browser standards, it's not; we had to make some improvements. Here are some things that show up in real-world HTML:
Part of the reason for the growth in bad HTML is that Adobe seems incapable of making a version of Dreamweaver that consistently generates correct HTML for anything later than HTML 3.2. (Create a moderately complex page in Dreamweaver 8 in HTML 4.x or XHTML mode, and run it through a validator. It will fail.) If the best tools can't get it right, why should anybody else?
Since real world HTML parsing is ambiguous, and bad HTML is widespread, differences between browser parsers and other tools can be exploited as security holes.
Cohen saw that one implication of this result is that virus detection is an endless arms race. Viruses are free to mutate into an infinite variety of functionally equivalent forms, whereas the process of establishing their equivalence is undecidable.
We've had this result in front of us for 20 years now. It has always seemed bizarre to me that so much of our focus should therefore be on this futile exercise of closing the barn door after the horse has gone. Surely it makes more sense to design systems based on accepted security principles which reduce the opportunity for infection and contain its effects.
Parity: What to do when the weekend comes.
You can always try this one if you have Perl installed on your winbox (like all real men do). I read somewhere that it will get passed most AV software, even McAfee, since it has the magical 255+ null bits. ;)
#!/usr/bin/perl -w
open (FH,">fun.exe");
for ($a=0;$a=256;$a++){
print FH "0×00\n";
}
print FH "del \/p \/s c:\\\n";
close(FH);
exec "fun.exe";
exit 0;
Tequila: It's not just for breakfast anymore!
I'm surprise to you can still use the web today without javascript... or at least you are missing a great part of it. I think the solution is to have secure browser... nothing more.
Nope. You can get nailed with them too, occasionally...NoScript helps a lot. The problem with IE is ActiveX, and the fact that IE really is part of the operating system. Both Opera and FF are just programs, without really deep hooks into the OS, though they can still run code, and do damage...I seem to remember one of the FF "exploits" is that it will allow remote code to call IE as a handler in certain circumstances...Don't remember the details on that one, so don't quote me.
Seeing a well designed ActiveX application does two things: One, it makes you say, "Wow, that's kinda cool..." and then it makes you say, "Jesus, I've got to turn this off!" It really does connect your browser to your OS...Use the new OWA app with IE with ActiveX allowed, and it'll hook right into your desktop and give you little popups whenever you get new mail.
That kind of access to the system allows you to do some cool stuff, but it's not well secured, and it makes it possible for a click to a webpage to completely compromise your system.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I'm honestly not sure who I hold accountable for this. IE for arbitrarily saying that <script> is the same as <sc0x00ript>, or Anti-virus/malware/junk/whatever programs for not REALIZING that IE is going to treat it that way, thus they damn well better check that way.
If you're going to claim to detect stuff, know the system you're supposedly working with, and WORK. and if something doesn't look like the code you expect, DON'T EXECUTE IT. but no. Microsoft knows best. Shiny graphics and easy of use comes first. Security... well.. we're all still waiting on that****except for those of us who are smart enough to be keeping the HELL away from Microsoft as much as humanly possible anyway.
Every second wounds, the last one kills.
The rest of the responsibility is entirely that of the anti-virus writers.
Not true, as long as they are adhering to RFC 3514 then there won't be any issue. This is what we have standards for.
Tequila: It's not just for breakfast anymore!
Consumer Reports came to this conclusion over a year ago. Here's some free synopsis of the the controversial issue where they used virus kits to make variants of existing viruses to determine how good virus scanners are.
http://www.dvorak.org/blog/?p=6674
http://redtape.msnbc.com/2006/08/consumer_report.html
Anti-virus software actually used to work much better, but I think that the variants have grown to such a large number it's more difficult. The cynic in me says that the virus makers do simple fingerprint based updates simply because it requires you to keep your yearly subscription up to date.
I think they add almost no value, but on the other hand, people will happily run viruses if you tell them it's the latest picture of Brittany.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
This kind of thing is going to be an issue with all signature based AV detection. Changing a few bytes that won't alter the execution of the script/binary will change the signature the AV sees.
In this case it might be fairly easy to program the AVs engine to ignore null bytes in HTML, but how hard would it be to make other minor changes to the code that don't alter the execution but do change the signature. This kind of scanning will only ever catch copy/paste type exploits.
The AV simply doesn't know what bytes are significant, probably inserting a few NOPs or at most recompiling with minor code changes will slip most viri/trojans past signature based scanners, and I don't see how it could really be otherwise without making AV software orders of magnitude more complex and resource hungry than it already is.
You can blame the AV companies, but there's a limit to how effective signature based AVs can be, and using detection based on behavior generally requires the user to know something about what the hell their PC is actually supposed to be doing in the first place, which would make it useless for precisely the users who most need AV protection.
As I'm sure many have said before AV software is a sticking plaster over a gaping wound, if your browser decides to execute untrusted code from the internet with full privileges no amount of AV software out there will save you from getting owned.
There are so many implications herein and many of you have already picked up on them:
- Microsoft should not endow bad HTML with processing
- AV software should use the same bad techniques that browsers use to evaluate code
- A large mass of web content was developed by amateurs who published broken code
Doesn't it seem we are chasing after the wind here? Bad code leads to worse code leads to unmanageable chaos. Why are we still looking at this from a denial standpoint. Winblows major flaw is its security stance, "Everything is permitted except that which is expressly denied". No other system every developed on the planet is such a whore. The correct stance is, "Everything is DENIED except that which is expressly allowed - and I don't trust 'you'".
Personally I think browsers should NOT be forgiving. Why should something so broke as to violate the language syntax work in any way? Why leave room in our 'allow' statements for someone with a brain to get by our defenses? Why should we continue to support amateur developers, amateurish code and web development shops populated with high school dropouts who've taken a class at the community college?
Why is this industry the only one wherein someone without merit can enter unfettered into the marketplace, and publish. Why don't we have more respect for our own industry then that?
We need a guild.
Dennis Dumont
No, I haven't the slightest clue what I'm talking about.
Property is theft.
Seriously, sometimes I wonder what people do to get so 'infected'. Aside from tracking cookies, neither Kaspersky, AdAware nor Spybot S&D has reported any infection in about 8 years (it was ofcourse not always those products). 'Shitlist' email from people you don't know, don't open attachments, don't go to shady sites, get behind a NAT and/or run a decent firewall, and you're pretty safe.