Old Malware Tricks Still Defeat Most AV Scanners

SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well known obfuscation method and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."

Fir0x00st!

[fph+il+quozientatore]

Fir0x00st!

Re:Fir0x00st!

[Zencyde]

Strangely, the 0x00 exploit even works on Slashdot... you've somehow gotten a "first post" to +5 Funny. If that's not hacker-worthy, I don't know what is.

Padding with 0x00 bytes?

[glindsey]

So padding it with nothing makes it undetectable? I never thought of that!

Re:Padding with 0x00 bytes?

[floorpirate]

If someone ever figures out how to translate 0x00 bytes into something that can affect human senses, they'll have developed the Somebody Else's Problem field!

Re:Padding with 0x00 bytes?

[Zencyde]

Wow.. that analogy made sense. I propose Slashdot move from car analogies to Superman analogies. All in favor?

uh oh

[gEvil+(beta)]

At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant.

Don't give the guys in marketing any ideas. "New and Improved! FoobarAV now detects an infinite number of viruses! Compare that with Norton's piddly 30,000."

Re:uh oh

[sexconker]

Detects 70%* of viruses, 60%** of malware, 20% of trojans***, and 1% of rootkits****!

*Includes false positives
**Includes tracking cookies
***Any generic threat found is counted as a virus and a trojan
****Removal of rootkits is not supported in AV Total Security Home 2008 + Firewall. To remove rootkits, you must purchase the value-add Anti-Rootkit Pro module.

Re:uh oh

[zappepcs]

Pardon me young man. You do work here, don't you?

Well, yes, you can help me. I was just wondering if you can explain the differences between the Value-add Anti-Rootkit Pro module and the Value-add Anti-Rootkit Amateur module.

You see, my wife doesn't think I should be messing with anything for professionals, so I need to know the differences.

Re:uh oh

[jgtg32a]

Not so much anymore most virus's these days just want to leach your bandwidth and DOS someone else, there is less of a performance loss when compared to most AV software

IDW

This is the dirty secret of desktop / on-access antivirus scanners; they don't work.

F.D., I work in the industry, and the sole exception from this rule is my own employer's product, xxxxxxxxxxxx, of course.

Old Jedi Malware Tricks

[whitehatlurker]

These0x00are0x00not0x00the0x00softwares0x00you0x00are0x00scanning0x00for.

Re:Antivirus/Antispyware 2009

[kv9]

ultimately running any AV software is a joke if you know how to use your computer correctly and don't download goat pr0n and warez

I've been downloading goat pr0n and warez for years, and I'm OK. well, my computers are.

Virus scanners don't stop malware? really...

[crossmr]

That's like saying bug repellent is no good against tigers. News at 11!