Old Malware Tricks Still Defeat Most AV Scanners
SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature-based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well-known obfuscation method, and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."
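The story above is about a byte-exact signature failing once 0x00 bytes are interleaved into a sample. The following is an added example, not code from the story, from Didier Stevens or from any AV vendor: it pads a constructed, harmless HTML snippet (the marker string "TEST-MARKER" stands in for the real sample) with NUL bytes and runs three detections over it. The naive check looks for the signature as a contiguous byte string and misses the padded file; the other two either strip NULs before matching or use a regex that tolerates NUL runs between signature bytes. That the browser's own parser skips the NULs is taken from the story, not verified here.

```python
"""
Added example: why NUL-padding defeats a byte-exact signature, and two cheap
ways a scanner can still catch it. Sample data is constructed and harmless.
"""
import re

# Constructed sample standing in for the IE sample in the story.
SAMPLE = b"<html><script>document.write('TEST-MARKER');</script></html>"
# The byte string a naive signature would look for.
SIGNATURE = b"TEST-MARKER"


def pad_with_nulls(data: bytes, every: int = 1, count: int = 1) -> bytes:
    """Insert `count` 0x00 bytes after every `every` bytes of `data`.

    This mimics the obfuscation in the story: the file still renders the same
    in a parser that ignores NULs (assumption taken from the story), but the
    signature no longer appears as a contiguous run of bytes.
    """
    out = bytearray()
    for i, b in enumerate(data, 1):
        out.append(b)
        if i % every == 0:
            out.extend(b"\x00" * count)
    return bytes(out)


def naive_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Byte-exact substring match: the weakest form of signature detection."""
    return sig in data


def normalised_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Strip every NUL byte first, then match. Cheap, and defeats this padding
    regardless of how many NULs were inserted or where."""
    return sig in data.replace(b"\x00", b"")


def tolerant_regex(sig: bytes) -> "re.Pattern[bytes]":
    """Build a regex allowing any run of NULs (including none) between the
    bytes of `sig`, so the original file is matched without rewriting it."""
    return re.compile(b"\x00*".join(re.escape(bytes([c])) for c in sig))


def regex_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    return tolerant_regex(sig).search(data) is not None


def scan(data: bytes) -> dict:
    """Run all three detections and report which ones fire."""
    return {
        "naive": naive_match(data),
        "normalised": normalised_match(data),
        "regex": regex_match(data),
    }


if __name__ == "__main__":
    padded = pad_with_nulls(SAMPLE)
    print("clean  :", scan(SAMPLE))
    print("padded :", scan(padded))
    # Partial padding (a NUL after every third byte) is caught the same way.
    print("partial:", scan(pad_with_nulls(SAMPLE, every=3)))
```

The normalising approach is what an engine has to do anyway if it wants a single detection to cover every padding variant rather than registering each spacing as a "new variant", which is the complaint in the story. The regex form is useful where the scanner cannot afford to rewrite the input before matching.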
Since this is viruses evading detection, wouldn't this be "Insecurity through obscurity"?
If I have nothing to hide, don't search me
and both foobar and Norton will suck. It's not the number it *can* detect, it's about how *well* it detects them and how few resources it takes.
Of course they still fool AV scanners. If they didn't how would they be able to sell you a malware scanner on top of your AV scanner?
You know how you charge something, sign for it and no one looks at or cares about the signature? There's a reason for that. Credit card companies have figured out that verifying identity is impossible. Instead they try to verify each transaction by looking at the recent pattern of purchases for signs of theft.
Instead of trying to identify incoming viruses, they should be focusing on removal tools and monitoring. Watch the processes for unusual behavior and flag the user if something is detected, then actually get rid of the virus if the user agrees with the analysis. Granted, unusual behavior is a pretty vaguely defined concept, but that seems a lot more adaptable to new threats than the current methods.
If your scanner doesn't say program X is malware, does that mean you should run program X?
Of course not. Quit downloading and running random programs, and your results will be the same whether scanners work, don't work, or you don't have one at all.
"Believe me!" -- Donald Trump
What I don't understand is how I run NO A/V software (no, really) - I just run Sygate, a software firewall - and I have not gotten any trojans or viruses in the last... 10 years? Yeah, I guess I could have one and not know about it, but I doubt it; disk activity and network activity seem normal (except when Skype decides to route a call through me, why can't people get their own IPv6 IPs damnit??), and I occasionally run a virus/rootkit scanner over my machine and they come up clean.
A/V is probably unnecessary, if you have a reasonable knowledge of how to use a computer. Yeah, most don't, but you're posting on Slashdot so you probably do. Why do you use one at all?
== Jez ==
Do you miss Firefox? Try Pale Moon.
K. Start using Mplayer [1] and VLC [2] NOW. They ignore the executable parts of MSFT's multimedia formats.
[1] Grab the "Windows GUI" and the "Windows X86 codec package" from here: http://www.mplayerhq.hu/design7/dload.html
[2] http://www.videolan.org/vlc/
Might be time to start running your machine as a non-admin user. I'd be willing to bet that's what the difference between your Dad's Vista PC and yours is.
My blog. Good stuff (when I remember to update it). Read it.