Slashdot Mirror


Old Malware Tricks Still Defeat Most AV Scanners

SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well known obfuscation method and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."
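An added example, not from the story, from Didier Stevens' tests or from VirusTotal, showing in defender's terms why appended 0x00 padding defeats a whole-file hash signature and how normalizing the input (stripping the padding before hashing) recovers the match. The "known-bad" bytes, the hash set and the padding threshold are constructed here; the example assumes the padding is appended at the end of the file, and its `suspicious_padding` heuristic is meant as a triage hint rather than a verdict, since legitimate files can also carry long runs of nulls.

```python
"""Added example (not from the Slashdot story or Didier Stevens' tests).

Demonstrates why appending 0x00 bytes defeats whole-file hash signatures and
how a scanner can normalise the input before matching. All sample data below
is constructed; the 'malware' is an inert marker string, not a real sample.
"""
import hashlib


def strip_trailing_nulls(data: bytes) -> tuple[bytes, int]:
    """Return (data without trailing 0x00 padding, number of bytes stripped)."""
    stripped = data.rstrip(b"\x00")
    return stripped, len(data) - len(stripped)


# Constructed stand-in for a known-bad sample: an inert marker, not real code.
KNOWN_BAD_SAMPLE = b"MZ-CONSTRUCTED-TEST-SAMPLE-DO-NOT-EXECUTE"

# A whole-file hash database, built with the SAME normalisation the scanner
# applies at scan time (otherwise a sample that genuinely ends in nulls would
# never match its own normalised hash).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(strip_trailing_nulls(KNOWN_BAD_SAMPLE)[0]).hexdigest()
}


def whole_file_match(data: bytes) -> bool:
    """Naive scanner: hash the file exactly as received, padding included."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def normalized_match(data: bytes) -> bool:
    """Scanner that strips trailing null padding before hashing."""
    core, _ = strip_trailing_nulls(data)
    return hashlib.sha256(core).hexdigest() in KNOWN_BAD_SHA256


def null_padding_ratio(data: bytes) -> float:
    """Fraction of the file that is trailing 0x00 padding (0.0 for empty input)."""
    if not data:
        return 0.0
    _, padded = strip_trailing_nulls(data)
    return padded / len(data)


def scan(data: bytes, max_padding_ratio: float = 0.5) -> dict:
    """Combine the exact match, the normalised match and a padding heuristic.

    The heuristic is a hint, not a verdict: legitimate files (images, PE
    files with alignment padding) can also carry runs of nulls, so a high
    ratio on its own should only raise the sample's priority for analysis.
    """
    ratio = null_padding_ratio(data)
    return {
        "exact_match": whole_file_match(data),
        "normalized_match": normalized_match(data),
        "padding_ratio": round(ratio, 3),
        "suspicious_padding": ratio > max_padding_ratio,
    }


if __name__ == "__main__":
    # Constructed padded copy: the same bytes with 4 KiB of 0x00 appended.
    padded = KNOWN_BAD_SAMPLE + b"\x00" * 4096
    print("original:", scan(KNOWN_BAD_SAMPLE))
    print("padded:  ", scan(padded))
```

Running the block shows the exact-hash check succeeding on the original and failing on the padded copy, while the normalized check catches both; the point for a detection engineer is that the normalization has to be applied consistently when the signature database is built and when files are scanned.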

6 of 122 comments

  1. Re:uh oh by mewshi_nya · Score: 5, Insightful

    and both foobar and norton will suck. It's not the numbers it *can* detect, it's about how *well* it detects them and how little resources it takes.

  2. Credit Card Companies by MozeeToby · Score: 4, Insightful

    You know how you charge something, sign for it and no one looks at or cares about the signature. There's a reason for that. Credit Card companies have figured out that verifying identity is impossible. Instead they try to verify by transaction by looking at the recent pattern of purchases for signs of theft.

    Instead of trying to identify incoming viruses, they should be focusing on removal tools and monitoring. Watch the processes for unusual behavior and flag the user if something is detected, then actually get rid of the virus if the user agrees with the analysis. Granted, unusual behavior is a pretty vaguely defined concept, but that seems a lot more adaptable to new threats than the current methods.

      1. Re:Credit Card Companies by compro01 · Score: 4, Insightful

      Problem being, with lots of machines, they become infected on such a regular basis that your "unusual behaviour" is common enough that it becomes usual behaviour!

      --
      upon the advice of my lawyer, i have no sig at this time
      2. Re:Credit Card Companies by geckipede · Score: 4, Insightful

      Unfortunately all that monitoring software can do is make a guess and then ask the user whether something should be allowed. The click-happy average user is even easier to fool than software. There's no way around it, if you want complete confidence in the security of your system, you have to understand what everything running on it should or should not be doing. A security product based on whitelists of known software would be interesting and probably quite effective, but I suspect not very popular.

  3. Re:Padding with 0x00 bytes? by ion.simon.c · Score: 4, Insightful

    K. Start using Mplayer [1] and VLC [2] NOW. They ignore the executable parts of MSFT's multimedia formats.

    [1] Grab the "Windows GUI" and the "Windows X86 codec package" from here: http://www.mplayerhq.hu/design7/dload.html
    [2] http://www.videolan.org/vlc/

  4. Re:Padding with 0x00 bytes? by PitaBred · Score: 4, Insightful

    Might be time to start running your machine as a non-admin user. I'd be willing to bet that's what the difference between your Dad's Vista PC and yours is.