Slashdot Mirror


Old Malware Tricks Still Defeat Most AV Scanners

SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature-based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well-known obfuscation method, and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."
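To make concrete why trailing 0x00 padding defeats whole-file hash signatures while a normalizing or content-based check does not, here is an added illustration (not code from Didier Stevens' test or from any scanner). The sample bytes and the signatures are constructed stand-ins, and the normalization assumes the padding is appended at the end of the file.

```python
import hashlib

# Constructed stand-in for a file body; the detection logic only needs
# some bytes to match on. Not a real executable.
SAMPLE = b"MZ\x90\x00" + b"example-payload-marker" + b"\x00\x00"

# Signature style 1: hash of the entire file, as a naive scanner might store it.
WHOLE_FILE_SIG = hashlib.sha256(SAMPLE).hexdigest()
# Signature style 3: a byte sequence characteristic of the sample (constructed).
CONTENT_SIG = b"example-payload-marker"


def pad_with_nulls(data: bytes, count: int) -> bytes:
    """Append `count` 0x00 bytes: the trivial transformation the post discusses."""
    return data + b"\x00" * count


def normalize(data: bytes) -> bytes:
    """Strip trailing 0x00 padding so padded copies collapse to one canonical form.
    Assumption: the padding is appended after the real content, not inserted inside it."""
    return data.rstrip(b"\x00")


# Signature style 2: hash of the normalized content.
NORMALIZED_SIG = hashlib.sha256(normalize(SAMPLE)).hexdigest()


def scan_whole_file_hash(data: bytes) -> bool:
    """Detects only a byte-for-byte identical file."""
    return hashlib.sha256(data).hexdigest() == WHOLE_FILE_SIG


def scan_normalized_hash(data: bytes) -> bool:
    """Detects the file regardless of how much trailing null padding was added."""
    return hashlib.sha256(normalize(data)).hexdigest() == NORMALIZED_SIG


def scan_content(data: bytes) -> bool:
    """Detects the file by its characteristic content, independent of file length."""
    return CONTENT_SIG in data


def compare(data: bytes) -> dict:
    """Run all three checks on one input so their behaviour can be compared side by side."""
    return {
        "whole_file_hash": scan_whole_file_hash(data),
        "normalized_hash": scan_normalized_hash(data),
        "content": scan_content(data),
    }
```

Running `compare` on the original and on a copy with a few kilobytes of nulls appended shows only the whole-file hash check losing the sample; the other two keep matching, which is why padded copies should not be treated as new variants.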

3 of 122 comments

  1. Fir0x00st! by fph+il+quozientatore · Score: 5, Funny

    Fir0x00st!

    --
    My first program:

    Hell Segmentation fault

  2. Padding with 0x00 bytes? by glindsey · Score: 5, Funny

    So padding it with nothing makes it undetectable? I never thought of that!

  3. Re:uh oh by mewshi_nya · Score: 5, Insightful

    And both foobar and Norton will suck. It's not the number it *can* detect, it's about how *well* it detects them and how few resources it takes.