Old Malware Tricks Still Work
When Didier Stevens stumbled across a zero-byte padded piece of malware a year ago he was somewhat surprised to see that many antivirus systems tested against it failed to identify the underlying malware despite the targeted application (Internet Explorer) being quite happy to strip the 0x00 content and run the malware.
Didier has revisited his earlier work and was pleased to find that detection of the original malware samples has improved markedly in the past twelve months (29 of 36 command line scanners for the unobfuscated samples). When he lengthened the 0x00 padding within the samples, however, detection dropped off significantly: merely doubling the length of the padding cut detection from 6 to 3 of the 36 command line scanners. It is still disturbing that adding just 255 bytes of 0x00 is enough to see the detection rate drop from 29 to 6 scanners, especially given that the obfuscation technique has been well known for a number of years.
Even more interesting is the change in the reported detection once the 0x00 bytes are added to a malware sample. For the engines that do detect the modified file, the description of the malware often changes between the unobfuscated sample and the obscured one. In almost all cases it is a move from a specific definition (original sample) to a generic descriptor (0x00 padded file), so it does not appear that scanning engine developers are claiming a new and unique variant for each 0x00 padded file (which is a good thing).
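As an added illustration of the detection gap described above (this is not Didier's code or test data; the signature bytes, the sample file and the placement of the padding are constructed assumptions), a toy Python scanner shows a byte-for-byte signature missing a 0x00-padded sample, and two defender-side fixes: normalising the input the way the target parser does, or writing the signature so that it tolerates runs of null bytes.

```python
import re
from typing import Optional

# Constructed, harmless stand-in for the byte pattern a signature scanner
# would look for; it is not content from any real malware sample.
SIGNATURE = b"document.write(unescape("
# Constructed sample file containing that pattern.
CLEAN_SAMPLE = b"<html><script>" + SIGNATURE + b"'%41'))</script></html>"


def pad_with_nulls(sample: bytes, run_length: int, every: int = 1) -> bytes:
    """Insert a run of `run_length` 0x00 bytes after every `every` input bytes.
    Assumption: this is how the padding is laid out; the post only says the
    padding was 255 bytes and was then doubled."""
    chunks = [sample[i:i + every] for i in range(0, len(sample), every)]
    return (b"\x00" * run_length).join(chunks)


def ie_style_strip(data: bytes) -> bytes:
    """Model of a consumer that silently discards 0x00 bytes before parsing,
    which is the behaviour the post attributes to Internet Explorer."""
    return data.replace(b"\x00", b"")


def naive_scan(data: bytes) -> Optional[str]:
    """Byte-for-byte signature match, as a purely signature-based engine does."""
    return "Exploit.Specific" if SIGNATURE in data else None


def normalising_scan(data: bytes) -> Optional[str]:
    """Fix 1: match the raw bytes first; if that fails, normalise the input the
    way the target parser would and report a generic verdict, mirroring the
    specific-to-generic name change the post observes in engines that still
    detect the padded files."""
    if SIGNATURE in data:
        return "Exploit.Specific"
    if SIGNATURE in ie_style_strip(data):
        return "Exploit.Generic.NullPadded"
    return None


# Fix 2: write the signature itself to tolerate runs of 0x00 between bytes.
NULL_TOLERANT = re.compile(b"\x00*".join(re.escape(bytes([c])) for c in SIGNATURE))


def tolerant_scan(data: bytes) -> Optional[str]:
    return "Exploit.Generic.NullPadded" if NULL_TOLERANT.search(data) else None


if __name__ == "__main__":
    padded = pad_with_nulls(CLEAN_SAMPLE, 255)
    print("naive:", naive_scan(CLEAN_SAMPLE), naive_scan(padded))  # Exploit.Specific None
    print("normalising:", normalising_scan(padded))  # Exploit.Generic.NullPadded
    print("tolerant:", tolerant_scan(padded))  # Exploit.Generic.NullPadded
```

Both fixes assume the scanner knows which consumer will parse the file; a null-tolerant signature also costs more to match, which is part of why engines are slow to adopt it.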
While the generic detection of the modified files points to at least partially-functioning heuristics in some engines, the lack of detection from the clear majority of command line scanners being used at VirusTotal shows that there is still some way to go for antimalware companies as they drag their products away from purely signature-based detection to a more flexible model.
As Didier points out in his post, it could be that the command line versions of the scanning engines lack some of the features the GUI versions have that could detect his malware samples. It would be better if those features were also present in the command line versions, as that would provide a greater level of protection in a managed network environment, where network level scanning is more likely to be driven by a command line tool.
7 November 2008