Old Malware Tricks Still Defeat Most AV Scanners 122
SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature-based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well-known obfuscation method, and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."
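An added illustration (not from the summary, Didier Stevens' research, or any AV vendor) of why null-byte padding defeats some signature styles and not others: a whole-file hash, a pattern anchored at a fixed offset, a pattern searched anywhere, and a hash taken after stripping 0x00 runs from both ends. The "known bad" bytes are a constructed placeholder, not a real sample.

```python
import hashlib

# Constructed stand-in for a "known bad" file: a fake MZ header plus a
# distinctive body. No real malware is involved; the bytes are arbitrary.
KNOWN_BAD = b"MZ\x90\x00" + b"<constructed-bad-body>" * 4
PATTERN = b"<constructed-bad-body>"   # byte-pattern signature taken from the body
BODY_OFFSET = 4                        # where the pattern sits in the clean sample

def normalize_null_padding(data: bytes) -> bytes:
    """Strip runs of 0x00 from both ends so padding does not change the hash.
    The same normalization must be applied when the signature hash is created."""
    return data.strip(b"\x00")

KNOWN_BAD_HASH = hashlib.sha256(KNOWN_BAD).hexdigest()
KNOWN_BAD_NORM_HASH = hashlib.sha256(normalize_null_padding(KNOWN_BAD)).hexdigest()

def hash_match(data: bytes) -> bool:
    """Whole-file hash signature: any added byte breaks the match."""
    return hashlib.sha256(data).hexdigest() == KNOWN_BAD_HASH

def anchored_pattern_match(data: bytes) -> bool:
    """Pattern expected at a fixed offset: survives appended padding only."""
    return data[BODY_OFFSET:BODY_OFFSET + len(PATTERN)] == PATTERN

def floating_pattern_match(data: bytes) -> bool:
    """Pattern searched anywhere in the file: padding at either end is harmless."""
    return PATTERN in data

def normalized_hash_match(data: bytes) -> bool:
    """Hash taken after stripping null padding: matches the clean sample again."""
    return hashlib.sha256(normalize_null_padding(data)).hexdigest() == KNOWN_BAD_NORM_HASH

def scan(data: bytes) -> dict:
    """Run all four signature styles and report which ones fire."""
    return {
        "hash": hash_match(data),
        "anchored_pattern": anchored_pattern_match(data),
        "floating_pattern": floating_pattern_match(data),
        "normalized_hash": normalized_hash_match(data),
    }

if __name__ == "__main__":
    samples = {
        "clean": KNOWN_BAD,
        "tail_padded": KNOWN_BAD + b"\x00" * 4096,
        "head_padded": b"\x00" * 4096 + KNOWN_BAD,
    }
    for name, blob in samples.items():
        print(name, scan(blob))
```

Real executables often legitimately end in null bytes (section alignment), so a normalized hash only works if the signature database was built with the same normalization; a floating pattern is the style least affected by padding on either end.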
Re:Padding with 0x00 bytes? (Score:4, Insightful)
Since this is viruses evading detection, wouldn't this be "Insecurity through obscurity"?
Re:uh oh (Score:5, Insightful)
and both foobar and norton will suck. It's not the numbers it *can* detect, it's about how *well* it detects them and how little resources it takes.
Of course they do ... (Score:1, Insightful)
Of course they still fool AV scanners. If they didn't, how would they be able to sell you a malware scanner on top of your AV scanner?
Credit Card Companies (Score:5, Insightful)
You know how you charge something, sign for it, and no one looks at or cares about the signature. There's a reason for that. Credit card companies have figured out that verifying identity is impossible. Instead they try to verify each transaction by looking at the recent pattern of purchases for signs of theft.
Instead of trying to identify incoming viruses, they should be focusing on removal tools and monitoring. Watch the processes for unusual behavior and flag the user if something is detected, then actually get rid of the virus if the user agrees with the analysis. Granted, unusual behavior is a pretty vaguely defined concept, but that seems a lot more adaptable to new threats than the current methods.
Re:Credit Card Companies (Score:5, Insightful)
Problem being, with lots of machines, they become infected on such a regular basis that your "unusual behaviour" is common enough that it becomes usual behaviour!
so what? (Score:4, Insightful)
If your scanner doesn't say program X is malware, does that mean you should run program X?
Of course not. Quit downloading and running random programs, and your results will be the same whether scanners work, don't work, or you don't have one at all.
Re:so what? (Score:2, Insightful)
So you're advising that everyone disable JavaScript, Flash, etc. in their browsers?
Re:Ugh! Scanners! (Score:4, Insightful)
What I don't understand is how I run NO A/V software (no, really) - I just run Sygate, a software firewall - and I have not gotten any trojans or viruses in the last... 10 years? Yeah, I guess I could have one and not know about it, but I doubt it; disk activity and network activity seem normal (except when Skype decides to route a call through me, why can't people get their own IPv6 IPs damnit??), and I occasionally run a virus/rootkit scanner over my machine and they come up clean.
A/V is probably unnecessary if you have a reasonable knowledge of how to use a computer. Yeah, most don't, but you're posting on Slashdot so you probably do. Why do you use one at all?
Re:Padding with 0x00 bytes? (Score:5, Insightful)
K. Start using Mplayer [1] and VLC [2] NOW. They ignore the executable parts of MSFT's multimedia formats.
[1] Grab the "Windows GUI" and the "Windows X86 codec package" from here: http://www.mplayerhq.hu/design7/dload.html [mplayerhq.hu]
[2] http://www.videolan.org/vlc/ [videolan.org]
Re:Padding with 0x00 bytes? (Score:5, Insightful)
Might be time to start running your machine as a non-admin user. I'd be willing to bet that's what the difference between your Dad's Vista PC and yours is.