Code obfuscation fools signature reading anti-virus software.

Tier-3 : 31 October, 2007  (Technical Article)
Tier-3 warns of re-emergence of disguised malware which uses a simple technique to fool signature-based anti-virus software thus enabling the recycling of old viruses.
Tier-3 has warned companies to be aware of a rework of the old malware-disguising technique of adding zero-byte entries to scripts, a trick that can still fool most signature-based anti-virus and anti-malware software.

"The code 'obfuscation' technique first appeared more than a decade ago as malware writers attempted to hide their scripts from Windows 98 anti-virus software. By adding zero byte entries to the first 32 characters of a script, the malware could escape the attentions of most of the signature-based detection software of the mid-1990s," said Geoff Sweeney, Tier-3's CTO.

"Now it appears that malware authors have stumbled on the fact that many of today's 32 and 64-bit IT security software still limit their signature analyses to the first 256 or 512 bytes of a script. If a script is padded out with a lengthy string of zero byte entries, then it follows that a modern script can pass unnoticed and wreak havoc on a Windows-driven computer system," he added.

"Questions need to be asked as to why some AV products and internet browsers are still susceptible to this type of obfuscation technique. Some initial thoughts have centred around the fact that it may be to do with catering for the lowest common denominator in terms of client hardware or an indication of performance issues more generally. The performance-degrading relationship between higher bandwidth speeds and larger signature databases is a well-known problem to the industry," he explained.

Sweeney does not claim credit for this effective rework of an old code obfuscation technique.

"The industry's thanks must go to Didier Stevens, a Belgian IT security expert with more than a quarter of a century's experience in the industry. He recently identified the problem in his blog," he explained.

"Thankfully for today's computer users, Stevens' analysis suggests that, without the zero-byte padding, 25 out of 32 IT security applications could easily detect his malware script. As more padding is added to the script, however, the detection rate went down: at 254 zero-bytes between the individual characters of the script, only one AV was still able to detect the obscured script, and at 255 none detected it," Sweeney said.
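To make the numbers in that quote concrete, the following is an added example (it is not Tier-3's, Didier Stevens' or any vendor's code) of a toy signature scanner. It assumes the failure mode the article describes: the scanner only examines a fixed window of the first 256 bytes, so a signature whose characters are spread apart by zero-byte padding falls outside the window. The hardened scanner strips the padding and matches over the whole input. The signature string, the sample script and the window size are constructed placeholders; the padding is applied here only so the scanner's behaviour against it can be measured.

```python
# Added example: naive fixed-window signature scanning vs. normalised scanning.
# SIGNATURE and SAMPLE_SCRIPT are constructed placeholders, not real patterns.

SCAN_WINDOW = 256  # assumed limit: bytes the naive scanner examines

# Constructed "signature": a harmless marker standing in for a real pattern.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"

# Constructed sample script containing the marker.
SAMPLE_SCRIPT = b"// constructed sample script\n" + SIGNATURE + b"\n"


def pad_with_nuls(script: bytes, nuls_between: int) -> bytes:
    """Interleave `nuls_between` zero bytes between every character of `script`.

    This models the obfuscation the article describes; with 0 the script is
    returned unchanged."""
    gap = b"\x00" * nuls_between
    return gap.join(bytes([c]) for c in script)


def naive_scan(data: bytes) -> bool:
    """Weak scanner: strips NULs but only within the first SCAN_WINDOW bytes.

    Once the padding pushes the signature's last character past the window,
    the cleaned fragment no longer contains the whole signature."""
    cleaned = data[:SCAN_WINDOW].replace(b"\x00", b"")
    return SIGNATURE in cleaned


def normalised_scan(data: bytes) -> bool:
    """Hardened scanner: strip NULs from the whole input, then match.

    The article implies the padded script still executes, so the padding
    carries no code and can be removed before signature matching."""
    cleaned = data.replace(b"\x00", b"")
    return SIGNATURE in cleaned


def max_tolerated_padding(window: int, signature_len: int) -> int:
    """Largest per-character NUL gap at which a signature starting at offset 0
    still fits entirely inside `window` bytes.

    The last character sits at (signature_len - 1) * (gap + 1), which must be
    <= window - 1."""
    if signature_len <= 1:
        return window  # a one-byte signature always fits
    return (window - 1) // (signature_len - 1) - 1


def detection_table(script: bytes, paddings=(0, 1, 10, 11, 254, 255)):
    """Return (padding, total_bytes, naive_detects, normalised_detects) rows."""
    rows = []
    for n in paddings:
        sample = pad_with_nuls(script, n)
        rows.append((n, len(sample), naive_scan(sample), normalised_scan(sample)))
    return rows


if __name__ == "__main__":
    print(f"window={SCAN_WINDOW} signature_len={len(SIGNATURE)} "
          f"max padding the naive scanner survives="
          f"{max_tolerated_padding(SCAN_WINDOW, len(SIGNATURE))}")
    for n, size, naive, normalised in detection_table(SAMPLE_SCRIPT):
        print(f"padding={n:3d} bytes={size:6d} naive={naive!s:5} normalised={normalised}")
```

Running the script prints the drop-off the article describes: the naive scanner detects the marker at small paddings, stops at the first gap that pushes the marker past the window, and never recovers, while the normalised scanner detects it at every padding, including 254 and 255. The `max_tolerated_padding` value shows that the break-point is a function of window size and signature length, which is why the article's figures vary between products.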

According to the Tier-3 CTO, Stevens' analysis is a clear indication that a single vector protection approach to IT security can no longer be relied on to protect a company's computer resources.

"In many ways, we knew the writing was on the wall for conventional IT security software back in the mid-1990s, but IT security software vendors developed more advanced techniques to detect malware, often by extending the signature detection envelope to include heuristic analyses," he said.

"This single vector detection technique is still relied upon by at least one major security software vendor to this day, but Stevens' revelations clearly show that signature analysis can still be beaten," he added.

Sweeney went on to say that companies need to move up to multi-vector detection software, preferably including real-time behavioural analysis technology as a safety net to detect unknown threats as well as less conventional known ones.

"Behavioural analysis software is an ideal way of augmenting a company's existing IT security protection. Because it protects against unknown threats by, for example in this case looking at the behavioural characteristics of the interaction between the browser and the attacker, it is effectively future-proofed against new generations of malware and IT security threats," he said.
