When antivirus products (and Internet Explorer) fail you

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somewhat. He discovered that the IE-targeted malware had been obfuscated with null-bytes (0x00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as …
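The excerpt above describes malware that hides from signature scanners by padding its script with 0x00 bytes, which the browser's parser discards. The following is an added example, not code from the article or from Didier Stevens, showing why a byte-for-byte signature match misses such a sample and how normalising the input (stripping NUL bytes before matching) restores detection. The signature string and the HTML samples are constructed for this example and are not real malware or a real AV signature.

```python
"""Minimal signature scanner illustrating NUL-byte evasion and its fix.

All data here is constructed for illustration; the "signature" is a
made-up marker, not a real antivirus pattern.
"""

# Constructed signature: a marker a flat-file scanner might look for.
SIGNATURE = b"<script>eval(unescape("

# Constructed samples: one benign page and one carrying the marker.
CLEAN_SAMPLE = b"<html><body><p>hello</p></body></html>"
MALICIOUS_SAMPLE = b"<html><script>eval(unescape('%41'))</script></html>"


def nul_pad(data: bytes, every: int = 1) -> bytes:
    """Build the obfuscated test sample the article describes: a 0x00
    byte after every `every` input bytes. Used only to create test input."""
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b)
        if (i + 1) % every == 0:
            out.append(0)
    return bytes(out)


def naive_scan(data: bytes) -> bool:
    """Flat-file scan: the signature must appear byte-for-byte."""
    return SIGNATURE in data


def normalising_scan(data: bytes) -> bool:
    """Strip NUL bytes (which the HTML parser ignores) before matching,
    so the padded and unpadded forms produce the same verdict."""
    return SIGNATURE in data.replace(b"\x00", b"")


def nul_density(data: bytes) -> float:
    """Fraction of bytes equal to 0x00. Text content with many NULs is
    itself suspicious, even when no signature matches."""
    if not data:
        return 0.0
    return data.count(0) / len(data)


def verdict(data: bytes, density_threshold: float = 0.1) -> dict:
    """Combine both checks into one result a detection engineer can log."""
    return {
        "naive_hit": naive_scan(data),
        "normalised_hit": normalising_scan(data),
        "nul_density": round(nul_density(data), 3),
        "suspicious": normalising_scan(data)
        or nul_density(data) >= density_threshold,
    }


if __name__ == "__main__":
    padded = nul_pad(MALICIOUS_SAMPLE)
    for name, sample in [("clean", CLEAN_SAMPLE),
                         ("plain malicious", MALICIOUS_SAMPLE),
                         ("NUL-padded malicious", padded)]:
        print(f"{name:22s} -> {verdict(sample)}")
```

Running the block shows the plain sample caught by both scans, the padded sample missed by the naive scan but caught once NULs are stripped, and a NUL density of 0.5 for the padded sample against 0.0 for ordinary HTML; that density alone is a cheap heuristic for text content that should never contain NUL bytes.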

COMMENTS

This topic is closed for new posts.
  1. John
    Boffin

    NULL ^= NUL

    It grieves me that someone who pretends IT competence doesn't ken the difference between NUL and NULL.

    NUL is the name of the (ASCII) character with the binary value of 0000 0000.

    NULL is empty, not value, undefined. As in a NULL pointer, a pointer that has not been initialised.

    A NUL is commonly used in programs (and hence the strings of characters they use) to denote the end of a string, and this would be why Internet Exploder ignores them.

  2. Chris Ovenden
    Gates Horns

    Sigh

    While it is refreshing to see antivirus vendors under attack for poor detection, rather than, as is traditional, end users for allowing their machines to get infected - a car analogy usually helps with this - I can't help feeling that an anti-IE paragraph is required in this article.

    People have been told again and again how unsafe IE is. If they continue to use it, they must take part of the responsibility when one of its myriad vulnerabilities trips them up.

  3. Chris Rowson
    Flame

    Or you could just....

    <flamebait>Use a proper operating system like Linux instead of Windows</flamebait>

  4. Glenn Gilbert

    Isn't it time to unbundle the browser?

    Microsoft put in a large effort to bury IE in the operating system. This is utterly wrong; as has been discussed here many times before.

    Surely the time has come to get the EU to force MS to unbundle IE from the operating system? At least then there will be a genuine market for browsers; more browsers mean fewer attacks.

  5. Tawakalna
    Gates Horns

    depends, doesn't it?

    on which anti-virus that you use. Some are excellent, some are so-so, and some are complete rubbish (like Norton) and are almost as bad as a virus itself.

    Or just don't use Windows anymore.

  6. George
    Stop

    The end of black listing.

    This only encourages the statement that we are seeing an end of black listing software, so called anti-virus. There are many new products that take care of "anything" using white listing. Not saying that it applies to web traffic but it does prevent the computer from executing non-allowed software that these malicious pages make IE execute.

  7. Anonymous Coward
    Pirate

    Fit for purpose?

    If an operating system intended for use on the internet needs third party software to keep it secure then it is NOT FIT FOR PURPOSE.

    Why the public allow Microsoft to continue to ship broken by design software is a mystery.

    There will always be bugs that need fixes but Microsoft seem to go out of their way to design in holes that will eventually be exploited. Isolation is the key to security and the browser should protect, not infect, a computer.

  8. Anonymous Coward
    Gates Horns

    Hotmail's rejecting firefox

    Seems the new hotmail gives firefox the runaround during logins, until firefox complains the page fails to redirect properly.

    Happening on some email addresses not others. I'd think it was a bug, but this is Microsoft and the same thing works on Safari and IE.

  9. Joe Stalin
    Boffin

    @NULL ^= NUL

    The only reason that NUL is NUL is that the control codes in the ASCII code set (values 0 - 31 Decimal) are either 2 or 3 character labels. If the developers had allowed 4 character descriptors then NUL would have probably been NULL.

  10. Anonymous Coward
    Black Helicopters

    I see it often

    The company I work for uses Symantec Corporate Edition for virus/malware protection. Usually at least once a month I have a user complaining that his/her machine is 'slow', 'broken', or 'acting weird'. At which time, I find that it's infected with something that Symantec completely misses. Usually I can clean the machine by pulling the hard drive and examining common locations for viruses like the System32 directory, then eventually booting it and cleaning up the registry. Who knows how many infected machines are out there with AV software merrily ticking away, running system scans at designated times, the users (and many IT depts) oblivious to the infections, even proud that they're "doing what they're supposed" to do to be safe. As the sophistication of malware increases, so must the method used to protect. Using Firefox with 'Noscript' installed is a good start IMHO, but my company has adamantly refused to let users install Firefox. So it goes.

  11. Chris Ovenden
    Stop

    @I see it often

    Presumably your company believes that by sticking with the market leaders - Microsoft and Symantec - they can come to no harm. But an infection a month is a very high rate - they should understand that someday it won't just be one person's workstation "acting weird" but their entire network. And that their 'stick with IE' policy will be to blame. It's your duty, AC, as perhaps the only person in your organization who actually knows about this stuff, to insist on a change of policy.

  12. Cameron Colley

    Re:NULL ^= NUL

    Perhaps I'm wrong here, but wouldn't (NULL!=NUL) be a more correct way of putting it?

  13. Anonymous Coward
    Anonymous Coward

    Why the public allow Microsoft to continue to ship broken by design software is a mystery.

    The public are the *last* people to have their voices heard in this picture. There is an unholy alliance in the Windows ecosystem, starting with MS itself, continuing with the big name PC vendors, including the MS-dependent IT media (consumer and pro) and all the other outfits whose continued survival depends on the continued success of Windows. Line all that lot up and Linux doesn't stand much chance, though Vista is providing the best opportunity there has been in *years*.

  14. Gordon Fecyk
    Thumb Down

    When AV software fails, you blame Microsoft. Again. And again...

    Sûnnet Beskerming needs to read vmyths.com before writing anything else. Enough said.

  15. Sean Nevin

    pseudocode

    While computer programming language occasionally creeps into my writing too, the mind is a far better "compiler" than gcc.

    NULL ^= NUL makes some sense, as ^ is the bitwise exclusive OR operator. And if applied to a variable with a value of zero, would simply turn it into 255 (1111 1111) if it was a char type anyways. So it would be the functional equivalent of the NOT (!) operator in this particular instance. However NULL is defined as a constant, and hence cannot be assigned a new value.

    I would have to agree with Cameron here, as the intent of the statement is to demonstrate that NULL is not equal to NUL; even though they are both zero, NUL is a string termination character (\0), and NULL is a value for invalid or uninitialized data, and can exist in different data types. They are not the same, but using the ^ operator is incorrect to demonstrate it.

  16. Pascal Monett Silver badge

    The public

    The public is supposed to resist the evil corporations and set things right?

    If "the public" was able to do that, "the public" would never elect a President with less culture and intelligence than a monkey, nor would they listen to politicians who change their stance on important subjects every time the wind changes, nor would they forget that the moron they are voting for now is the same one that said or approved the exact contrary just months ago.

    "the public" is the worst possible failsafe, and can be deemed directly responsible for not caring, not having a clue, and not being arsed enough to find out what the L is actually going on.

    You have the democracy, the entertainment, the operating system and the spam that you are worthy of.

    The only way things are going to get better is by MAKING people pay attention - at gunpoint if necessary. And that is not going to happen.

  17. W
    Coat

    Ecosystem?

    ecosystem (n): An ecological community together with its environment, functioning as a unit.

    Stop this needless corruption of the word ecosystem.

    Now where's my L'Oreal collagen biosphere cream? I'm sure I left it in one of my coat pockets...

  18. zombini

    Test is bogus - NIS/NAV 2008 Browser Defender detects such obfuscation

    If you try to open such files with NIS/NAV2008 installed it easily detects the underlying vulnerability. Testing with Virus Total is bogus as flat-file scanning is yesterday's technology.

  19. JeffyPooh

    Symantec Sucks

    It's bad when the cure is almost as bad as the disease...

    http://www.symantec-sucks.blogspot.com/

  20. Nick L
    Dead Vulture

    Re: NULL ^= NUL

    Actually as every SQL beginner knows, the test is

    IF nul IS NOT NULL

    ayethengyou

  21. BitTwister

    Windows...

    ...is ready for the desktop - has been for years, apparently. Bwah-ha-ha-haaa.

  22. Doug Woodall

    Null is so nul

    The real problem here is that the normal online user has no idea what we are talking about. Yet they stand to lose the most.
