Antivirus software misfires on new VML exploits
Security expert Aviv Raff took one of the VML exploits currently in circulation and modified it into various forms for testing purposes. After combining several modifications, his new creation was recognised by only one of the antivirus programs used on VirusTotal. A similar result was achieved by HD Moore, who published a VML module for the Metasploit framework. Tests by heise Security found that it did require some minor adjustments to create functional exploits, but thereafter they were not recognised by any of the roughly two dozen scanners tested. This means that anyone capable of working with a command line interface can create highly flexible exploits and then embed them on websites. That makes it all the more urgent for users to apply the patch released yesterday evening by Microsoft.
The results of the tests by Raff and Moore correspond to the experiences of heise Security, which often finds it shockingly easy to modify exploits with minor changes to the point that at least the signature-based components of antivirus software fail to sound the alarm. Moore's masking techniques are hardly voodoo: he does things like arbitrarily scattering line breaks, empty spaces and similar items throughout his code. The failure on the part of the scanners can at least partially be attributed to the fact that the signatures are generally written to handle specific exploits that have been uncovered, not to detect exploitation of the flaw in general. Alternative protective mechanisms like behavioural blocking are still only taking baby steps, as shown in a test by c't magazine (c't 14/2006, p. 222).
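To make the signature point concrete, here is an added example (written for this page, not code from heise Security, Raff or Moore): a naive exact-byte signature, of the kind written against one captured sample, beside a rule that normalises whitespace and case before matching on the element and attribute the flaw lives in. Both are run over constructed VML snippets in which the exploit payload is replaced by a labelled placeholder; the sample documents, the signature string and the pattern are assumptions made for the demonstration.

```python
import re

# Constructed sample document (not real exploit code): the attribute value an actual
# exploit would carry is replaced by a placeholder.
VML_ORIGINAL = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><body>'
    '<v:rect><v:fill method="[PAYLOAD_PLACEHOLDER]"/></v:rect>'
    '</body></html>'
)

# The same document with line breaks, tabs, spaces and mixed casing scattered through
# the markup: the trivial rewriting the article describes. Constructed sample.
VML_VARIANT = (
    '<html\n xmlns:v =\t"urn:schemas-microsoft-com:vml"  ><body>\n'
    '<v:rect >\n  <V:FILL\n\tMETHOD = "[PAYLOAD_PLACEHOLDER]" />\n</v:rect>'
    '</body></html>'
)

# Constructed benign document: VML namespace declared, but no fill element with a method
# attribute, so a sane rule must not fire on it.
BENIGN = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><body>'
    '<v:rect fillcolor="red"/></body></html>'
)

# A "specific exploit" signature: the exact byte sequence as it appeared in one sample.
# This is an assumed signature, not one taken from any product.
EXACT_SIGNATURE = b'<v:fill method="'


def exact_match(doc: str) -> bool:
    """Signature matching as a byte-for-byte substring search."""
    return EXACT_SIGNATURE in doc.encode()


def normalise(doc: str) -> str:
    """Collapse every run of whitespace to a single space and lower-case the markup, so
    cosmetic rewrites (extra newlines, tabs, spaces, casing) do not change what the
    matcher sees. Token boundaries are preserved, so attribute names do not merge."""
    return re.sub(r"\s+", " ", doc).lower()


# A flaw-oriented rule: a VML fill element carrying a method attribute, with any amount
# of whitespace inside the tag and around the equals sign.
FLAW_PATTERN = re.compile(r"<v:fill\b[^>]*\bmethod\s*=")


def normalised_match(doc: str) -> bool:
    """Match the flaw's trigger on the normalised markup rather than on raw bytes."""
    return FLAW_PATTERN.search(normalise(doc)) is not None


def scan(doc: str) -> dict:
    """Run both detectors over one document and report what each one saw."""
    return {"exact": exact_match(doc), "normalised": normalised_match(doc)}


if __name__ == "__main__":
    for name, doc in (("original", VML_ORIGINAL), ("variant", VML_VARIANT), ("benign", BENIGN)):
        print(f"{name:9s} {scan(doc)}")
```

The exact signature fires on the captured sample and on nothing else, which is exactly the behaviour the tests above describe: one rewrite with scattered whitespace and the scanner is silent. The normalising rule catches both forms without touching the benign page. Whitespace and case normalisation is only one layer; markup assembled at runtime by script, or encoded in ways the normaliser does not undo, still needs the behavioural mechanisms the article mentions.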
These kinds of investigations are actually frowned upon within the antivirus community, though; the creation of a modified piece of malware is seen in those quarters as sacrilege (see our comment Thou Shalt Not Build Viruses!).
- VML Exploit vs. AV/IPS/IDS signatures by Aviv Raff
- Internet Explorer VML Fill Method Code Execution Metasploit module by HD Moore
- Exploits for All, background article on Metasploit at heise Security