Zero byte padded scripts still fool antivirus
This obfuscation technique inserts blocks of zero bytes between the characters of a script; Internet Explorer ignores these bytes. Over two years ago, heise Security conducted and published similar tests with fully functional exploits. At that time, none of the tested antivirus products were able to discover them. It appears from this report that many antivirus offerings still fail to recognise zero byte padded malicious scripts.
Stevens experimented with differing block lengths of zero bytes and found that once the block length reaches 256, none of the tools on VirusTotal detected the script as malicious. Although he points out that file scanning is not the sole method used by antivirus today, it is disturbing that 32 products, including some by mainstream vendors, still fail in this elementary respect.
Microsoft told heise Security two years ago that the behaviour of Internet Explorer is "actually by design". To check the behaviour of your own browser and antivirus with zero byte padded scripts, you can use the demos at heise Security.
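The scanner-side gap described above, shown as an added example that is not code from the article, Stevens or heise Security: a raw byte match misses a signature once 256-byte blocks of zeros sit between its characters, while removing zero bytes before matching finds it and reports the padding. The signature is a benign hypothetical marker, the samples are constructed, and the run-length threshold is an assumption chosen so that ordinary UTF-16 text is not flagged.

```python
import re

# Hypothetical benign marker standing in for a scanner signature (assumption).
SIGNATURE = b"EXAMPLE-BAD-SCRIPT-MARKER"
NUL_RUN = re.compile(rb"\x00+")
# Assumed threshold: UTF-16 text without U+0000 never has more than two
# consecutive zero bytes, so longer runs are treated as padding.
MAX_BENIGN_RUN = 2


def naive_scan(data: bytes) -> bool:
    """Match the signature on the raw bytes, with no normalisation."""
    return SIGNATURE in data


def longest_nul_run(data: bytes) -> int:
    """Length of the longest run of consecutive zero bytes."""
    return max((len(m.group()) for m in NUL_RUN.finditer(data)), default=0)


def normalised_scan(data: bytes) -> dict:
    """Drop zero bytes before matching and report how the input was padded."""
    stripped = data.replace(b"\x00", b"")
    run = longest_nul_run(data)
    return {
        "match": SIGNATURE in stripped,
        "nul_bytes": len(data) - len(stripped),
        "longest_nul_run": run,
        "padded": run > MAX_BENIGN_RUN,
    }


# Constructed samples (not taken from the article or the heise demos).
PLAIN = b"<script>" + SIGNATURE + b"</script>"
PADDED = (b"\x00" * 256).join(bytes([b]) for b in PLAIN)
UTF16 = "<script>ok</script>".encode("utf-16-le")

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("padded", PADDED), ("utf16", UTF16)):
        print(name, naive_scan(sample), normalised_scan(sample))
```

Zero bytes in content served as HTML or script are worth flagging on their own, independent of whether any signature matches after normalisation.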