In association with heise online

30 October 2007, 17:03

Zero byte padded scripts still fool antivirus


Belgian security specialist Didier Stevens has reported on his blog that at best only 46 per cent of the antivirus tools on VirusTotal detect zero byte padded scripts.

This obfuscation technique inserts blocks of literal zero bytes, which Internet Explorer ignores, between the characters of a script. Over two years ago heise Security conducted and published similar tests with fully functional exploits; at that time none of the tested antivirus products was able to detect them. It appears from this report that many antivirus offerings still fail to recognise zero byte padded malicious scripts.

Stevens experimented with differing block lengths of zero bytes and found that once the block length reaches 256, none of the tools on VirusTotal detects the script as malicious. Although he points out that file scanning is not the sole method used by antivirus today, it is disturbing that 32 products, including some by mainstream vendors, still fail in this elementary respect.
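To make the failure mode concrete, the following Python is an added illustration (not code from the article or from Stevens' post) of why a byte-exact file scanner misses a padded script while a scanner that drops the zero bytes before matching, as Internet Explorer effectively does, still catches it. The script and the "signature" are constructed stand-ins, and the 5 per cent zero-byte threshold is an assumed heuristic for text-typed content.

```python
"""Added example: signature matching with and without zero-byte normalisation.
The script and signature below are constructed; they are not real malware or
real antivirus rules."""

# Constructed stand-in for a signature an engine might carry for a script.
SIGNATURE = b'document.write("constructed-marker")'

# Constructed benign script that the signature is meant to hit.
CLEAN_SCRIPT = b'<script>document.write("constructed-marker");</script>'


def pad_with_nul(data: bytes, block_len: int) -> bytes:
    """Build test input shaped like the article describes: a block of
    block_len zero bytes after every character of the script."""
    return b"".join(bytes([c]) + b"\x00" * block_len for c in data)


def naive_match(data: bytes) -> bool:
    """Byte-exact matching, as a file scanner without normalisation does."""
    return SIGNATURE in data


def strip_nul(data: bytes) -> bytes:
    """Normalise the way the browser behaves: drop every zero byte first."""
    return data.replace(b"\x00", b"")


def nul_ratio(data: bytes) -> float:
    """Fraction of zero bytes. HTML/JS should contain essentially none, so a
    high ratio in a text-typed file is itself worth flagging."""
    return data.count(0) / len(data) if data else 0.0


def scan(data: bytes, nul_threshold: float = 0.05) -> dict:
    """Return both verdicts plus the heuristic so the difference is visible.
    nul_threshold (5 per cent) is an assumed value, not from the article."""
    ratio = nul_ratio(data)
    return {
        "naive": naive_match(data),
        "normalised": naive_match(strip_nul(data)),
        "nul_ratio": round(ratio, 3),
        "suspicious_nul": ratio > nul_threshold,
    }


if __name__ == "__main__":
    # Block length 0 is the unpadded script; 256 is the length at which the
    # article reports every tested engine going blind.
    for block_len in (0, 1, 16, 256):
        print(block_len, scan(pad_with_nul(CLEAN_SCRIPT, block_len)))
```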

Microsoft told heise Security two years ago that the behaviour of Internet Explorer is "actually by design". To check the behaviour of your own browser and antivirus with zero byte padded scripts, you can use the demos at heise Security.
