
AntiVirus Products Fail to Find Simple IE Malware

ScuttleMonkey posted more than 6 years ago | from the no-surprise-here dept.


SkiifGeek writes "Didier Stevens recently took a closer look at some Internet Explorer malware that he had uncovered and found that most antivirus products that it was tested against failed to identify the malware through one of the most basic and straightforward obfuscation techniques — the null-byte. With enough null-bytes between each character of code, it is possible to fool all antivirus products (though additional software will trap it), yet Internet Explorer was quite happy to render the code. Whose responsibility is it to fix this behavior? Both the antivirus / anti-malware companies and Microsoft's IE team have something to answer for."


190 comments


Egads! (1)

PockyBum522 (1025001) | more than 6 years ago | (#21160341)

I am in shock. But seriously, people wonder why I disable all scripting in IE as soon as it loads and then use the NoScript extension in FireFox.

Disabling Script? (5, Insightful)

JcMorin (930466) | more than 6 years ago | (#21160875)

I'm surprised you can still use the web today without javascript... or at least you are missing a great part of it. I think the solution is to have a secure browser... nothing more.

Re:Disabling Script? (3, Informative)

PockyBum522 (1025001) | more than 6 years ago | (#21161037)

I probably should've phrased that better. I don't use IE by default, thus, I disable scripting in an attempt to keep other programs from loading it up as an embedded/external browser (WiMP does this) and using it maliciously. Just a minor precaution. Also, take a look at NoScript https://addons.mozilla.org/en-US/firefox/addon/722 [mozilla.org]: it disables all scripts by default but then allows you to whitelist/blacklist on a site-by-site basis. It's simple and works really well.

I can surf just fine without scripts... (1)

Joce640k (829181) | more than 6 years ago | (#21161433)

I use NoScript in Firefox.

If a page doesn't render properly I temporarily allow script on that page (just two mouse clicks).

The great thing is you can see all the cross-site scripting and only allow the stuff you want, e.g. you can allow scripts from slashdot.org without allowing the scripts from doubleclick.net which are embedded in every slashdot page.

Re:Disabling Script? (1, Interesting)

ultranova (717540) | more than 6 years ago | (#21162101)

I'm surprised you can still use the web today without javascript... or at least you are missing a great part of it. I think the solution is to have a secure browser... nothing more.

That browser would need to be written in Java or another memory-managed language with built-in security infrastructure. A modern browser is simply too big and complex to make it secure if written in C, C++ or any language like that, especially since it can't just discard garbage input because most Web pages are more or less full of errors, and must therefore use fuzzy logic guessing of what the Web designer meant. And even with Java, you'd need to make sure the VM uses the absolute minimum of native code, to avoid things like the recent ImageIO exploit caused by use of a native library.

Cue a dozen replies about how you shouldn't be programming if you can't make C secure and only sissies need garbage collection.

Re:Egads! (1)

x_terminat_or_3 (873666) | more than 6 years ago | (#21162633)

You will be even more shocked to learn that noscript doesn't stop javascript from executing; in fact, code attached to the window's event handlers will still run.

And yet... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21160379)

Despite all the problems, HTML5 is going to have a non-strict parser and more or less requires scripting to be enabled.

Wouldn't the anti-virus... (3, Funny)

Anonymous Coward | more than 6 years ago | (#21160387)

simply remove IE?
I mean... that's the definition of malware.

Re:Wouldn't the anti-virus... (0)

Anonymous Coward | more than 6 years ago | (#21160623)

malware never removes itself.

Re:Wouldn't the anti-virus... (4, Funny)

Pharmboy (216950) | more than 6 years ago | (#21160681)

And ironically, you can't really remove IE, since it is "Part of the Operating System (tm)". You can only make it somewhat invisible, which of course, is the second part of the definition of malware.

Re:Wouldn't the anti-virus... (1, Redundant)

hedwards (940851) | more than 6 years ago | (#21161527)

That isn't entirely true, I've installed windows without IE. But it was a huge pain in the ass. I had to create my own installation media which didn't have it, and I had to install updates by hand from the ones that can be downloaded from the support site. There was for a while a 3rd party site that would provide the downloads through Firefox, but it depends on how much you're willing to trust 3rd parties to not Trojan the updates.

Re:Wouldn't the anti-virus... (1)

corsec67 (627446) | more than 6 years ago | (#21162693)

You also have to weigh that against MS also not trojaning the updates as well, and not doing something that is going to mess up the computer...

Re:Wouldn't the anti-virus... (2)

daem0n1x (748565) | more than 6 years ago | (#21163711)

I don't have IE, and my OS is perfectly functional. It's called Linux, you see...

As much as I hate Microsoft... (0)

houstonbofh (602064) | more than 6 years ago | (#21160415)

As much as I hate Microsoft, having better error handling is not a bug. This is a virus scanner problem. Of course the entire concept of enumerating badness is flawed. http://www.ranum.com/security/computer_security/editorials/dumb/ [ranum.com]

Re:As much as I hate Microsoft... (5, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#21160449)

Better error handling means, when you get an error, it fails intelligently, without destabilizing the application, and passes a more informative error message. It doesn't mean the application should try and read the coder's mind.

The code should damn well work, or not run at all.

Re:As much as I hate Microsoft... (2, Insightful)

moderatorrater (1095745) | more than 6 years ago | (#21160599)

The web was once the realm of amateurs and enthusiasts who weren't coders. Failing gracefully by trying to read the coder's mind was one of the big reasons that IE gained market share in the first place.

Re:As much as I hate Microsoft... (1)

SatanicPuppy (611928) | more than 6 years ago | (#21160671)

Yep. And ease of development for applications was one of the reasons Windows gained in popularity...and is the virus infested whore we know and loathe.

If they want to stay the malware browser of choice, by all means, let them keep on doing what they're doing, because it's working great.

Re:As much as I hate Microsoft... (1)

Pharmboy (216950) | more than 6 years ago | (#21160707)

Failing gracefully by trying to read the coder's mind was one of the big reasons that IE gained market share in the first place.

So a platform that executes malformed code is superior to one that traps it and exits gracefully? (or just barfs?) I'm thinking this is a bit more dangerous than forgetting to close your BODY or HTML tag.

Re:As much as I hate Microsoft... (1)

G Fab (1142219) | more than 6 years ago | (#21160727)

Whether you do or not, you seem to know what the hell you're talking about.

I'm curious: is it the case that Firefox and Opera don't error correct in a way that facilitates this type of malware?

Sadly, I've been locked into Internet Explorer (to use sharepoint, one of the most banal programs ever invented), but I never use it otherwise.

Re:As much as I hate Microsoft... (2, Informative)

SatanicPuppy (611928) | more than 6 years ago | (#21160881)

Nope. You can get nailed with them too, occasionally...NoScript helps a lot. The problem with IE is ActiveX, and the fact that IE really is part of the operating system. Both Opera and FF are just programs, without really deep hooks into the OS, though they can still run code, and do damage...I seem to remember one of the FF "exploits" is that it will allow remote code to call IE as a handler in certain circumstances...Don't remember the details on that one, so don't quote me.

Seeing a well designed ActiveX application does two things: One, it makes you say, "Wow, that's kinda cool..." and then it makes you say, "Jesus, I've got to turn this off!" It really does connect your browser to your OS...Use the new OWA [wikipedia.org] app with IE with ActiveX allowed, and it'll hook right into your desktop and give you little popups whenever you get new mail.

That kind of access to the system allows you to do some cool stuff, but it's not well secured, and it makes it possible for a click to a webpage to completely compromise your system.

Halting Problem (4, Interesting)

starfishsystems (834319) | more than 6 years ago | (#21160843)

It was Fred Cohen who first coined the term "virus" in 1984 and showed that determining whether or not a given program is a virus is undecidable, that is, equivalent to the Halting Problem.

Cohen saw that one implication of this result is that virus detection is an endless arms race. Viruses are free to mutate into an infinite variety of functionally equivalent forms, whereas the process of establishing their equivalence is undecidable.

We've had this result in front of us for 20 years now. It has always seemed bizarre to me that so much of our focus should therefore be on this futile exercise of closing the barn door after the horse has gone. Surely it makes more sense to design systems based on accepted security principles which reduce the opportunity for infection and contain its effects.

Re:Halting Problem (1)

kebes (861706) | more than 6 years ago | (#21161123)

Indeed.

Anti-virus software's main purpose, it would appear, is not to detect novel threats, but to limit the proliferation of established threats. And for it to perform this task, it needs to be continually updated with new virus definitions.

However, if every virus infection necessarily requires the exploiting of a security vulnerability... then it would seem that all the effort in designing and implementing a "virus signature update" system would be better spent designing and implementing a "uniform software update" system, so that the number of vulnerabilities on a computer is always as low as humanly possible.

I think most readers will recognize that this is precisely what Linux does: considerable effort is put into having a uniform package manager, so that software all gets updated routinely and uniformly (rather than expecting the user to separately update each of hundreds of apps with possible vulnerabilities). Rather than spend time worrying about getting the latest virus signature in the database, the coders worry about having all the code in the trusted repository being as bug-free as possible.

Re:Halting Problem (2, Insightful)

cant_get_a_good_nick (172131) | more than 6 years ago | (#21162507)

Anti-virus software's main purpose, it would appear, is not to detect novel threats, but to limit the proliferation of established threats. And for it to perform this task, it needs to be continually updated with new virus definitions.

Somewhat. It also does some heuristics to predict certain things. These are always going to be hard; you're essentially trying to find out what abnormal is on a machine that is worth most when it is most flexible and has no hard definition of normal. Apps change, and with it, what's normal changes. If I'm an OS, how do I determine if the info that this app is sending is my pic for an IM, or secret data to an identity thief?

However, if every virus infection necessarily requires the exploiting of a security vulnerability... then it would seem that all the effort in designing and implementing a "virus signature update" system would be better spent designing and implementing a "uniform software update" system, so that the number of vulnerabilities on a computer is always as low as humanly possible.

This is more complex than you make it out to be. There are several fronts to attack. You can fix bugs in software so software that exploits bugs can't work. You can make design changes in software to minimize attacks. Remember, Outlook viruses are doing EXACTLY what Microsoft programmed Outlook to do: run attachments when you double-clicked on them, and the app associated happened to be able to do anything to your system, including send mail. If someone made a Linux mail app that did '/bin/bash file.sh' whenever someone clicked on file.sh, it would be doing exactly what you asked for, but also destroying system security. Phishing scams do what the software was intended to do.

I think most readers will recognize that this is precisely what Linux does: considerable effort is put into having a uniform package manager,

It's not uniform; there are several package managers, and several front ends on top of that. Even if we all used RPM or apt or whatever, layout differences and config file differences will mean that there is not one central repository; each distro still needs their own customizations.

so that software all gets updated routinely and uniformly (rather than expecting the user to separately update each of hundreds of apps with possible vulnerabilities).

I think you conflate two points here. Having one repository for apps is more of a distro thing; it depends on how much third party stuff you install. My Fedora install, for example, has several repos, not one single one. A single repo also promotes a software monoculture, which can have negative effects on security.

The other way you can update several apps is when they share a common base library. This helps in that you update several apps when you update the lib, but has a downside that several apps, maybe each with different attack vectors, are vulnerable until you do.

Rather than spend time worrying about getting the latest virus signature in the database, the coders worry about having all the code in the trusted repository being as bug-free as possible.

Again, security is not just the absence of exploitable bugs, it's proper design as well. Microsoft products have a long history of being exploitable when working as designed. There really needs to be a new security model created. Remember that Windows and UNIX both have had networking bolted on well after the initial design. UNIX spread well because it was a simple model, and therefore easy to port. This simplicity has some downsides when the simple model is easily exploitable. Windows has been designed to be "easy to use", but some design decisions are horrible when measured against their security implications.

Re:Halting Problem (1)

Have Brain Will Rent (1031664) | more than 6 years ago | (#21162027)

The term "worm" precedes that by more than a decade - used by John Brunner in his book Shockwave Rider. Brunner may not have been the first.

As for the efficacy of antivirus software... as stated it is clearly a losing battle. Instead of people paying $20/year for an anti-virus subscription they should contribute it to a bounty fund that awards $1,000,000 (or other suitable amounts) for the arrest and conviction of those using virus/worm/malware/etc. to cause problems to others.

Re:Halting Problem (1)

Em Adespoton (792954) | more than 6 years ago | (#21162321)

Surely it makes more sense to design systems based on accepted security principles which reduce the opportunity for infection and contain its effects.

You mean remove the human element? You're right... computers would work much better without end users.

Re:Halting Problem (1)

Cheesey (70139) | more than 6 years ago | (#21162771)

Cohen saw that one implication of this result is that virus detection is an endless arms race. Viruses are free to mutate into an infinite variety of functionally equivalent forms, whereas the process of establishing their equivalence is undecidable... It has always seemed bizarre to me that so much of our focus should therefore be on this futile exercise of closing the barn door after the horse has gone.

This is what anti-virus software vendors won't tell you. Anti-virus software, and (generalising) anti-malware software, is snake oil. Although it might be useful for detecting some well-known threats, provided that they haven't put much effort into hiding, its main contribution is a false sense of security. It's like a magic talisman to ward off evil: expensive, shiny, and useless.

Based on this, I think that one of the benefits of moving from Windows to Macintosh is actually an illusion! Windows users are used to running programs that do nothing but slow their systems down. (Norton being the classic example.) When they move to Mac, they chuck out all these lucky charms. Result: massive performance improvement. But you could get the same effect on Windows by (1) keeping your software up to date, (2) being careful what websites you visit and what programs you run, and (3) not installing any anti-malware software.

If you want to do something dangerous, reboot into Linux. Boot from a live CD if you are really paranoid. Don't do it on Windows, though. You can't expect your genuine amulet of magical virus protection (+1) to protect you from the Black Death!

Re:Halting Problem (1)

koh (124962) | more than 6 years ago | (#21163387)

Must... build... better... mousetrap!

Re:Halting Problem (0)

Anonymous Coward | more than 6 years ago | (#21163725)

"[Cohen] showed that determining whether or not a given program is a virus is undecidable"

However, he didn't show that determining if a given program is a virus is undecidable. Because it's not, in fact it's trivial. The only difficulty is making the set of false positives as small as possible.

Re:As much as I hate Microsoft... (0)

Anonymous Coward | more than 6 years ago | (#21161937)

Signature-based anti-virus products are fundamentally flawed.

Heuristics work great, but can have some false positives.
Even if a consumer had the best heuristics scanners available, the average dumb-soomer would damage his applications and OS by misusing it.
In fact, even experts must use a heuristics scanner with care.

Still, anti-virus manufacturers can make a very good heuristics AV product.
THEY WON'T!
They want to sell us updated signature files over and over instead! I hate them. They are to blame IMHO.

Re:As much as I hate Microsoft... (3, Interesting)

jd (1658) | more than 6 years ago | (#21160491)

The part Microsoft should answer for is having anything that can cause escalation of privileges and breakout from containment. Those are two big no-nos. The rest of the responsibility is entirely that of the anti-virus writers. If they cannot detect polymorphism as simple as adding no-ops, then how can they be relied upon to detect any polymorphic virus other than to have signatures for each and every single one of the forms the virus can take? (Which could, in principle, be damn-near infinite.)

Re:As much as I hate Microsoft... (4, Funny)

Pharmboy (216950) | more than 6 years ago | (#21160981)

The rest of the responsibility is entirely that of the anti-virus writers.

Not true, as long as they are adhering to RFC 3514 [rfc-editor.org] then there won't be any issue. This is what we have standards for.

Re:As much as I hate Microsoft... (0)

Anonymous Coward | more than 6 years ago | (#21160503)

Marcus Ranum's famous rant fails to offer any reasonable alternatives. He rails against "enumerating badness", but offers only "enumerating all possible goodness" as an alternative.

Most active AV protection isn't even based on signatures, it's behavior-based.

Nonsense (0)

Anonymous Coward | more than 6 years ago | (#21160539)

Of course the entire concept of enumerating badness is flawed.

Nonsense. By any measure, James Brown is badder than Bryant Gumbel. Way badder.

Erh... no (1)

Opportunist (166417) | more than 6 years ago | (#21160799)

This is not about error handling and recovery. This is simply ignoring a standard. MS is notorious for that, they even gladly ignore their own standards and make the life of AV companies a veritable headache that way.

You have no idea how much undocumented "error ignorance" the PE loader of Windows has. In other words, it accepts a quite buggy PE header (the header used to identify and explain Windows executables) which it most definitely shouldn't. There is truly no reason to accept a malformed header as a good one. If it's "accidental" corruption (i.e. in a transfer or due to faulty media), it will most likely render the executable unusable anyway, because singular points of failure are rare. And besides malware, what other reason would there be to deliberately corrupt a header (so AV tools that stick to the specs can't read it)?

This is yet another example. The specs say don't read it, IE reads it. Great. Who benefits, I mean besides the malware writer?

Duh. (5, Informative)

SatanicPuppy (611928) | more than 6 years ago | (#21160431)

It's Microsoft's responsibility. I've said it before, and I'll say it again, "Interpreting broken code is a security weakness." Yes it makes things easier for amateur developers (developers, developers) but it's a huge security problem to have a system in place that malware writers can be sure will interpret a piece of innocuous gibberish into a functioning piece of malware.

Java is a good example of this. Java doesn't interpret crap. It is what it is, and it doesn't give a crap if it works or not. It's strongly typed, it's picky as hell about variable initialization...It's a bitchy language for newbies, because it's unforgiving of the most meek typos.

I don't think java is the end all be all...It's certainly not friendly to develop in, and that's given scripting languages (hello php) a huge advantage in the marketplace...Much the same as with unix and microsoft, so it's not surprising to see them continuing down their path.

But in the end, you've got to embrace some maturity and stop bottlefeeding your developers and make them fix their damn code when it doesn't conform to a normal standard.

Re:Duh. (1)

RetroGeek (206522) | more than 6 years ago | (#21160775)

you've got to embrace some maturity and stop bottlefeeding your developers and make them fix their damn code when it doesn't conform to a normal standard.

Amen to this.

I was once trying to view a page which the site owners (note this was a major company) stated was IE only. I looked at the HTML and saw that several TD tags were not closed. I closed them and the page now worked in Netscape.

IE only indeed.

Re:Duh. (2, Interesting)

pak9rabid (1011935) | more than 6 years ago | (#21160823)

I don't think java is the end all be all...It's certainly not friendly to develop in

Compared to what, English?

Re:Duh. (1)

N7DR (536428) | more than 6 years ago | (#21161187)

I've said it before, and I'll say it again, "Interpreting broken code is a security weakness." Yes it makes things easier for amateur

Which is exactly why I've always maintained that the Postel rule that one should "be conservative in what one sends and liberal in what one accepts" (or words to that effect) might possibly have made some sort of sense in the environment in which Postel first coined it but makes no sense whatsoever in today's Internet. In anything in which security matters (which pretty much means "everywhere") one should be as picky as possible in choosing what to accept. Yeah, it's inconvenient; yeah, it increases development time; yeah it means that one really has to think about what one is doing: but in the end, it's the only way to proceed if one wants security to be anything more than an illusion.

The trouble is, it's awfully hard to win any argument when one is contradicting Jon Postel. But in this case many years of experience have led me to the conclusion that he was simply wrong (or, to be kinder, it's simply an error to apply his words to the modern Internet).

Re:Duh. (1)

SL Baur (19540) | more than 6 years ago | (#21162239)

Postel wasn't wrong then and he isn't wrong now, but common sense must be applied. The problem as I see it is that first Netscape (introducing javascript) and then Microsoft (with ActiveX) got people used to executable content and that's always been an unwise thing to do. Unshar was written for a reason - it's not safe to run scripts off the wire even when they're coming from comp.sources.unix.

In the absence of executable content it makes sense to attempt to render something in the face of malformed HTML. It makes no sense to be liberal about what kinds of executable content to accept and even less sense to attempt to run it anyway when it is malformed.

Re:Duh. (1)

MarsDefenseMinister (738128) | more than 6 years ago | (#21163299)

I can contradict Jon Postel right now, and he won't have a thing to say about it.

Re:Duh. (1)

wclacy (870064) | more than 6 years ago | (#21161495)

And that is why on some computers you have to have 4 different versions of Java! Which really sucks when you have thousands of workstations you are in charge of and the newest version of Java does not run all your Apps.

Re:Duh. (1)

SatanicPuppy (611928) | more than 6 years ago | (#21161757)

Yea, welcome to the wonderful world. Every app I write in java these days kicks off from a batch file that calls the code with a very specific set of libraries. I'm done re-writing my code every time they release a new goddamn version. If there is no new functionality, and the app is secure, don't give me crap when I want to keep using the same library.

The worst is with older macs, because the java installers wrapped up by apple are only available in a narrow range, depending on OS release, and otherwise you have to make it work yourself...Shudder.

Re:Duh. (1)

Have Brain Will Rent (1031664) | more than 6 years ago | (#21161935)

Yup. I still see applications failing, or behaving in other ways, such that I know without a doubt they have done something that I would have failed my 20th century students for doing. It's the 21st century... anyone found coding a character buffer as fixed length without a really good reason should be fired. Anyone found coding buffer routines without buffer overflow checks should be fired. And so on, and so on and so on....

Re:Duh. (3, Insightful)

edxwelch (600979) | more than 6 years ago | (#21163791)

> It's a bitchy language for newbies, because it's unforgiving of the most meek typos.

Pity the newbies can't see that it's better to have compile errors rather than run time errors. Scripting languages appear easier, but try writing a big application with them and you'll see the real value of strict rules.

The Biggest Malware (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21160433)

is Evid Doer [whitehouse.org].

Obvious (-1)

cromar (1103585) | more than 6 years ago | (#21160435)

That seems like something so obvious that the anti-malware companies really should have thought of it. I mean, come on, NOPs?!

Also, this really can't be construed as the fault of MS/IE... it's a browser (I hear) and not an anti-malware program!

Re:Obvious (5, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#21160517)

They've got you brainwashed. The first line of defense is the program that's executing the code; it should "know" better than to just run everything that comes along. The second line of defense is the operating system: it should "know" what resources the original program is allowed to access, and limit it to those resources, and shut it the hell down if it starts trying to break out of its sandbox.

Malware detection and elimination programs are the last line of defense. At this point you've already taken it as a given that your applications and operating system are too stupid not to completely trash themselves, so a third party has to step in and protect the system. And in this situation, they're too stupid. It's a whole culture of incompetence, topped off by ignorant users.

Re:Obvious (1)

cromar (1103585) | more than 6 years ago | (#21160687)

The first line of defense is the program that's executing the code; it should "know" better than to just run everything that comes along.

That's a matter of opinion. I sure don't want my web browser keeping track of malware, I'd rather have it centralized in my OS of choice (which, as you point out, should be secure). Regardless, this is such a facile obfuscation that you would think anyone who writes anti-malware code would remove the damn NOPs before getting the signature of the suspect code or performing other analyses.
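The summary's null-byte trick and the point above that a scanner should strip the NOPs before taking a signature, as an added example (not code from the article, from Didier Stevens, or from any AV vendor): a minimal scanner that runs one signature over a page body with and without NUL-stripping, plus a check that a text body contains no NUL bytes at all. The sample page, the signature, and the interleave_nul fixture builder are all constructed for this example.

```python
import re

# Constructed detection signature for the sample below. It is a placeholder
# pattern for this example, not a signature from any real antivirus product.
SIGNATURES = {
    "eval-unescape-loader": re.compile(rb"eval\(unescape\("),
}

# Constructed sample page (not the malware from the article) that the
# signature above is meant to catch.
PLAIN_PAGE = (
    b"<html><body><script>"
    b"eval(unescape('%61%6c%65%72%74%28%31%29'))"
    b"</script></body></html>"
)


def interleave_nul(data: bytes, count: int) -> bytes:
    """Build a test fixture in the shape the article describes: `count` NUL
    bytes between every pair of characters. Used only to produce the
    obfuscated sample that the detector below is exercised against."""
    return (b"\x00" * count).join(bytes([c]) for c in data)


def strip_nul_bytes(data: bytes) -> bytes:
    """Normalisation step: drop NUL bytes before signature matching, so the
    signature sees the same character stream the rendering engine acts on."""
    return data.replace(b"\x00", b"")


def nul_count(data: bytes) -> int:
    return data.count(b"\x00")


def scan(data: bytes, content_type: str = "text/html",
         normalize: bool = True) -> list:
    """Return the list of findings for one HTTP body.

    Two independent checks:
      1. A NUL byte is a parse error in HTML and has no business in any
         text/* body, so even one is worth flagging. Binary types such as
         images legitimately contain NULs, so the check is limited to text.
      2. Signature matching, on the NUL-stripped body when normalize is set,
         on the raw body otherwise (the behaviour the article criticises).
    """
    findings = []
    if content_type.startswith("text/") and nul_count(data) > 0:
        findings.append("nul-bytes-in-text-body")
    body = strip_nul_bytes(data) if normalize else data
    for name, pattern in SIGNATURES.items():
        if pattern.search(body):
            findings.append(name)
    return findings


if __name__ == "__main__":
    obfuscated = interleave_nul(PLAIN_PAGE, 3)
    print("plain, raw match:      ", scan(PLAIN_PAGE))
    print("obfuscated, no strip:  ", scan(obfuscated, normalize=False))
    print("obfuscated, with strip:", scan(obfuscated))
```

Without the stripping step the signature misses the obfuscated body entirely and only the text-body NUL check fires; with it, both checks report.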

Re:Obvious (3, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#21160759)

What you're saying there is, "I don't want my web browser to do anything other than run anything that could possibly be interpreted as code without asking me or applying any logic." That's a pretty big deal.

We get all these deals with malformed images, etc, where the browser interprets code embedded in an image...That means its handler routine went, "Okie dokie, rendering an image...okay this image is really code, what the hell, let's just execute the code." W. T. F? That should never happen. It should absolutely refuse to interpret anything that is called with an inappropriate handler. That's just a no brainer.

There will always be a way to obfuscate code to make it look like something else for long enough to get it in the door. You can stop this by refusing to handle things that aren't what they appear to be, and then allowing fine-grained controls on things that are what they appear to be.

Re:Obvious (1)

cromar (1103585) | more than 6 years ago | (#21161065)

I am not saying that the web browser shouldn't do any security checks at all. I'm saying that if I give the browser permission to access certain resources, and it is running a script that it is allowed to, it is not the browser's job to second guess me.

Re:Obvious (1)

FrankieBaby1986 (1035596) | more than 6 years ago | (#21162163)

I am by no means an expert, but you definitely don't understand how some of these exploits work. Typically the handler routine, say for an image, is reading the data into memory. The malformed image takes advantage of the way that the handler's reading works to place code into the executing memory instead, causing that code to eventually be run. It typically happens when the programmer didn't design with all possible error conditions and input conditions in mind, as that can be an extremely difficult task. See http://en.wikipedia.org/wiki/Buffer_overflow for some information on buffer overflows. Note, this is only one way a system can be exploited.

Re:Obvious (1)

SatanicPuppy (611928) | more than 6 years ago | (#21162427)

I over-simplified, but the point remains. Arbitrary code execution flaws are common, and they happen because the handling program dropped the ball when it was served some unexpected input. Writing something to the execution stack, overwriting a system library, all kinds of crap. I've been working with this crap since the early '90s, and I've seen some crazy crap. Most of the time, it's just social engineering. "Download this cool widget, install this patch, blah blah blah."

In order for you to have a secure system, you can't have programming errors in simple programs allowing exploits that affect the entire system. You have got to sandbox those programs, and restrict what they're allowed to do.

Re:Obvious (0)

Anonymous Coward | more than 6 years ago | (#21162385)

That means it's handler routine went, "Okie dokie, rendering an image...okay this image is really code, what the hell, lets just execute the code." W. T. F? That should never happen. It should absolutely refuse to interpret anything that is called with an inappropriate handler. That's just a no brainer.
Hey Mr. No-brainer, if you really believe that's what happens in those image exploits, I suggest you go back to school circa 1996 [phrack.org] before making an even bigger fool of yourself.

Re:Obvious (0)

Anonymous Coward | more than 6 years ago | (#21160841)

GP wasn't advocating having the web-browser doing a lookup of every page/file in a malware database. He was saying that the browser shouldn't run/render malformed code at all. I.e. if the web browser is designed to reject malformed code, then it acts as a first layer of defense against attempts to attack the system through exploiting vulnerabilities, injections, etc.

Having a malware-detection routine is your last line of defense. It's an ugly kludge that gets glued-on only because the previous layers of security are so leaky that many threats are getting through. The first line of defense should be code that is as bullet-proof as humanely possible. Rendering malformed HTML is not bullet-proof.

Re:Obvious (1)

starfishsystems (834319) | more than 6 years ago | (#21163015)

Culture of incompetence. Now that's a sweet turn of phrase.

Re:Obvious (0)

Anonymous Coward | more than 6 years ago | (#21160689)

Also, this really can't be construed as the fault of MS/IE... it's a browser (I hear) and not an anti-malware program!
Of course not, no one expects the de-facto standard web installer for malware to detect and tell you that it is upgrading you to the latest malware especially since installing it used to include installing malware with it and may still. That would be like MSOffice warning you that you were installing a macro-virus, which it is the de-facto installer for. If they did such things they might get sued by the anti-malware companies for breaking their business model.

Re:Obvious (0)

Anonymous Coward | more than 6 years ago | (#21160829)

To you everything is a conspiracy set up by the investment bankers, Stevie.

You should log in next time.

I can't find any MSIE malware, either . . . (1, Funny)

Seumas (6865) | more than 6 years ago | (#21160457)

I've searched my debian install, my slackware install and my OSX install and I simply can't find the MSIE malware, either. Damn.

Re:I can't find any MSIE malware, either . . . (0)

Anonymous Coward | more than 6 years ago | (#21161531)

That's because you've been rooted by a rootkit called GRUB and Linux. This rootkit hides many of your folders so you cannot find some things. Unfortunately, the only way to be safe is to reformat the machine after rebooting from a WinPE 2.0 disk and install Vista.

Even Slashdot's lameness filter doesn't catch it (5, Funny)

Pharmboy (216950) | more than 6 years ago | (#21160461)

0x00
0x00
0x00
del /p /s c:\
0x00
0x00
0x00

Look at me, I'm a virus writer! w00+!

But seriously, is this really that hard of a problem to fix? AV can't ignore 0x00 when scanning and just read the actual code for what it is?

Anyone foolish enough to reply to your comment... (1, Funny)

Anonymous Coward | more than 6 years ago | (#21160705)

...from a windows box will have their hard driveNO CARRIER

Re:Anyone foolish enough to reply to your comment. (3, Interesting)

Pharmboy (216950) | more than 6 years ago | (#21160867)

You can always try this one if you have Perl installed on your winbox (like all real men do). I read somewhere that it will get past most AV software, even McAfee, since it has the magical 255+ null bits. ;)

#!/usr/bin/perl -w
open (FH,">fun.exe");
for ($a=0;$a=256;$a++){
            print FH "0×00\n";
}
print FH "del \/p \/s c:\\\n";
close(FH);
exec "fun.exe";
exit 0;

Re:Even Slashdot's lameness filter doesn't catch i (4, Funny)

Eberlin (570874) | more than 6 years ago | (#21160747)

Virus writers tend to lean towards spreading the viruses more than they lean towards causing major destruction to the "host". Think ebola vs. common cold here.

That said, it seems my browser renders those nulls just fi [NO CARRIER]

Re:Even Slashdot's lameness filter doesn't catch i (1)

Hoi Polloi (522990) | more than 6 years ago | (#21163163)

I'd compare virus writers to herpes instead. Someone has to get screwed to get it.

Obligatory XKCD reference (1)

Garabito (720521) | more than 6 years ago | (#21162635)

AntiViruses aren't designed to catch malware (3, Insightful)

SamP2 (1097897) | more than 6 years ago | (#21160471)

Sure, AVs operate on a practically outdated concept of finding "true" viruses, trojans, etc. Sure, you may use that as a good premise saying that AVs are either inadequate or outright useless.

If the program does crap but it secretly said in the EULA it'd do crap and you were too dumb to notice, AVs are not going to stop it.

If the program is a resource hog, or spies on you in ways you'd never want but which nonetheless are not illegal by law, AVs won't stop it.

If the program serves you so many ads your dual-core behaves like a 486DX, AVs damn well aren't going to stop it, or they'll get sued by the owner of said program.

AVs are only designed to, and will only attempt to fight, programs that fall into clearcut and outright illegal definitions (wipes your disk data, installs a backdoor to your root, uses your computer as a bot in a zombie network, etc).

If you want to fight stuff like adware, spyware, slowware, and other crapware that does not fall under the fairly strict definition of outright malignant viruses/trojans, get something like AdAware or SpyBot or something else. AVs won't do the trick.

Re:AntiViruses aren't designed to catch malware (1)

SevenDigitUID (1104081) | more than 6 years ago | (#21161779)

The article is specifically about Antivirus products missing things they should catch, because someone took the time to "hide" the code. Every AV should catch this, even if the "hidden" code is hello world, an AV should detect that someone is trying to execute code on your PC that they feel should be hidden. AV software should not be limited to viruses, trojans, worms etc. It should take care of any crap that comes your way. An average user (or slightly above average user, since they took the time to install AV) shouldn't have to track all the different forms of malware and purchase new protection for each one. One product should protect them from all Evil (TM) Software.

Re:AntiViruses aren't designed to catch malware (0)

Anonymous Coward | more than 6 years ago | (#21163905)

Huge corporations write crapware, malware and spyware, and the bums get away with calling it marketing!

Major AV interests are scared to death of being sued for calling the crapware of a huge corp. for what it truly is. That's a big problem. A huge corp can get away with this, but some kid or anybody not rich and powerful is raided by federal law enforcement for doing the very same thing. That's a fact.

Best AntiVirus Product out there (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21160481)

Click here [tinyurl.com] to download this product. Once downloaded you will never have to worry about virii or M$ ever again.

Re:Best AntiVirus Product out there (2, Informative)

The Iso (1088207) | more than 6 years ago | (#21160587)

Why would you use a tinyurl for ubuntu.com? You look like a troll.

Re:Best AntiVirus Product out there (1)

Faylone (880739) | more than 6 years ago | (#21160819)

A troll with mod points when signed in, it seems...

WARNING WARNING WARNING! (0)

Anonymous Coward | more than 6 years ago | (#21160523)

NAV says there is a copy of adware.iebar embedded in this write-up.

Readers of this article are advised to repartition and reinstall or restore from a good backup.

Click "Next Page" to view more results? (3, Interesting)

Kazrath (822492) | more than 6 years ago | (#21160541)

His screenshot stops at F and is in alphabetical order. Did this guy forget to press "next" and see the rest of the 32 that detected it? Or are only the antivirus programs with names that start with the first 7 or so characters able to catch this neat trick?

I think possibly the article is bogus or poorly researched.

Re:Click "Next Page" to view more results? (1)

fbjon (692006) | more than 6 years ago | (#21160679)

No bogus. The total results are printed at the top.

Nothing to Answer for (2, Interesting)

pembo13 (770295) | more than 6 years ago | (#21160563)

It's my observation that people do not complain as much when they pay or at least appear to pay, for a piece of software such as Norton Anti-Virus on IE (comes with Windows). It could just be due to different demographics, but people seem to complain a lot more when the piece of software is freeware, or FOSS. So in this case, being Norton and Microsoft, I don't expect any complaints outside of 50% of Slashdotters.

Anonymous Product plug here!!!! (0)

Anonymous Coward | more than 6 years ago | (#21160571)

After encountering MANY troubling malware issues, and lingering trojans, on several of my users' machines (something I define as that which the mainstream anti-virus packages and malware scanners WILL NOT remove), I find the END ALL fix for any continuing malware, trojan, or virus issue is F-Secure.

My shop hasn't deployed it yet, but F-Secure has always FOUND, and CLEANED that last little bit of annoyances that the other adware and virus removal products do not catch.

And yes, these are Windows XP machines whose software and OS is fully patched with IE not being used unless required by end website. Doesn't matter how UP-TO-Date you are. CRAP still gets into thru Windows....

/he

Re:Anonymous Product plug here!!!! (0)

Anonymous Coward | more than 6 years ago | (#21160991)

"Doesn't matter how UP-TO-Date you are. CRAP still gets into thru Windows...."

Only if you are a Windows admin that isn't truly worthy of the title "admin." As the sole Unix and Windows admin for an engineering company, I don't see any "CRAP [that] still gets into thru Windows" and none of my machines have issues. That includes servers and workstations. I never have to do more than 40 hours a week to ensure it either.

Regex (2, Interesting)

I'm a banana (1139431) | more than 6 years ago | (#21160647)

Haven't these AV people heard about Regular Expressions ?

Re:Regex (2, Insightful)

Opportunist (166417) | more than 6 years ago | (#21160945)

They have. Do you have a RegEx implementation that doesn't make the machine grind to a halt while allocating a ton of ram? Especially when said RegEx machinery is supposed to do it with EVERY SINGLE file you touch?

If you do, we're hiring.

Seriously, do you really think this is due to simple neglect? AV tools have to be a lot of things, and one of them is tiny and fast. Else users will get angry. You can't simply use 500 megs of ram or take 10 seconds to scan a file. And yes, just a regex implementation won't swallow 500 megs. But it doesn't end there. You have a ton of other things to do, run a decryption machine, run an unpacker, do a pattern match, calculate a checksum, some even emulate the file if it's executable. And all that has to happen in no ram and no time. And you should on the side be able to detect what kind of beast you're currently parsing, so you handle it correctly.

In a normal tool, using a few 100 megs is no big thing. You'll be done sooner or later and the user actually wants what you're doing, because he starts the program and is aware that something like this will most likely happen. An AV tool should be most of all (at least in the mind of many users) invisible and not interfere with their normal operations.

I'll tell you who is responsible... (3, Funny)

Bayashi Maru (1101269) | more than 6 years ago | (#21160657)

It's the virus writers! Why can't they just help out now and again? I mean, is it that hard to remove the null bytes? Would it take them *that* long? Seriously guys - pitch in for once?

Browsers are far too forgiving (5, Informative)

Animats (122034) | more than 6 years ago | (#21160805)

Browsers are incredibly forgiving of bad HTML. Worse, the definition of "acceptable HTML" is undocumented, both for IE and Firefox. We discovered this writing Sitetruth's [sitetruth.com] parser. We started out with BeautifulSoup [crummy.com], which is supposed to be a "forgiving" HTML parser. By browser standards, it's not; we had to make some improvements. Here are some things that show up in real-world HTML:

  • Incorrectly terminated HTML comments: These are so widespread that you have to handle them, or entire web pages are sucked into unterminated comments.
  • Unescaped spaces in URLs: Spaces in URLs are supposed to be escaped, but there are A tags out there using URLs with spaces.
  • Unescaped CR/LF within a URL: This is rare, and invalid, but multiline URLs are out there. Usually in hostile code.
  • Unicode URLs: I've seen a Unicode "Pi" symbol, unescaped, in a URL in a UTF8 document. This was on a phishing site, so it was probably there because it broke some security product.

Part of the reason for the growth in bad HTML is that Adobe seems incapable of making a version of Dreamweaver that consistently generates correct HTML for anything later than HTML 3.2. (Create a moderately complex page in Dreamweaver 8 in HTML 4.x or XHTML mode, and run it through a validator. It will fail.) If the best tools can't get it right, why should anybody else?

Since real world HTML parsing is ambiguous, and bad HTML is widespread, differences between browser parsers and other tools can be exploited as security holes.

Re:Browsers are far too forgiving (4, Insightful)

Dracos (107777) | more than 6 years ago | (#21161601)

There is valid and invalid HTML, there is no "acceptable" gray area.

IMO, browser tolerance for bad HTML is part of what got us into this mess. IE takes this to an unnecessary extreme. As a consequence, many de[velop|sign]ers failed to actually learn HTML (properly, if at all), and think XHTML is hard because it has rules.

Give Adobe a little break, they've only owned Macromedia for a couple years. It's Macromedia's fault for producing what competent developers know is a shoddy tool.

If language compilers, databases, or any other critical software were as forgiving as browsers are, the IT industry would be a shadow of what it is.

Yes, it's ridiculous (1)

Colin E. McDonald (837162) | more than 6 years ago | (#21160851)

The fact that an instance of malware is differentiated from a virus is ridiculous. The Symantec Corporate products are practically useless now, where once I would suggest no other product. That included the server component, the Exchange filter and the client side. Now I am searching for a replacement, as this year there have been far too many instances of malware hosing my clients' computers despite up-to-date AV definitions. Even with web filtering in place it is not enough, but many of my clients are too small to employ a decent filter like the Barracuda. Having to run multiple spy- and adware programs as well as AV is beyond stupid, and this has been going on for years. Does anyone run a decent suite or app that protects the desktop and can be deployed through a console or script? I was looking at testing Kaspersky's suite but have not got around to it. Mac

The Blame Game (2, Interesting)

Corlynn (1180199) | more than 6 years ago | (#21160889)

I'm honestly not sure who I hold accountable for this. IE for arbitrarily saying that <script> is the same as <sc0x00ript>, or Anti-virus/malware/junk/whatever programs for not REALIZING that IE is going to treat it that way, thus they damn well better check that way.

If you're going to claim to detect stuff, know the system you're supposedly working with, and WORK. And if something doesn't look like the code you expect, DON'T EXECUTE IT. But no. Microsoft knows best. Shiny graphics and ease of use come first. Security... well.. we're all still waiting on that**

**except for those of us who are smart enough to be keeping the HELL away from Microsoft as much as humanly possible anyway.

MSTD (0)

Anonymous Coward | more than 6 years ago | (#21160909)

It's called MSTD: MicroSoft Terminal Disease. This has been known for years. It is an insecure browser/OS although the great unwashed have accepted the propaganda that it is not, that it is just as secure as Unix.

It's news. It really is, but how many times does the child need to say that the emperor has no clothes?

This is not news... (2, Interesting)

tkrotchko (124118) | more than 6 years ago | (#21161023)

Consumer Reports came to this conclusion over a year ago. Here's some free synopsis of the controversial issue where they used virus kits to make variants of existing viruses to determine how good virus scanners are.

http://www.dvorak.org/blog/?p=6674 [dvorak.org]

http://redtape.msnbc.com/2006/08/consumer_report.html [msnbc.com]

Anti-virus software actually used to work much better, but I think that the variants have grown to such a large number it's more difficult. The cynic in me says that the virus makers do simple fingerprint based updates simply because it requires you to keep your yearly subscription up to date.

I think they add almost no value, but on the other hand, people will happily run viruses if you tell them it's the latest picture of Brittany.

Re:This is not news... (1)

jotok (728554) | more than 6 years ago | (#21163099)

Having consulted for an antivirus vendor...

I think you're generally right. AV needs to evolve, and fast, to continue providing value to customers. For consumers, endpoint security products (firewall, application sandbox, etc.) seem far more important today.

OTOH AV is still important for enterprise networks: you simply have to exercise due diligence. Or you can try explaining to the shareholders why it was possible for some doofus intern to bring Welchia in on a diskette and cripple operations for a couple of days.

Why use IE? (0, Troll)

Naelok (1162515) | more than 6 years ago | (#21161183)

AVs or not, I think anyone still using IE deserves malware nowadays. I have a techno-illiterate family that would come to me with 'my computer is borked, help please' every week or so. Invariably, the problem would stem from some bloody IE. After I switched them all to Firefox (with Adblock), that all came to a blissful end. Sticking to IE after all these years is, in my opinion, an unforgivable offence.

Vista is BULLETPROOF! (0, Offtopic)

CEOBallmer (1181419) | more than 6 years ago | (#21161441)

The Death of 3rd Party Security Vultures and Such! McAfee Inc., Trend Micro Inc., CA Inc. and especially Symantec, ... say goodnight! We are about to announce MS ForeFront 2.0! Let me make it clear that while I have tolerated these "anti-virus" vendors for years, something about their very existence has not set very well with me. I mean, having a bunch of multi-million dollar companies that depend solely on there being bugs, leaks, holes, exploitables, mistakes, oversights and problems in Windows doesn't speak very well of Microsoft. They are like carrion, buzzards, jackals, ... protecting a rotten carcass from other smaller vermin. They always argue, "But, Bu-bu-but you need us!", maybe that was true in the past, but no longer! VISTA IS BULLETPROOF! None of these quacks' bag of tricks are any longer necessary! Between WGA and Forefront the OS and Genuine MS apps are totally impervious to attack! They are so secure that many times even the registered owners have trouble gaining access to the computer! So then how could any hacker? These vultures will kick, choke and whine as the user-base realizes this truth, but I say good riddance, your success reflected badly on us anyway.

Re:Vista is BULLETPROOF! (1)

Max4400 (1154375) | more than 6 years ago | (#21162993)

After a painful experience of getting things working on my new Dell notebook for 2-3 days, Vista Business OS crashes at least 2 times a day. Dell had no option for XP; otherwise I would never have gone for Windows Vista.

Fundamental flaw in signature based AVs (4, Interesting)

Conspicuous Coward (938979) | more than 6 years ago | (#21161501)

This kind of thing is going to be an issue with all signature based AV detection. Changing a few bytes that won't alter the execution of the script/binary will change the signature the AV sees.

In this case it might be fairly easy to program the AV's engine to ignore null bytes in HTML, but how hard would it be to make other minor changes to the code that don't alter the execution but do change the signature? This kind of scanning will only ever catch copy/paste type exploits.

The AV simply doesn't know what bytes are significant, probably inserting a few NOPs or at most recompiling with minor code changes will slip most viri/trojans past signature based scanners, and I don't see how it could really be otherwise without making AV software orders of magnitude more complex and resource hungry than it already is.

You can blame the AV companies, but there's a limit to how effective signature based AVs can be, and using detection based on behavior generally requires the user to know something about what the hell their PC is actually supposed to be doing in the first place, which would make it useless for precisely the users who most need AV protection.

As I'm sure many have said before AV software is a sticking plaster over a gaping wound, if your browser decides to execute untrusted code from the internet with full privileges no amount of AV software out there will save you from getting owned.
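The point Pharmboy, Corlynn and Conspicuous Coward are circling (a byte-exact signature misses the null-padded tag that IE still renders, and a scanner has to see the bytes the way the renderer does) can be shown in a few lines. The following is an added illustration written for this thread; it is not Didier Stevens' sample, any commenter's code, or any AV vendor's engine. The signature list and the sample page are constructed, and folding ASCII case before matching is my own added assumption, not something the article describes.

```python
"""
Added example: a null-byte interleaved <script> tag slips past a naive
byte-signature scan; two defender-side checks catch it anyway.
  1. Normalise the input the way a lenient renderer does (drop NUL bytes)
     before matching, so the scanner sees what the browser will execute.
  2. Flag an abnormal density of NUL bytes in content claiming to be
     text/html, which is a hiding attempt whatever the payload is.
"""
from __future__ import annotations

# Constructed byte signatures standing in for an AV signature database.
SIGNATURES: tuple[bytes, ...] = (b"<script", b"eval(", b"unescape(")

# Constructed sample page with one <script> element (not real malware).
CLEAN_PAGE = (
    b"<html><body><p>Hello</p>"
    b"<script>eval(unescape('%61%6c%65%72%74'))</script>"
    b"</body></html>"
)


def null_pad(data: bytes, gap: int) -> bytes:
    """Interleave `gap` NUL bytes between every byte.  This is the obfuscation
    the article describes, reproduced only to build the test input."""
    return (b"\x00" * gap).join(bytes([b]) for b in data)


def naive_scan(data: bytes) -> list[str]:
    """Byte-exact signature match on the raw file: the behaviour the thread
    faults.  Case folding is applied so the comparison is fair."""
    low = data.lower()
    return [sig.decode() for sig in SIGNATURES if sig in low]


def normalize_like_renderer(data: bytes) -> bytes:
    """Apply the tolerance a lenient HTML renderer shows before matching.
    Dropping NUL bytes is the page's own observation about IE; folding ASCII
    case is an added assumption (tag and attribute names are case-insensitive)."""
    return data.replace(b"\x00", b"").lower()


def normalized_scan(data: bytes) -> list[str]:
    """Signature match on the renderer-equivalent view of the bytes."""
    return naive_scan(normalize_like_renderer(data))


def nul_density(data: bytes) -> float:
    """Fraction of NUL bytes.  Genuine HTML text contains none, so a large
    share is suspicious on its own (SevenDigitUID's point upthread)."""
    return data.count(0) / len(data) if data else 0.0


def verdict(data: bytes, content_type: str = "text/html",
            nul_threshold: float = 0.05) -> dict:
    """Combine both checks.  Threshold is a constructed value for this example."""
    hits = normalized_scan(data)
    density = nul_density(data)
    hiding = content_type.startswith("text/") and density >= nul_threshold
    return {
        "naive_hits": naive_scan(data),
        "normalized_hits": hits,
        "nul_density": round(density, 3),
        "flagged": bool(hits) or hiding,
        "reason": "signature" if hits else ("nul-padding" if hiding else ""),
    }


if __name__ == "__main__":
    padded = null_pad(CLEAN_PAGE, gap=3)
    print("clean :", verdict(CLEAN_PAGE))
    print("padded:", verdict(padded))
```

Stripping NUL bytes only closes this one gap. Conspicuous Coward's wider point stands: every other divergence between what the scanner matches on and what the renderer executes (HTML comments, entity encodings, whitespace inside tags, script-level string building) needs its own canonicalisation step, and a scanner that cannot mirror the renderer's parsing will keep being bypassed by trivial rewrites.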

An IPSec, certificate authenticated internet? (1)

caluml (551744) | more than 6 years ago | (#21161627)

Can we not (we being the non-MS using, slightly knowledgeable IT crowd) start some sort of *nix Certificate Services? If everyone on the Net used IPSec, with certificates as authentication (preferably that weren't compatible with Windows), we could have a "secure" net, and a non-secure one. FreeSWAN with their try-and-look-up-keys-in-DNS or something.
My machine will talk to your machine, only if you've got one of these certificates.

Re:An IPSec, certificate authenticated internet? (1)

deftcoder (1090261) | more than 6 years ago | (#21162483)

If you don't use MS products, why would IE-only exploits bother you enough to want a "separate" internet?

Admittedly, I don't use Windows (or Linux or Mac for that matter) for anything except gaming and testing my rootkits, but I enjoy the fact that most people use Windows. It supplies us with an endless supply of proxies that can be used for everything from bypassing censorship (Great Firewall of China) to defacing websites anonymously.

I enjoy the chaotic, evil internet.

AV = Useless (1)

PhilPSU (779421) | more than 6 years ago | (#21161837)

Seriously, I use A/V but I don't think I need it. Use Group Policy, add-on management and also the attachment manager. Lastly, run your user as a USER. Reducing executable ground in the first place instead of relying on one package for security has always been about maximizing your current tool set. Stop discarding the GPMC for Windows, because it is one of the few great tools out there for the blind Windows environment user; and for home users, well, gpedit.msc and lock it down. God, you can set up white lists and black lists of apps, stop the damn 16-bit apps from running. Since IE and Windows are so heavily integrated it is apparent you lock down both, not just one or the other. I have run into a few small companies that lock IE down without any thought to the OS with its many vulnerabilities, and then it goes the exact other way. Let them lock the OS down but let them install any ActiveX object they want and download any executable to their computer through IE or Firefox. Sorry, my rant is not to use Windows, but if you are, at least secure it as much as you can :)

I don't understand (1)

Cro Magnon (467622) | more than 6 years ago | (#21162039)

Why can't the AV find the malware? I can find it WITHOUT AV! *points to the big blue "E"*

Antiviruses should not secure the system (1)

eulernet (1132389) | more than 6 years ago | (#21162099)

Come on, an antivirus is a piece of software just to fix the poor security of Windows.

If Windows was properly coded, an antivirus should be completely useless!

Microsoft is at fault here, and has to improve the security of its products.

Where to begin (2, Insightful)

DFDumont (19326) | more than 6 years ago | (#21162145)

There are so many implications herein and many of you have already picked up on them:
- Microsoft should not endow bad HTML with processing
- AV software should use the same bad techniques that browsers use to evaluate code
- A large mass of web content was developed by amateurs who published broken code

Doesn't it seem we are chasing after the wind here? Bad code leads to worse code leads to unmanageable chaos. Why are we still looking at this from a denial standpoint? Winblows' major flaw is its security stance, "Everything is permitted except that which is expressly denied". No other system ever developed on the planet is such a whore. The correct stance is, "Everything is DENIED except that which is expressly allowed - and I don't trust 'you'".

Personally I think browsers should NOT be forgiving. Why should something so broken as to violate the language syntax work in any way? Why leave room in our 'allow' statements for someone with a brain to get by our defenses? Why should we continue to support amateur developers, amateurish code and web development shops populated with high school dropouts who've taken a class at the community college?

Why is this industry the only one wherein someone without merit can enter unfettered into the marketplace, and publish? Why don't we have more respect for our own industry than that?

We need a guild.

Dennis Dumont

Sleepy (2, Funny)

mqduck (232646) | more than 6 years ago | (#21163729)

With enough null-bytes
Is that like how if you add up enough zeros you eventually get one?

No, I haven't the slightest clue what I'm talking about.