When antivirus products (and Internet Explorer) fail you


When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something about it surprised him.

He discovered that the IE-targeted malware had been obfuscated with null-bytes (0x00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as malware (15 of 32). When all null-bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).

When Didier tried adding more null-bytes to the sample, he found that the number of successful detections decreased steadily until, with 254 null bytes (0x00) between each character, McAfee was the last one standing.

When antivirus products (and Internet Explorer) fail you | Channel Register
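The obfuscation described above works against scanners that match signatures on the raw bytes. The following added example (not code from the post or from Didier Stevens) shows the defender-side counterpart: measure how much of a sample is null-byte padding, strip it, and only then run signature matching. The signature strings and the script snippet are constructed for the example.

```python
# Added example: normalise null-byte-padded script samples before signature matching.
# The signatures below are constructed stand-ins, not real AV signatures.
SIGNATURES = [b"document.write(unescape(", b"ActiveXObject("]


def null_ratio(data: bytes) -> float:
    """Fraction of the sample that is 0x00 bytes (0.0 for an empty sample)."""
    if not data:
        return 0.0
    return data.count(0) / len(data)


def strip_nulls(data: bytes) -> bytes:
    """Remove every 0x00 byte so interleaved padding no longer breaks up tokens."""
    return data.replace(b"\x00", b"")


def interleave_nulls(data: bytes, count: int) -> bytes:
    """Constructed helper that reproduces the padding pattern from the post:
    `count` null bytes inserted after every original byte."""
    return b"".join(bytes([b]) + b"\x00" * count for b in data)


def scan(data: bytes, normalize: bool = True) -> dict:
    """Signature-match a sample, optionally after stripping null bytes.

    Returns the null ratio of the raw input, the matched signatures, and a
    flag for padding heavy enough to be suspicious on its own (more than half
    of the bytes are 0x00, which no sane plain-text script has)."""
    ratio = null_ratio(data)
    sample = strip_nulls(data) if normalize else data
    hits = [sig.decode() for sig in SIGNATURES if sig in sample]
    return {
        "null_ratio": round(ratio, 4),
        "hits": hits,
        "suspicious_padding": ratio > 0.5,
    }


if __name__ == "__main__":
    raw = b'<script>document.write(unescape("%3Cp%3E"));</script>'  # constructed
    for count in (0, 1, 16, 254):
        padded = interleave_nulls(raw, count)
        print(count, scan(padded, normalize=False)["hits"], scan(padded)["hits"])
```

Stripping nulls is deliberately applied only to the scanning copy: legitimate UTF-16 content also contains 0x00 bytes, so a real normaliser should try a UTF-16 decode first and treat leftover nulls as padding.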

Linked by shanmuga Friday, 2nd November 2007 11:15PM