Hiding malware may evade antivirus



SANS had an interesting malware analysis this morning about a blob that appeared to be ASCII text (gibberish) retrieved by a piece of malware. It turned out that the ASCII text was a cleverly encoded .exe file (a Windows executable or program file); it took several iterations of their analysis to uncover the actual file. A followup referred to a study of “hiding” malware in various Microsoft Word supported formats and how successfully (or, unfortunately, UNsuccessfully) several antivirus programs tested were able to identify it. This was performed by running the files through VirusTotal, and the “virus” was the EICAR test pattern.


The pdf of this analysis is available here. Basically, only 2 antivirus programs were able to detect the malware in all 7 file formats. (They used .doc, .dot, .doc (RTF), .xml, .mht, .rtf and .zip: Word document, document template, Word 97-2000 and 6/95 RTF, XML, single web page, rich text format, and web page, which bundles all files into a zip archive.)

It looks as though the Microsoft and McAfee antivirus products were the only ones to raise an alarm over the file encoded in all 7 formats. Norton and ClamAV were members of the 2-of-7 club, and AVG (a common free antivirus) detected 0 of 7.

So maybe this should throw down the gauntlet to antivirus scanners to better parse the contents of the various file formats they are handed.
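To make that gauntlet concrete, here is an added example (written for this post, not code from the SANS analysis or the Monsch study): a raw byte-signature scanner beside one that unwraps each container it recognizes and rescans the decoded layer, scored the same “n of N” way, using the public EICAR test string as the marker. The three wrappers (as_rtf, as_mht, as_zip) are simplified stand-ins I constructed for the RTF, single-web-page and zipped formats in the test, not Word’s actual output, and the scanner and helper names are my own.

```python
import base64
import io
import re
import zipfile

# Public EICAR test string, the same benign marker the first round of the test used.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*".encode()

def as_rtf(payload: bytes) -> bytes:
    """Constructed stand-in: RTF stores embedded object bytes as hex inside an \\objdata group."""
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + payload.hex().encode() + b"}}}"

def as_mht(payload: bytes) -> bytes:
    """Constructed stand-in: MHT (single web page) carries parts as base64 MIME sections."""
    return (b'MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary="B"\r\n\r\n'
            b"--B\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.encodebytes(payload) + b"--B--\r\n")

def as_zip(payload: bytes) -> bytes:
    """Constructed stand-in: the web-page format bundles files into a zip; deflate hides the bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("payload.exe", payload)
    return buf.getvalue()

SAMPLES = {"rtf": as_rtf(EICAR), "mht": as_mht(EICAR), "zip": as_zip(EICAR)}

def naive_scan(data: bytes) -> bool:
    """Raw byte-signature match only: a scanner that never parses containers."""
    return EICAR in data

def container_aware_scan(data: bytes, depth: int = 0) -> bool:
    """Decode each known wrapper (zip entry, base64 MIME part, RTF hex) and rescan the result."""
    if naive_scan(data) or depth >= 3:   # direct hit, or nesting limit reached
        return naive_scan(data)
    layers = []
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            layers.extend(z.read(name) for name in z.namelist())
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", data):
        layers.append(bytes.fromhex(m.group(1).decode("ascii")))
    for m in re.finditer(rb"Content-Transfer-Encoding: base64\r\n\r\n([A-Za-z0-9+/=\r\n]+)", data):
        layers.append(base64.b64decode(m.group(1)))
    return any(container_aware_scan(layer, depth + 1) for layer in layers)

def detections(scanner) -> int:
    """Score a scanner the way the post does: how many of the wrapped samples it flags."""
    return sum(scanner(blob) for blob in SAMPLES.values())
```

With these samples the naive scanner scores 0 of 3 and the container-aware one 3 of 3, including a zip that itself holds an MHT; the point is the decoding layer, not the signature.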

–Update 8/30/06–

The Sunbelt blog has skewered the methodology of the above testing, noting that the EICAR test signature is just a string of characters and nothing more. They even say antivirus programs SHOULDN’T detect it embedded in another file. They do say that this kind of testing is not entirely worthless, but that it should be done on real, live malware samples. (They note: that’s what VMware is for…)

Also, on a somewhat related note, Security Fix has a few musings on antivirus in the wake of a scandal involving Consumer Reports inventing viruses to test antivirus scanners. In a way, the thinking makes sense: “I can’t test against KNOWN viruses, I need to test against new, unknown viruses…” Unfortunately, genies don’t always stay in the bottle, so that’s not a great idea for a number of other reasons.

He does note an idea that may have some promise: an idea presented at Defcon for a huge malware repository. Different AV vendors could submit their recent samples there, which would give others a chance to test their scanners against new and emerging viruses. I don’t know how likely that is to happen, but it would seem to have some serious advantages. The biggest argument against is that it might make it easier for the “bad guys” to get at live working viruses, but realistically they already have pretty easy access; maybe it’s time to give the “good guys” the same easy access so that the playing field is level.

–Update 9/5/06–

After the criticisms of the original “hiding malware inside document files” test, which used the EICAR test signature, Jan Monsch has redone his tests. SunbeltBlog has a summary and the pdf. Really, the results aren’t that much different from the original findings with the test signature: AVG bats 0 for 7, and Microsoft and McAfee do very well at 7 of 7 detected. This time the test was done with the Netsky virus. ClamAV scanning for a Postfix mail server only caught 2 of 7 of the Netsky virus files.

So the conclusion is that viruses aren’t usually embedded within a traditional document format in this sense. Could we see more of that in the future? If OpenDocument became THE “one format to rule them all,” would it be a common vector? I think most virus writers will tend to follow the path of least resistance to the greatest benefit. In other words, if it’s easy to write a networkable worm that will infect lots of PCs, they’ll do it. If that means embedding a virus within a document and giving it a name that people will reliably click on, then that will likely work too. There will always be some that target more niche areas, usually with a personal or monetary motivation. It’s worth knowing what vectors are possible, and it would be good if all of the antivirus programs could do a thorough inspection of any mail attachment’s contents.
