Sans had an interesting malware analysis this morning about a blob that appeared to be ascii text (gibberish) that was retrieved by a piece of malware. It turns out that the ascii text was a cleverly encoded exe file (windows executable or program file.) It took several iterations of their analysis to uncover the actual file. A followup referred to a study of “hiding” malware in various Microsoft Word supported formats and how successful (or unfortunately UNsuccessful) several antivirus programs tested were able to identify it. This was performed by running the files through virus total and the virus was the EICAR test pattern.
The pdf of this analysis is available here. Basically, only 2 Antivirus programs were able to detect the malware in all 7 file formats. (They used .doc .dot .doc (rtf) .xml .mht .rtf .zip (word document, document template, Word 97-200 and 6/95 rtf, xml, single web page, rich text format and web page (which bundles all files into a zip archive.)))
It looks as though Microsoft and McAfee antivirus products were the only ones to raise an alarm over the file encoded in all 7 formats. Norton and Clamav were members of the 2 of 7 club and AVG (common free antivirus) detected 0 of 7.
So, maybe this should throw down the gauntlet to antivirus scanners to be able to better parse the contents of various files.
Sunbelt blog has skewered the methodology of the above testing. Noting that the EICAR test signature is just a string of characters and nothing more. They even say antivirus programs SHOULDN’T detect this embedded in another file. They do say that this kind of testing is not entirely worthless, but should be done on real, live malware samples. (They note – that’s what VMWare is for…)
Also, on a somewhat related note, the security fix has a few musings on antivirus in wake of a scandal involving consumer reports inventing viruses to test antivirus scanners. in a way, the thinking makes sense – “I can’t test against KNOWN viruses, I need to test against new, unknown viruses…” Unfortunately, genies don’t always stay in the bottle, so that’s not a great idea for a number of other reasons.
He does not an idea that may have some promise – An idea that was presented at Defcon for a huge malware repository. The idea being that different AV vendors could submit their recent samples there, this would give others a chance to test their scanners against the new/emerging viruses. I don’t know how likely that is to happen, but it would seem to have some serious advantages. The biggest argument against is that it might make it easier for the “bad guys” to get at live working viruses, but realistically – they already have pretty easy access – maybe it’s time to give the “good guys” such easy access so that the playing field is level.
After the criticisms of the original “hiding malware inside document files” test which involved the EICAR test signature, Jan Monsch has redone his tests. SunbeltBlog has a summary and the pdf. Really, the results aren’t that much different from the original findings with the test signature. AVG bats 0 for 7 and Microsoft and McAfee do very well at 7 of 7 detected. This time the test was taken with the Netsky virus. Clamav scanning for a postfix mailserver only cauight 2 of 7 of the netsky virus files. So the conclusion is that viruses aren’t usually embedded within a traditional document format in this sense. Could we see more of that in the future? If OpenDocument became THE “one format to rule them all” would it be a common vector? I think most virus writers will tend to follow the path of least resistance to the greatest benefit. In other words if it’s easy to write a networkable worm that will infect LOT’s of PC’s, they’ll do it. If that means embedding a virus within a document and embed the name as something that people will reliably click on, then that will likely work too. There will always be some that will target more niche areas, usually with a personal or monetary motivation. It’s worth it to know what vectors are possible and it would be good if all of the antivirus programs could do a good inspection of any mail attachments contents.
Related PostsRelated Posts
- Nyxem.E virus delete files payload F-secure has some details on a dangerous payload for the Nyxem.E virus. (The Nyxem.E virus is very similar to the Email-Worm.Win32.VB.bi that was talked about earlier in the week.) In fact, this virus seems to be spreading fairly well (not the blockbuster spread of older email viruses, but it is......
- How to Remove Antivirus System Pro | Antivirus System Pro Removal Guide Last week I had the opportunity to remove Antivirus System Pro from not one, but two machines. Given that I was seeing it a bit more frequently I thought it might be a new rogue antivirus application, but I quickly found out that it's been out at least since June......
- How to Remove Antivirus 360 This should not be confused with Norton 360 which is a legitimate antivirus program (although if you need help removing Norton 360 to reinstall it or another antivirus program you may want to visit my antivirus removal tool list.) What we are talking about this time is a rogue security......
- Filing Tips for the Last Minute Filer [The following guest blog post was provided by Manuel Davis, a tax accountant at Back Taxes Help, who has helped thousdands of taxpayers file IRS back taxes and setup IRS Payment Plans.] In the remaining few days before the 2009 income tax deadline, millions of taxpayers will be rushing to......
- How to Get Help Preparing & Filing Your 2010 Income Taxes - for Free! The process of filing annual income taxes is overwhelming enough without having to worry about costly tax preparation fees and frequently changing IRS guidelines. If denial and procrastination are your coping mechanisms of choice, please be aware that filing taxes late or not at all can be far more expensive......
- World Wide Web Security Essentials Is Not A Real Spyware Remover. It Resembles The Functions And Looks World wide web Security Essentials is not a real spyware remover. It resembles the functions and looks of genuine spyware removal software but has no capacity to eliminate any virus, trojan or malware. Web Security Essentials is the newest addition to the growing list of rogue Antivirus programs. Internet Security......
- Neat grep intro
- Cleaning up after WMF Exploit – summary
- OpenDocument format (ODF) versus Microsoft’s opening of MS XML
- New office suite release
- Good sarc monitoring tip