Sans had an interesting malware analysis this morning about a blob that appeared to be ascii text (gibberish) that was retrieved by a piece of malware. It turns out that the ascii text was a cleverly encoded exe file (windows executable or program file.) It took several iterations of their analysis to uncover the actual file. A followup referred to a study of “hiding” malware in various Microsoft Word supported formats and how successful (or unfortunately UNsuccessful) several antivirus programs tested were able to identify it. This was performed by running the files through virus total and the virus was the EICAR test pattern.
The pdf of this analysis is available here. Basically, only 2 Antivirus programs were able to detect the malware in all 7 file formats. (They used .doc .dot .doc (rtf) .xml .mht .rtf .zip (word document, document template, Word 97-200 and 6/95 rtf, xml, single web page, rich text format and web page (which bundles all files into a zip archive.)))
It looks as though Microsoft and McAfee antivirus products were the only ones to raise an alarm over the file encoded in all 7 formats. Norton and Clamav were members of the 2 of 7 club and AVG (common free antivirus) detected 0 of 7.
So, maybe this should throw down the gauntlet to antivirus scanners to be able to better parse the contents of various files.
Sunbelt blog has skewered the methodology of the above testing. Noting that the EICAR test signature is just a string of characters and nothing more. They even say antivirus programs SHOULDN’T detect this embedded in another file. They do say that this kind of testing is not entirely worthless, but should be done on real, live malware samples. (They note – that’s what VMWare is for…)
Also, on a somewhat related note, the security fix has a few musings on antivirus in wake of a scandal involving consumer reports inventing viruses to test antivirus scanners. in a way, the thinking makes sense – “I can’t test against KNOWN viruses, I need to test against new, unknown viruses…” Unfortunately, genies don’t always stay in the bottle, so that’s not a great idea for a number of other reasons.
He does not an idea that may have some promise – An idea that was presented at Defcon for a huge malware repository. The idea being that different AV vendors could submit their recent samples there, this would give others a chance to test their scanners against the new/emerging viruses. I don’t know how likely that is to happen, but it would seem to have some serious advantages. The biggest argument against is that it might make it easier for the “bad guys” to get at live working viruses, but realistically – they already have pretty easy access – maybe it’s time to give the “good guys” such easy access so that the playing field is level.
After the criticisms of the original “hiding malware inside document files” test which involved the EICAR test signature, Jan Monsch has redone his tests. SunbeltBlog has a summary and the pdf. Really, the results aren’t that much different from the original findings with the test signature. AVG bats 0 for 7 and Microsoft and McAfee do very well at 7 of 7 detected. This time the test was taken with the Netsky virus. Clamav scanning for a postfix mailserver only cauight 2 of 7 of the netsky virus files. So the conclusion is that viruses aren’t usually embedded within a traditional document format in this sense. Could we see more of that in the future? If OpenDocument became THE “one format to rule them all” would it be a common vector? I think most virus writers will tend to follow the path of least resistance to the greatest benefit. In other words if it’s easy to write a networkable worm that will infect LOT’s of PC’s, they’ll do it. If that means embedding a virus within a document and embed the name as something that people will reliably click on, then that will likely work too. There will always be some that will target more niche areas, usually with a personal or monetary motivation. It’s worth it to know what vectors are possible and it would be good if all of the antivirus programs could do a good inspection of any mail attachments contents.
Related PostsRelated Posts
- How to Remove Antivirus System Pro | Antivirus System Pro Removal Guide Last week I had the opportunity to remove Antivirus System Pro from not one, but two machines. Given that I was seeing it a bit more frequently I thought it might be a new rogue antivirus application, but I quickly found out that it's been out at least since June......
- How to Remove Eco Antivirus 2010 | Eco Antivirus 2010 Removal Guide Eco Antivirus 2010 is a slight twist (renaming) of the recent Eco Antivirus rogue that has made the rounds. These rogues pretend to be antivirus, or antispyware software, but in reality are not much more than a scam trying to squeeze money out of unsuspecting computer users. These rogue applications......
- Serious Symantec Antivirus Vulnerability A few things to catch up on this afternoon, but first up is a Serious vulnerability in Symantec Antivirus. (It's always serious when security software has a vulnerability.) The securityfix is reporting that a vulnerability has been discovered in the way Symantec deals with rar archived files. A specially made......
- Protecting Your Computer with Free Antivirus Software - A Good Deal ? If you're like many college students today, you depend on your computer for your education. Papers are planned, researched , and written with it. Group project assignments are broken down and delegated online. Without a computer, you'd probably have a hard time getting things done efficiently. Your computer is a valuable tool for......
- World Wide Web Security Essentials Is Not A Real Spyware Remover. It Resembles The Functions And Looks World wide web Security Essentials is not a real spyware remover. It resembles the functions and looks of genuine spyware removal software but has no capacity to eliminate any virus, trojan or malware. Web Security Essentials is the newest addition to the growing list of rogue Antivirus programs. Internet Security......
- 10 Easy Tips To Improve Computer Performance Many computer problems can be solved with free or low-cost products or just by using a few common sense tips to improve performance and keep your PC running for a long time.Computers often freeze or crash when one needs them the most; in the middle of an important presentation, a......
- Neat grep intro
- Cleaning up after WMF Exploit – summary
- OpenDocument format (ODF) versus Microsoft’s opening of MS XML
- New office suite release
- Good sarc monitoring tip