SANS had an interesting malware analysis this morning about a blob that appeared to be ASCII text (gibberish) and was retrieved by a piece of malware. It turns out that the ASCII text was a cleverly encoded .exe file (a Windows executable, or program file). It took several iterations of their analysis to uncover the actual file. A followup referred to a study of "hiding" malware in various Microsoft Word supported formats and how successfully (or, unfortunately, UNsuccessfully) several of the antivirus programs tested were able to identify it. This was performed by running the files through VirusTotal, and the "virus" was the EICAR test pattern.
The pdf of this analysis is available here. Basically, only 2 antivirus programs were able to detect the malware in all 7 file formats. The seven formats were:

- .doc (Word document)
- .dot (document template)
- .doc saved as Word 97-200 and 6/95 RTF
- .xml
- .mht (single web page)
- .rtf (rich text format)
- .zip (web page, which bundles all files into a zip archive)
It looks as though the Microsoft and McAfee antivirus products were the only ones to raise an alarm over the file encoded in all 7 formats. Norton and ClamAV were members of the 2 of 7 club, and AVG (a common free antivirus) detected 0 of 7.
So, maybe this should throw down the gauntlet to antivirus scanners to be able to better parse the contents of various files.
The Sunbelt blog has skewered the methodology of the above testing, noting that the EICAR test signature is just a string of characters and nothing more. They even say antivirus programs SHOULDN'T detect this embedded in another file. They do say that this kind of testing is not entirely worthless, but that it should be done on real, live malware samples. (They note that's what VMware is for...)
Also, on a somewhat related note, Security Fix has a few musings on antivirus in the wake of a scandal involving Consumer Reports inventing viruses to test antivirus scanners. In a way, the thinking makes sense: "I can't test against KNOWN viruses, I need to test against new, unknown viruses..." Unfortunately, genies don't always stay in the bottle, so that's not a great idea, for a number of other reasons as well.
He does note an idea that may have some promise, one that was presented at Defcon: a huge malware repository. The idea is that different AV vendors could submit their recent samples there, which would give others a chance to test their scanners against new and emerging viruses. I don't know how likely that is to happen, but it would seem to have some serious advantages. The biggest argument against it is that it might make it easier for the "bad guys" to get at live working viruses, but realistically they already have pretty easy access. Maybe it's time to give the "good guys" equally easy access so that the playing field is level.
After the criticisms of the original "hiding malware inside document files" test, which used the EICAR test signature, Jan Monsch has redone his tests. SunbeltBlog has a summary and the pdf. Really, the results aren't that much different from the original findings with the test signature: AVG bats 0 for 7, and Microsoft and McAfee do very well at 7 of 7 detected. This time the test was done with the Netsky virus. ClamAV scanning for a Postfix mail server only caught 2 of 7 of the Netsky virus files.

So the conclusion is that viruses aren't usually embedded within a traditional document format in this sense. Could we see more of that in the future? If OpenDocument became THE "one format to rule them all," would it be a common vector? I think most virus writers will tend to follow the path of least resistance to the greatest benefit. In other words, if it's easy to write a networkable worm that will infect lots of PCs, they'll do it. If that means embedding a virus within a document and giving it a name that people will reliably click on, then that will likely work too. There will always be some who target more niche areas, usually with a personal or monetary motivation. It's worth knowing what vectors are possible, and it would be good if all of the antivirus programs could do a thorough inspection of the contents of any mail attachment.
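To make concrete what "better parse the contents of various files" means for the zip and MHT formats in these tests, here is an added Python illustration (not code from the SANS write-up, the Sunbelt blog, or Jan Monsch's tests). It compares a naive scanner that only matches a signature against a file's raw bytes with one that first unwraps the containers it recognises (zip members, and base64-encoded MIME parts as used by .mht), then scans what it finds. The signature string, the file layouts and the helper names are all constructed for this example; a placeholder stands in for the EICAR string, since the point is container handling, not the signature itself.

```python
import base64
import io
import re
import zipfile

# Constructed placeholder; stands in for whatever signature the scanner
# is looking for (the tests on this page used EICAR, later Netsky).
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-DO-NOT-USE"

MAX_DEPTH = 4  # guard against deeply nested or recursive containers


def naive_scan(data: bytes) -> bool:
    """Match the signature only against the raw bytes of the file."""
    return TEST_SIGNATURE in data


def iter_embedded(data: bytes):
    """Yield the payloads that a recognised container wraps around the content."""
    # ZIP (the 'web page' bundle in the test; also OOXML/ODF): read each member,
    # which decompresses it, so the signature becomes visible again.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    yield zf.read(name)
        except zipfile.BadZipFile:
            pass
    # MIME / MHT ('single web page'): decode base64 bodies of each part.
    if b"Content-Transfer-Encoding: base64" in data:
        pattern = rb"Content-Transfer-Encoding: base64\r?\n\r?\n([A-Za-z0-9+/=\r\n]+)"
        for chunk in re.findall(pattern, data):
            try:
                yield base64.b64decode(chunk)
            except ValueError:
                pass


def recursive_scan(data: bytes, depth: int = 0) -> bool:
    """Scan the raw bytes, then descend into any container found, up to MAX_DEPTH."""
    if naive_scan(data):
        return True
    if depth >= MAX_DEPTH:
        return False
    return any(recursive_scan(inner, depth + 1) for inner in iter_embedded(data))


def build_zip(payload: bytes) -> bytes:
    """Constructed sample: a deflate-compressed zip holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.htm", payload)
    return buf.getvalue()


def build_mht(payload: bytes) -> bytes:
    """Constructed sample: a minimal MHT-style MIME file with a base64 part."""
    body = base64.encodebytes(payload)
    return (
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/related; boundary="b"\r\n\r\n'
        b"--b\r\nContent-Type: text/html\r\n"
        b"Content-Transfer-Encoding: base64\r\n\r\n" + body + b"\r\n--b--\r\n"
    )


def compare(payload: bytes) -> dict:
    """Return {format: (naive_hit, recursive_hit)} for several wrappings of payload."""
    samples = {
        "raw": payload,
        "zip": build_zip(payload),
        "mht": build_mht(payload),
        "zip-in-zip": build_zip(build_zip(payload)),
    }
    return {name: (naive_scan(d), recursive_scan(d)) for name, d in samples.items()}


if __name__ == "__main__":
    doc = b"<html><body>" + TEST_SIGNATURE + b"</body></html>"
    for fmt, (naive_hit, rec_hit) in compare(doc).items():
        print(f"{fmt:11s} naive={naive_hit!s:5s} recursive={rec_hit}")
```

Run as a script, it shows the raw file caught by both scanners, while the zip, the MHT and the zip nested in a zip are missed by the raw-byte match and caught only after unwrapping. Real products also have to handle RTF-embedded objects, OLE compound files and the many encodings a mail gateway sees, which is exactly the gap the 2 of 7 results point at; the depth limit is the usual defence against archives crafted to exhaust a recursive scanner.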