funsec mailing list archives

Bad AV, No Biscuit


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 29 Oct 2007 20:23:08 -0400

Wow, just wow..

from: http://www.beskerming.com/commentary/2007/10/29/296/When_AntiVirus_Products_(and_Internet_Explorer)_Fail_you
http://tinyurl.com/28vtzh

When Didier Stevens recently took a closer look at some Internet
Explorer malware that he had found, something surprised him somewhat.
He discovered that the IE-targeted malware had been obfuscated with
null-bytes (0x00) and when run against VirusTotal, he found that fewer
than half of the products identified the sample as malware (15 of 32).
When all null-bytes were removed, the chances of successful detection
improved, though not as much as would normally be expected (25 of 32
detections).

When Didier tried adding more null-bytes to the sample he found that
the number of successful detections decreased steadily until, with 254
0x00 bytes between each character, McAfee was the last one standing.

----------------------------

Original blog: http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/
http://tinyurl.com/3e2g95

------------------------------

wow.. McAfee? Really? wow...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
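As an added, defender-side example (not from the post, from the beskerming.com commentary, or from Didier Stevens' blog): a constructed benign HTML fragment containing a fixed signature string, a byte-exact matcher that stops matching once 0x00 bytes are interleaved between characters as the post describes, and the two checks a scanner needs to close that gap: normalizing away NUL bytes before matching (so the scanner sees what IE's parser sees) and flagging abnormal NUL density in text content. The signature string, the sample and the `count` parameter of `pad_with_nulls` are assumptions used only to build the test fixture.

```python
# Constructed, benign stand-in for a script fragment a signature might key on.
# Not real malware; it exists only to show the detection gap and its fix.
SIGNATURE = b"document.write(unescape("


def pad_with_nulls(data: bytes, count: int) -> bytes:
    """Build the test fixture: interleave `count` 0x00 bytes after every byte,
    the layout the post describes (254 nulls between each character)."""
    return b"".join(bytes([b]) + b"\x00" * count for b in data)


def naive_match(sample: bytes) -> bool:
    """Byte-exact substring match, the way a simple scanner behaves."""
    return SIGNATURE in sample


def normalize_html(sample: bytes) -> bytes:
    """Strip NUL bytes before matching. IE ignored them inside markup and
    script, so a scanner must match on the same byte stream the parser runs."""
    return sample.replace(b"\x00", b"")


def null_ratio(sample: bytes) -> float:
    """Fraction of 0x00 bytes; legitimate HTML/script content is near zero."""
    return sample.count(0) / len(sample) if sample else 0.0


def scan(sample: bytes, null_threshold: float = 0.05) -> dict:
    """Defender-side check: match on normalized bytes, and independently flag
    NUL density that no real text document should have."""
    ratio = null_ratio(sample)
    return {
        "naive_match": naive_match(sample),
        "normalized_match": SIGNATURE in normalize_html(sample),
        "null_ratio": round(ratio, 4),
        "suspicious_nulls": ratio > null_threshold,
    }


if __name__ == "__main__":
    clean = b"<script>" + SIGNATURE + b"'%3Cx%3E'))</script>"
    print("clean :", scan(clean))
    print("padded:", scan(pad_with_nulls(clean, 254)))
```

Run stand-alone it prints both verdicts: the padded sample defeats the naive match but is caught by both the normalized match and the NUL-density check.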