funsec mailing list archives
Bad AV, No Biscuit
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 29 Oct 2007 20:23:08 -0400
Wow, just wow.. from:

http://www.beskerming.com/commentary/2007/10/29/296/When_AntiVirus_Products_(and_Internet_Explorer)_Fail_you
http://tinyurl.com/28vtzh

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somewhat. He discovered that the IE-targeted malware had been obfuscated with null-bytes (0x00) and when run against VirusTotal, he found that fewer than half of the products identified the sample as malware (15 of 32). When all null-bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).

When Didier tried adding more null-bytes to the sample he found that the number of successful detections decreased steadily until, with 254 0x00 bytes between each character, McAfee was the last one standing.

----------------------------

Original blog:
http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/
http://tinyurl.com/3e2g95

------------------------------

wow.. McAfee? Really? wow...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
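The experiment quoted above (insert N null bytes between every character of the sample, re-scan, watch detections fall off) is easy to reproduce against toy signature matchers, which also shows why the fall-off is gradual rather than all-or-nothing. The script below is an added example written for this archive; it is not Didier Stevens' code, not anything from VirusTotal, and does not model how Internet Explorer itself parses the padded script. The SAMPLE bytes, the SIGNATURE substring and the four scanner "tolerance" settings are all constructed assumptions: a plain substring matcher dies at the first null, a matcher that allows up to k nulls between signature bytes dies at k+1, and a scanner that strips 0x00 before matching never loses the sample.

```python
import re

# Constructed sample: a harmless script fragment standing in for the
# IE-targeted malware discussed in the post, plus a constructed substring
# "signature" for it. Neither is a real malware sample or a real AV signature.
SAMPLE = b'<script>var p="constructed sample";document.write(p)</script>'
SIGNATURE = b'document.write('


def pad_with_nulls(data: bytes, n: int) -> bytes:
    """Insert n 0x00 bytes between every pair of adjacent bytes of data.

    n = 0 returns the input unchanged; n = 254 reproduces the most
    heavily padded variant mentioned in the post.
    """
    if n <= 0:
        return bytes(data)
    gap = b"\x00" * n
    return gap.join(bytes([b]) for b in data)


def strip_nulls(data: bytes) -> bytes:
    """Normalisation step: drop every 0x00 before signature matching."""
    return data.replace(b"\x00", b"")


def exact_match(data: bytes, sig: bytes) -> bool:
    """Plain substring signature; breaks as soon as one null is inserted."""
    return sig in data


def gap_tolerant_match(data: bytes, sig: bytes, max_gap: int) -> bool:
    """Signature that allows up to max_gap nulls between consecutive
    signature bytes. This models (as an assumption, not any vendor's real
    logic) an engine that tolerates a bounded amount of padding."""
    filler = b"\\x00{0,%d}" % max_gap
    pattern = filler.join(re.escape(bytes([b])) for b in sig)
    return re.search(pattern, data, re.DOTALL) is not None


def strip_then_match(data: bytes, sig: bytes) -> bool:
    """Normalise the nulls away first, then do the cheap exact match."""
    return exact_match(strip_nulls(data), sig)


# Hypothetical scanner population (name -> matcher). The tolerance values
# are made up to illustrate why detections could fall off "steadily"
# rather than all at once as the null count grows.
SCANNERS = {
    "exact-substring": lambda d: exact_match(d, SIGNATURE),
    "tolerates-8-nulls": lambda d: gap_tolerant_match(d, SIGNATURE, 8),
    "tolerates-64-nulls": lambda d: gap_tolerant_match(d, SIGNATURE, 64),
    "strips-nulls-first": lambda d: strip_then_match(d, SIGNATURE),
}


def detections(sample: bytes, n_nulls: int) -> list:
    """Names of the scanners that still flag sample after padding with n nulls."""
    padded = pad_with_nulls(sample, n_nulls)
    return [name for name, match in SCANNERS.items() if match(padded)]


def detection_curve(sample: bytes, pads=(0, 1, 8, 9, 64, 65, 254)) -> dict:
    """Map each padding level to the number of scanners that detect it."""
    return {n: len(detections(sample, n)) for n in pads}


if __name__ == "__main__":
    for n, hits in detection_curve(SAMPLE).items():
        print(f"{n:3d} nulls between characters: {hits}/{len(SCANNERS)} detect")
```

Running it prints the curve: all four toy scanners hit the unpadded sample, the substring matcher drops out at one null, the two bounded-gap matchers drop out at 9 and 65 nulls, and only the scanner that normalises away 0x00 before matching survives 254 nulls. The practitioner point is the last line: whatever the real engines in the post were doing, a signature that matches on the bytes the target interpreter actually consumes (here, the sample with the nulls stripped) is not affected by how many nulls the attacker adds.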
Current thread:
- Bad AV, No Biscuit Dude VanWinkle (Oct 29)
- RE: Bad AV, No Biscuit David Harley (Oct 30)
- Re: Bad AV, No Biscuit Dude VanWinkle (Oct 30)
- RE: Bad AV, No Biscuit David Harley (Oct 30)
- Re: Bad AV, No Biscuit Dude VanWinkle (Oct 30)
- Re: Bad AV, No Biscuit Dude VanWinkle (Oct 30)
- RE: Bad AV, No Biscuit David Harley (Oct 30)
- Re: Bad AV, No Biscuit Drsolly (Oct 30)