Malicious Scripts with Zero-byte Padding can Pass Undetected
Security experts warn that cyber criminals could cause serious trouble for defenders by reviving a decade-old technique: disguising malware by padding malicious scripts with zero bytes.
Didier Stevens, a Belgian IT security expert, reported that in his test 25 of 32 anti-virus engines detected the malicious script when it contained no zero bytes, Vnunet reported on October 31, 2007.
Once zero bytes were inserted into the script, however, the detection rate dropped: with 254 zero bytes placed between each of the script's characters, fewer engines flagged the file.
Code obfuscation of this kind first appeared about ten years ago, when malware authors tried to hide their code from anti-virus software written for Windows 98, said Geoff Sweeney, Chief Technology Officer of Tier-3, according to the same Vnunet report of October 31, 2007.
The situation calls for companies to deploy detection on as many vectors as possible, preferring technology that analyses activity in real time, because behaviour-based detection is better placed to catch unconventional and previously unknown threats than file signatures alone.
Tier-3 says IT administrators need to be aware of this twist on the traditional technique of disguising malware: padding a script with zero bytes still lets it bypass most anti-virus and anti-malware tools.
Around 2005, Heise Security carried out similar tests on working exploit code and found that none of the anti-virus products tested detected the exploits.
The report therefore suggests that a number of anti-virus tools still fail to recognise malicious scripts that contain zero-byte padding. By inserting zero bytes among the script's first 32 characters, the malicious code could pass signature-based anti-malware software undetected. The padding works against engines that match signatures on the raw file bytes: the script host still runs the script, but the contiguous byte pattern a signature expects is no longer present in the file, so a scanner that does not strip or decode the padding before matching sees nothing it recognises.
Because a script padded with zero bytes can still run, it can slip under the detection radar and potentially compromise a computer running Windows.
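To make the mechanism concrete, the following is an added example written for this page; it is not code from the article, from Tier-3 or from Didier Stevens' test. It pads a script with zero bytes the way the article describes (254 after every character), shows that a naive raw-byte substring signature no longer matches, and then shows the check a scanner needs: normalising the zero bytes away before matching. The VBScript-style text, the signature name and the assumption that the script host ignores the inserted NULs are all constructed for the demonstration.

```python
# Added example (not from the article or from Didier Stevens' test): how
# zero-byte padding defeats a naive byte-signature scanner, and the
# normalisation check that restores detection. The script text and the
# signature below are constructed for this demonstration.

NUL = b"\x00"

# A harmless, constructed VBScript-style snippet standing in for a malicious script.
SAMPLE_SCRIPT = (
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'WScript.Echo "padding test"\r\n'
)

# A constructed signature: the raw-byte substring a simple engine would look for.
SIGNATURES = {
    "demo.vbs.wscript-shell": b'CreateObject("WScript.Shell")',
}


def pad_with_nulls(script: bytes, count: int) -> bytes:
    """Insert `count` zero bytes after every byte of `script`.

    With count=254 this matches the padding described in the article:
    254 zero bytes between each pair of the script's characters."""
    if count < 0:
        raise ValueError("count must be non-negative")
    return b"".join(bytes([c]) + NUL * count for c in script)


def naive_signature_match(data: bytes, signatures: dict) -> list:
    """Simplistic signature scanner: exact byte-substring search on the raw file."""
    return [name for name, sig in signatures.items() if sig in data]


def normalize(data: bytes) -> bytes:
    """Remove NUL bytes before scanning, so padding cannot split a signature.

    Assumption (constructed for this example): the script host ignores the
    inserted NULs, so stripping them yields the text that actually executes.
    A real engine must normalise the file the same way each interpreter it
    protects does (UTF-16 decoding, comment stripping and so on)."""
    return data.replace(NUL, b"")


def normalized_signature_match(data: bytes, signatures: dict) -> list:
    """Scanner that normalises first; unaffected by zero-byte padding."""
    return naive_signature_match(normalize(data), signatures)


def demo() -> dict:
    """Run both scanners against the clean and the padded script."""
    padded = pad_with_nulls(SAMPLE_SCRIPT, 254)
    return {
        "clean_naive": naive_signature_match(SAMPLE_SCRIPT, SIGNATURES),
        "padded_naive": naive_signature_match(padded, SIGNATURES),
        "padded_normalized": normalized_signature_match(padded, SIGNATURES),
        "padded_size": len(padded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The padded file is 255 times the size of the original, yet the naive scanner reports nothing, while the normalising scanner finds the same signature it found in the clean file. The design point is that detection has to see the bytes the interpreter will execute, not the bytes as they sit on disk; stripping NULs is only one such normalisation and covers only this particular trick.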
» SPAMfighter News - 20-11-2007