Zero Byte scripts are still fooling today’s signature-based malware detection software, according to behavioural analysis IT security software vendor Tier-3.
The company is warning IT administrators to be aware of a rework of the old malware disguising technique of adding zero byte entries to scripts that still get round most of these anti-virus and anti-malware tools.
“The code ‘obfuscation’ technique first appeared more than a decade ago as malware writers attempted to hide their scripts from Windows 98 anti-virus software,” explains Geoff Sweeney, Tier-3’s CTO. “By adding zero byte entries to the first 32 characters of a script, the malware could escape the attentions of most of the signature-based detection software of the mid-1990s.
“Now it appears that malware authors have stumbled on the fact that many of today’s 32 and 64-bit IT security software still limit their signature analyses to the first 256 or 512 bytes of a script. If a script is padded out with a lengthy string of zero byte entries, then it follows that a modern script can pass unnoticed and wreak havoc on a Windows-driven computer system,” he says.
“Questions need to be asked as to why some AV products and Internet browsers are still susceptible to this type of obfuscation technique. Some initial thoughts have centred around the fact that it may be to do with catering for the lowest common denominator in terms of client hardware or an indication of performance issues more generally. The performance degrading relationship between higher bandwidth speeds and larger signature databases is a well known problem to the industry”, he adds.
Sweeney does not claim credit for finding this rework of an old technique. “The industry’s thanks must go to Didier Stevens, a Belgian IT security expert with more than a quarter of a century’s experience in the industry. He recently identified the problem in his blog,” he says.
“Thankfully for today’s computer users, Stevens’ analysis suggests that, without the zero byte padding, 25 out of 32 IT security applications could easily detect his malware script. As more padding is added to the script, however, the detection rate went down. And at 254 zero-bytes between the individual characters of the script, only one AV was still able to detect the obscured script, while at 255 none detected it.”
According to the Tier-3 CTO, Stevens’ analysis is a clear indication that a single vector protection approach to IT security can no longer be relied on to protect a company’s computer resources. “In many ways, we knew the writing was on the wall for conventional IT security software back in the mid-1990s, but IT security software vendors developed more advanced techniques to detect malware, often by extending the signature detection envelope to include heuristic analyses,” he explains.
Sweeney says companies need to move on up to multi-vector detection software, preferably including real time behavioural analysis technology as a safety net to detect unknown, as well as less conventional known, threats.
“Behavioural analysis software is an ideal way of augmenting a company’s existing IT security protection. Because it protects against unknown threats by, for example, in this case looking at the behavioural characteristics of the interaction between the browser and the attacker, it is effectively future-proofed against new generations of malware and IT security threats,” he says.