Re: Bad AV, No Biscuit

[Drsolly <drsollyp () drsolly com>]

On Mon, 29 Oct 2007, Dude VanWinkle wrote:

> Wow, just wow..
>
> from: http://www.beskerming.com/commentary/2007/10/29/296/When_AntiVirus_Products_(and_Internet_Explorer)_Fail_you
> http://tinyurl.com/28vtzh
>
> When Didier Stevens recently took a closer look at some Internet
> Explorer malware that he had found, something surprised him somwehat.
> He discovered that the IE-targeted malware had been obfuscated with
> null-bytes (0x00) and when run against VirusTotal, he found that fewer
> than half of the products identified the sample as malware (15 of 32).
> When all null-bytes were removed, the chances of successful detection
> improved, though not as much as would normally be expected (25 of 32
> detections).
>
> When Didier tried adding more null-bytes to the sample he found that
> the number of successful detections decreased steadily until, with 254
> 0x00 bytes between each character, McAfee was the last one standing.
 
<big grin>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.