myITforum.com

Welcome to myITforum.com Sign in | Join | Help

Site Home

Home

Bloggers List

Blogs

Photos

Downloads

Harry Waldron at myITforum.com

Sharing Security Developments, and Best Practices for corporate and home users

An old IE Trick -- Script Obfuscation with null bytes between characters

This interesting finding could lead to malware possibly being bypassed when processing web pages containing underlying scripts embedded in the HTML.

A000n0000 0000O000l00d00 0I000E000 00T0r0000i0000c000k
http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/
http://it.slashdot.org/article.pl?sid=07/10/29/1747237

QUOTE: When I found a malicious script riddled with 0×00 bytes, SANS handler Bojan Zdrnja explained to me that this was an old trick. When rendering an HTML page, Internet Explorer will ignore all zero-bytes (bytes with value zero, 0×00). Malware authors use this to obscure their scripts. But this old trick still packs a punch.

When I remove all obscuring zero-bytes from this script, things get better: 25 out of 32 AV products detect it. But what happens when I add more zero-bytes to the script? Even more AV are fooled! Gradually adding more zero-bytes makes the detection ratio go down.

And at 254 zero-bytes between the individual characters of the script, McAfee VirusScan is the only AV to still detect this obscured script. One byte more (255 zero-bytes), and VirusScan doesn’t detect the script anymore. No AV on VirusTotal detects this malware obscured with 255 zero-bytes (or more). But for IE, this obscured HTML poses no problem, it still renders the page and executes the script.

myITforum.com

Harry Waldron at myITforum.com

An old IE Trick -- Script Obfuscation with null bytes between characters

Comments

This Blog

Syndication

Recent Posts

Archives