Hiding malware may evade antivirus
Sans had an interesting malware analysis this morning about a blob that appeared to be ascii text (gibberish) that was retrieved by a piece of malware. It turns out that the ascii text was a cleverly encoded exe file (windows executable or program file.) It took several iterations of their analysis to uncover the actual file. A followup referred to a study of “hiding” malware in various Microsoft Word supported formats and how successful (or unfortunately UNsuccessful) several antivirus programs tested were able to identify it. This was performed by running the files through virus total and the virus was the EICAR test pattern.
The pdf of this analysis is available here. Basically, only 2 Antivirus programs were able to detect the malware in all 7 file formats. (They used .doc .dot .doc (rtf) .xml .mht .rtf .zip (word document, document template, Word 97-200 and 6/95 rtf, xml, single web page, rich text format and web page (which bundles all files into a zip archive.)))
It looks as though Microsoft and McAfee antivirus products were the only ones to raise an alarm over the file encoded in all 7 formats. Norton and Clamav were members of the 2 of 7 club and AVG (common free antivirus) detected 0 of 7.
So, maybe this should throw down the gauntlet to antivirus scanners to be able to better parse the contents of various files.
–Update 8/30/06–
Sunbelt blog has skewered the methodology of the above testing. Noting that the EICAR test signature is just a string of characters and nothing more. They even say antivirus programs SHOULDN’T detect this embedded in another file. They do say that this kind of testing is not entirely worthless, but should be done on real, live malware samples. (They note – that’s what VMWare is for…)
Also, on a somewhat related note, the security fix has a few musings on antivirus in wake of a scandal involving consumer reports inventing viruses to test antivirus scanners. in a way, the thinking makes sense – “I can’t test against KNOWN viruses, I need to test against new, unknown viruses…” Unfortunately, genies don’t always stay in the bottle, so that’s not a great idea for a number of other reasons.
He does not an idea that may have some promise – An idea that was presented at Defcon for a huge malware repository. The idea being that different AV vendors could submit their recent samples there, this would give others a chance to test their scanners against the new/emerging viruses. I don’t know how likely that is to happen, but it would seem to have some serious advantages. The biggest argument against is that it might make it easier for the “bad guys” to get at live working viruses, but realistically – they already have pretty easy access – maybe it’s time to give the “good guys” such easy access so that the playing field is level.
–Update 9/5/06–
After the criticisms of the original “hiding malware inside document files” test which involved the EICAR test signature, Jan Monsch has redone his tests. SunbeltBlog has a summary and the pdf. Really, the results aren’t that much different from the original findings with the test signature. AVG bats 0 for 7 and Microsoft and McAfee do very well at 7 of 7 detected. This time the test was taken with the Netsky virus. Clamav scanning for a postfix mailserver only cauight 2 of 7 of the netsky virus files. So the conclusion is that viruses aren’t usually embedded within a traditional document format in this sense. Could we see more of that in the future? If OpenDocument became THE “one format to rule them all” would it be a common vector? I think most virus writers will tend to follow the path of least resistance to the greatest benefit. In other words if it’s easy to write a networkable worm that will infect LOT’s of PC’s, they’ll do it. If that means embedding a virus within a document and embed the name as something that people will reliably click on, then that will likely work too. There will always be some that will target more niche areas, usually with a personal or monetary motivation. It’s worth it to know what vectors are possible and it would be good if all of the antivirus programs could do a good inspection of any mail attachments contents.