Zero byte scripts still fooling today's software.
Tier-3 has warned companies to be aware of a rework of an old
malware-disguising technique: adding zero byte entries to scripts, which
can still be used to fool most signature-based anti-virus and
anti-malware software.
"The code 'obfuscation' technique first appeared
more than a decade ago as malware writers attempted to hide their
scripts from Windows 98 anti-virus software. By adding zero byte entries
to the first 32 characters of a script, the malware could escape the
attentions of most of the signature-based detection software of the
mid-1990s," said Tier-3. "Now it appears that malware authors
have stumbled on the fact that many of today's 32- and 64-bit IT
security software still limit their signature analyses to the first 256
or 512 bytes of a script. If a script is padded out with a lengthy
string of zero byte entries, then it follows that a modern script can
pass unnoticed and wreak havoc on a Windows-driven computer
system," he added.
www.tier3.com
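
The following Python sketch is an added example, not code from the article or from Tier-3. It shows from the defender's side why a scan limited to the first 512 bytes misses content behind zero-byte padding, and how flagging long NUL runs and matching on NUL-stripped content closes the gap. The signature string, the 16-byte run threshold and the sample inputs are constructed assumptions.

```python
import re

SCAN_WINDOW = 512                        # article cites 256 or 512 bytes
SIGNATURE = b"EXAMPLE-SIGNATURE-MARKER"  # hypothetical, harmless marker
MIN_NUL_RUN = 16                         # assumed threshold for "padding"


def windowed_match(data, window=SCAN_WINDOW):
    """Scanner behaviour described in the article: inspect only the head."""
    return SIGNATURE in data[:window]


def nul_runs(data, min_run=MIN_NUL_RUN):
    """Return (offset, length) for every run of at least min_run NUL bytes."""
    pattern = re.compile(b"\\x00{%d,}" % min_run)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(data)]


def normalized_match(data):
    """Match over the whole file after removing NUL bytes.

    Removing NULs also collapses UTF-16 encoded ASCII text to plain ASCII,
    so one pass covers both padded and UTF-16 scripts.
    """
    return SIGNATURE in data.replace(b"\x00", b"")


def scan(data):
    """Combine the checks; long NUL runs in a text script are suspicious."""
    runs = nul_runs(data)
    return {
        "windowed_hit": windowed_match(data),
        "normalized_hit": normalized_match(data),
        "nul_runs": runs,
        "suspicious": bool(runs),
    }


# Constructed sample inputs (not real malware, not from the article).
PREFIX = b"' sample script\r\n"
PLAIN = PREFIX + SIGNATURE
PADDED = PREFIX + b"\x00" * 600 + SIGNATURE
UTF16 = (PREFIX + SIGNATURE).decode("ascii").encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("padded", PADDED), ("utf16", UTF16)):
        print(name, scan(blob))
```

Legitimate UTF-16 scripts contain alternating NUL bytes rather than long runs, so the run check does not flag them.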
COPYRIGHT 2007 A.P. Publications Ltd. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.