Comments on: A000n0000 0000O000l00d00 0I000E000 00T0r0000i0000c000k

By: Quickpost: “An Old IE Trick” Revisited « Didier Stevens

Quickpost: “An Old IE Trick” Revisited « Didier Stevens — Sat, 01 Nov 2008 22:31:28 +0000

[...] Filed under: Malware, Quickpost — Didier Stevens @ 22:30 One year ago I blogged about an old IE trick still being used by malware. What can be said now that I resubmitted my test files to Virustotal [...]

By: storywriter » Blog Archive » When AntiVirus Products (and Internet Explorer) Fail you

Sat, 06 Sep 2008 20:22:18 +0000

[...] Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somwehat. He discovered that the IE-targeted malware had been obfuscated [...]

By: Miles

Miles — Fri, 18 Jan 2008 10:02:34 +0000

Actually, considering Microsoft will change their implementation without any notice, it makes far more sense for any AV provider to intercept code just before it is executed by IE and check for malware than it does for them to cover every quirk of IE browsers.

From a security point of view, the exploit is in IE. Provided my AV finds the trojan in it’s native form and the webscanner it has can detect it before it is executed, I am happy.

By: Quickpost: Scanning Scripts « Didier Stevens

Quickpost: Scanning Scripts « Didier Stevens — Sat, 03 Nov 2007 10:34:00 +0000

[...] Scanning Scripts Filed under: Quickpost — Didier Stevens @ 10:32 After reading my zero byte padding post, someone asked me how McAfee intercepted [...]

By: Peter Bosveld

Peter Bosveld — Wed, 31 Oct 2007 12:25:39 +0000

I’ve just read hte article and (with growing amazement) the reactions. The reactions show me a few things:
- People (users/administrators) seem more interested in finding reasons and/or excuses to stick with the av software they currently use. And in the process display a ‘hope’ that eg recent updates will have improved the result.
- Producers of av-software are more interested in showing the proper procedure to follow when dealing with this sort of malware in order for their product to produce a positive result. Which to me does not prove the software will function as required all the time. To me this is like creating a false sense of security, where i personaaly think it would be better to advise everyone NOT to rely on any single product if and when security matters.
- Finally it really is amazing that noone suggests that it may be a good idea to make sure that browser software (ie or any other) behaves in this way. With respect to the av software: what is the reason for ignoring (being fooled by) ANY number of nulls??

With kind regards, Peter

By: Simon Edwards

Simon Edwards — Wed, 31 Oct 2007 10:43:44 +0000

In your video demo you demonstrate that the virus scanner fails to detect the harmful file when running an on-demand scan. However, loading the file into Internet Explorer and allowing the Blocked Content causes the real-time scanner to detect the threat. It might be worth adding to the article that, although anti-virus scanners are being tricked, they are still able to mitigate the threat in a realistic situation such as when a potential victim visits an infected page.
Regards, Simon.

By: An old IE Trick -- Script Obfuscation with null bytes between characters - Harry Waldron - My IT Forums Blog

Tue, 30 Oct 2007 21:13:27 +0000

[...] A000n0000 0000O000l00d00 0I000E000 00T0r0000i0000c000khttp://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/http://it.slashdot.org/article.pl?sid=07/10/29/1747237 [...]

By: An old IE Trick -- Script Obfuscation with null bytes between characters - Harry Waldron - Microsoft MVP Blog

Tue, 30 Oct 2007 21:12:30 +0000

By: barbecuesteve

barbecuesteve — Tue, 30 Oct 2007 13:19:15 +0000

This really illustrates my fundamental problem with Microsoft’s attitude.

“The data you have is not accurate. Here, let me fix it for you.”

As if Microsoft is the sole determiner of what constitutes accurate data and what doesn’t.

At work, we work with CSV files a lot. I had to threaten one technician with getting fired if he continued to look at CSVs in Excel to determine problems with them. Microsoft would of course strip out whatever it didn’t like, which made diagnosis nigh-on impossible. Opening CSVs in Notepad was better… but ultimately everyone ended up switching to Emacs or PFE.

By: ippimail.com » Blog Archive » When antivirus products (and Internet Explorer) fail you

Tue, 30 Oct 2007 07:56:49 +0000

[...] Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him [...]