Didier Stevens

Saturday 1 November 2008

Quickpost: “An Old IE Trick” Revisited

Filed under: Malware,Quickpost — Didier Stevens @ 22:30

One year ago I blogged about an old IE trick still being used by malware. What can be said now that I resubmitted my test files to Virustotal (VT)? Not much, because VT is not an anti-virus test tool (it’s a virus test tool).

More AV products detect my test files now; and test files with longer zero byte sequences, that weren’t detected a year ago, are getting detected now. So I’m not really going out on a limb here when I say that the detection has improved. But there’s no way to quantify this improvement with VT results alone.

My test file with 255 contiguous zero bytes, which wasn’t detected by VT one year ago, is being detected by 6 AV products now. But it must be clear that I can’t conclude from this that only 6 AV products have been improved in the past year.

First of all, we can’t know if all AV products that have been improved in the past year, have been upgraded on the VT site. It’s very likely that some new engines have not been installed on VT yet.

Second, this improvement might not come to expression on VT. VT uses command-line scanners, and many AV protection features are not present in the command-line versions.

Third, the improved detection could just be the result of new signatures for the very same test files I submitted. Just out of curiosity, I created a new file with 543 contiguous zero bytes. It gets detected by some AV products.

If you’re interested in the detailed detections, here are the links to the VT results:

Quickpost info


  1. The one thing about BD from VirusTotal is that the engine it’s using is the freebie one. Of course, that’s an old engine…not exactly what I would call up to the task. I would love to test this out with the current version…

    Comment by sidephase — Friday 7 November 2008 @ 17:31

  2. There is this little thing called “The Halting Problem”. No algorithm will detect all possible variants regardless of the technique it uses – whether signature based or pattern based.

    Comment by Anonymous CS Guy — Saturday 8 November 2008 @ 0:50

  3. What do you mean with “signature based or pattern based”? Are those 2 terms the same or different for you?

    And I assume you’re referring to the proposition that an algorithm that has to decide if a program is a virus or not, can be mathematically proved to be a special case to the Halting Problem, for which Turing proved it was undecidable?

    I don’t know the exact details of Fred Cohen’s proof, but are you sure that this applies to signature based detection? Because signature based detection means that an algorithm has to decide if a file contains a given sequence or several sequences of bytes (i.e. the signature). I don’t believe this particular algorithm is undecidable.

    With signature based detection, it’s the virus analyst defining the signature (I’m excluding automatic signature generation here) that decides which samples are viruses.

    Comment by Didier Stevens — Monday 10 November 2008 @ 18:18

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.