More on encoded malware

Published: 2006-08-23
Last Updated: 2006-08-23 21:56:08 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
ISC reader Jan Monsch was sufficiently intrigued by today's diary entry on "Decoding Malware" that he started experimenting on his own. By the simple expedient of saving a Word document with an embedded "EICAR" file in different formats and running the resulting files through VirusTotal was he able to show that ... quite a number of AV programs seem to have BIG problems with decoding even the simplest text based file formats. As Jan correctly writes:

Apart from having lots of up-to-date virus patterns the quality of a virus scanner is to a large extent defined by the number of formats it is able to decode.

As it turns out, only two AV programs were able to spot the EICAR in all seven of the functionally equivalent MSWord formats. The full 15-page PDF with Jan's analysis can be found on http://www.iplosion.com/isc/alternativ_word_formats_v2.0.pdf , or rather, because this box seems to sit on the far end of a very slow connection, as a locally mirrored copy here on http://handlers.sans.org/dwesemann/alternativ_word_formats_v2.0.pdf

[Update 1656UTC: We've had two reports that testing with locally installed AV yielded different/better results than the ones reported by Virustotal for the same AV product]

[Update 2151UTC: The author and we are well aware that in order to _run_, the malware/eicar would have to be unpacked from the Word document, and that  AV would likely catch it then. This isn't about virus detection on the endpoint, it's about evading detection by proxy and email gateway anti-virus filters on the way _to_ the endpoint.]
Keywords:
0 comment(s)

Comments


Diary Archives