Zero Byte scripts still fooling today’s signature-based malware detection software

Tier-3, a behavioural-analysis IT security software vendor, has warned companies about a rework of the old malware-disguising technique of adding zero-byte entries to scripts, which can still fool most signature-based anti-virus and anti-malware software.

“The code ‘obfuscation’ technique first appeared more than a decade ago as malware writers attempted to hide their scripts from Windows 98 anti-virus software. By adding zero byte entries to the first 32 characters of a script, the malware could escape the attentions of most of the signature-based detection software of the mid-1990s,” said Geoff Sweeney, Tier-3’s CTO.

“Now it appears that malware authors have stumbled on the fact that much of today’s 32- and 64-bit IT security software still limits its signature analyses to the first 256 or 512 bytes of a script. If a script is padded out with a lengthy string of zero byte entries, then it follows that a modern script can pass unnoticed and wreak havoc on a Windows-driven computer system,” he added.

“Questions need to be asked as to why some AV products and internet browsers are still susceptible to this type of obfuscation technique. Some initial thoughts have centred around the fact that it may be to do with catering for the lowest common denominator in terms of client hardware, or an indication of performance issues more generally. The performance-degrading relationship between higher bandwidth speeds and larger signature databases is a well-known problem to the industry,” he explained.

Sweeney does not claim credit for this effective rework of an old code obfuscation technique.

“The industry’s thanks must go to Didier Stevens, a Belgian IT security expert with more than a quarter of a century’s experience in the industry. He recently identified the problem in his blog,” he explained.

“Thankfully for today’s computer users, Stevens’ analysis at suggests that, without the zero byte padding, 25 out of 32 IT security applications could easily detect his malware script. As more padding was added to the script, however, the detection rate went down: at 254 zero bytes between the individual characters of the script, only one AV was still able to detect the obscured script, and at 255 none detected it,” Sweeney said.
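The arithmetic behind those 254/255 figures, and the defender-side fix, as an added simulation that is not from the article, Tier-3 or Didier Stevens: an engine that only inspects a fixed prefix (256 or 512 bytes) sees fewer and fewer signature characters as padding grows, whereas stripping NUL bytes from the whole buffer before matching removes the blind spot. The signature string, sample script and window sizes are constructed for the demonstration.

```python
# Added example: why a fixed scan window misses NUL-padded scripts, and
# how normalising the whole buffer before signature matching fixes it.
from typing import Iterable

# Constructed placeholder signature, not a real AV signature.
SIGNATURES = [b"CONSTRUCTED-TEST-MARKER"]


def pad_with_nuls(script: bytes, nuls: int) -> bytes:
    """Build test input: `nuls` zero bytes between every character of the script."""
    return (b"\x00" * nuls).join(bytes([c]) for c in script)


def visible_chars_in_window(nuls: int, window: int) -> int:
    """How many non-NUL characters of a padded script land inside the first
    `window` bytes. Character i sits at offset i * (nuls + 1), so with a
    256-byte window 254 NULs leave two characters visible and 255 leave one."""
    return len(range(0, window, nuls + 1))


def naive_scan(data: bytes, signatures: Iterable[bytes], window: int = 512) -> bool:
    """Models an engine that examines only the first `window` bytes, even though
    it removes NULs: padding pushes signature bytes past the window."""
    prefix = data[:window].replace(b"\x00", b"")
    return any(sig in prefix for sig in signatures)


def normalized_scan(data: bytes, signatures: Iterable[bytes]) -> bool:
    """Defender-side fix: strip NUL bytes from the whole buffer first, so the
    amount of padding no longer decides whether the signature is seen."""
    cleaned = data.replace(b"\x00", b"")
    return any(sig in cleaned for sig in signatures)


def demo() -> dict:
    """Run both scanners over a constructed benign sample, clean and padded."""
    script = b"echo 'CONSTRUCTED-TEST-MARKER'"  # constructed sample, not malware
    padded = pad_with_nuls(script, 255)
    return {
        "clean_naive": naive_scan(script, SIGNATURES),
        "padded_naive": naive_scan(padded, SIGNATURES),
        "padded_normalized": normalized_scan(padded, SIGNATURES),
        "visible_254_in_256": visible_chars_in_window(254, 256),
        "visible_255_in_256": visible_chars_in_window(255, 256),
    }


if __name__ == "__main__":
    print(demo())
```

Any scanner, log pipeline or mail gateway that matches patterns against script content should apply the same normalisation over the full object rather than a prefix.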

According to the Tier-3 CTO, Stevens’ analysis is a clear indication that a single vector protection approach to IT security can no longer be relied on to protect a company’s computer resources.

“In many ways, we knew the writing was on the wall for conventional IT security software back in the mid-1990s, but IT security software vendors developed more advanced techniques to detect malware, often by extending the signature detection envelope to include heuristic analyses,” he said.

“This single vector detection technique is still relied upon by at least one major security software vendor to this day, but Stevens’ revelations clearly show that signature analysis can still be beaten,” he added.