
Without going into the details


Wednesday, October 7, 2020

We never get tired of repeating that every component of an anti-virus matters for system security. But users are confident that it is enough to have an anti-virus that scans files when they are launched or downloaded: it supposedly scans everything worth checking. Unfortunately, hackers know about this opinion too, and they make sure their bogus files contain no malicious code at the moment they are downloaded. The code is planted into them later. Sounds like magic? No, it is a payload construction technique. Here is an example.

Menlo Security published a review describing the HTML smuggling technique being used by attackers to bypass security solutions (including sandboxes).

First, let's explain this phenomenon in technical terms. Attackers use a binary JavaScript blob to bypass security solutions (they deliver the file to the endpoint via a browser). Once the user clicks on the link, there are multiple levels of redirection before the user lands on an HTML page. The landing page invokes a JavaScript onload that initializes data for a blob object from a base64-encoded variable. The archive is transmitted as a data stream and therefore evades security checks. A ZIP file is dynamically constructed from the blob object with the MIME type “octet/stream”.

When invoked (a user visits the webpage), the JSCRIPT file performs the following actions:

- Downloads a ZIP file. The file has the extension .jpg, but it is a ZIP archive. It is downloaded to the Public Documents folder, and two files are extracted from it: Avira.exe and rundll.exe. Avira.exe is renamed with a random name. rundll.exe is also renamed with a random name, and its filename extension is changed to .bmp.

The extracted Avira.exe file was digitally signed, and its size was 500MB.


And now, let's render this description in simpler words. A bitstream, rather than a file, is transmitted to the user's end. Actually, any file being downloaded is transmitted as a sequence of bytes. However, in this case security software can be circumvented because the file is smuggled in the guise of a data stream forwarded by a script. Once all the data has been transmitted, it is then converted into an archive from which the files are extracted.

Because of this, anyone who examines the JavaScript file with a multi-engine scanner will most probably get a reply stating that the file is malware-free. The malicious payload is only extracted during execution, and no multi-engine scanner ever launches the files it checks (for more on the subject, we highly recommend that users also read this issue). As for this specific file, no user will even be able to upload it to a multi-engine website: its bloated 500 MB size matches the multi-engine scanners' file size limit.

Is it possible to expose such a trojan? Yes. Actually, it can be done while the data is being downloaded, provided the anti-virus you're using can parse bitstreams and assemble them into files. But there is no guarantee of success: a ZIP archive can be password-protected, and then no anti-virus will be able to extract data from it. However, anti-virus features that monitor running processes and applications can still save the day. For example, if an encryption ransomware trojan starts in a system, Dr.Web preventive protection will most probably detect it.
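To show what "parsing the bitstream and assembling it into a file" looks like on the defender's side, here is an added example (not Dr.Web's code or the Menlo Security sample). It scans an HTML page for the indicators named above (atob, Blob, the "octet/stream" type), decodes every long base64 literal, checks whether the result starts with a ZIP local file header, and reads the header's encryption flag, which is exactly the case where extraction fails. The HTML and the embedded archive are constructed stubs built inside the script.

```python
import base64
import re
import struct

ZIP_MAGIC = b"PK\x03\x04"            # ZIP local file header signature
BASE64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{40,}={0,2})["\']')
# Strings the article's description implies the smuggling script must contain.
INDICATORS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", "octet/stream")


def build_stub_zip(name: bytes, encrypted: bool) -> bytes:
    """Constructed stub: one local file header with an empty body (no real payload)."""
    flags = 1 if encrypted else 0      # general-purpose bit 0 = entry is encrypted
    header = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0, 0, 0, 0, len(name), 0)
    return header + name


def sample_html(encrypted: bool = True) -> str:
    """Constructed page in the shape the article describes (not the real landing page)."""
    b64 = base64.b64encode(build_stub_zip(b"Avira.exe", encrypted)).decode()
    return ('<body onload="go()"><script>var data = "%s";\n'
            'function go(){ var b = new Blob([atob(data)], {type: "octet/stream"}); }\n'
            '</script></body>' % b64)


def indicators_present(html: str) -> list:
    """Which of the smuggling indicators appear in the page text."""
    return [i for i in INDICATORS if i in html]


def find_smuggled_zips(html: str) -> list:
    """Reassemble every long base64 literal and report those that are ZIP archives."""
    hits = []
    for m in BASE64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:             # binascii.Error is a ValueError subclass
            continue
        if not raw.startswith(ZIP_MAGIC):
            continue
        flags = struct.unpack_from("<H", raw, 6)[0]   # flags sit at offset 6 of the header
        hits.append({"offset": m.start(1), "size": len(raw), "encrypted": bool(flags & 1)})
    return hits


if __name__ == "__main__":
    page = sample_html(encrypted=True)
    print("indicators:", indicators_present(page))
    for hit in find_smuggled_zips(page):
        print("embedded ZIP at offset %d, %d bytes, encrypted=%s" % (hit["offset"], hit["size"], hit["encrypted"]))
```

An encrypted hit is the case the text warns about: the scanner can see that a ZIP is being smuggled and how large it is, but cannot look inside it, so process monitoring has to take over.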

#Dr.Web #preventive_protection #technologies #trojan

The Anti-virus Times recommends

Don't forget the simple truth: there are no useless components in an anti-virus. Each of them is responsible for maintaining its own line of defence, and all of them are important.
