bytes with value zero, 0×00 how does NOD react?

I have a question reading on the problem with antivirus and the zero byte issue I wanted to know how does NOD32 react with those kind of malware that from what I can see seem to be popular.

The complete description of the problem can be read over there dated on the 23 of October.

http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/

How does NOD32 react when rendering html page that contain byte with a value of zero?

 

Not sure, except to say that VT is not a definitive indication of NOD32's detection...

EDIT: Testing with 'Exploit for ADODB hole (MS03-04' at http://www.heise-security.co.uk/services/browsercheck/demos/ie/null/ it seems that the null obfuscation may be a detection issue for NOD32 v2.7

live link removed

Cheers

 

The link you provided is detected by IMON as:
VBS/TrojanDownloader.Psyme.F.trojan

signature version: 2627

-John

 

Hi John,

That's the point - the original is not picked up by IMON but what Internet Explorer renders is when it is re-checked (as attached).

Still, with the public release of v3 only hours away our discussion about NOD32 v2.7 is purely academic.

Any EAV or ESS RC-Final users want to try the tests at http://www.heise-security.co.uk/services/browsercheck/demos/ie/null/ and let ESET know if it is any different for them?

Cheers

 

Since 3.0 is a major upgrade (it sounds like a huge rewrite), we will be staying with 2.7 for awhile. If there are no 3.0 reports of instability or bugs, then I would consider upgrading our 300 PCs to 3.0. However, 2.7 is really great, so I am in no hurry to upgrade.

-John

 

No such thing like instability in v3 . Bugs - no major bugs . Tested with all betas and RC1.