Size matters for the anti-virus products

Release date: 15-02-2009

A very quick but interesting observation: during the investigation of ZeuS trojan infections, I noticed a strange behavior of the trojan when it was installing itself into the system in the C:\Windows\system32 directory. It copied itself from the installation directory (the place where it was downloaded), and then it appended some kilobytes of random data to the end of the executable. To give the numbers: the installation exe is about 70kb, and the installed exe is around 300kb, so it writes some 200kb of data. Why is it doing it, you might ask? To fool the AV? I would never have thought this, as I always thought AV signatures work by checking some offsets in the file. But, by accident, I discovered it is not quite true! There are a lot of AV products that get fooled JUST BY THROWING SOME RANDOM DATA at the end of the file...

The first image shows the detection of the downloaded executable, the second image shows the detection of the installed executable. As you can see, the difference is huge: 30 versus 17 detections out of 41 AV products in total. That means 13 AV products got fooled by some random crap at the end of the executable... Do you guys only check the MD5 sum of the file then? :-)
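To show why a whole-file hash is such a weak signature here, and what a detection engine can do instead, the following is an added example that is not part of the original post and not taken from any AV product or from the trojan. It constructs a minimal, non-runnable PE layout in memory (the `build_minimal_pe` helper, the `.text` section and all sizes are my own constructed values), then compares two fingerprints of the file: an MD5 over the entire file, and an MD5 over only the bytes that the PE headers actually account for (headers plus every section's raw data). Anything past that point is "overlay", which is exactly where the appended random bytes land. The whole-file hash changes with every installed copy; the header-bounded hash does not.

```python
import hashlib
import random
import struct

FILE_ALIGN = 0x200  # constructed file alignment for the toy PE


def build_minimal_pe(code: bytes) -> bytes:
    """Constructed example: a minimal PE32 layout with one section.

    It is only structurally valid enough for a parser to walk the
    headers; it is not meant to be loaded or executed.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # Magic = PE32
    raw_size = (len(code) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    raw_ptr = FILE_ALIGN  # headers are well under 512 bytes, so data starts there
    # Section entry: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PtrRelocs, PtrLinenums, NumRelocs, NumLinenums, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + section
    headers += b"\x00" * (raw_ptr - len(headers))
    return headers + code.ljust(raw_size, b"\x00")


def pe_logical_size(data: bytes) -> int:
    """Return the number of bytes the PE headers account for.

    That is the end of the section table or the end of the last
    section's raw data, whichever is larger. Bytes beyond it are overlay.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_table = pe_off + 24 + opt_size
    end = sec_table + 40 * nsections
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))  # a truncated file cannot extend past its own end


def overlay_size(data: bytes) -> int:
    """Bytes appended after the last section: the padding the post describes."""
    return len(data) - pe_logical_size(data)


def file_hash(data: bytes) -> str:
    """Whole-file MD5: what a naive signature database keys on."""
    return hashlib.md5(data).hexdigest()


def content_hash(data: bytes) -> str:
    """MD5 over the header-bounded bytes only, so overlay does not affect it."""
    return hashlib.md5(data[:pe_logical_size(data)]).hexdigest()


def append_overlay(data: bytes, n: int, seed: int = 0) -> bytes:
    """Constructed stand-in for the random tail; seeded so results are reproducible."""
    rng = random.Random(seed)
    return data + bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    original = build_minimal_pe(b"\x90" * 64)
    installed = append_overlay(original, 200 * 1024, seed=1)  # ~200kb, as in the post
    print("overlay bytes:", overlay_size(original), "->", overlay_size(installed))
    print("whole-file MD5 equal:", file_hash(original) == file_hash(installed))
    print("header-bounded MD5 equal:", content_hash(original) == content_hash(installed))
```

Two caveats for anyone using this idea in detection logic: a large overlay is a useful heuristic, not proof of tampering, because legitimate installers, self-extracting archives and Authenticode-signed binaries carry overlay data by design; and a header-bounded hash only defeats padding, not repacking or recompilation, so it belongs alongside section-level and code-pattern signatures rather than replacing them.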