Sophos

Download Windows 7 security - A great leap forward or business as usual?

Bypassing … by using ASCII Exploit

Over the last few weeks SophosLabs have been testing new detection for malware using the ASCII Exploit. With one of our technology partners we have been scanning the murkier areas of the web for malicious HTML pages exhibiting the ASCII Exploit (though calling it an exploit is a misnomer).

What actually happens is that if Internet Explorer (IE) is told that a webpage is US-ASCII, then it will ignore the parts of characters that are not valid under US-ASCII. For example, in the following:

[Image: Ascii]

  • The 0x0d 0x0a (carriage return, line feed) are valid end-of-line characters.
  • However, 0xbc is not a valid ASCII character, so IE throws away the most significant bit, converting 0xbc to 0x3c, the hexadecimal equivalent of <.
  • The first piece of code, 0xbc 0xe8 0xf4 0xed 0xec 0xbe, will translate to <HTML>.
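The folding described in the list above can be turned into a scanner-side check. This is an added example, not Sophos's detection logic: the function names, the watched-tag list and the `header_charset` parameter are assumptions, and the sample page is constructed around the six bytes quoted in the article.

```python
import re

# Tags that have no reason to appear only after the high bit is dropped
# (assumed watch list for this example).
WATCHED_TAGS = (b"<html", b"<script", b"<iframe", b"<object")
META_US_ASCII = re.compile(rb"charset\s*=\s*[\"']?us-ascii", re.I)

def strip_high_bit(data: bytes) -> bytes:
    """Drop bit 7 of every byte, the folding the article describes for IE."""
    return bytes(b & 0x7F for b in data)

def scan_page(raw: bytes, header_charset: str = "") -> dict:
    """Flag pages declared US-ASCII whose markup only appears after folding."""
    declared = (header_charset.strip().lower() == "us-ascii"
                or bool(META_US_ASCII.search(raw)))
    as_sent = raw.lower()
    folded = strip_high_bit(raw).lower()
    # A tag counts as hidden when folding reveals more copies than were sent.
    hidden = [t.decode() for t in WATCHED_TAGS
              if folded.count(t) > as_sent.count(t)]
    high = sum(b > 0x7F for b in raw)
    return {
        "declares_us_ascii": declared,
        "high_bit_ratio": high / len(raw) if raw else 0.0,
        "hidden_tags": hidden,
        "suspicious": declared and bool(hidden),
    }

# Constructed sample: a plain-ASCII meta declaration, then the six bytes quoted
# in the article and a constructed high-bit run that folds to "<script>".
# The article's bytes fold to lowercase "<html>", the same tag to a browser.
ARTICLE_BYTES = bytes.fromhex("bce8f4edecbe")
SAMPLE = (b'<meta http-equiv="Content-Type" '
          b'content="text/html; charset=us-ascii">\r\n'
          + ARTICLE_BYTES + bytes.fromhex("bcf3e3f2e9f0f4be"))
# Constructed benign page: UTF-8 text with a legitimate non-ASCII character.
BENIGN = "<html><p>caf\u00e9</p></html>".encode("utf-8")

if __name__ == "__main__":
    print(strip_high_bit(ARTICLE_BYTES))
    print(scan_page(SAMPLE))
    print(scan_page(BENIGN))
```

Comparing tag counts before and after folding keeps ordinary UTF-8 or Latin-1 pages from being flagged merely for containing high-bit bytes.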

This morning SophosLabs released detection for a whole slew of malware using this ASCII exploit: Mal/EncPg-A.

