10 May 2007 14:51 GMT
Bypassing by using ASCII Exploit
Over the last few weeks SophosLabs have been testing new detection for malware using the ASCII Exploit. With one of our technology partners we have been scanning the murkier areas of the web for malicious HTML pages exhibiting the ASCII Exploit (though calling it an exploit is a misnomer).
What actually happens is that if Internet Explorer (IE) is told that a webpage is US-ASCII, it will ignore the parts of characters that are not valid under US-ASCII. For example, in the following:
- The 0x0d 0x0a (carriage return, line feed) are valid end-of-line characters.
- However, 0xbc is not a valid ASCII character, so IE throws away the most significant bit of the byte, converting 0xbc to 0x3c, the hexadecimal equivalent of <.
- The first piece of code, 0xbc 0xe8 0xf4 0xed 0xec 0xbe, will therefore translate to <HTML>.
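To show what a scanner has to do before it can match signatures against such a page, here is an added example (not SophosLabs' code) that emulates IE's treatment of a US-ASCII page by dropping the most significant bit of every 8-bit byte, plus a simple heuristic for flagging pages that look encoded this way. The sample bytes are constructed for this example; the first six are the sequence discussed above.

```python
# Added example: emulate the decoding Internet Explorer applies to a page
# declared as US-ASCII, so that a scanner can normalise the bytes before
# pattern matching. The sample bytes are constructed for this example.

def ascii_normalise(data: bytes) -> bytes:
    """Drop the most significant bit of every byte outside 7-bit ASCII,
    which is how IE renders bytes that are invalid under US-ASCII."""
    return bytes(b & 0x7F for b in data)


def looks_like_ascii_obfuscation(data: bytes, threshold: float = 0.5) -> bool:
    """Heuristic: on a page that claims to be US-ASCII, a high share of
    8-bit bytes that turn into printable ASCII once the top bit is
    stripped is suspicious and worth a closer look."""
    high = [b for b in data if b >= 0x80]
    if not high:
        return False
    printable = sum(1 for b in high if 0x20 <= (b & 0x7F) < 0x7F)
    return printable / len(high) >= threshold


# Constructed sample: "<html>" CR LF "<script>" with the top bit set on
# every letter and angle bracket, as an obfuscated page would carry them.
SAMPLE = (b"\xbc\xe8\xf4\xed\xec\xbe\x0d\x0a"
          b"\xbc\xf3\xe3\xf2\xe9\xf0\xf4\xbe")

if __name__ == "__main__":
    print(ascii_normalise(SAMPLE).decode("ascii"))  # <html>\r\n<script>
    print(looks_like_ascii_obfuscation(SAMPLE))     # True
```

Running detection on the normalised bytes rather than the raw ones is what lets an ordinary HTML signature still fire on an encoded page.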
This morning SophosLabs released detection for a whole slew of malware using this ASCII exploit as Mal/EncPg-A.
Pob, SophosLabs, UK

