As more padding is added to the script, however, the detection rate went down at 254 zero-bytes between the individual characters of the script.
Only one antivirus application was still able to detect the obscured script, and at 255 none detected it.
According to vendor Tier-3, the technique can still be used to fool "most signature-based" antivirus and anti-malware software.
"The code 'obfuscation' technique first appeared more than a decade ago as malware writers attempted to hide their scripts from Windows 98 antivirus software," said Tier-3 chief technology officer Geoff Sweeney.
"By adding zero byte entries to the first 32 characters of a script, the malware could escape the attention of most of the signature-based detection software of the mid-1990s.
"Now it appears that malware authors have stumbled on the fact that many of today's 32-bit and 64-bit IT security software still limit signature analyses to the first 256 or 512 bytes of a script.
"If a script is padded out with a lengthy string of zero byte entries, then it follows that a modern script can pass unnoticed and wreak havoc on a Windows-driven computer system."
Sweeney added that questions need to be asked as to why some antivirus products and internet browsers are still susceptible to this well-documented obfuscation technique.
.png&h=140&w=231&c=1&s=0)
.png&w=100&c=1&s=0)
iTnews Benchmark Security Awards 2025
Digital Leadership Day Federal
Government Cyber Security Showcase Federal
Government Innovation Showcase Federal
Digital NSW 2025 Showcase
_(1).jpg&h=140&w=231&c=1&s=0)
