The Power of the Null Character & How It Could Be Used to Bypass Malware Detection
A bug in the Antimalware Scan Interface (AMSI) could allow a malicious program to go undetected during scans if its code contained a null character. In practice, this means an attacker would only need to embed a null character in a payload to bypass security scans performed through Windows 10 AMSI.
AMSI is a security feature that sits between applications and the antivirus engine on Windows 10. It essentially allows an application to submit content to the locally installed antivirus program for inspection. Any app can request such a check, and the content is sent to whichever AMSI-compatible AV engine is installed on the computer, not necessarily Windows Defender. While antivirus programs are expected to perform these checks anyway, AMSI focuses on checks after a program has started, including scripts that are invoked at runtime (the article cites Ruby and PowerShell as examples).
“AMSI is antimalware vendor agnostic, designed to allow for the most common malware scanning and protection techniques provided by today’s antimalware products that can be integrated into applications,” Microsoft explains. “It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques.”
AMSI also supports the notion of a session, so that antimalware vendors can correlate different scan requests. For instance, the separate fragments of a malicious payload can be associated with one another to reach a more informed verdict, which would be much harder to reach by looking at each fragment in isolation.
The recent “null” problem in Antimalware Scan Interface (AMSI)
The bug, first reported by security researcher Satoshi Tanda, can cause AMSI to truncate a malicious file at a null character. This means that malicious code could be hidden with this simple trick, since AMSI would never read anything beyond that character.
Tanda wrote that “System.Management.Automation.dll did not take account of that PowerShell contents could include null characters in them and called AmsiScanString, which treated a null character as the end of contents, to forward contents to AMSI providers.”
As a result, AMSI providers were unable to scan all of the contents and so could not detect malicious strings placed after the null character.
Thankfully, Microsoft has fixed the bug with the recent February Patch Tuesday updates. “In theory, no action other than applying the patch should be required,” Tanda wrote. “However, software vendors using AMSI to scan PowerShell contents should review whether it can handle null characters properly should they appear.”