An old IE Trick -- Script Obfuscation with null bytes between characters
This interesting finding could lead to malware possibly being bypassed when processing web pages containing underlying scripts embedded in the HTML.
A000n0000 0000O000l00d00 0I000E000 00T0r0000i0000c000k
QUOTE: When I found a malicious script riddled with 0×00 bytes, SANS handler Bojan Zdrnja explained to me that this was an old trick. When rendering an HTML page, Internet Explorer will ignore all zero-bytes (bytes with value zero, 0×00). Malware authors use this to obscure their scripts. But this old trick still packs a punch.
When I remove all obscuring zero-bytes from this script, things get better: 25 out of 32 AV products detect it. But what happens when I add more zero-bytes to the script? Even more AV are fooled! Gradually adding more zero-bytes makes the detection ratio go down.
And at 254 zero-bytes between the individual characters of the script, McAfee VirusScan is the only AV to still detect this obscured script. One byte more (255 zero-bytes), and VirusScan doesn’t detect the script anymore. No AV on VirusTotal detects this malware obscured with 255 zero-bytes (or more). But for IE, this obscured HTML poses no problem, it still renders the page and executes the script.