Information Security News: .zip files putting the zap on antivirus products

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,89897,00.html

By Paul Roberts
FEBRUARY 05, 2004
IDG NEWS SERVICE

E-mail users who were slow to update their antivirus software last 
week may have been surprised to receive a flood of e-mail messages 
containing .zip files from long-lost acquaintances, business partners 
and complete strangers. 

The e-mail was sent by the recent Mydoom e-mail worm. The zipped 
attachments were evidence of what antivirus experts say is a new trend 
in virus writing circles: using compressed .zip files to hide viruses 
and elude detection by antivirus engines. 

Such files are containers for one or more compressed files. Using 
programs like WinZip for Windows or Unzip for Unix, users compact 
files they want to store or transfer to others. The files must then be 
decompressed, or "unzipped," before they can be viewed. Long a staple 
of Internet and office communications, the compressed .zip file has 
become embroiled in an arms race between virus writers and antivirus 
technology companies, experts said. 

"We're definitely seeing a trend," said Alex Shipp, an antivirus 
technology expert at MessageLabs Ltd. "It really took off in 2003. As 
soon as one virus was successful with technology like this, other 
virus writers took notice." 

Virus authors learned long ago to hide their creations in e-mail file 
attachments, often disguising viruses as Windows screen saver (.scr) 
files or Windows program information (.pif) files, said Mike Hrabik, 
chief technology officer at Solutionary Inc., a managed security 
services company in Omaha. 

While .zip files were occasionally used to mask virus payloads, the 
practice wasn't common in virus-writing circles because .zip files, 
unlike .scr and .pif files, required separate software to be installed 
on the receiving system before the files can be opened and run, he 
said. 

All that changed with the release of Microsoft Corp.'s Windows XP 
operating system, which included native support for opening .zip 
files. According to Gerhard Eschelbeck of security vulnerability 
scanning company Qualys Inc., embedded support for .zip files in 
modern systems makes them a rich target for worms like Mydoom. 

In switching to .zip files, virus authors were also picking up on 
trends in legitimate e-mail traffic to hide their own malicious 
creations, Shipp said. "When corporations started blocking .exe 
[executable] files to prevent viruses from coming into their 
environment, people who wanted to send .exes back and forth started 
zipping them before they sent them. Virus writers noticed that and 
took advantage of it," he said. 

Unlike .scr and .pif files, which have no use in legitimate exchanges, 
.zip files are an important business tool that many individuals and 
organizations use to transfer large files. That makes it difficult for 
companies to strip them out of e-mail messages without affecting 
employees' work, experts said. 

"For the most part, .zips are effective ways to send files, so 
blocking them is not something you want to do, because it will break 
other functionality," said Craig Schmugar, antivirus research manager 
at Network Associates Inc.'s McAfee antivirus unit. 

The files have other advantages for virus authors, said Vipul Ved 
Prakash, founder of San Francisco antispam company Cloudmark Inc., 
where he's chief scientist. For mass-mailing worms like Mydoom, 
zipping the virus payload makes it smaller, so more copies can be 
mailed in a given time period, Prakash said. Zipping also changes the 
unique signature on the virus attachment, making it harder for 
antivirus engines to detect the malicious program. 

According to Prakash, 80% of the Mydoom samples that were submitted to 
Cloudmark from its SpamNet network of 800,000 users had zipped 
attachments. 

Malicious hackers are also finding other ways to maximize increased 
.zip file use with viruses. A recent security advisory from AERAsec 
Network Services and Security GmbH in Hohenbrunn, Germany, found that 
many antivirus engines are vulnerable to denial-of-service attacks 
from so-called decompression bombs, in which gigabytes of data are 
zipped into very small files. 

Antivirus engines that try to unzip these bombs often crash when 
trying to handle the huge amount of data stored in them, AERAsec 
researchers warned. While decompression bombs have been around since 
the 1980s, many software products, including antivirus engines, still 
don't detect such attacks, said Harald Geiger of AERAsec. 

But .zip files aren't a magic bullet for virus authors. Most antivirus 
programs can open and analyze the contents of zipped files, flagging 
anything that matches known viruses, said Schmugar. 

In the end, there are no easy answers to the .zip file problem, 
experts said. 

Solutionary publishes a list of 20 recommended file extensions that 
should be blocked, including .pif and .scr, Hrabik said. For others, 
such as Microsoft Word .doc files and Adobe .pdf files, companies 
should block specific file names that are known to be associated with 
virus payloads, he said. 

Best practices for companies should include scanning inside of .zip 
files and using extension blocking on files contained in the archives, 
said NAI's Schmugar. 

"Security is always a trade-off," said Prakash. "You can't just stop 
receiving .exe and .zip files from people, because most of them are 
useful." 

Companies need to balance business needs with security when setting up 
policies for files like .zips, he said. 

Security policies that attach a trust level to certain e-mail senders 
outside and inside the company could be effective at blocking 
malicious .zip attachments. Better user education that addresses bad 
habits like forwarding executable attachments could also help, Prakash 
said. 




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.