Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

1 edit

1 recommendation

Researchers warn of malware hidden in .zip files

from
»news.cnet.com/8301-27080_3-20002542-245.html
quote:
"The file goes straight through Gmail or Hotmail because it's a trusted format," he added. "Antivirus software can't see the hidden payload. Once the file is opened the payload (or malware) is on the system."
That is assuming that the malware itself is unknown to the AV (not that bothered about it not being detected in .zip). And not to mention that a password protected archive will hide malware within as it can't be scanned.

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2010/11


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
It's been my experience with Gmail that any zip with an .exe gets rejected by Gmail's mail servers. That even goes for a password protected archive.
As I recall, the only way I can send a zip via Gmail with an .exe is to create a PGP zip & then send it.


THZNDUP
Deorum Offensa Diis Curae
Premium
join:2003-09-18
Lard
kudos:2
reply to Cudni
The 'article' also doesn't mention that a password protected zip file is/was the preferred method for submitting suspected malware to vendors for analysis.

FUD?
--
one should not increase, beyond what is necessary, the number of entities required to explain anything


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Cudni
There aren't many AVs out there that don't scan zip files, it has been that way for about the last decade. Then they started password protecting them, but you have to really want to get infected then.
--
When will the people realize that with DRM they aren't purchasing anything?


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to Cudni
.zip has been an untrusted attachment since about 6+ years back, it seems to me.

File this one under slow news day?
--
My place : »www.schettino.us


Blue2
Premium
join:2004-04-14
France
kudos:1
reply to Kilroy
said by Kilroy:

There aren't many AVs out there that don't scan zip files, it has been that way for about the last decade. Then they started password protecting them, but you have to really want to get infected then.
Why would a user be able to enter a password to open a zip file but an AV wouldn't allow you to enter a password to scan that same file? How difficult could it be to have AVs be able to do this?


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
said by Blue2:

said by Kilroy:

There aren't many AVs out there that don't scan zip files, it has been that way for about the last decade. Then they started password protecting them, but you have to really want to get infected then.
Why would a user be able to enter a password to open a zip file but an AV wouldn't allow you to enter a password to scan that same file? How difficult could it be to have AVs be able to do this?
I can only assume the zip is pitched as the latest XXX pr0n or cracked software or hey, let's be fair, maybe it says it's some business document or it's the legal forms from the Nigerian Prince needed to complete the 50 million dollar US transfer, and the email includes the user/pass to "unzip" it.

So the user blindly does so. The AV would need to be pretty smart to scan the email txt for user/pass info. The user just needs to be dumb enough to do what the email says.
--
My place : »www.schettino.us


Blue2
Premium
join:2004-04-14
France
kudos:1
said by JohnInSJ:

The AV would need to be pretty smart to scan the email txt for user/pass info. The user just needs to be dumb enough to do what the email says.
Not quite. Your statement suggests that EVERY passworded zip is a bomb waiting to go off. Is that so?

How about I send a password protected zip to someone with the password in a separate email for security purposes. As you might know, email isn't always safe. Now how can they scan that zipped archive and know that it is safe before opening it?

So my question (before you decided to present your favorite list of scams) WAS: if a user can manually enter a password for a zip archive, why couldn't an AV have the ability to ask for a password when it encounters a zip archive that is protected? The AV would not seem to need to be "pretty smart" to permit this option. And if it cannot, then password protecting zips should not be presented as an option since it always means trouble.

Stumbles

join:2002-12-17
Port Saint Lucie, FL
reply to Cudni
And this is news? I guess people really do have short memories.

ctggzg
Premium
join:2005-02-11
USA
kudos:2

1 edit
reply to Cudni
Since when is Gmail the last line of defense? Regardless of what gets into your email, common sense (or antivirus for the less computer-literate) should still be employed. This isn't any more of a "vulnerability" than renaming an .exe to .ex_, sending it as an attachment, and telling the recipient to change it back.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to Blue2
said by Blue2:

said by JohnInSJ:

The AV would need to be pretty smart to scan the email txt for user/pass info. The user just needs to be dumb enough to do what the email says.
Not quite. Your statement suggests that EVERY passworded zip is a bomb waiting to go off. Is that so?
Ok, I am NOT trying to be inflammatory here.

I only assume that IN THE CASE OF BAD BAD ZIP FILES with PASSWORDS that the user must (obviously) enter the password to unleash hell.

That implies some form of social engineering is employed in the case of the zip files with malware. That's all I meant.
How about I send a password protected zip to someone with the password in a separate email for security purposes. As you might know, email isn't always safe. Now how can they scan that zipped archive and know that it is safe before opening it?
They really could not, short of sandboxing the whole operation, if the zip file is a self-executing one. If you send me one, and I was expecting it, I might (reasonably) assume it was safe. It might not be, but the trust is higher because I know you. If you sent me a separate email telling me you were sending the zip, and here is the password, the trust would be higher. If you confirmed in a follow-up email you really really sent it, the trust would be even higher.
So my question (before you decided to present your favorite list of scams) WAS: if a user can manually enter a password for a zip archive, why couldn't an AV have the ability to ask for a password when it encounters a zip archive that is protected? The AV would not seem to need to be "pretty smart" to permit this option. And if it cannot, then password protecting zips should not be presented as an option since it always means trouble.
Not trying to start a fight here. Just pointing out that an AV that has to automatically check attached ZIPs isn't going to be able to enter a password automatically when it encounters a password protected zip file.

This is why such AVs (ClamAV, and several that run under Exchange being a few I have direct experience with) will simply quarantine and/or block any emails with password protected zip files.

Sorry if I raised any flags - not trying to start a fight...
--
My place : »www.schettino.us


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13
said by JohnInSJ:

This is why such AVs (ClamAV, and several that run under Exchange being a few I have direct experience with) will simply quarantine and/or block any emails
block anything password protected

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2010/11

lcnoble

join:2006-11-11
Nancy, KY
reply to Cudni
Take your zip file to your free cloud storage site and then open/extract.


Blue2
Premium
join:2004-04-14
France
kudos:1
reply to Cudni
said by Cudni:

block anything password protected

Cudni
And that's the solution that I'm questioning. If you say "don't open the door to anyone who rings the doorbell", then why have doorbells?

I'm just assuming that password protecting zip archives isn't always for nefarious purposes, and if so, why isn't there a way to scan them before opening them, if you know the password? Is the only way to remove password protection from archives through the process of actually opening the file? And if so, why?


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13
I was talking about the business surroundings, where it is more expedient to block anything that can't be checked until it can be checked (in whatever manner). Just a policy at some companies.

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2010/11


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to Blue2
said by Blue2:

said by Cudni:

block anything password protected
And that's the solution that I'm questioning. If you say "don't open the door to anyone who rings the doorbell", then why have doorbells?
Because Email is a festering cesspool of malware. That's a sad fact. If we train people to distrust the common infection vectors, then perhaps they have a prayer of going more than 5 minutes out of the box before getting infected.

Orthogonal to that, zip files are great. So is using them to exchange many files, and even protecting that exchange with a password. So, as others suggested, post it up somewhere in the cloud and email a URL. Then the receiver can pull it down and decide how to proceed (assuming web access isn't filtered via content filters and blockers as well.)

Emailed password protected zip files are usually nuked at the door, or always so in corporate settings. These days even renaming the file to something less dangerous sounding (like .jpg) will fail, since the AV scanners can usually determine the actual file type, even if they cannot open the archive.
--
My place : »www.schettino.us
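The gateway behaviour described in this thread (an automatic scanner cannot supply a password, so encrypted archives are quarantined; renamed files are still recognised by their real format) can be shown with a small check over the ZIP structure. This is an added example, not code from the original post, ClamAV or any vendor; the sample archives are constructed inline (the "encrypted" one only sets the general-purpose encryption flag, which is all a gateway sees), and the trailing-data and local-header counts are assumed heuristics for a non-standard layout.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is password protected


def build_stored_zip(entries, mark_encrypted=False, trailing=b""):
    """Constructed sample, not a real archiver: a minimal STORED zip.
    mark_encrypted only sets flag bit 0 (no real encryption), which is all
    a gateway sees on a password-protected archive; trailing appends bytes
    after the end-of-central-directory record (a non-standard layout)."""
    flags = FLAG_ENCRYPTED if mark_encrypted else 0
    body, central = bytearray(), bytearray()
    for name, payload in entries:
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(body)
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                            crc, len(payload), len(payload), len(name), 0)
        body += name + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags,
                               0, 0, 0, crc, len(payload), len(payload),
                               len(name), 0, 0, 0, 0, 0, offset)
        central += name
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd + trailing)


def inspect_zip(data):
    """What a gateway can learn without the password: which entries are flagged
    encrypted (unscannable), whether bytes sit after the declared end of the
    archive, and whether more local headers exist than the listing admits."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    names = [i.filename for i in infos]
    encrypted = [i.filename for i in infos if i.flag_bits & FLAG_ENCRYPTED]
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    trailing = len(data) - (eocd + 22 + comment_len)
    # Heuristic (assumed): STORED payloads could themselves contain "PK\x03\x04".
    hidden_locals = data.count(b"PK\x03\x04") - len(names)
    return {"entries": names, "encrypted": encrypted,
            "trailing_bytes": max(trailing, 0),
            "hidden_locals": max(hidden_locals, 0)}


def gateway_verdict(data):
    """The policy the thread describes: block what cannot be checked and hold
    structurally odd archives; everything else goes to the normal scanner."""
    r = inspect_zip(data)
    if r["encrypted"]:
        return "quarantine: encrypted entries " + ", ".join(r["encrypted"])
    if r["trailing_bytes"] or r["hidden_locals"]:
        return "quarantine: non-standard layout"
    return "scan"


if __name__ == "__main__":
    sample = build_stored_zip([(b"invoice.exe", b"MZ constructed stub")],
                              mark_encrypted=True)
    print(gateway_verdict(sample))
```

Renaming the attachment does not change the verdict, because the check keys on the archive's own signatures and flags rather than on the file name.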


Hytech Act

@cox.net
Password protected encrypted (PGP and otherwise) zip files are common in the health care and health insurance sectors. Ftp is good for regular exchanges, but email is how ad hoc exchanges take place for better or worse. Moreover, blocking and other strategies that make technology useless are simple minded scorched earth solutions to what in reality is a minor and manageable risk. It misses the point of having the technology in the first place.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
said by Hytech Act :

Password protected encrypted (PGP and otherwise) zip files are common in the health care and health insurance sectors.
This is really much different than a password protected zip archive.
It's actually encryption at its best.
The handling rules should reflect the differences between them.
The PGP zip is going to guarantee who the sender is via the key exchange & that the contents haven't been altered.
It's the way all archives would change hands in a perfect world.


ahulett
Premium,VIP
join:2003-02-02
Kirkland, WA
kudos:2

1 edit

1 recommendation

reply to Cudni
I don't know what exactly the finding was here, but if it's just that ZIPs can hold malware (like other replies here have suggested the finding is), then yeah, boring. However, if there's some vulns in the ZIP format (such as hiding malcode in weird places by mucking with the ZIP file and the end result being a non-standard ZIP, making AV scans miss because they potentially only follow preset scan paths or such, but yet the ZIP decompresses as intended despite being non-standard), then that's interesting.

The "Eight vulnerabilities were found in .zip" statement needs some expanding.
--
Aaron Hulett | Microsoft Malware Protection Center
This post is provided "AS IS" without warranty, and confers no rights.

mysec
Premium
join:2005-11-29
kudos:4

1 recommendation

reply to Cudni
said by article :

"Once the file is opened the payload (or malware) is on the system."
Not here.

Come on... email attachment security procedures have been advocated since Win9x days.

Verify, all attachments, especially executable attachments.


----
rich

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 edit
reply to ahulett
said by ahulett:

However, if there's some vulns in the ZIP format (such as hiding malcode in weird places by mucking with the ZIP file and the end result being a non-standard ZIP, making AV scans miss because they potentially only follow preset scan paths or such, but yet the ZIP decompresses as intended despite being non-standard), then that's interesting.

The "Eight vulnerabilities were found in .zip" statement needs some expanding.
I'm glad I'm not the only one who got from that article that there are vulnerabilities in ZIP format and even MORE vulnerabilities in RAR, 7ZIP, etc. formats that allow for hiding malware in places where AV cannot see it. I was eager to read further to find out details (especially since I use WinRAR which has more vulnerabilities than does ZIP)...but there was nothing more to read!

Why do some here think an AV needs to be able to scan password protected ZIP, RAR, etc. files? The On Demand scanner may be too weak to detect. You go to open that file and, if your AV is any good the Real Time scanner is the stronger one, then BAM! it's got it! You don't get infected. If your AV scanner doesn't have a signature for the malware, or can't catch it via heuristics, or behavioral pattern, then you still won't get infected as long as you have a classic HIPS. Layered security everyone.

I don't think ISP's should delete or block the sending/receiving of password protected ZIP files attached to emails. I know I can send password protected RARed files that contain malware using my ISP's email because I have sent to all vendors via our Security forum's email submission process using OE and I have received replies from many of the vendors so I know the emails got through intact with a password protected RARed file containing new malware. I have not received any password protected RAR files in awhile but I don't think my ISP blocks them. I used to receive them with no problems and I don't think that policy has changed. But come to think of it, maybe I used my dslr account not my ISP's.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


THZNDUP
Deorum Offensa Diis Curae
Premium
join:2003-09-18
Lard
kudos:2
reply to Cudni
The files are supposed to be modified by methods used by steganography and hidden to the AV scanners. They (Vuksan, Pericin, and Karney) haven't said much about password protection.

They have also allowed the AV vendors and other security related companies time to fix their programs before releasing any in depth information. I'm guessing that release of further details will be, in some small way, influenced by the acceptance of their new scanning engine, NyxEngine.
--
one should not increase, beyond what is necessary, the number of entities required to explain anything

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to ahulett
said by ahulett:

I don't know what exactly the finding was here, but if it's just that ZIPs can hold malware (like other replies here have suggested the finding is), then yeah, boring. However, if there's some vulns in the ZIP format (such as hiding malcode in weird places by mucking with the ZIP file and the end result being a non-standard ZIP, making AV scans miss because they potentially only follow preset scan paths or such, but yet the ZIP decompresses as intended despite being non-standard), then that's interesting.

The "Eight vulnerabilities were found in .zip" statement needs some expanding.
That is what I was wondering. If there were some 8 unique things with the zip format and not just, well, if you compress a file you need to usually unpack it to scan it.


THZNDUP
Deorum Offensa Diis Curae
Premium
join:2003-09-18
Lard
kudos:2
reply to Mele20
said by Mele20:

I'm glad I'm not the only one who got from that article that there are vulnerabilities in ZIP format and even MORE vulnerabilities in RAR, 7ZIP, etc. formats that allow for hiding malware in places where AV cannot see it. I was eager to read further to find out details (especially since I use WinRAR which has more vulnerabilities than does ZIP)...but there was nothing more to read!
Per the people that found them (and the OP's article), RAR has LESS vulns than ZIP.

There are eight listed for 'ZIP', three listed for 'RAR', two for '7ZIP', and one each for 'CAB' and 'GZIP'.
--
one should not increase, beyond what is necessary, the number of entities required to explain anything

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
I just read the referenced Cnet article. It said: "Eight vulnerabilities were found in .zip, supported by Microsoft Office, along with seven others in the .7zip, .rar, .cab and .gzip file formats". That said to me that 7zip, rar, cab and gzip had seven additional vulnerabilities which I assumed were in all of the formats since the article did not say. Plus, I read it to mean those were in addition to the other 8. It wasn't very clear. It's good to know RAR has less than ZIP...I guess, but since I don't have any details...maybe the RAR are worse than the ZIP ones.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Blue2
Premium
join:2004-04-14
France
kudos:1

1 edit
reply to JohnInSJ
said by JohnInSJ:

If we train people to distrust the common infection vectors, then perhaps they have a prayer of going more than 5 minutes out of the box before getting infected.
That "common infection vector" is called attachments, not password-protected attachments. And so I return to my original question: Why do zip and rar permit password protection if this means that you implicitly can't trust what the contents are since you can't scan it before executing it? I can imagine plenty of scenarios where this would happen. Here's a simple one: I password protect a zip so my kids/wife/co-worker/etc. can't get at it. Now, when I find it in my files, how do I know that it is safe to open?

I believe, like mysec and Mele pointed out, your resident scanner will catch it when you enter the password and try to open the zip. In that case, being password protected does NOT make it ANY MORE dangerous, since your resident scanner has the same likelihood of stopping it as it would were it NOT password protected.

And surely having to resort to cloud solutions isn't that practical unless you have faith in the cloud.


owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
reply to Cudni
Total FUD. When you go to unzip the file and use it, your AV will catch it at that time. No big deal.


HA Nut
Premium
join:2004-05-13
USA
reply to Cudni
IMO, whether or not these archive formats have exploitable bugs should not be the focus. All email extensions should be treated as though they are viruses. Unless you asked for a file, you don't need the file. Trash it!

(Where I work, all archive files via email are blocked from getting to a user's desktop. If someone has asked for a file to be sent, it is checked by IT and then forwarded on to the user if it's ok. Seems to work pretty well...)


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to Blue2
said by Blue2:

said by JohnInSJ:

If we train people to distrust the common infection vectors, then perhaps they have a prayer of going more than 5 minutes out of the box before getting infected.
That "common infection vector" is called attachments, not password-protected attachments. And so I return to my original question: Why do zip and rar permit password protection if this means that you implicitly can't trust what the contents are since you can't scan it before executing it?
I return to my original answer - people now assume that the common infection vector of email attachments is no longer a vector as long as their AV scans all attachments, and it seems like the article is saying AVs can't scan password protected archives (zip, etc) - so that attachment you got via email could have hidden malware in it.

Your question is a philosophical one - why support hyperlink navigation if some links lead to malware? Why have active web content if some of that content is malicious?

quote:
And surely having to resort to cloud solutions isn't that practical unless you have faith in the cloud.
All security comes down to faith at some point. Or trust, if you prefer that word over faith.
--
My place : »www.schettino.us


Blue2
Premium
join:2004-04-14
France
kudos:1

1 recommendation

said by JohnInSJ:

Your question is a philosophical one - why support hyperlink navigation if some links lead to malware? Why have active web content if some of that content is malicious?
No, it isn't. I don't get this article and I don't think I'm alone in that regard. Having malware hidden in a password protected archive does not seem to make it much different than any other file.

The question I raised, which perhaps eluded you, was simply: how is malware in a password-protected zip archive DIFFERENT than malware in a NON password-protected zip archive? If the AV scanner would have caught it in the NON password-protected archive, why would the AV scanner have any less chance of catching it when you insert the password and try to unpack the archive? (That's hardly philosophical.)

Your hyperlink analogy is rather ridiculous. Cudni stated "block anything password protected" and I suggested that then there would be NO point to having password-protection as a feature in archives. It's akin to saying "Don't open the door to anyone who rings the doorbell". In that case, why have doorbells? Your equivalent analogy should therefore be "why have hyperlink navigation if ALL links lead to malware?" (And I'd agree, why indeed.)

The article Cudni cited seems somewhat misleading: "Antivirus software can't see the hidden payload. Once the file is opened the payload (or malware) is on the system." That implies that once the ARCHIVE is opened, the payload is on the system. But I believe that they mean that the AV can't scan the password-protected archive, but it WILL scan it once it is opened. So what's the difference?