8

I recently advised someone to share (publish) a bunch of files by just posting a .zip somewhere, but realized this may look malicious to a recipient. This suspicion might be driven from the Windows 95 or 98 era, where zip files were frequently associated with viruses (and even using Gmail in 2005 or so I remember renaming a file from .zip to .piz so I could use email to store it...)

How have zip files been used as an attack vector?

  • The simplest attack would be just compressing a malicious executable file (Windows, Mac, Linux, whatever) and hoping the user is unlucky enough to execute it, e.g. by double-clicking on it.
  • Some media files can execute code upon being read in certain OSes (I learned on Superuser just now).
  • But it's also likely enough that a decompressor would have a memory bug in it that can lead to malicious content being executed.

Which of these have historically (in the last 20 years or so) been the reason .zip is seen as dangerous? Even sending a compressed malicious executable is a more difficult attack vector than it used to be, since OSes like Mac OS make it "annoying" for the user to execute an arbitrary downloaded file.

djechlin

2 Answers

7

I still get a lot of email viruses that use Zip archives as payload. Initially, virus authors would use Zip archives to evade detection by antivirus software that merely looks for executable files. Antivirus authors adapted and began to recognize the Zip archives and scan their contents.

Some virus authors tried some things such as nesting Zip archives in Zip archives, counting on the human user to keep on clicking while the antivirus would not be as thorough. Some have begun to use Zip bombs. As usual, malware and antimalware developers are engaged in a never-ending hide-and-seek game.

The real killer is when virus authors began to send encrypted Zip archives, with the decryption password being written as simple text (or a picture, or some other mechanism) in the accompanying email. This relies on the human user trying to open the Zip, then dutifully typing the password that was provided in the email "for security reasons". Some people really do that! This effectively prevents antivirus software from scanning the Zip contents, so some antivirus products simply declare all Zip files to be terminally evil and shoot them on sight.

Thomas Pornin
  • How can a .zip file infect you by just opening it? Even if you manually wrote the password but executed nothing? Hopefully (good) antivirus should have algorithms running in real time for events like this, and the OS by now makes it pretty hard for anything to get executed or done without yelling at the user, especially if it requires privileges. I remember now all the times my AV excluded many zips that were inoffensive but were suspicious (with reason) to their algorithms as soon as I downloaded them – Freedo Nov 12 '15 at 02:01
  • @Freedo: don't place too much trust in AV, because they often can be easily bypassed (polyglot attacks, malware requiring user interaction...). And users are actually trained to open files from within a ZIP file, because that's the way they use to share their files without getting bothered by overly sensitive AV. So they are used to the AV yelling at them and ignore the yelling. Never underestimate the ability of a human to ignore seemingly unrelated problems if they need to do their job. – Steffen Ullrich Nov 12 '15 at 06:41
  • Hey, when are you going to draw something more acceptable on your web page instead of the bolet? http://www.bolet.org/~pornin/ – Memet Olsen Nov 27 '15 at 08:10
  • @Freedo In theory, a malicious zip file can infect you upon opening by abusing an exploitable bug in the decompression utility. This is a rather advanced attack though and is unlikely to be used by malware authors all that much. – forest Dec 19 '17 at 09:28
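The tricks the answer above lists (nested archives, Zip bombs, password-protected entries whose contents a scanner cannot see, and a compressed executable waiting for a double-click) all leave traces in the archive's own metadata, so a mail gateway can triage an attachment before anyone extracts it. The following script is an added example written for this page, not code from either answer or from any antivirus product: it walks the central directory with Python's standard `zipfile` module, flags the "encrypted" bit, runnable and double extensions, nested archives (by extension or magic bytes), bomb-like compression ratios, and descends a bounded number of levels into plain nested zips while peeking at only a few bytes of each entry. The thresholds (`MAX_RATIO`, `MAX_TOTAL_UNCOMPRESSED`, `MAX_DEPTH`, `MAX_NESTED_BYTES`) and the extension lists are assumptions to tune for your own mail flow, and the sample attachment is constructed inline (Python cannot write real Zip encryption, so the sample's encryption flag is set by patching the central-directory record directly).

```python
"""Static triage of a Zip attachment from its central directory alone.
Added example; thresholds and extension lists below are assumptions."""
import io
import struct
import zipfile

ARCHIVE_EXT = {".zip", ".rar", ".7z", ".gz", ".tar", ".cab"}
RUNNABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse",
                ".vbs", ".wsf", ".hta", ".pif", ".lnk"}
ARCHIVE_MAGICS = (b"PK\x03\x04", b"Rar!\x1a\x07", b"7z\xbc\xaf\x27\x1c")
MAX_RATIO = 100                   # uncompressed/compressed above this looks like a bomb
MAX_TOTAL_UNCOMPRESSED = 1 << 30  # 1 GiB of declared size is a second bomb signal
MAX_DEPTH = 3                     # how many levels of "zip inside a zip" to follow
MAX_NESTED_BYTES = 8 << 20        # only fully read nested zips up to 8 MiB


def _exts(name):
    """Extensions of the base name, e.g. 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_entry(info, head=b""):
    """Findings for one ZipInfo; `head` is the entry's first bytes, if readable."""
    findings = []
    exts = _exts(info.filename)
    if info.flag_bits & 0x1:
        findings.append("encrypted")          # password-protected: nothing can look inside
    if exts and exts[-1] in RUNNABLE_EXT:
        findings.append("runnable")
    if len(exts) >= 2 and exts[-1] in RUNNABLE_EXT:
        findings.append("double-extension")   # 'invoice.pdf.exe' relies on hidden extensions
    if (exts and exts[-1] in ARCHIVE_EXT) or head.startswith(ARCHIVE_MAGICS):
        findings.append("nested-archive")
    if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
        findings.append("high-ratio")
    return findings


def triage_zip(data, depth=0, prefix=""):
    """Return {entry name: [findings]} for every suspicious entry, recursing into nested zips."""
    report, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            head = b""
            if not info.flag_bits & 0x1:          # an encrypted entry cannot be peeked at
                with zf.open(info) as fh:
                    head = fh.read(8)             # bounded read: never inflate a bomb
            label = prefix + info.filename
            findings = classify_entry(info, head)
            if (head.startswith(b"PK\x03\x04") and depth < MAX_DEPTH
                    and info.file_size <= MAX_NESTED_BYTES):
                try:
                    report.update(triage_zip(zf.read(info), depth + 1, label + "!"))
                except zipfile.BadZipFile:
                    findings.append("unreadable-nested")
            if findings:
                report[label] = findings
    if total > MAX_TOTAL_UNCOMPRESSED:
        report[prefix + "<archive>"] = ["declared-size-over-limit"]
    return report


def _mark_encrypted(zip_bytes, name):
    """Set bit 0 of the general-purpose flag in `name`'s central-directory record.
    Record layout: 'PK\\x01\\x02', then flags at +8, name length at +28,
    46 fixed bytes, then the file name. Used only to build the constructed sample."""
    buf = bytearray(zip_bytes)
    idx = buf.find(b"PK\x01\x02")
    while idx != -1:
        (name_len,) = struct.unpack_from("<H", buf, idx + 28)
        if bytes(buf[idx + 46:idx + 46 + name_len]) == name.encode():
            (flags,) = struct.unpack_from("<H", buf, idx + 8)
            struct.pack_into("<H", buf, idx + 8, flags | 0x1)
            return bytes(buf)
        idx = buf.find(b"PK\x01\x02", idx + 4)
    raise KeyError(name)


def build_sample():
    """Constructed attachment containing one of each trick (not a real malware sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", "please run setup")
        z.writestr("setup.exe", b"MZ" + b"\0" * 64)          # fake PE header, inert
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.pdf.exe", b"MZ" + b"\0" * 64)
        z.writestr("more/report.zip", inner.getvalue())
        z.writestr("padding.bin", b"\0" * (2 << 20))           # 2 MiB of zeros: bomb-like ratio
        z.writestr("secret.doc", b"not really encrypted")
    return _mark_encrypted(outer.getvalue(), "secret.doc")


if __name__ == "__main__":
    for name, why in sorted(triage_zip(build_sample()).items()):
        print(f"{name}: {', '.join(why)}")
```

The design choice worth noting is that nothing here needs the archive to be extracted: the encryption flag, sizes and names come from the central directory, only eight bytes of each readable entry are inflated to check for a nested archive, and recursion stops at a depth and size cap, which is exactly what keeps a scanner from being the victim of the Zip bomb it is looking for. An entry it cannot inspect (the encrypted one) is reported as such, so policy can decide whether "unscannable" should be treated the same as "malicious".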
0

The SecureList Q3 2015 Spam and Phishing report says that zips are still alive and well.

The text informed recipients that the attachment contained an e-ticket. In fact, the ZIP archive contained Trojan.Win32.Xtrat Trojan and the DDoS bot Nitol (the module used to organize DDoS attacks).

...

In July, fraudsters tried to trick users by sending fake notifications on behalf of hotels. The message thanked the recipients for staying in their hotel and asked them to view the attached bill. The attached archive actually contained Trojan-Downloader.Win32.Upatre.dhwi, which in turn downloaded and ran Trojan-Banker.Win32.Dyre (viewed as 98.***.**.39/cv17.rar) by clicking the links written in the body of the downloader.

...

The text in the email could easily be seen as a legitimate request from a client; however, the ZIP attachment contained Trojan-Downloader.JS.Agent.hhi that downloaded Backdoor.Win32.Androm.

schroeder