
I was recently visiting a semi-popular website by just typing the link into the browser. I actually was sure that I typed the right address in there. But what if I typed in the wrong address and then a malicious site was showing up? The website frontend looked the same as the original site, showing images, comments, etc. My fear is that I could get a drive-by download infecting my important ZIP files on my machine, so that every time I open my ZIPs on another machine, it executes malware. Not by adding a file to the archive, but rather by being self-executing when uncompressing the archive.

How realistic is that scenario? Am I too paranoid?

dnyc
    This is a strangely (overly?) specific question on what malware could do to your system. Note that if malware is executed it could also completely replace the ZIP files with malware, could replace files inside the ZIP with malware, could make a binary out of the ZIP file which still has ZIP as an icon, could change the program you use to zip files so that newly created zip files are all infected, and could do a lot of harm to your system without even touching any zip-related stuff. Don't trust anything on your system once it is compromised. – Steffen Ullrich Dec 23 '19 at 08:25

1 Answer


Zip files can be malicious

Just as most other types of files, zip files may be maliciously designed to exploit some security vulnerability in the application that will be opening them. For example, some 'unzipping' programs had directory traversal vulnerabilities that could allow an attacker to overwrite arbitrary system files in order to gain further access or code execution; there have been buffer overflow vulnerabilities in these programs allowing the attacker to gain arbitrary code execution when the zip file is opened, etc.

Of course, this requires either that you're running known vulnerable software, or that the attacker is exploiting a currently unknown vulnerability i.e. a zero-day exploit; as far as I am aware, there are no currently known unzipping vulnerabilities that aren't fixed in the latest software versions.

Websites don't (usually) get to modify your files

The stated risk of 'a drive-by-download infecting my important ZIP files on my machine' works a bit differently. A malicious website might trick the user into downloading some file - and possibly opening it. However, the attack would not start with infecting 'your important ZIP files'; if you don't intentionally overwrite them with whatever you're downloading, your 'clean' files won't get modified. The risk there is in opening a different, new zip (or other) malicious file downloaded from that website, not the website magically modifying some of your existing files.

There have been some exploits that allow a malicious website to break out of the browser sandbox and get unrestricted code execution on your machine. However, at that point there's still no extra risk in opening your important zip files, because the attack has already happened and does not need user involvement in opening some file.

Peteris
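As an added illustration of the directory-traversal class the answer mentions (example code, not part of the original question or answer): the pre-extraction check a hardened unzipper performs on each member name. Python's own `zipfile` already strips absolute prefixes and `..` components when extracting, so here the check is made explicit and run over a constructed archive containing one benign member and two traversal attempts.

```python
import io
import zipfile


def escapes_root(name: str) -> bool:
    """True if a member name would land outside the extraction directory.

    Flags absolute paths, Windows drive letters and any '..' that climbs above
    the archive root (a/b/../c.txt is fine; a/../../c.txt is not).
    """
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    depth = 0
    for part in name.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def unsafe_entries(zip_bytes: bytes) -> list[str]:
    """Return the member names in the archive that fail the traversal check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if escapes_root(info.filename)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any member is unsafe; otherwise extract."""
    bad = unsafe_entries(zip_bytes)
    if bad:
        raise ValueError(f"refusing to extract, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample() -> bytes:
    """Constructed archive for the demo: one benign member, two traversal tries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../outside.txt", "would be written above the target dir")
        zf.writestr("/etc/passwd", "absolute path")
    return buf.getvalue()
```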