
I wonder if this is the right place to ask about the specific functioning of viruses / worms. We all receive fishy mails all the time. And generally I never click on anything, especially not attachments purporting to be quotes, letters, shipping bills, etc.

But I wonder how these ZIP file attachment exploits work? Do they depend on a particular bad version of ZIP? My guess is the built-in ZIP handler of Windows that opens a ZIP file like a folder, and then perhaps tries to create and show thumbnails and things like that. Or does the old PKZIP have vulnerabilities? I generally use 7-zip or just manually UNIX/cygwin unzip or java's jar to open ZIP files (and the command lines generally when I am suspicious).

Do any command line ZIP tools have known vulnerability targeted by these exploits?

Finally, the latest experience with this "Claim Letter" attachment was an HTML attachment, which has a lot of stuff inside, but ultimately another Claim Letter ZIP file.

Adding some details here. Email came with an .html attachment and inside was a bunch of stuff but mostly a ZIP file encoded in base64.

$ base64 -d Claim_Letter#842844\(13Sep2022\).threat-zip.b64 > Claim_Letter#842844\(13Sep2022\).threat-zip

$ unzip -v Claim_Letter#842844\(13Sep2022\).threat-zip
Archive:  Claim_Letter#842844(13Sep2022).threat-zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
  440320  Defl:N   237712  46% 09-13-2022 15:45 405a0e37  Claim_Letter#295370.iso
--------          -------  ---                            -------
  440320           237712  46%                            1 file

$ unzip -p Claim_Letter#842844\(13Sep2022\).threat-zip Claim_Letter#295370.iso |hexdump -c |less

As you can see, I felt secure enough to try to extract this .iso file with cygwin unzip, and then that asks for a password. So what would be the point of that?

  • *"I felt secure enough to try to extract this .iso file with cygwin unzip"* - an ISO file is a cdrom image, not a ZIP file. You cannot unpack it with unzip. For me this looks like a generic malware (likely) inside archive (ISO) inside archive (ZIP) - nothing special about this and no specific vulnerabilities to exploit to make this work. The main vulnerability here is the user who opens all this stuff since the mail sounded important. – Steffen Ullrich Sep 15 '22 at 12:42
  • @SteffenUllrich if you look again at what I wrote and what I showed, you see that I am not so stupid to believe an ISO file is a ZIP file. I said I extracted that .iso file from the ZIP file and then wanted to look at its content with hexdump. Because I doubt this is an actual ISO file. – Gunther Schadow Sep 15 '22 at 13:06
  • Sorry that I misunderstood this. It is actually pretty common that this is an ISO file since Windows will simply open it - it is just another kind of archive format. – Steffen Ullrich Sep 15 '22 at 13:43
  • @SteffenUllrich, so if Windows just opens .iso files, and possibly runs some autostart file, then that might be the vulnerability here. Someone needs to unpack it and then click on it. – Gunther Schadow Sep 19 '22 at 16:40
  • *"and possibly runs some autostart file"* - that's not what I said. Also, someone clicks on the ISO so that it will open. And then someone will click on the file inside the opened ISO container, same as someone clicks on a file opened within WinZip or similar. – Steffen Ullrich Sep 19 '22 at 16:54
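The chain described in the question and in Steffen Ullrich's comments (HTML attachment → base64 blob → ZIP → ISO → file the user is expected to click) can be triaged offline by file signature rather than by trusting extensions or double-clicking anything. The following Python script is an added example and is not code from the question or from any of the commenters; it builds its own constructed sample (a zero-filled image carrying only the ISO 9660 "CD001" signature, zipped and embedded in a small HTML page under a placeholder name) and reports what each layer really is, including whether a ZIP member is flagged as password-protected, which is what the `unzip -p` step in the question ran into. The function and constant names are the example's own.

```python
"""Offline triage of a mail attachment chain: HTML -> base64 -> ZIP -> ISO.

Added example with constructed sample data. Nothing is written to disk or executed;
every layer is classified from its file signature only.
"""
import base64
import io
import re
import zipfile

# Public format constants: an ISO 9660 primary volume descriptor starts at sector 16
# (offset 0x8000) with type byte 1 followed by the identifier "CD001".
ISO9660_MAGIC = b"CD001"
ISO9660_OFFSET = 0x8001
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate larger members (zip-bomb guard)


def identify(data: bytes) -> str:
    """Classify a blob by its signature, ignoring whatever extension it was given."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if len(data) > ISO9660_OFFSET + 5 and data[ISO9660_OFFSET:ISO9660_OFFSET + 5] == ISO9660_MAGIC:
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"%PDF":
        return "pdf"
    return "unknown"


def extract_base64_blobs(html: str, min_len: int = 64):
    """Pull long base64 runs out of an HTML attachment and decode the ones that validate."""
    blobs = []
    for m in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, html):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def triage_zip(data: bytes):
    """List ZIP members and identify what each one really is, entirely in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0 = encrypted
            entry = {"name": info.filename, "size": info.file_size, "encrypted": encrypted}
            if encrypted:
                entry["type"] = "encrypted (password required; flag read only, not inflated)"
            elif info.file_size > MAX_MEMBER_BYTES:
                entry["type"] = "skipped (too large to inflate safely)"
            else:
                entry["type"] = identify(zf.read(info.filename))
            findings.append(entry)
    return findings


def triage_html_attachment(html: str):
    """Report every embedded blob and, for ZIPs, the true type of each member."""
    results = []
    for blob in extract_base64_blobs(html):
        kind = identify(blob)
        item = {"outer": kind, "members": triage_zip(blob) if kind == "zip" else []}
        results.append(item)
    return results


def build_sample_html() -> str:
    """Constructed sample mirroring the question's chain: fake ISO inside a ZIP inside HTML."""
    iso = bytearray(0x8000 + 2048)  # 16 system-area sectors plus one volume-descriptor sector
    iso[0x8000] = 1                 # descriptor type 1 = primary volume descriptor
    iso[ISO9660_OFFSET:ISO9660_OFFSET + 5] = ISO9660_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Claim_Letter#EXAMPLE.iso", bytes(iso))  # placeholder name, not a real sample
    b64 = base64.b64encode(buf.getvalue()).decode()
    return ("<html><body><p>Please review the attached claim.</p>"
            "<script>var data='%s';</script></body></html>" % b64)


if __name__ == "__main__":
    for item in triage_html_attachment(build_sample_html()):
        print("outer blob:", item["outer"])
        for m in item["members"]:
            print("  member %s (%d bytes, encrypted=%s): %s"
                  % (m["name"], m["size"], m["encrypted"], m["type"]))
```

Run on the constructed sample it reports one outer `zip` blob whose single member is an `iso9660` image; on a real attachment you would point `triage_html_attachment` at the saved HTML text instead of `build_sample_html()`. The design point is that nothing here depends on a ZIP or ISO parser bug: each layer is just a container that a user must open by hand, so the useful check is to see what the innermost file actually is before anyone clicks on it.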

0 Answers