.zip files putting the zap on antivirus products

IDG News Service - E-mail users who were slow to update their antivirus software last week may have been surprised to receive a flood of e-mail messages containing .zip files from long-lost acquaintances, business partners and complete strangers.
The e-mail was sent by the recent Mydoom e-mail worm. The zipped attachments were evidence of what antivirus experts say is a new trend in virus-writing circles: using compressed files to hide viruses and elude detection by antivirus engines.
Such files are containers for one or more compact files. Using programs such as WinZip for Windows or Unzip for Unix, users compressed files they want to store or transfer to others. The files must then be decompressed, or "unzipped," before they can be viewed. Long a staple of Internet and office communications, the .zip file has become embroiled in an arms race between virus writers and antivirus technology companies, experts said.
"We're definitely seeing a trend," said Alex Shipp, an antivirus technology expert at MessageLabs Ltd. "It really took off in 2003. As soon as one virus was successful with technology like this, other virus writers took notice."
Virus authors learned long ago to hide their creations in e-mail file attachments, often disguising viruses as Windows screen saver (.scr) files or Windows program information (.pif) files, said Mike Hrabik, chief technology officer at Solutionary Inc., a managed security services company in Omaha.
While .zip files were occasionally used to mask virus payloads, the practice wasn't common in virus-writing circles because .zip files, unlike .scr and .pif files, required separate software to be installed on the receiving system before the files can be opened and run, he said.
All that changed with the release of Microsoft Corp.'s Windows XP operating system, which included native support for opening .zip files. According to Gerhard Eschelbeck, CTO of security vulnerability scanning company Qualys Inc., embedded support for .zip files in modern systems makes them easy targets for worms like Mydoom.

In switching to .zip files, virus authors were also picking up on trends in legitimate e-mail traffic to hide their own malicious creations, Shipp said. "When corporations started blocking .exe [executable] files to prevent viruses from coming into their environment, people who wanted to send .exes back and forth started zipping them before they sent them. Virus writers noticed that and took advantage of it," he said.
Unlike .scr and .pif files, which have no use in legitimate exchanges, .zip files are an important business tool that many individuals and organizations use to transfer large files. That makes it difficult for companies to strip them out of e-mail messages without affecting employees' work, experts said.
"For the most part, .zips are effective ways to send files, so blocking them is not something you want to do, because it will break other functionality," said Craig Schmugar, antivirus research manager at Network Associates Inc.'s McAfee antivirus unit.
The files have other advantages for virus authors, said Vipul Ved Prakash, founder of San Francisco antispam company Cloudmark Inc., where he's chief scientist. For mass-mailing worms like Mydoom, zipping the virus payload makes it smaller, so more copies can be mailed in a given time period, Prakash said. Zipping also changes the unique signature on the virus attachment, making it harder for antivirus engines to detect the malicious program.
According to Prakash, 80% of the Mydoom samples that were submitted to Cloudmark from its SpamNet network of 800,000 users had zipped attachments.
Malicious hackers are also finding other ways to maximize increased .zip file use with viruses. A recent security advisory from AERAsec Network Services and Security GmbH in Hohenbrunn, Germany, found that many antivirus engines are vulnerable to denial-of-service attacks from so-called decompression bombs, in which gigabytes of data are zipped into very small files.

Antivirus engines that try to unzip these bombs often crash when trying to handle the huge amount of data stored in them, AERAsec researchers warned. While decompression bombs have been around since the 1980s, many software products, including antivirus engines, still don't detect such attacks, said Harald Geiger of AERAsec.
But .zip files aren't a magic bullet for virus authors. Most antivirus programs can open and analyze the contents of zipped files, flagging anything that matches known viruses, said Schmugar.
In the end, there are no easy answers to the .zip file problem, experts said.
Solutionary publishes a list of 20 recommended file extensions that should be blocked, including .pif and .scr, Hrabik said. For others, such as Microsoft Word .doc files and Adobe .pdf files, companies should block specific file names that are known to be associated with virus payloads, he said.
Best practices for companies should include scanning inside of .zip files and using extension blocking on files contained in the archives, said NAI's Schmugar.
"Security is always a trade-off," said Prakash. "You can't just stop receiving .exe and .zip files from people, because most of them are useful."
Companies need to balance business needs with security when setting up policies for files such as .zips, he said.
Security policies that attach a trust level to certain e-mail senders outside and inside the company could be effective at blocking malicious .zip attachments. Better user education that addresses bad habits like forwarding executable attachments could also help, Prakash said.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.