
Thread: .zip slips virii past AV scanners

  1. #1
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658

    .zip slips virii past AV scanners

    Yeah...that's a disturbing thought to say the least. Here I was thinking that all was well if I scanned my zip files...with scanning all would be ok. How wrong I was...

    This vulnerability was discovered by Mark Tesla and Chad Loder of Rapid7, a security software and consulting company that has created ZIP files that test how well different products deal with the long filenames the ZIP specification allows--and the news isn't encouraging. "Bzzt! Thank you for playing Security Bingo. Eliminated in this round are Microsoft, Apple, and IBM." All of these companies, and a host of others, make software that could be compromised by ZIP files. The application programmers have all made the same mistake of ignoring how the ZIP format works, using libraries and components that accommodate filenames only up to the OS maximum length (512 bytes for Windows, for example) instead of the 64K limit in the ZIP specification.

    What's really alarming is the vulnerability to e-mail viruses. So far, every mail gateway virus scanner Rapid7 has tested lets a virus test file sneak right through if it's in a ZIP file with long filenames--the gateway scanners only catch the test files that are embedded in a "standard" ZIP file with short entry names.
    The original article I read can be found here.
    Al
    It isn't paranoia when you KNOW they're out to get you...
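    The parsing mistake the article describes, as an added example (this is not code from the original post, the article, or Rapid7): a Python script builds a ZIP whose single entry has a 2,000-byte filename, then walks the local file headers twice, once honouring the 2-byte filename-length field the ZIP specification defines (maximum 65,535), and once the way a component with a fixed OS-sized name buffer would, using the truncated length to find the payload and the next header. The 260-byte limit, the marker string standing in for an AV signature and the "executable" payload are constructed assumptions for the demo, not values from the page.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header layout (30 bytes): signature, version needed, flags,
# compression method, mod time, mod date, crc32, compressed size,
# uncompressed size, filename length, extra field length.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
NAME_FIELD_MAX = 0xFFFF      # filename length is a 2-byte field in the spec
ASSUMED_OS_LIMIT = 260       # assumption: a fixed name buffer sized like MAX_PATH

# Constructed stand-in for an AV signature; not a real malware pattern.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"


def build_zip(name_len: int) -> bytes:
    """Build a stored (uncompressed) ZIP with one entry whose name is name_len bytes."""
    assert 5 <= name_len <= NAME_FIELD_MAX
    name = "a" * (name_len - 4) + ".exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"MZ" + MARKER + b"\x00" * 16)   # constructed payload
    return buf.getvalue()


def walk_entries(data: bytes, name_limit=None):
    """Yield (name, payload) for each local file header in data.

    name_limit=None honours the 2-byte length field as the spec requires.
    With name_limit set, the walk mimics a parser that copies the name into a
    fixed buffer and then uses the *truncated* length to locate the payload and
    the next header, which is the mistake the article describes.
    """
    off = 0
    while off + LOCAL_HDR.size <= len(data):
        (sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, xlen) = LOCAL_HDR.unpack_from(data, off)
        if sig != LOCAL_SIG:
            break   # central directory reached, or the walk desynchronised
        if flags & 0x0008:
            break   # data-descriptor entries keep sizes after the data; out of scope here
        consumed = nlen if name_limit is None else min(nlen, name_limit)
        name = data[off + LOCAL_HDR.size: off + LOCAL_HDR.size + consumed]
        payload_start = off + LOCAL_HDR.size + consumed + xlen
        yield name, data[payload_start: payload_start + csize]
        off = payload_start + csize


def scan(data: bytes, name_limit=None) -> bool:
    """Return True if MARKER is found in any entry's payload (a toy signature scan)."""
    return any(MARKER in payload for _name, payload in walk_entries(data, name_limit))


def entry_name_lengths(data: bytes, name_limit=None):
    """Lengths of the names each parser variant actually sees."""
    return [len(name) for name, _payload in walk_entries(data, name_limit)]


if __name__ == "__main__":
    for n in (20, 2000):
        z = build_zip(n)
        print(f"{n:5d}-byte name: spec parser finds marker={scan(z)}, "
              f"fixed-buffer parser finds marker={scan(z, ASSUMED_OS_LIMIT)}")
```

    With the 20-byte name both walks find the marker; with the 2,000-byte name the fixed-buffer walk lands inside the filename, sees no valid signature at the "next" header and stops, so a scanner built that way reports the archive clean without ever looking at the entry data. The example only handles entries without data descriptors (flag bit 3) and without zip64 extra fields, which is enough to show the length-field point.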

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    366
    That is scary, and the article doesn't give a real solution for now. I guess I will have to be more careful and not open zip files with longer filenames.

    Hopefully the manufacturers will put out a patch for this soon.

    Nice catch allenb.

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    216
    Thanks allenb
    It's always good to learn something new.
    Regards
    Mike
    Never miss a good opportunity to shut up.....

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    OK, I'm a little confused on this. The security issue here is that an infected file can be hidden inside a zip file by using an excessively long name, longer than the system's standard. What about when someone goes to open it? Assuming the uncompressing utility can handle file names that long, surely real-time protection would kick in then and detect and stop the operation. Nothing is said about this either way.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Junior Member
    Join Date
    Oct 2002
    Posts
    20
    Originally posted here by Tedob1
    OK, I'm a little confused on this. The security issue here is that an infected file can be hidden inside a zip file by using an excessively long name, longer than the system's standard. What about when someone goes to open it? Assuming the uncompressing utility can handle file names that long, surely real-time protection would kick in then and detect and stop the operation. Nothing is said about this either way.
    My AV does that; when I unzip something it automatically scans for viruses. If the file can't be unzipped, though, the virus can't operate until it is unzipped. So it wouldn't make a difference if the infected zip file remained zipped.

  6. #6
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    Originally posted here by l33tp3t3y
    My AV does that; when I unzip something it automatically scans for viruses. If the file can't be unzipped, though, the virus can't operate until it is unzipped. So it wouldn't make a difference if the infected zip file remained zipped.
    This is true of any AV scanner, as in general as soon as a new file is created the AV scanner will take a look at it. Depending on your AV options it may just check for executables or doc files of course.

    I guess the issue here is that you would be unaware that you have an infected file hidden in a .zip file, and if you then sent it to someone else who was not aware of security issues, it could infect their machine. Rather like forwarding an attachment to somebody without first examining it.

  7. #7
    Senior Member
    Join Date
    Jul 2002
    Posts
    167
    That's an interesting article, but I don't believe there is any need to become paranoid just yet. Most AV scanners worth their salt can scan zip files for a virus signature. From the way they described the vulnerability, a simple modification allowing more room in the filename buffer will correct this issue.

  8. #8
    Senior Member
    Join Date
    Mar 2002
    Posts
    238
    Right. This virus can't be executed unless it's uncompressed, because a virus is a file. And just like any file, compressed or deflated, it has to be in its original state before it can be run.


    Regards,
    Silentstalker
    -{[ Joe ]}- (Joe@nitesecurity.com)
    http://www.nitesecurity.com

    I'm Just A Soldier In This War Against Ignorance.

  9. #9
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    Hmm, there is a catch.

    I remember a Haxor site claiming to have a ZIP virus, one that first attacks the "Zip" program on opening, then will "disable" the anti-virus and trash the O/S.
    Well, if that is true, and this seems to be fact, I think caution, or as someone else said, "It pays to be paranoid!"


    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
