Malicious Logic in ZIP Files?

royrodgers

Hello. I am fairly ignorant to the nature of computer viruses and their
cousins, but I have taken up an interest in learning more. I just
received an email with a faked return address, bearing a zip file as an
attachment. Obviously somebody is up to no-good. It has made me curious
though.

It is my intention to examine this file. I am not aware that the action
of uncompressing a zip archive will enable any code execution. Is this
correct?

If the compressed file(s) contain any executable code then I will
decompile it and examine the binary. I am under the impression that
the only types of files that can hurt you are:
1. executables (.exe, .com, etc...)
2. documents with embedded scripting (i.e. MS Office)
3. files of types 1 & 2, occluded by false or extra file name
extension.

Is that correct?

Thanks!

Eric
 
> Hello. I am fairly ignorant to the nature of computer viruses and their
> cousins, but I have taken up an interest in learning more. I just
> received an email with a faked return address, bearing a zip file as an
> attachment. Obviously somebody is up to no-good.

Assume all unsolicited attachments are malicious and delete them.

> It has made me curious
> though.

You know what they say about curiosity and cats :) If you want to know
the malware name(s) av vendors have assigned to it, upload it for
scanning here:

http://www.virustotal.com/flash/index_en.html

Then Google up descriptions.

> It is my intention to examine this file.

On a test machine, I hope. With a fully cloned backup drive.

> I am not aware that the action
> of uncompressing a zip archive will enable any code execution. Is this
> correct?

Usually.

> If the compressed file(s) contain any executable code then I will
> decompile it and examine the binary. I am under the impression that
> the only types of files that can hurt you are:
> 1. executables (.exe, .com, etc...)

Windows has dozens of "executable" file types and extensions. Take
an htm or html file for example. It will "Open" in the default browser.
If that default browser is IE and the security settings allow
scripting and activex you could be in deep doodoo. There are invisible
executable file extensions for so-called scrap files (shs and shb).
The list goes on and on.

> 2. documents with embedded scripting (i.e. MS Office)

And macro viruses and embedded Trojans made with OLE.

Lotsa luck :)

Art

http://home.epix.net/~artnpeg
 
> Thanks for your reply.
>
> Usually? Could you please elaborate on this?

aside from the compression bombs mentioned, there have also been other
issues... in the distant past there was something called an ansi bomb
that could be inserted into the comment header of compressed archives
and get executed by displaying that header upon decompression of the
archive (a default behaviour that had to be changed)... that was before
windows, of course...

aside from that there are also occasional vulnerabilities discovered in
various applications and decompression tools like winzip are not immune
to that... i imagine there have been some that resulted in code
execution but i can't think of any specific instances off the top of my
head...

if you're using the most up to date version of your decompression
software then that's a good start to keeping yourself safe from the
possibility of code execution on decompression... another thing you can
try is not being too curious about suspect archives, don't bother
looking at content you don't have some expectation you can trust (stay
away from those from questionable sources)...
 
> Unzipping a zip bomb won't lead to code execution, but might fill up
> your hard disk.

How do you fill a hard disk without executing code? :) See my point?
It doesn't matter how the code is executed or by what. All that
matters is that undesirable consequences may result from decompressing
archives.

Art

http://home.epix.net/~artnpeg
 
> Hello. I am fairly ignorant to the nature of computer viruses and their
> cousins, but I have taken up an interest in learning more. I just
> received an email with a faked return address, bearing a zip file as an
> attachment. Obviously somebody is up to no-good. It has made me curious
> though.
>
> It is my intention to examine this file. I am not aware that the action
> of uncompressing a zip archive will enable any code execution. Is this
> correct?

No. A zip archive is a data file that the de-archiving application uses to
recreate the files that were archived. Unzipping may be perfectly safe if
you happen to use a safe de-archiving application, and unsafe if not. It
all depends on the integrity of the software around the use of the data
file including the OS.

> If the compressed file(s) contain any executable code then I will
> decompile it and examine the binary. I am under the impression that
> the only types of files that can hurt you are:
> 1. executables (.exe, .com, etc...)
> 2. documents with embedded scripting (i.e. MS Office)
> 3. files of types 1 & 2, occluded by false or extra file name
> extension.
>
> Is that correct?

Only if you limit the "only types of files that can hurt you" to executables
and some known extensible non-executables that can 'contain' executable
code can you even begin to hope for a small list. Since much malware has
been written to exploit broken software through user supplied data, even
simple data filetypes can be unsafe to "open" with some applications.
 
> How do you fill a hard disk without executing code? :) ...snipped...
> Art

Just thinking out loud: A huge file consisting of an extremely simple binary
pattern, such as all zeros, or a 1 and seven 0's over and over, would probably
compress to a very small file.
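A defender-side check that follows from the points raised in this thread (archives that expand to fill a disk, executable or double-extension entries hidden inside the archive, and control sequences in the archive comment), added here as example code rather than anything posted by the participants. The extension list, the thresholds and the sample archive it builds are constructed for the demonstration; it reads only the archive headers and extracts nothing.

```python
import io
import re
import zipfile

# File types the thread calls out as able to run or carry code when "opened".
RISKY_EXT = {"exe", "com", "htm", "html", "shs", "shb", "doc", "xls", "ppt"}
MAX_TOTAL = 50 * 1024 * 1024   # refuse archives that would expand past 50 MiB
MAX_RATIO = 100                # ordinary data rarely deflates better than this

def inspect_zip(data: bytes) -> dict:
    """Read only the central directory; nothing is extracted to disk."""
    findings, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Some tools display the archive comment on open; the old "ANSI bomb"
        # relied on escape sequences there, so flag control bytes.
        if re.search(rb"[\x00-\x08\x0b\x0c\x0e-\x1f]", zf.comment):
            findings.append("archive comment contains control characters")
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            exts = info.filename.rsplit("/", 1)[-1].lower().split(".")[1:]
            if exts and exts[-1] in RISKY_EXT:
                findings.append(f"{info.filename}: executable or scriptable type")
                if len(exts) >= 2:
                    findings.append(f"{info.filename}: double extension hides real type")
            # Declared sizes come from the headers, so the ratio is known up front.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                findings.append(f"{info.filename}: compression ratio {ratio:.0f}:1")
    if total > MAX_TOTAL:
        findings.append(f"archive would expand to {total} bytes")
    return {"total_uncompressed": total, "findings": findings}

def build_sample() -> bytes:
    """Constructed sample: a double-extension name, a zeros-filled entry and an
    ESC sequence in the comment (all made up here for the demonstration)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("pattern.bin", b"\x00" * (1024 * 1024))  # 1 MiB of zeros
        zf.comment = b"see readme \x1b[2J"
    return buf.getvalue()

if __name__ == "__main__":
    for line in inspect_zip(build_sample())["findings"]:
        print(line)
```

The sizes are the values the archive declares about itself, so this catches crude bombs and mislabelled entries but is no substitute for an up-to-date extractor and a disposable test machine.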
 