Re: .zip files putting the zap on antivirus products

[InfoSec News <isn () c4i org>]

Forwarded from: KUIJPERS Jimmy <myemailaccount () fastmail fm>

*.zip posses no real danger in my opinion. Winzip or similiar software
was installed on many end user systems anyway. Embeding this
functionality with Windows XP doesn't really increase the risk of
virusses spreading at all.

There are virusscanners that automaticly scan e-mails attachment,
including the contents of zip files.

One could also opt to have e-mails with a .zip extention quarantined
so that the exchange admin can look at it and then foward it to the
addressed person if he considers it safe. (An admin is much more
resistant to social engineering as the average. (ofcourse this does
not address the needs of home users)

Zip files aren't self executing when viewed in the previeuw pane as
*.scr and *.exe can be made to be.

The suggestion that some people are starting to make, to block .zip
attachments from outlook e-mail all together by adding it to outlook's
hostile file list sound ridiculous to me. Think of all the practical
applications that become impossible.

Also I don't think that zipping a virus will make it spread that much
faster simply because a few bytes of bandwith are saved. Any e-mail
send is an e-mail send, fine, it's send 0.004246746 miliseconds faster
then it would have been if it's send unzipped. What does it really
matter in this age we're almost every internet user has a high speed
connection and the virus itself is so small it doesn't really matter
at all. Yes, even if you consider the fact that it might save this
small increment of time every time a user opens. The bottle neck of
the spread isn't so much bandwith, since this is plenty full, but
rather the time the virus has to wait before the user decides to open
the e-mails.

What does it matter if the virus is there 0.004246746 sooner or even 5
seconds (oohh gosh!) if the user decides to open his/her e-mail once
every 5 minutes or perhaps even less!

In the end it all comes down to the question on how we reach this
target group of users that remain ignorent and blindly open
attachments from unknown people. In my opinion the ISP's nor the
goverment can be held responsible for this, we, the security community
itself. Should find a way to educate even those users that seem not to
be awakened even when virus alerts reach the 11 o'clock news.


So that's just my 2 cents of ranting on this subject... thanks for
listening

Cheers,
Jimmy


InfoSec News wrote:

> http://www.computerworld.com/securitytopics/security/story/0,10801,89897,00.html
>
> By Paul Roberts
> FEBRUARY 05, 2004
> IDG NEWS SERVICE
>
> E-mail users who were slow to update their antivirus software last
> week may have been surprised to receive a flood of e-mail messages
> containing .zip files from long-lost acquaintances, business partners
> and complete strangers.
>
> The e-mail was sent by the recent Mydoom e-mail worm. The zipped
> attachments were evidence of what antivirus experts say is a new trend
> in virus writing circles: using compressed .zip files to hide viruses
> and elude detection by antivirus engines.
>
> Such files are containers for one or more compressed files. Using
> programs like WinZip for Windows or Unzip for Unix, users compact
> files they want to store or transfer to others. The files must then be
> decompressed, or "unzipped," before they can be viewed. Long a staple
> of Internet and office communications, the compressed .zip file has
> become embroiled in an arms race between virus writers and antivirus
> technology companies, experts said.
>
> "We're definitely seeing a trend," said Alex Shipp, an antivirus
> technology expert at MessageLabs Ltd. "It really took off in 2003. As
> soon as one virus was successful with technology like this, other
> virus writers took notice."
>
> Virus authors learned long ago to hide their creations in e-mail file
> attachments, often disguising viruses as Windows screen saver (.scr)
> files or Windows program information (.pif) files, said Mike Hrabik,
> chief technology officer at Solutionary Inc., a managed security
> services company in Omaha.
>
> While .zip files were occasionally used to mask virus payloads, the
> practice wasn't common in virus-writing circles because .zip files,
> unlike .scr and .pif files, required separate software to be installed
> on the receiving system before the files can be opened and run, he
> said.
>
> All that changed with the release of Microsoft Corp.'s Windows XP
> operating system, which included native support for opening .zip
> files. According to Gerhard Eschelbeck of security vulnerability
> scanning company Qualys Inc., embedded support for .zip files in
> modern systems makes them a rich target for worms like Mydoom.
>
> In switching to .zip files, virus authors were also picking up on
> trends in legitimate e-mail traffic to hide their own malicious
> creations, Shipp said. "When corporations started blocking .exe
> [executable] files to prevent viruses from coming into their
> environment, people who wanted to send .exes back and forth started
> zipping them before they sent them. Virus writers noticed that and
> took advantage of it," he said.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.