I have an email from an unknown source that is attempting to impersonate UPS. It has an attachment that is a ZIP file. I don’t intend to open it because it’s from a clearly bogus source.
However, I am curious about why anyone would send it. Can a ZIP file be dangerous? A self-extracting one can be, but it would have a .exe extension, wouldn’t it? I know that in some cases even an image file has been shown to be dangerous (can’t remember the details, maybe an exploit of an old IE flaw). But can a ZIP file execute active content if opened?
The email wants you to print the attached file. ZIP files can’t be printed directly, so of course you’re going to unzip it. Then you double-click the unzipped contents to print it. It could be an innocuous DOC or PDF or a malicious executable. Lots of people don’t pay attention to what they’re clicking. Lots of people don’t even have their file extension set to display.
First off, zips are almost universally allowed via email unlike .exe.
Secondly, it’s trivial for me to take a .exe file and give it the icon of an Acrobat file, so you think it’s a PDF. I can also name it document.pdf.exe. By default Windows will not show .exe at the end, so it will look just like a PDF to most people.
This is a common vector of attack and it’s getting pretty popular. To top it off, most people have their antiviruses set to not scan compressed files as it’s a pretty big performance hit. Personally, I’d like to see all zip implementations request a virus scan before extraction, but so far none do.
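The two tricks described in this post (an executable extension, and a decoy document extension in front of it that Windows hides by default) can be checked for before anything is extracted. This is an added example, not code from the thread: it inspects a ZIP's member names from the central directory only, and the archive and its member names are constructed for the example.

```python
import io
import zipfile

# Extensions Windows runs (or hands to a script host) on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document/image extensions commonly used as the decoy in "document.pdf.exe".
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_member(name):
    """Return the reasons a ZIP member name looks suspicious ([] if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()   # strip any folder prefix
    parts = base.split(".")
    if len(parts) < 2:                        # no extension at all (or a directory entry)
        return reasons
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            # With "hide extensions for known file types" on, Explorer drops the
            # real extension, so the user sees only the decoy name.
            shown = base[: -len(ext)]
            reasons.append(f"double extension: displays as '{shown}' "
                           "when known extensions are hidden")
    return reasons


def scan_zip(data):
    """Map every member name in the archive to its list of reasons, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_member(info.filename) for info in zf.infolist()}


def build_sample():
    """Constructed archive mimicking the 'print the attached invoice' lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_Invoice/document.pdf.exe", b"not a real binary")  # constructed
        zf.writestr("UPS_Invoice/readme.txt", b"constructed benign member")
        zf.writestr("setup.exe", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample()).items():
        print(member, "->", reasons or "ok")
```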
I may be way too techy to grasp this, but - by default, will Windows show .pdf at the end? Might it not actually register as a danger sign unto the clueless that .pdf actually shows up at the end of the filename?
Of course, I realize that this can be resolved by just naming it document.exe and having it show a PDF-like icon.
Like other people, I insist on seeing file extensions myself.
Generally speaking, opening a file in itself isn’t dangerous. Executing code of unknown origin is dangerous. Of course, some file formats such as .exes and, depending on the configuration of your computer, .docs will cause code to be executed when they are opened. Zip files are not like that, so should in theory be safe to open.
However, it is occasionally possible to get code to run simply when a file is opened, by exploiting things like buffer overruns. A bug in the application that opens files of that type causes code maliciously embedded in the file to be executed. I am not aware of any applications that mishandle .zip files in such a way, though. The attacker has to be aware of the bug and exactly how to craft the file so that the code is successfully executed. It’s a lot harder than just sending someone an .exe and hoping they run it.
I think it works through javascript abilities inside PDFs. Here’s something about it:
I would think that PDFs are actually less safe than DOCs these days, since Microsoft will disable VBAs/macros by default in Word, but I think that Adobe has Acrobat run scripts by default.
Common at one point, but I doubt it’s gaining any popularity. It’s been out there for at least five years, and all mail antivirus scanners check .zip files as a matter of course. Similarly, the double extension exploit is five-year-old news.
This probably got through because it’s a new virus, not because your gateway scanner didn’t check zip files.
In my neck of the woods it’s used for targeted attacks in my industry. It’s not sent via mass mail but to select people in my organization, all of whom deal with money. So it may not make the big “OMG VIRUS” news but it’s a real threat. As far as checking .zips go, well, the attackers wrote a custom virus for us and it was in zero virus databases. I submitted it to all the major vendors that day and didn’t see it detected for at least a week. That’s quite a bit of time for it to spread.
I can’t vouch for heuristics-based scanners, but in my experience they’re pretty lousy and usually that feature is turned off because of false positives.
>Similarly, the double extension exploit is five-year-old news.
I don’t know about you guys, but back when I had Windows, my antivirus automatically ran any time I opened a ZIP file. In fact, it would hide ZIP files that supposedly had viruses in them. This frustrated me when I discovered that one large zip file just had a single virus file in it, but was otherwise clean. I knew the file was a virus, and knew how to avoid it.
Maybe you’re just being cute, but virii has never been a word, in English or in Latin, now or ever. It never had a plural form in Latin, and as a second declension neuter noun, the plural form was unestablished. In Neo-Latin the plural form is vira, following neuter rules, but in English the plural is simply viruses.