KAV detect malicious programs spreading in password protected ZIP files

Kaspersky Labs, a leading information security software company, presents a brand new technology protecting against Internet worms spreading in password protected ZIP compressed files.

Malicious programs that spread in protected ZIP files are particularly difficult to detect. Firstly, a password scanning module is necessary to scan these archives. Secondly, scanning ZIP files requires additional system resources and can significantly impair system performance.

Fearso, an Internet worm that appeared in the summer of 2003, was the first malicious program to spread in protected ZIP files. However, despite the fact that 24 versions of Fearso exist, this particular worm has never been detected in the wild. The recent outbreak of Bagel worms, specifically version F through J, amply demonstrated the real danger of this propagation method.

Kaspersky Labs has responded with a completely new technology to deflect malicious programs spreading in password protected ZIP files: a technique which guarantees reliability and speed. Kaspersky® Anti-Virus can now detect protected ZIP archives, scan the email body for the password and then unpack and check the attachment for viruses.
"This new technology protects users from new generation worms, specifically worms that hide in password protected ZIP files. 5 worms using this technique appeared within only 4 days - a new trend has been set in the computer underground", commented Eugene Kaspersky, head of anti-virus research at Kaspersky Labs.

Currently, Kaspersky® Anti-Virus is the only antivirus offering effective protection against malicious programs spreading via password protected ZIP files. Registered users of Kaspersky Anti-Virus will be fully protected once they download the latest antivirus database updates.

 

Thanks for the info, Izi !


Oops, there is something I don't understand, I'm afraid
What harm can a (password protected) zip-file do?

OK, at one hand I can understand that people don't want any malware -even in a zip-file- on their system.
So this feature is surely nice in that aspect.

But at the other hand the malware in that zip-file cannot do anything.
And once it is unzipped, by what ever means, then your resident AV should jump in.

I guess I'm really misunderstanding something here

 

Here's some info along the same lines. If I'm off base please forgive me.

WinZip 9.0 Fixes a Security Issue with MIME-Encoded Files

WinZip 9.0, released in February 2004, contains a fix for a recently-discovered security vulnerability affecting earlier versions of WinZip. The vulnerability does not affect .ZIP files. Instead, it affects the MIME-encoded files that WinZip is also able to work with.

Q: What is the vulnerability that is fixed in WinZip 9.0?
A: The problem involves a buffer overflow that can be triggered by invalid data in a MIME-encoded file, with one of the extensions listed below, that is opened by earlier versions of WinZip.
An attacker could attempt to use this buffer overflow to create a file that would execute malicious code of their choice when the file was opened by an earlier version of WinZip. The attacker would have to give the file one of the affected extensions, and would then have to trick you into opening the file, for example by sending it to you as an e-mail attachment.


Q: What types of files are affected?
A: Files with the following extensions, which are by default associated with WinZip and which are used in connection with MIME-encoded data, are affected: .MIM, .UUE, .UU, .B64, .BHX, .HQX, and .XXE.
Other filetypes associated with WinZip, such as .ZIP, .TAR, and .CAB, are not affected.

Any file whose extension begins with the letters .UU could also be affected, although with the exception of the .UU and .UUE extensions, these files would not normally be associated with WinZip and are therefore not likely to be opened by WinZip.

Merely including files with one of the affected extensions within a ZIP archive, or extracting files with these extensions from a ZIP archive, will not cause a problem. Instead, an invalid file with one of these extensions must be directly opened by WinZip; this would normally happen only if you double-click on an invalid file having an extension of .MIM, .B64, .BHX, .HQX, .XXE, .UU, or .UUE.


The only reason I know anything about this is I just updated my compression utility. Hope it helps. (And hope it's on track with this thread )

 

fanj no need for sarcasm:-most of us know that viruses are safe inside uncrompressed archives,but I for one would prefer my AV to catch it before decompression rather than relying on it being caught on opening

 

sorry meant to say :-safe in compressed(zipped)archives

 

Been giving this some thought how about this for a senario:- a file inside an archive that the nod scanner cannot scan(by the way:- this file is a virus that nod can only identify with AH enabled) cos nod doesn't detect anything by scanning this archive you open it,now you are relying on amon to catch this virus:-but amon doesn't/cannot use AH so are you now protected?
Steve

 

Nonsense,
Kaspersky was very slow here. 2 days after MC Afee and AntiVir they did detect it in the encrypted ZIP File. However, MC Afee and AntiVir are the only 2 programs which can detect this worm without the email text in the encrypted ZIP File.

MC Afee uses here a plain and simple way; it checks the size of the ZIP-File (must be smaller than 30 KB) and looks for well known EXE - Names (such as Picture.Exe) in the encrypted ZIP. Just compress a File into a encrypted ZIP with a size of 23 KB, name it Picture.exe and MC Afee flags it ( false positive by the way... )

Antivir uses here the most advanced technologie - it is be able to scan the true entrys.

Regards,
Godzilla

 

This worm is easy to detect - they just need to add a signature for AMON; That's all.

Regards,
Godzilla

 

It was not aimed at this worm,but any in the future that may rely on AH for detection,having the on demand scanner able to use AH but the resiident monitor not able to seems to be a potential weakness that could be exploited
Steve
(but then again most other AVs rely on def updates,its just something I'd like to see "fixed")

 

godzila:-what happens with McFee if the bloat the zip to be bigger than 30K?

 

Hi Steve,

There was not ANY intention to sound sarcastic when I wrote that posting!
If I did give that impression, then I really do apologize.
Please keep in mind that English is not my native language.

And just for the record:
I DO have both KAV and NOD32.
And I DID pay for them.

Regards, FanJ

 

Hi Fanj:your english seems better than mine and I am english!
Cheers Steve

 

Well such worms with password encrypted archives do not have a good chance to alive.
Most users are to lazy to unpack this with password

--- kidding on ---
Just imagine this - a worm comes into your inbox and tells you in the plaintext that you have to install PGP and DriveCrypt first, because the worm needs this to run and to encrypt your HDD because the author of this worm was to lazy to code this payload byself

Or think about a worm in a plain textfile. It could look like this:

From: *******************
To: ******************
Subject: Hello, i am a new internet worm !

Unfortunely the author of this worm was to lazy to code a real worm - please forward this worm to a few friends and at the 23th march please delete a few files in your Windows Folder.

Thank you for your help,
The Worm

--- kidding off ---

*lol*

 

Hello,
I've many password samples and NOD also detect it without the body of the message like Panda.
KAV need the body of the message to scan NOD NOT.

 

DrWeb also announced a patch for this.

"DialogueScience, Inc. announces the release of the second patch to version 4.31 of Dr.Web® antivirus for Windows. The most important impovement was implemented in the antivirus engine and enables the detection of Win32.HLLM.Beagle-family worms in password-protected archives that are sent via e-mail. Igor Daniloff's Antivirus Labs have found and outstanding solution to detect 100% of those new generation worms so far inaccessible for regular antivirus software."

http://www.dials.ru/english/inf/news.php?id=738

Do you mean NOD and Panda are able to detect malware inside password protected zip or rars? When you say "samples" do you only mean samples that are from the family of this latest worm or other samples as well?

 

To some worms.

 

I tested the above matter, to rename certain .exe files into picture.exe, though the exe file size ranging from 5kb --- 24kb and after compression become lesser in file size and not exactly 23kb, but i can't get the macfee false positive while scanning the encrypted zip picture.exe renamed files?

Should the zip file be exact 23kb in size? thanks

 

For sir_carew:

Only KAV detect protected ZIP archives. Password must be in body of mail where this ZIP is. I have NOD and NOD didn't detect protected ZIP archives.

Izi

 

Scanning for viruses inside archives is a lame resource wasing "feature" thought up by advertising men.

It has no value in the real world.