zipped malware confusion

Discussion in 'malware problems & news' started by treehouse786, Feb 16, 2011.

Thread Status:
Not open for further replies.
  1. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    Hi guys, my colleague thinks that if you EXTRACT a zip file which contains malware then you can get infected. I don't think that's the case; I do know that if you RUN the contents of the zip file then you can get infected.

    Does anyone have any insight on this matter? If I am wrong then I would like someone to send me a PM of a zip archive which can do this and I will run it on my own machine.

    Thanks
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Not by simply extracting the contents, I would think.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Last year, several researchers noted the LNK vulnerability being exploited via email and a ZIP attachment:

    More Malware Families exploits LNK Vulnerability
    http://spamnews.com/The-News/Latest/More-Malware-Families-exploits-LNK-Vulnerability-2010080913563/
    If the victim does so, then just viewing the LNK file (with no clicking) causes the DLL to run.

    Also:

    ZeuS/ZBOT and SALITY Jump on the LNK Exploit Bandwagon
    http://blog.trendmicro.com/zeuszbot-and-sality-jump-on-the-lnk-exploit-bandwagon/

    There wasn't evidence that this particular trick was exploited very successfully in the wild.

    You can ZIP the POC for this LNK exploit and go through the motions to see how an unsuspecting victim could be tricked, assuming the computer does not have the patch.

    ----
    rich
     
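    The thread separates three things: extracting an archive, viewing its contents in a file browser, and running them. A defender can add a fourth step that happens before any of those: list the archive's entry names and flag what deserves a second look. The script below is an added example written for this page, not code from the thread or from any poster. The extension lists, the `triage_zip` function and the sample archive are constructed for illustration; the standard `zipfile` module is used because the script reads only entry names from the archive and never extracts or opens a file.

```python
import io
import posixpath
import zipfile
from collections import defaultdict

# Hypothetical extension lists for this example (not from the thread):
# entries a file browser or shell extension may process while merely
# rendering a folder listing (shortcut icons, metafile thumbnails), and
# plain executables that are harmful only if run.
VIEW_TRIGGERED = {".lnk", ".wmf"}
EXECUTABLE = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}


def is_unsafe_path(name: str) -> bool:
    """True if an archive entry name would escape the extraction directory.

    Absolute paths, drive letters and '..' components are the classic ways
    an archive writes outside the folder the user chose (path traversal).
    """
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True
    return ".." in name.replace("\\", "/").split("/")


def triage_zip(data: bytes) -> dict:
    """Inspect an archive's entry names only; nothing is extracted or opened."""
    findings = {
        "unsafe_paths": [],     # entries that escape the extraction directory
        "view_triggered": [],   # entries a file browser may act on when listed
        "executables": [],      # entries that are harmful only if run
        "lnk_dll_pairs": [],    # directories holding a .lnk next to a .dll
    }
    exts_by_dir = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            if is_unsafe_path(name):
                findings["unsafe_paths"].append(name)
            if ext in VIEW_TRIGGERED:
                findings["view_triggered"].append(name)
            if ext in EXECUTABLE:
                findings["executables"].append(name)
            exts_by_dir[posixpath.dirname(name)].add(ext)
    # A shortcut shipped beside a DLL matches the layout the thread describes
    # for the LNK issue: the DLL was loaded when the folder was displayed.
    for directory, exts in exts_by_dir.items():
        if {".lnk", ".dll"} <= exts:
            findings["lnk_dll_pairs"].append(directory or ".")
    findings["needs_review"] = bool(
        findings["unsafe_paths"]
        or findings["view_triggered"]
        or findings["lnk_dll_pairs"]
    )
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: placeholder bytes, nothing real inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"constructed placeholder, not a real PDF")
        zf.writestr("docs/readme.lnk", b"constructed placeholder, not a real shortcut")
        zf.writestr("docs/helper.dll", b"constructed placeholder, not a real DLL")
        zf.writestr("photos/holiday.wmf", b"constructed placeholder, not a real metafile")
        zf.writestr("../../startup.exe", b"constructed placeholder, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_zip(build_sample_zip()).items():
        print(f"{key}: {value}")
```

    The script deliberately stops at the central directory: reading names cannot trigger a shell handler, which is the whole point of doing it before the files ever land in a folder that Explorer will render. A `needs_review` result is a reason to extract into an isolated machine rather than a verdict that the archive is malicious.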
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I would have gotten infected many, many times over if it were true. With the exception of the far-from-normal circumstances that Rmus brought up, it just isn't going to happen.
     
  5. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    Please could you PM me a sample for testing? POC or real malware.
     
  6. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    And if the user also needs to copy the DLL to the root of the C drive then my original statement still stands true: you can't get infected just by unzipping a zip file. If any more steps are involved then that's fair game.
     
  7. katio

    katio Guest

  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Also related were the WMF exploits (on various critical vulnerabilities in Windows shell graphics rendering), which can do the same arbitrary code execution. Uncompress the file(s) and just browse with Windows Explorer, and you don't even have to click any file: shellcode will be spawned, most likely to download and execute malware(s). Also patched a lot of times already.

    Edit:

    @treehouse786: I know StevieO, a forum member but inactive for the past months, had samples of WMF POCs and exploits/malware. Perhaps Rmus still has those samples. Just PM him.
     
    Last edited: Feb 23, 2011
  10. x942

    x942 Guest

  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Does anyone know if Acrobat X does anything to prevent this?
     
  12. katio

    katio Guest

    Obviously the sandbox in the Reader can't sandbox the shell extension.
    The only way to harden that is full ASLR. I don't know if they are already doing it but you could verify it yourself with process explorer.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I thought Adobe fixed this particular vulnerability, but I could be mistaken.

    From Protected Mode FAQ:
     
  14. katio

    katio Guest

    I think it's CVE-2009-0658. Fixed for two years now. But it wasn't the first and surely not the last. However:
    You are correct. I just tested it and here's how it works: the shell extension itself can't run in a sandbox for, as I said, obvious reasons. Windows Explorer needs full access to the files, so it can't be put into a sandbox. All shell extensions run under the explorer.exe process. The trick is, the shell extension, pdfshell.dll, calls AcroRd32.exe, running in medium IL like Explorer. It spawns another AcroRd32.exe which is confined by its sandbox.
    Since the shell extension is very small and doesn't have to interact with untrusted files, it's pretty secure. Also, ASLR is enabled.
     