zipped malware confusion

hi guys, my colleague thinks that if you EXTRACT a zip file which contains malware then you can get infected, i dont think thats the case, i do know that if you RUN the contents of the zip file then you can get infected.

does anyone have any insight on this matter? if i am wrong then i would like someone to send me a pm of a zip archive which can do this and i will run it on my own machine

thanks

 

Not by simply extracting the contents, I would think.

 

Last year, several researchers noted the LNK vulnerability being exploited via email and a ZIP attachment:

More Malware Families exploits LNK Vulnerability
http://spamnews.com/The-News/Latest/More-Malware-Families-exploits-LNK-Vulnerability-2010080913563/

If the victim does so, then just viewing the LNK file (with no clicking) causes the DLL to run.

Also:

ZeuS/ZBOT and SALITY Jump on the LNK Exploit Bandwagon
http://blog.trendmicro.com/zeuszbot-and-sality-jump-on-the-lnk-exploit-bandwagon/

There wasn't evidence that this particular trick was exploited very successfully in the wild.

You can ZIP the POC for this LNK exploit and go through the motions to see how an unsuspecting victim could be tricked, assuming the computer does not have the patch.

----
rich

 

I would have gotten infected many, many times over if it were true. With exception to the far from normal circumstances that Rmus brought up, it just isn't going to happen.

 

please could you PM me a sample for testing? POC or real malware.

 

and if the user also needs to copy the dll to the root of C drive then my original statement still stands true, the fact that you cant get infected just by unzipping a zip file, if any more steps are involved then thats fair game.

 

Yes, it's possible, a recent example: CVE-2010-3970
and POC:
http://www.metasploit.com/modules/exploit/windows/fileformat/ms11_006_createsizeddibsection

fixed last patch Tuesday, in the wild for at least 1 month.

 

Example involving Adobe Reader shell extension: Quickpost: /JBIG2Decode Trigger Trio

 

Also related were the WMF exploits (on various critical vulnerabilities on windows shell graphics rendering) can do the same arbitrary code execution. Uncompressing the file/s, and just merely browsing with windows explorer and you don't even have to click any file, shellcode will be spawned most likely to download and execute malware/s. Also patched a lot of times already.

Edit:

@treehouse786: I know StevieO, a forum member but inactive for the past months, had samples of WMF POCs and exploits/malwares. Perhaps, Rmus still has those samples. Just PM him.

 

There is also the infamous zip bomb. Not directly malware but it can crash an AV or entire system.

www.en.wikipedia.org/wiki/Zip_bomb

 

Does anyone know if Acrobat X does anything to prevent this?

 

Obviously the sandbox in the Reader can't sandbox the shell extension.
The only way to harden that is full ASLR. I don't know if they are already doing it but you could verify it yourself with process explorer.

 

I thought Adobe fixed this particular vulnerability, but I could be mistaken.

From Protected Mode FAQ:

 

I think it's CVE-2009-0658. Fixed for two years now. But it wasn't the first and surely not the last. However:

You are correct. I just tested it and here's how it works: The shell extension itself can't run in a sandbox for as I said obvious reasons. Windows Explorer needs full access to the files so it can't be put into a sandbox. All shell extensions run under the explorer.exe process. The trick is, the sell extension, pdfshell.dll, calls AcroRd32.exe, running in medium IL like explorer. It spawns another AcroRd32.exe which is confined by its sandbox.
Since the shell extension is very small and doesn't have to interact with untrusted files it's pretty secure. Also, ASLR is enabled.