ZIPs putting the zap on antivirus products
E-mail users who were slow to update their antivirus software last week may have been surprised to receive a flood of e-mail messages containing ZIP files from long lost acquaintances, business partners and complete strangers.
The e-mail was sent by the recent Mydoom e-mail worm. The ZIP attachments were evidence of what antivirus experts say is a new trend in virus writing circles: using compressed ZIP files to hide viruses and elude detection by antivirus engines.
ZIP files are containers for one or more compressed files. Using programs like WinZip for Windows or Unzip for Unix, users compact files they want to store or transfer to others. The files must then be decompressed or "unzipped" before they can be viewed.
Long a staple of Internet and office communications, the compressed ZIP file has become embroiled in an arms race between virus writers and antivirus technology companies, experts say.
"We're definitely seeing a trend," said Alex Shipp, antivirus technology expert at MessageLabs Ltd. "It really took off in 2003. As soon as one virus was successful with technology like this, other virus writers took notice."
Virus authors learned long ago to hide their creations in e-mail file attachments, often disguising viruses as Windows screen saver (SCR) files or Windows program information (PIF) files, said Mike Hrabik, chief technology officer of Solutionary Inc., a managed security services company in Omaha, Nebraska.
While ZIP files were occasionally used to mask virus payloads, the practice wasn't common in virus writing circles because ZIPs, unlike SCR and PIF files, required separate software to be installed on the receiving system before the files could be opened and run on ubiquitous Windows machines, he said.
All that changed with the release of Microsoft Corp.'s Windows XP operating system, which included native support for opening ZIP files, allowing virus writers to count on users being able to unzip their attachment and open the virus file stored inside, Shipp said.
Gerhard Eschelbeck of security vulnerability scanning company Qualys Inc. agrees, saying that embedded support for ZIPs in modern systems makes them a rich target for worms like Mydoom.
In switching to ZIPs, virus authors were also picking up on trends in legitimate e-mail traffic to hide their own malicious creations, Shipp said.
"When corporations started blocking EXE (executable) files to prevent viruses from coming into their environment, people who wanted to send EXEs back and forth started zipping them before they sent them. Virus writers noticed that and took advantage of it," he said.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
