Researchers find bugs in archive file formats

They found it is possible to conceal malware within archive formats such as .rar and .zip

Researchers have found ways to hide malicious software in commonly used archival formats that went undetected until recently by most antivirus programs.

Most antivirus vendors have patched their applications in order to detect the tampered archive file formats, such as ".rar," and ".zip," said Tomislav Pericin, founder of the commercial software protection project RLPack.

Perison gave a presentation at the Black Hat security conference on Thursday with Mario Vuksan, an independent security researcher, and Brian Karney, the COO of AccessData.

The three researchers showed how it is possible to tamper with the archive formats and insert malicious code such as the Conficker worm, which is then executed on a person's computer.

Many corporations use so-called "gateway" security products that analyze file attachments to see if they're malicious. Hackers have found that compressing malicious files -- also known as "packing" -- can sometimes trip up security products, although those products are much better now at that kind of detection.

But the researchers showed that by tampering with different archival formats, it is still possible to evade those gateway products. That's dangerous, since an end user may then open an attachment that could allow a hacker to have remote access to a computer.

"The problem is the AV vendors and the archive vendors have two different solutions. If they don't work in sync, the user can extract an archive on their PC, but the AV won't be able to, and that's a problem," Pericin said.

Most end users do run antivirus software, which means that an executable such as Conficker would be detected when it runs. But the researchers found at least eight vulnerabilities in which security products didn't catch the bad files. Most of the affected vendors have deployed patches, Pericin said.

They've also found at least 30 other potential vulnerabilities in security products, but they're waiting for all vendors to roll out patches to see if those problems persist, Pericin said.

There are no intrinsic problems in the archival file formats themselves, and it will always be possible to modify those files, Pericin said.

The researchers also showed how it is possible to embed secret content within an archive file. The technique is generally known as stenography, or a way to write hidden messages known only to the sender and recipient. There are at least two software tools that can put hidden messages into ".zip" files.

Stenography "has a lot of implications," Pericin said. "If you are a terrorist, for example, and you want to hide communication, if you use encryption, the government can detect that. But if you hide stuff and no one is looking at it, you have this obscure channel of communication that works."

However, the researchers released on Thursday a free, open-source tool that can spot both malicious software and hidden content in archival formats. Called NyxEngine, it preprocesses archive formats, breaking inside and inspecting what's inside. It supports the ".zip," ".rar," ".gz" and ".cab" formats.

Join the CSO newsletter!

Error: Please check your email address.

Tags Archivingblack hatbugsstenographymalware

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts