Article

Bombed again: Dangerous new compressed file attacks

Shawna McAlearney, News Editor

Organizations now blocking the popular .zip file extension to prevent virus and worm attacks within compressed files now have a new challenge -- .rar files. That extension and others like it made headlines last week by providing malware writers with a new avenue of attack.

".Rar is based on a more efficient compression algorithm and so can deliver more effective attacks," said Yoz Grahame, a technology analyst with Business Data Quality Ltd. in London. "And gzipped HTML is somewhat more dangerous. This is the common technique of modern Web servers compressing HTML pages using the gzip algorithm before serving them to save bandwidth.

"If there's an enterprise-wide Web proxy in place that scans incoming content -- a very common situation -- then a bomb delivered that way could knock out Web access for the entire network," Grahame added. "This isn't quite as threatening as an e-mail attack, as an html.gz file must be requested from within the network, but it's still very possible."

Two different threats have plagued organizations that permit the use of compressed files: first viruses and worms smuggled past perimeter security defenses; then antivirus programs that crashed when unpacking files to scan them.

Peter Bieringer, a security consultant at Germany-based network security company AERAsec, last April analyzed a threat he labeled "decompression bombs," which caused many popular antivirus engines to crash when they attempted to decompress gigabytes of data and

    Requires Free Membership to View

scan hundreds and thousands of files for viruses. The result can be a denial-of-service attack against applications or systems because of the heavy processing load.

Then the most widely discussed threat was posed by popular .zip file formats, prompting many organizations to block .zip files but allowed other compressed formats to pass the gateway.

Read more on compression bombs

Malware: Bombs away
Compression formats, such as the popular .zip, are the bane of the antivirus industry, as unsuspecting users unleash worm after worm hidden within compressed files. Now, they pose a new threat.

"Decompression bombs create a denial-of-service condition by consuming available resources (CPU, memory and/or disk space)," Randy Bartels, a consulting manager at Calence Inc. in Tempe, Ariz., said in an e-mail interview. "These attacks are targeted at SMTP and, to a lesser extent, HTTP. However, this risk is elevated given the ubiquitous nature of Internet connectivity, the anonymous nature of e-mail/HTTP sessions and the data flow process of gateway-based antivirus solutions. The latter ensures that all attachments are decompressed so that they can be examined for malicious content."

Recent examples of .rar used in malicious code include some early variants of the Netsky worm, as well as a recent virus that purported to be a Microsoft patch, according to recent news reports.

"Decompression bombs exploit bugs in network services rather than specific IT strategies, so switching between .zip and .rar as an enterprise's chosen archive format will have no effect," Grahame said. "It's malicious files rather than file formats that do the damage, and there's little an enterprise can do to defend against these attacks other than upgrading or replacing those services."

"Several of the major antivirus products can now specifically detect these attacks, and some others fail gracefully, but as of late last year most products were still considered vulnerable," Grahame said. His recommendation? "Enterprise customers of all sizes should ascertain if their antivirus systems are immune from such an attack, and if not, what the vendor is doing about it."


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: