Dangers of .zip files

By Shawna McAlearney, News Writer
04 Mar 2004 | Security Wire Perspectives

Reader inquiries about security issues surrounding .zip files prompted a Q&A with Wild List moderator Bruce Hughes, who cites more than 40 worms since 1999 that have taken advantage of the compressed file format to spread.

We've seen a number of worms lately that have entered networks through .zip files. What can you tell us about that?
Bruce Hughes: In the past, .zip files were thought to be "safe," so many people think they're getting them for a legitimate reason. Virus writers will continue to use .zip and other file types perceived as safe to bypass gateway filtering because they know that most medium to large corporations are now blocking executable file attachments.

What other kinds of threats do .zip files pose to enterprise networks? Other users?
Hughes: Most corporations block files like screen savers (.scr) and Visual Basic Scripts (.vbs) at the e-mail gateway. Antivirus scanners can scan .zip files and stop them if a virus is detected. Unfortunately, if they don't detect something known to be malicious they allow it to go through. If the .zip format wasn't used, it would have been blocked like other unsafe file attachments. It's worse if the .zip file is password protected because AV scanners can't scan inside a password-protected file.

Is stripping .zip files at the gateway the best way to mitigate these threats? Are there less severe measures?
Hughes: A default-deny approach at the gateway is the best approach, permitting only file types that are needed to do business. Always block attachments that are unsafe, i.e. .exe, .scr, .pif, .vbs, .zip, etc.

Other measures enterprises can take include:

  • Rename files that contain .zip or other executable or blocked extensions.
  • Delay .zip files for a short period of time.
  • Inspect the contents of .zip files and deny, delay or rename attachments that are unsafe.
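
The third measure in the list above, inspecting .zip contents and choosing deny, delay or allow, as an added Python example that is not part of the interview or any gateway product's code. The blocked extensions come from Hughes's answer; the depth and size limits, the verdict names and the `build_zip` sample helper are assumptions made for illustration.

```python
import io
import zipfile

# Extensions named in the interview; the limits below are assumed policy values.
BLOCKED = {".exe", ".scr", ".pif", ".vbs"}
MAX_DEPTH = 2                  # nested archive levels to open
MAX_NESTED_BYTES = 10_000_000  # declared size limit for a nested archive
RANK = {"allow": 0, "delay": 1, "deny": 2}

def inspect_zip(data, depth=0):
    """Return (verdict, reasons); verdict is 'allow', 'delay' or 'deny'."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "deny", ["unreadable archive"]
    verdict, reasons = "allow", []
    def flag(level, why):
        nonlocal verdict
        reasons.append(why)
        if RANK[level] > RANK[verdict]:
            verdict = level
    with archive:
        for info in archive.infolist():
            base = info.filename.rsplit("/", 1)[-1].rstrip(" .").lower()
            ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
            if ext in BLOCKED:
                # Traditional zip encryption hides contents only; names stay readable.
                flag("deny", f"blocked type: {info.filename}")
            elif info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flags marks an encrypted member.
                flag("delay", f"encrypted, cannot scan: {info.filename}")
            elif ext == ".zip":
                if depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    flag("deny", f"nested too deep or too large: {info.filename}")
                else:
                    level, whys = inspect_zip(archive.read(info), depth + 1)
                    for why in whys:
                        flag(level, f"{info.filename} -> {why}")
    return verdict, reasons

def build_zip(members, encrypted=False):
    """Constructed sample; encrypted=True only sets flag bit 0, no real encryption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in members.items():
            z.writestr(name, body)
        for info in z.filelist if encrypted else []:
            info.flag_bits |= 0x1
    return buf.getvalue()
```

A member that passes these checks still has to go to the antivirus scanner; the verdict here only covers file type, encryption and nesting.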

You've alluded to .zip files as being a longstanding threat; if that's the case, why don't more enterprises filter them at the gateway?
Hughes: I think it hasn't been a big enough problem and is just now reaching the boiling point. I believe we'll start to see more and more corporations filtering .zip files from this point on.

How long will it take enterprises to learn to filter them?
Hughes: It will take some time; however, the companies that can do this quickly will benefit. Companies that block zips don't have to worry about one bypassing their antivirus scanners or other filters they have in place.

