RE: [ISN] .zip files putting the zap on antivirus products (Three messages)

From: InfoSec News (isn@private)
Date: Thu Feb 12 2004 - 04:44:43 PST


    Forwarded from: Cuadros Alvaro <acuadros@private>
    
    I wouldn't consider that a serious problem. Zipping (compressing)
    a file has its limits; you cannot compress beyond what the compression
    algorithms allow you to. Just try to zip or rar a file 20 times; the
    result is going to be the same at the end as the one you had in the
    third round.
    
    What does count as an issue is the fact that you can nest the files,
    not because of the space it will use when uncompressed, but because
    of the fact that if you uncompress the file once, you won't see a
    malware pattern there. BUT this is a problem most antivirus products
    have already solved.
    
    
    Regards,
    
    -Alvaro
    
    ______________________________________________________________
    Alvaro Cuadros Sagarnaga CISSP
    La Paz - Bolivia
    ______________________________________________________________
    PGP Fingerprint:      D210 2E8E A347 1EAF 7ECF  E5B9 CB60 FE29 D345 6120
    
    
    
    -=-
    
    
    
    Forwarded from: Jeff Meacham <Jeff.Meacham@private>
    
    Ah, yes.... the ZIP of Death! 
    
    Some AV products will happily unzip forever; others will honor a limit
    set by the admin either to a max recursion depth or memory limit.
    
    All it takes is one such message before your CEO calls because his golf
    confirmation hasn't arrived.
    
    As always, your mileage will vary; your swap file + available RAM
    equals how many terabytes?
    
    Jeff Meacham 
    Clearswift USA
    
    
    
    -=-
    
    
    
    Forwarded from: Greg Morgan <Cybie@infinite-elements.com>
    
    I just downloaded and scanned the file w/McAfee.  It detected it as
    "ZIP-Crash" and didn't even have to expand the whole file.  
    
    I wonder if it's just detecting this one file, or if it's picking it
    up heuristically.
    
    
    > -----Original Message-----
    > I'd call that a pretty dangerous thing, if you consider the
    > following:
    > 
    > The zipfile you find on this website [1] is a five-level nested
    > zips-in-zips-in-zip archive. It is only 42KB large, but it expands
    > to 4.5 petabytes (that's 4.5 million gigabytes!) fully unpacked.
    > 
    > My guess is that most antivirus programs will happily try to unfold
    > it in all its glory.
    > 
    > Is your machine swapping a lot now?
    > 
    > regards,
    > Remco Brink
    > 
    > [1] http://www.unforgettable.dk/42.zip
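
The limits mentioned in the thread (a maximum recursion depth and a memory/size limit), as an added example that is not part of the original messages or of any antivirus product. The names `scan_zip`, `build_nested_zip`, `ArchiveLimitExceeded` and the default budgets are hypothetical, and the sample archive is constructed in memory.

```python
import io
import zipfile

class ArchiveLimitExceeded(Exception):
    """Raised when a nested archive exceeds the scanner's configured budget."""

def build_nested_zip(levels, payload):
    """Constructed sample input: payload wrapped in `levels` layers of zip."""
    data, name = payload, "payload.bin"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i}.zip"
    return data

def scan_zip(data, scan_leaf, max_depth=5, max_total_bytes=10 * 1024 * 1024):
    """Walk nested zips, passing each leaf to scan_leaf, within fixed budgets."""
    budget = [max_total_bytes]  # one budget shared by every nesting level
    hits = []

    def walk(blob, depth, path):
        if depth > max_depth:
            raise ArchiveLimitExceeded(f"nesting deeper than {max_depth}: {path}")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                child = f"{path}/{info.filename}"
                # Declared sizes can lie: read in chunks, charge actual bytes.
                out = bytearray()
                with zf.open(info) as member:
                    while chunk := member.read(64 * 1024):
                        budget[0] -= len(chunk)
                        if budget[0] < 0:
                            raise ArchiveLimitExceeded(f"byte budget spent: {child}")
                        out += chunk
                inner = bytes(out)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    walk(inner, depth + 1, child)  # nested archive: recurse
                elif scan_leaf(inner):
                    hits.append(child)

    walk(data, 1, "<root>")
    return hits
```

A caller would treat `ArchiveLimitExceeded` as a verdict in its own right (quarantine or reject the message) rather than as a scan error to retry.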
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Feb 12 2004 - 08:28:20 PST