RE: [ISN] .zip files putting the zap on antivirus products (Three messages)

From: InfoSec News (isn@private)
Date: Thu Feb 12 2004 - 04:44:43 PST

Next message: InfoSec News: "[ISN] Secunia Weekly Summary - Issue: 2004-7"

Previous message: InfoSec News: "Re: [ISN] MyDoom author may be covering tracks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: Cuadros Alvaro <acuadros@private>

I woudn't consider that as a serious problem, Zipping ( Commpressing )  
a file has its limits you can not compress beyond what the compression
algorithms allow you to. Just try to zip or rar a file 20 times , the
result is going to be the same at the end than the one you had in the
third round.

What does count as an issue, is the fact that you can nest the files,
not because of the space it will use when uncompressed, but beacause
of the fact that if you uncompress the file once, you won't see a
malware pattern there. BUT this is a problem most antivirus have
already solved.


Regards,

-Alvaro

______________________________________________________________
Alvaro Cuadros Sagarnaga CISSP
La Paz - Bolivia
______________________________________________________________
PGP Fingerprint:      D210 2E8E A347 1EAF 7ECF  E5B9 CB60 FE29 D345 6120



-=-



Forwarded from: Jeff Meacham <Jeff.Meacham@private>

Ah, yes.... the ZIP of Death! 

Some AV products will happily unzip forever; others will honor a limit
set by the admin either to a max recursion depth or memory limit.

All it takes is one such message before you CEO calls because his golf
confirmation hasn't arrived.

As always, your mileage will vary; your swap file + available RAM
equals how many terabytes?

Jeff Meacham 
Clearswift USA



-=-



Forwarded from: Greg Morgan <Cybie@infinite-elements.com>

I just downloaded and scanned the file w/McAfee.  It detected it as
"ZIP-Crash" and didn't even have to expand the whole file.  

I wonder if it's just detecting this one file, or if it's picking it
up huristically(sp?)r.


> -----Original Message-----
> I'd call that a pretty dangerous thing, if you consider the
> following:
> 
> The zipfile you find on this website [1] is a five-level nested
> zips-in-zips-in-zip archive. It is only 42KB large, but it expands
> to 4.5 petabytes (that's 4.5 million gigabytes!) fully unpacked.
> 
> My guess is that most antivirus programs will happily try to unfold
> it in all its glory.
> 
> Is your machine swapping a lot now?
> 
> regards,
> Remco Brink
> 
> [1] http://www.unforgettable.dk/42.zip





-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "[ISN] Secunia Weekly Summary - Issue: 2004-7"
Previous message: InfoSec News: "Re: [ISN] MyDoom author may be covering tracks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Feb 12 2004 - 08:28:20 PST