Undetected Malware Code Found in Archive File Formats

Since we are always focused on computer security, we already know that a .ZIP or .RAR archive file is a common place for malware to hide, but now researchers have found that the archive file itself can be tampered with to mask malware. Not only do these tampered archive files contain malicious code, but they also go undetected by many antivirus applications.

After this discovery, many antivirus vendors went on to patch their applications so that they can detect archive files that have been tampered with to contain malicious code. The most popular archive formats to fall under scrutiny due to the latest tampering are .ZIP and .RAR files. Other affected archive formats may also include .gz and .cab files.

Word about these new malicious files spread among those attending the Black Hat security conference today through a brief presentation in which researchers explained how archive file formats can be used to insert malicious code. Surprisingly, the presentation revealed that archive files can be used to spread malware parasites such as the Conficker worm.

Several antivirus and anti-spyware programs may not be able to detect tampered archive files because hackers compress the malicious file in a way that sometimes tricks security programs. Security programs are designed to inspect attachments to determine whether they are malicious. In the case of "packed" or compressed archive files, the malicious content may not be detected until it is unpacked and executed, which may be too late.

Basically, the seriousness of malicious archive files is that hackers can tamper with them to evade security software, allowing a remote attacker to gain access to the affected system without any indication of an actual infection. Once a system is infected, it is too late to take proactive steps to block the infection.

One way of thinking about a security product attempting to detect a malicious archive file is to picture a house burglar who only looks where they expect to find valuables. If the burglar is only looking for jewelry (a malicious file inside a ZIP file) in the jewelry box, and you have a stash of cash (a tampered ZIP file) in your dresser drawer, then chances are that the cash will not get stolen, only the jewelry that is where it is supposed to be. The way to tackle malicious archive files is to search for both malicious software and hidden content in the archive file format itself.