As a professional forensic guy, you cannot be too careful when analyzing the evidence, especially when the case is about malware or hackers. Protecting your workstation is your responsibility. You are a professional forensic examiner, so don't get infected when examining the evidence file or network packet files.
A friend of mine, who is also a forensic examiner, became a victim yesterday. It's too ridiculous!!! She was very embarrassed. The reason why she got infected was that she extracted a zip file from a suspicious network packet file and "accessed" that zip file. Then something happened. What a tragedy~
You guys could take a look at my blog to see what's going on.
http//
I've had these concerns myself when extracting executable/script content from PCAPs. The same goes for harddrives.
Long ago, I asked Netwitness how well their software ran in a VM and they asked why. NW also rendered live content in the embedded browser (no scripts though); I don't know if RSA (who bought Netwitness) keeps doing this today. Opening a modified zip file like described can trigger an execution of the file, this is why training and experience is important.
Always make sure your analysis environment is recoverable and segmented - even within the analysis environment. Give the analyst a way to disconnect from the system if needed. It's especially important if you analyse malware and let the analyst do away with Sandboxes/Antivirus software to be able to do their job.
A friend of mine, who is also a forensic examiner, became a victim yesterday. It's too ridiculous!!! She was very embarrassed. The reason why she got infected was that she extracted a zip file from a suspicious network packet file and "accessed" that zip file. Then something happened.
Are you telling me that a .zip file infected a system only because it was "accessed"? 😯
(or as you show in the given link, the folder in which it resides was just opened in Explorer?)
It must have been an exceptionally DANGEROUS archive.
Last time I checked something needed to be "executed" on a machine to initiate an infection…
As a side note, I would be interested in the time machine you used to have the file which is dated either 3 or 4 September (and that infected your friend's machine yesterday) submitted to VirusTotal and analyzed on the 27th of August.
jaclaz
It must have been an exceptionally DANGEROUS archive.
Last time I checked something needed to be "executed" on a machine to initiate an infection…
Zip files can be crafted to execute code when opened; any infosec professional worth their salt would know this.
Zip files can be crafted to execute code when opened; any infosec professional worth their salt would know this.
Yes and no 😯 (it greatly depends on OS, file associations, system settings and often on the specific ZIP tool/library in use), however the blog shows accessing the folder containing the file in Explorer.
Of course disabling zipfldr.dll is like the first thing one should do on Windows systems.
jaclaz
Zip files can be crafted to execute code when opened; any infosec professional worth their salt would know this.
Yes and no 😯 (it greatly depends on OS, file associations, system settings and often on the specific ZIP tool/library in use), however the blog shows accessing the folder containing the file in Explorer.
Of course disabling zipfldr.dll is like the first thing one should do on Windows systems.
jaclaz
I know what I wrote. Bugs like these appear periodically and have for over a decade in various products. Just by EXISTING on a file system they can be executed by something like an indexing service or an antivirus engine.
Known documented attacks that have appeared:
- Long file names triggering buffer overflow (CVE-2006-3890, related CVE-2006-5198)
- Malicious crafted content autotriggering vulnerable (pre)viewers (MS04-028) - Mostly theoretical, but not dismissable.
Specific products being pwned by just opening the archive - without clicking or previewing any file inside the compressed archive:
- Lotus notes
http//
- CuteZip
https://
Other unpackers that have had the same problem:
- 7Zip (CVE-2016-2335 + CVE-2005-3051)
http//
https://
- WinRAR
https://
- LibArchive (CVE-2016-4300 + CVE-2016-4302)
http//
Similar bugs that didn't require any user interaction:
- Turbo Searcher (CVE-2005-3051)
http//
- Microsoft Outlook (CVE-2000-0567)
"In some cases, the message does not even have to be read for the code to be executed"
http//
Summing up: there are bugs out there that do not require user interaction; parsers can be tricked into running code just by opening the enveloping file. Some forensics software has built-in viewers, and they are not immune to such attacks. Neither are products that use third-party libraries from software manufacturers to unpack these formats.
There was a reason why I mentioned virtual machines…
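The defensive counterpart to the list above, added here as an example and not code posted by anyone in the thread: a Python script that triages a ZIP carved from a PCAP without ever handing the bytes to Explorer's zip folder, a third-party unpacker, or even Python's own zipfile reader. It parses only the central directory with struct, never decompresses an entry, and flags the things the cited bugs turn on (absurdly long names, path traversal, executables, nested archives, bomb-like compression ratios), plus a SHA-256 so the sample can be checked against antivirus or VirusTotal by hash instead of being opened. The sample archive, the flag names and the thresholds are constructed for this example; ZIP64 archives are deliberately rejected rather than guessed at.

```python
"""Static triage of a ZIP archive without opening it in any unpacker.

Only the central directory is parsed, by hand.  No entry is decompressed
and nothing is written to disk, so a malformed archive can at worst make
this script raise an exception.  Example code; thresholds are assumptions.
"""
import hashlib
import io
import struct
import zipfile  # used ONLY to build the constructed sample, never to read input
from dataclasses import dataclass, field

EOCD_SIG = b"PK\x05\x06"            # end-of-central-directory record
CDFH_SIG = b"PK\x01\x02"            # central directory file header
EOCD_FMT = "<4sHHHHIIH"             # 22 bytes
CDFH_FMT = "<4sHHHHHHIIIHHHHHII"    # 46 bytes

# Assumed triage lists: extensions a forensic examiner would want pointed out.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                  ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi", ".jar"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".cab", ".iso", ".gz", ".tar"}
MAX_SANE_NAME = 255      # longer names are what the long-file-name overflows fed on
BOMB_RATIO = 100         # uncompressed/compressed above this is bomb-like
BOMB_MIN_SIZE = 1_000_000


@dataclass
class ZipEntry:
    name: str
    compressed_size: int
    uncompressed_size: int
    flags: list = field(default_factory=list)


def parse_central_directory(data: bytes) -> list:
    """Walk the central directory and return one ZipEntry per header."""
    # The EOCD is at the very end, optionally followed by a comment of up to 64 KiB.
    eocd_at = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd_at)
    if total == 0xFFFF or cd_offset == 0xFFFFFFFF:
        raise ValueError("ZIP64 archive: not handled by this example")
    cd_end = cd_offset + cd_size
    if cd_end > eocd_at:
        raise ValueError("central directory overlaps EOCD: offsets are lying")

    entries, pos = [], cd_offset
    for _ in range(total):
        if pos + 46 > cd_end:
            raise ValueError("central directory truncated")
        f = struct.unpack_from(CDFH_FMT, data, pos)
        if f[0] != CDFH_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        gp_flags, csize, usize, nlen, xlen, clen = f[3], f[8], f[9], f[10], f[11], f[12]
        raw_name = data[pos + 46: pos + 46 + nlen]
        if len(raw_name) != nlen or pos + 46 + nlen + xlen + clen > cd_end:
            raise ValueError("header fields run past the central directory")
        # General-purpose bit 11 means UTF-8 names; otherwise historical CP437.
        name = raw_name.decode("utf-8" if gp_flags & 0x800 else "cp437", errors="replace")
        entries.append(ZipEntry(name, csize, usize))
        pos += 46 + nlen + xlen + clen
    return entries


def triage_entry(e: ZipEntry) -> ZipEntry:
    """Attach triage flags based on metadata alone."""
    parts = e.name.replace("\\", "/").split("/")
    if ".." in parts or e.name.startswith(("/", "\\")) or (len(e.name) > 1 and e.name[1] == ":"):
        e.flags.append("path-traversal")
    if len(e.name.encode("utf-8")) > MAX_SANE_NAME:
        e.flags.append("oversized-name")
    leaf = parts[-1]
    ext = ("." + leaf.rsplit(".", 1)[-1].lower()) if "." in leaf else ""
    if ext in EXECUTABLE_EXT:
        e.flags.append("executable")
    if ext in ARCHIVE_EXT:
        e.flags.append("nested-archive")
    if e.uncompressed_size >= BOMB_MIN_SIZE and \
            e.uncompressed_size > BOMB_RATIO * max(e.compressed_size, 1):
        e.flags.append("bomb-like-ratio")
    return e


def triage_archive(data: bytes) -> dict:
    """SHA-256 for hash lookup plus the flagged entry list; nothing is executed."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "entries": [triage_entry(e) for e in parse_central_directory(data)]}


def build_sample_archive() -> bytes:
    """Constructed test input (not a real capture) mixing benign and nasty entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("../../Startup/update.exe", b"MZ placeholder")  # traversal + executable
        zf.writestr("A" * 300 + ".txt", b"x")                        # absurdly long name
        zf.writestr("more.zip", b"PK placeholder")                   # archive inside archive
        zf.writestr("padding.bin", b"\0" * BOMB_MIN_SIZE)            # highly compressible filler
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print("sha256:", result["sha256"])
    for e in result["entries"]:
        shown = e.name if len(e.name) <= 40 else e.name[:37] + "..."
        print(f"{shown:44} {e.compressed_size:>8} -> {e.uncompressed_size:<8} {e.flags or ''}")
```

Run it against the carved file instead of the constructed sample by passing the file's bytes to `triage_archive`; the point is that the file is treated as data the whole way through, and anything flagged goes to the isolated VM, not to the examiner's desktop.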
I know what I wrote.
Undoubtedly, and I am not at all saying anything much different from what you wrote.
The examples you posted are all about known, several years old vulnerabilities, the only recent ones are about 7-zip (and are BTW related to parsing UDF or HFS+ filesystem, not .zip archives) and to Libarchive (BTW related to parsing 7-zip archives and not .zip ones), the issue - generically - is widely known and - as you correctly said, using a VM is strongly advised.
In any case, each of the mentioned examples affects one or the other specific tool/program (as I hinted, there was a Windows OS "generic" one several years ago).
I was instead commenting on the specific report, as - currently - there are no known vulnerabilities that could create this kind of issue, and the fact that the file has been analyzed on VirusTotal BEFORE infecting the system is - to me at least - a bit hard to digest.
Now, it is entirely possible that a new, mysterious way to craft a malicious .zip file was created lately and by pure chance happened to be in the network packet under analysis, but if this is the case, then it would be a whole new discovery that should have been properly analyzed and reported, particularly if it is an OS "system wide" issue.
So if we want to say that good practice is
1) setup a VM to analyze unknown files
2) pass *anything* having even a remote chance of containing a virus or malware through one or more antivirus checks
(because "you never know"), we are fully agreeing.
jaclaz