James Delahunty
15 Apr 2010 21:34
Security researchers have put attention on archive file formats such as RAR and ZIP files because of their potential security vulnerabilities. Up until recently many antivirus programs weren't capable of detecting malicious software in commonly used archival formats, but most antivirus vendors patched their products for better detection.
Tomislav Pericin, founder of RLPack, Mario Vuksan, an independent security researcher and Brian Karney, COO of Access Data, gave a presentation at the Black Hat security conference where they demonstrated how it is possible to tamper with popular archive formats to insert malicious code such as the Conficker worm.
Malware authors had been taking advantage of how packing malicious software in compressed archive files could trick security software, but antivirus companies stepped up efforts in detection of malware hidden in such files. However, the three researchers showed that it is still possible to evade gateway products that analyze file attachments.
"The problem is the AV vendors and the archive vendors have two different solutions. If they don't work in sync, the user can extract an archive on their PC, but the AV won't be able to, and that's a problem," Pericin said.
They found at least eight vulnerabilities in which security products failed to catch malicious files, and at least 30 other potential vulnerabilities.
Also demonstrated at the conference was how archive files can be used to embed secret content.