ZIPs putting the zap on antivirus products

For mass mailing worms like Mydoom, zipping the virus payload makes it smaller and enables the worm to mail out more copies of itself in the same length of time than it could with uncompressed SCR, PIF or EXE files, Prakash said.

Zipping also changes the unique signature on the virus attachment, making it harder for antivirus engines to detect the malicious program, he said.

Eighty percent of the Mydoom samples that were submitted to Cloudmark from its SpamNet network of 800,000 users had ZIP attachments, Prakash said.

Malicious hackers are also finding other ways to maximize increased ZIP file use with viruses.

A recent security advisory from AERAsec Network Services and Security GmbH in Hohenbrunn, Germany, found that many antivirus engines are vulnerable to denial of service attacks from so-called "decompression bombs," in which gigabytes of data are zipped into very small files.

Antivirus engines that try to unzip these bombs often crash when trying to handle the huge amount of data stored in them, AERAsec researchers warned. (See http://www.aerasec.de/security/advisories/decompression-bomb-vulnerabili....)

While decompression bombs have been around since the 1980s, many software products, including antivirus engines, still do not detect such attacks, said Harald Geiger of AERAsec.

But ZIPs are not a magic bullet for virus authors. Most antivirus programs can open and analyze the contents of ZIP files, flagging any files in a ZIP that match known viruses, said Schmugar.

In the end, there are no easy answers to the ZIP file problem, experts agree.

Solutionary publishes a list of 20 recommended file extensions that should be blocked, including PIF and SCR, Hrabik said.

For others, such as Microsoft Word DOC files and Adobe PDF files, companies should block specific file names that are known to be associated with virus payloads, he said.

Best practices for companies should include scanning inside of ZIP files and using extension blocking on files contained in the archives, said NAI's Schmugar

"Security is always a trade-off," said Cloudmark's Prakash. "You can't just stop receiving EXE and ZIP files from people, because most of them are useful."

Companies need to balance business needs with security when setting up policies for files like ZIPs, he said.

Security policies that attach a trust level to certain e-mail senders outside and inside the company could be effective at blocking malicious ZIP attachments. Better user education that addresses bad habits like forwarding executable attachments could also help, Prakash said.