E-mail users who were slow to update their anti-virus software last week may have been surprised to receive a flood of e-mail messages containing ZIP files from long lost acquaintances, business partners and complete strangers.
The e-mail was sent by the recent Mydoom e-mail worm. The ZIP attachments were evidence of what antivirus experts say is a new trend in virus writing circles: using compressed ZIP files to hide viruses and elude detection by anti-virus engines.
ZIP files are containers for one or more compressed files. Using programs like WinZip for Windows or Unzip for Unix, users compact files they want to store or transfer to others. The files must then be decompressed, or "unzipped", before they can be viewed.
Long a staple of Internet and office communications, the compressed ZIP file has become embroiled in an arms race between virus writers and anti-virus technology companies, experts say.
"We're definitely seeing a trend," said Alex Shipp, anti-virus technology expert at MessageLabs. "It really took off in 2003. As soon as one virus was successful with technology like this, other virus writers took notice."
Virus authors learned long ago to hide their creations in e-mail file attachments, often disguising viruses as Windows screen saver (SCR) files or Windows program information (PIF) files, said Mike Hrabik, chief technology officer of Solutionary, a managed security services company in Omaha, Nebraska.
While ZIP files were occasionally used to mask virus payloads, the practice wasn't common in virus writing circles. That was because ZIPs, unlike SCR and PIF files, required separate software to be installed on the receiving system before the files could be opened and run on ubiquitous Windows machines, he said.
All that changed with the release of Microsoft's Windows XP operating system, which included native support for opening ZIP files. That allowed virus writers to count on users being able to unzip their attachment and open the virus file stored inside, Shipp said.
Gerhard Eschelbeck of security vulnerability scanning company Qualys agrees, saying that embedded support in modern systems for ZIPs makes them a rich target for worms like Mydoom.
In switching to ZIPs, virus authors are also picking up on trends in legitimate e-mail traffic to hide their own malicious creations, Shipp said.
"When corporations started blocking EXE (executable) files to prevent viruses from coming into their environment, people who wanted to send EXEs back and forth started zipping them before they sent them. Virus writers noticed that and took advantage of it," he said.
Unlike SCRs and PIFs, which have no use in legitimate exchanges, ZIP files are an important business tool that many individuals and organizations use to transfer large files. That makes it difficult for companies to strip them out of e-mail messages without affecting employees' work, experts say.
"For the most part, ZIPs are effective ways to send files, so blocking them is not something you want to do because it will break other functionality," said Craig Schmugar, anti-virus research manager at Network Associates's (NAI's) McAfee anti-virus unit.
The files have other advantages for virus authors, as well, said Vipul Ved Prakash, founder and chief scientist at anti-spam company Cloudmark of San Francisco.
For mass mailing worms like Mydoom, zipping the virus payload makes it smaller and enables the worm to mail out more copies of itself in the same length of time than it could with uncompressed SCR, PIF or EXE files, Prakash said.
Zipping also changes the unique signature on the virus attachment, making it harder for anti-virus engines to detect the malicious program, he said.
Eighty percent of the Mydoom samples that were submitted to Cloudmark, from its SpamNet network of 800,000 users, had ZIP attachments, Prakash said.
Malicious hackers are also finding other ways to maximise increased ZIP file use with viruses.
A recent security advisory from AERAsec Network Services and Security GmbH in Hohenbrunn, Germany, found that many anti-virus engines are vulnerable to denial of service attacks from so-called "decompression bombs," in which gigabytes of data are zipped into very small files.
Anti-virus engines that try to unzip these bombs often crash when trying to handle the huge amount of data stored in them, AERAsec researchers warned.