ZIPX files that aren't: Keep a weather eye out for disguised malware in email attachments

Malware-peddling spammers are using a curious variation on the old custom file-extension dodge to evade scanning tools, according to Trustwave. By using the .zipx extension to obfuscate EXE payloads, crooks might be hoping to sneak the elderly NanoCore remote-access trojan through users' email and endpoint-scanning software. …

  1. Mike 137 Silver badge

    Security 101

    This is just one more example of a massive ancient problem. The solution: never run unknown code that arrives unexpectedly. BTW that should include pretty much all javascript arriving in the browser.

    1. Version 1.0 Silver badge

      Re: Security 101

      I run the mail server and any email that arrives with a .zipx file or any one of about another 50 risky attachments is quarantined if it passes the AV tests - so the only serious risks are when people visit websites or use USB drives. At least we only have one computer with a 3.5 disk drive.... (LOL).

  2. DwarfPants

    There was almost a standard here

    .docx = Zipped xmls representing a word doc

    .xlsx = Zipped xmls representing an Excel doc

    .lnconfigx = Zipped xmls representing a LaserNet configuration

    .zipx = Zipped xmls representing a zipped document?

    1. doublelayer Silver badge

      Re: There was almost a standard here

      From Wikipedia:

      "WinZip, starting with version 12.1, uses the extension .zipx for ZIP files that use compression methods newer than DEFLATE; specifically, methods BZip, LZMA, PPMd, Jpeg and Wavpack. The last 2 are applied to appropriate file types when "Best method" compression is selected." It doesn't explain how clicking on that executed an autoextractor, but maybe I'm overthinking it and people actually did decompress it with a compatible archive program and manually launched the files within. It's a little weird how many people will go to rather extreme lengths to execute code that is so suspicious. Last year, El Reg posted an article describing a partially successful campaign requiring users to download a RAR file and then decrypt it just to open a PDF, which some people in engineering fields actually did.

      1. Mike 137 Silver badge

        Re: There was almost a standard here

        At a conference a few years back, Microsoft reported an exercise they'd carried out. They sent an email to their staff containing text on the lines of "on no account open the attachment to this email" with an attachment that phoned home. They followed up on the "openers" with a questionnaire. The most common reason given was "I wanted to see what would happen".

        1. Michael Wojcik Silver badge

          Re: There was almost a standard here

          > on no account open the attachment to this email

          Maybe some users assumed the text was an exception handler, and they were no-account types?

          Those no-account users opening attachments ... it's a self-fulfilling prophecy, really.

      2. David 132 Silver badge

        Re: There was almost a standard here

        There was going to be a .zipy extension too, but the standards committee bungled it.

  3. Wempy

    > Despite Huddleston's jailing, NanoCore has continued to lurk online.

    Now wouldn't that be nice, as soon as you take someone off the board their footprints disappear.

    1. Throatwarbler Mangrove Silver badge

      Old and busted: summary execution

      New hotness: worldline erasure

      I would definitely support that punishment for malware writers.

      1. Michael Wojcik Silver badge

        But we'd never know if it worked.

    2. Roland6 Silver badge

      Shows he wasn't lying when he said he had sold the ownership of it to somebody else in 2016.

  4. YetAnotherJoeBlow Bronze badge

    Of course we all know that filename extensions mean absolutely nothing and that any file is hostile.

  5. Steve Jackson

    Any word on the vulnerable version of 7Zip?

    19.00 is long in the tooth and 21.01 in alpha, no mention of the vulnerability on the forum....

    1. Roland6 Silver badge

      Re: Any word on the vulnerable version of 7Zip?

      Is it a vulnerability or is it just that 7-zip is treating the file as a damaged archive and so tries to recover something from it. Obviously, need to understand just how the malware attachment abuses the .zipx format.

    2. doublelayer Silver badge

      Re: Any word on the vulnerable version of 7Zip?

      It doesn't sound like 7zip has a problem. It saw an archive and extracted files from it. It doesn't sound like it ran them. The same feature that lets you run it on an arbitrary file and it will try to find any archives inside it allowed an incorrectly-named archive file to be extracted anyway.
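An added defender-side example, not code from the article or from any commenter, assuming a Python hook on a mail gateway: it classifies an attachment by its leading magic bytes instead of its extension (the point the 7-zip discussion above makes), and for a genuine ZIP walks the local file headers to flag executable entries. The sample attachments are constructed inline and contain no real malware.

```python
import io
import os
import struct
import zipfile

SIGNATURES = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar",
              b"7z\xbc\xaf\x27\x1c": "7z", b"MZ": "exe"}
EXT_KIND = {".zip": "zip", ".zipx": "zip", ".rar": "rar", ".7z": "7z", ".exe": "exe"}
RISKY = {".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}

def sniff(data):
    """Classify content by magic bytes alone; the filename is never consulted."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def zip_entry_names(data):
    """Walk ZIP local headers (30 fixed bytes, name, extra, data); stop at a data-descriptor entry."""
    names, off = [], 0
    while data[off:off + 4] == b"PK\x03\x04":
        _, flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
        names.append(data[off + 30:off + 30 + nlen].decode("utf-8", "replace"))
        if flags & 0x08:  # sizes only known after the data; cannot skip ahead safely
            break
        off += 30 + nlen + xlen + csize
    return names

def assess(filename, data):
    """Return the reasons a mail gateway would quarantine this attachment."""
    ext, kind, reasons = os.path.splitext(filename)[1].lower(), sniff(data), []
    if kind == "exe":
        reasons.append("PE executable content regardless of name")
    expected = EXT_KIND.get(ext)
    if expected and expected != kind:
        reasons.append(f"extension {ext} claims {expected} but content is {kind}")
    if kind == "zip":
        for name in zip_entry_names(data):
            if os.path.splitext(name)[1].lower() in RISKY:
                reasons.append(f"archive entry {name!r} is executable")
    return reasons

def build_samples():
    """Constructed samples: a DOS-header stub named .zipx, a ZIP holding an .exe, a harmless ZIP."""
    out = {"report.zipx": b"MZ" + b"\x00" * 62}
    for label, entry, body in (("invoice.zipx", "invoice.exe", b"MZ"), ("notes.zip", "readme.txt", b"hi")):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(entry, body)
        out[label] = buf.getvalue()
    return out
```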

  6. Anonymous Coward

    Solution?

    Use a read-only, no Internet VM with Linux to unzip suspicious files. That way you're safe from Windows nasties, and you don't really care about Linux ones since your VM will be reset on shutdown. VirtualBox + some Linux distribution = $0 cost and 15 minutes work to set up.

    1. ortunk

      Re: Solution?

      Get a tinfoil hat and live underground where 5G cannot reach you
