Malware-peddling spammers are using a curious variation on the old custom file-extension dodge to evade scanning tools, according to Trustwave. By using the .zipx extension to obfuscate EXE payloads, crooks might be hoping to sneak the elderly NanoCore remote-access trojan through users' email and endpoint-scanning software. …
I run the mail server and any email that arrives with a .zipx file or any one of about another 50 risky attachments is quarantined if it passes the AV tests, so the only serious risks are when people visit websites or use USB drives. At least we only have one computer with a 3.5-inch disk drive... (LOL).
"WinZip, starting with version 12.1, uses the extension .zipx for ZIP files that use compression methods newer than DEFLATE; specifically, methods BZip, LZMA, PPMd, Jpeg and Wavpack. The last 2 are applied to appropriate file types when "Best method" compression is selected." It doesn't explain how clicking on that executed an autoextractor, but maybe I'm overthinking it and people actually did decompress it with a compatible archive program and manually launched the files within. It's a little weird how many people will go to rather extreme lengths to execute code that is so suspicious. Last year, El Reg posted an article describing a partially successful campaign requiring users to download a RAR file and then decrypt it just to open a PDF, which some people in engineering fields actually did.
At a conference a few years back, Microsoft reported an exercise they'd carried out. They sent an email to their staff containing text on the lines of "on no account open the attachment to this email" with an attachment that phoned home. They followed up on the "openers" with a questionnaire. The most common reason given was "I wanted to see what would happen".
It doesn't sound like 7zip has a problem. It saw an archive and extracted files from it. It doesn't sound like it ran them. The same feature that lets you run it on an arbitrary file and it will try to find any archives inside it allowed an incorrectly-named archive file to be extracted anyway.
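Added example (editor's illustration, not code from Trustwave, The Register or any commenter above): a small attachment-triage routine of the kind a mail gateway could run, showing the three points raised in this thread. It quarantines on a blocklist of risky extensions (a constructed list, not the commenter's real one), it identifies the attachment by its leading bytes rather than its name so that an EXE renamed to .zipx is caught as a content/extension mismatch, and, like 7-Zip, it reads a ZIP container by content and lists members with executable extensions. The sample attachments are constructed in memory and contain no real malware; all names and the RISKY_EXTENSIONS and EXPECTED_KIND tables are assumptions for the example.

```python
import io
import zipfile
from dataclasses import dataclass, field


# Extensions a mail gateway might quarantine on sight. Constructed for this
# example; it is not the commenter's real ~50-entry list.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta",
    ".zipx", ".rar", ".iso",
}

# Leading byte signatures of the container and payload types discussed.
MAGIC = {
    "zip": b"PK\x03\x04",       # a WinZip .zipx is still a ZIP container
    "rar": b"Rar!\x1a\x07",
    "pe":  b"MZ",               # Windows executable (MZ/PE header)
    "pdf": b"%PDF",
}

# What the content should look like for a given claimed extension (assumed).
EXPECTED_KIND = {".zip": "zip", ".zipx": "zip", ".rar": "rar",
                 ".exe": "pe", ".scr": "pe", ".pdf": "pdf"}


@dataclass
class Verdict:
    name: str
    detected: str                      # kind sniffed from the content bytes
    reasons: list = field(default_factory=list)

    @property
    def quarantine(self) -> bool:
        return bool(self.reasons)


def extension_of(name: str) -> str:
    """Lower-cased last extension, or '' when there is none."""
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def sniff(data: bytes) -> str:
    """Identify the attachment by its leading bytes, ignoring its name."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def triage(name: str, data: bytes) -> Verdict:
    ext = extension_of(name)
    verdict = Verdict(name, sniff(data))

    if ext in RISKY_EXTENSIONS:
        verdict.reasons.append(f"blocked extension {ext}")

    expected = EXPECTED_KIND.get(ext)
    if expected and verdict.detected != expected:
        verdict.reasons.append(f"content is {verdict.detected}, not {expected}")

    if verdict.detected == "zip":
        # Look inside by content, as an archive tool does regardless of the
        # name. Only the central directory is read, so members stored with a
        # method zipfile cannot decompress (e.g. PPMd) are still listed.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if extension_of(member) in RISKY_EXTENSIONS:
                        verdict.reasons.append(
                            f"archive member {member} has blocked extension")
        except zipfile.BadZipFile:
            verdict.reasons.append("malformed zip container")
    return verdict


def make_zip(members: dict) -> bytes:
    """Build a real ZIP (DEFLATE) in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed attachments for the demo; none is real malware."""
    return {
        "invoice.zipx": make_zip({"invoice.exe": b"MZ" + b"\0" * 64}),
        "report.zipx": b"MZ" + b"\x90" * 64,            # EXE wearing a .zipx name
        "notes.zip": make_zip({"notes.txt": b"hello"}),
        "scan.pdf": b"%PDF-1.4\n%constructed sample\n",
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        v = triage(name, data)
        state = "QUARANTINE" if v.quarantine else "pass"
        print(f"{name:14} {v.detected:8} {state:10} {'; '.join(v.reasons)}")
```

The two checks complement each other: the extension blocklist is what the commenter's gateway does and stops the obvious cases, while the magic-byte comparison is what catches a renamed payload if the blocklist ever lets an unfamiliar extension through. Listing ZIP members from the central directory keeps the check cheap and avoids decompressing untrusted data at the gateway.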