Smart ZIP virus can fool most anti-virus software

Security researchers have discovered that most consumer anti-virus programs contain a vulnerability that allows malware writers to construct a virus file in such a way that it is undetectable by many of the most common anti-virus applications, according to US-based security Intelligence firm iDEFENSE.

Security researchers have discovered that most consumer anti-virus programs contain a vulnerability that allows malware writers to construct a virus file in such a way that it is undetectable by many of the most common anti-virus applications, according to US-based security Intelligence firm iDEFENSE.

According to iDEFENSE, the problem stems from the method used by anti-virus software to scan compressed files and affects applications from McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.

By manipulating the physical size of a compressed malicious file, without affecting the file's functionality, virus writers can send users an infected file that will not be detected by many anti-virus programs.

"An attacker can compress a malicious payload and evade detection by some anti-virus software by modifying the uncompressed size within the local and global headers... Successful exploitation allows remote attackers to pass malicious
Payloads ... without being detected," the advisory warns.

According to iDEFENSE the biggest problem is that users will be more likely to open an attachment if the anti-virus software has scanned it and pronounced it safe.

"Users with up-to-date anti-virus software are more likely to open attachments and files if they are under the false impression that the archive was already scanned and found to not contain a virus," the advisory said.

All companies mentioned except Sophos and RAV have confirmed their products are vulnerable and have either already published or are close to publishing an update to fix the problems.

iDEFENSE said the latest products from Symantec, Bitdefender, Trend Micro and Panda are not vulnerable.

However in a separate advisory by security Web site Secunia, a number of Symantec's products were found to be vulnerable to an alternative threat.