Viruses Zipped into clever disguises

American security firm iDEFENSE has discovered a loophole in most popular antivirus software that would let viruses in cleverly written ZIP files slip under their radar
Written by Munir Kotadia, Contributor on

Security researchers have discovered that most consumer antivirus programs contain a vulnerability that allows malware writers to construct a virus file in such a way that it is undetectable by many of the most common antivirus applications, according to US-based security Intelligence firm iDEFENSE.

According to iDEFENSE, the problem stems from the method used by antivirus software to scan compressed files and affects applications from McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.

By manipulating the physical size of a compressed malicious file, without affecting the file's functionality, virus writers can send users an infected file that will not be detected by many antivirus programs.

"An attacker can compress a malicious payload and evade detection by some antivirus software by modifying the uncompressed size within the local and global headers… Successful exploitation allows remote attackers to pass malicious Payloads … without being detected," the advisory warns.

According to iDEFENSE the biggest problem is that users will be more likely to open an attachment if the antivirus software has scanned it and pronounced it safe.

"Users with up-to-date antivirus software are more likely to open attachments and files if they are under the false impression that the archive was already scanned and found to not contain a virus," the advisory said.

All companies mentioned except Sophos and RAV have confirmed their products are vulnerable and have either already published or are close to publishing an update to fix the problems.

iDEFENSE said the latest products from Symantec, Bitdefender, Trend Micro and Panda are not vulnerable.

However in a separate advisory by security Web site Secunia, a number of Symantec's products were found to be vulnerable to an alternative threat.

ZDNet Australia's Munir Kotadia reported from Sydney. For more coverage from ZDNet Australia, click here.

Editorial standards