ZIP files are being used to bypass security gateways
Users are targeted through a spam email pretending to be shipping information from an Export Operation Specialist of USCO Logistics. Attached to the email is a ZIP archive that has a file size which is greater than its uncompressed content.
In a new report, Trustwave explained why the size of the ZIP raised suspicions among its researchers, saying:
“The attachment “SHIPPING_MX00034900_PL_INV_pdf.zip“ makes this message stand out. The ZIP file had a file size significantly greater than that of its uncompressed content. Typically, the size of the ZIP file should be less than the uncompressed content or, in some cases, ZIP files will grow larger than the original files by a reasonable number of bytes.”
Suspicious ZIP files
In addition to a special structure that contains the compressed data and information about the compressed files, each ZIP archive also contains a single End of Central Directory (EOCD) record that is used to indicate the end of the archive structure.
However, when Trustwave researchers examined the ZIP file attached to the spam email, they found that the ZIP archive contained two distinct archive structures that both had their own EOCD record. A ZIP archive should have only one EOCD record and this shows that the ZIP file created by the attackers was altered to contain…