Reported in 2009, a bug in the handling of compressed archives could be exploited by attackers, yet it went unaddressed by multiple anti-virus providers. Its severity was not taken seriously until November last year, when attackers began exploiting it to spread malware via email. The top anti-virus providers have finally taken note and fixed it.
Thierry Zoller, Sr. Information Security and Privacy Risk Manager at HSBC and Board Member of the EC-Council Global Advisory, reported this flaw. He explains that the bug is not specific to one archive format: multiple formats, including ISO, ZIP and Bz2, can be used. “It depends on the user’s ability to alter a compressed archive in such a manner that it becomes inaccessible to the AV (anti-virus) software,” he said.
According to Zoller, the impact on the client side is low, because the engine is only evaded/bypassed at scan time (e.g. a scheduled hard disk scan) and not at runtime, when the user extracts the payload. On the server side, however, the impact is high. Anti-virus gateway products (e.g. for email, payment gateways, websites and cloud services) are at high risk: since no user ever extracts the file, it is impossible for the gateway to inspect the code, and the engine is bypassed completely.
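The gateway case above is the one where a scanner has no second chance, so a common mitigation is to fail closed: an archive that does not parse cleanly under strict structural checks is quarantined rather than passed through as "nothing found". The following is an added illustration of that policy for ZIP files, written for this article; it is not Zoller's proof-of-concept code nor any vendor's unpacker. It assumes the archive starts at byte 0 (no self-extractor stub) and is not ZIP64, and it cross-checks the central directory against each entry's local header before letting the standard library verify CRCs. The sample archives are constructed inline.

```python
import io
import struct
import zipfile
from typing import List

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def strict_zip_check(data: bytes) -> List[str]:
    """Return a list of structural problems found in a ZIP byte string.
    An empty list means the archive parsed cleanly under strict rules.
    Assumption: archive starts at offset 0 and is not ZIP64."""
    problems: List[str] = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) < eocd + 22:
        return ["no usable end-of-central-directory record"]
    # EOCD layout: sig, disk, cd_disk, entries_on_disk, entries_total,
    # cd_size, cd_offset, comment_len  (22 bytes)
    _, _, _, n_disk, n_total, cd_size, cd_offset, comment_len = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + 22])
    if eocd + 22 + comment_len != len(data):
        problems.append("trailing bytes after archive comment")
    if n_disk != n_total:
        problems.append("entry count mismatch in EOCD")
    if cd_offset + cd_size != eocd:
        problems.append("central directory does not end at EOCD")

    pos, seen = cd_offset, 0
    while pos < eocd:
        if data[pos:pos + 4] != CENTRAL_SIG:
            problems.append(f"bad central directory signature at {pos}")
            break
        # Central header is 46 bytes; fields 10..12 are name/extra/comment
        # lengths, field 16 is the local header offset.
        fields = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        nlen, xlen, clen, lh_offset = fields[10], fields[11], fields[12], fields[16]
        name = data[pos + 46:pos + 46 + nlen]
        pos += 46 + nlen + xlen + clen
        seen += 1
        # The local header must exist where the central directory says it is,
        # and must agree on the file name; a scanner that trusts only one of
        # the two structures can be shown a different view than the extractor.
        if data[lh_offset:lh_offset + 4] != LOCAL_SIG:
            problems.append(f"entry {name!r}: local header signature missing at {lh_offset}")
            continue
        lnlen = struct.unpack("<H", data[lh_offset + 26:lh_offset + 28])[0]
        lname = data[lh_offset + 30:lh_offset + 30 + lnlen]
        if lname != name:
            problems.append(f"entry {name!r}: local header name {lname!r} differs")
    if seen != n_total:
        problems.append(f"central directory lists {seen} entries, EOCD claims {n_total}")

    # Finally let the standard library walk every member and verify CRCs.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()
            if bad is not None:
                problems.append(f"CRC mismatch in {bad}")
    except zipfile.BadZipFile as exc:
        problems.append(f"zipfile rejected archive: {exc}")
    return problems


def gateway_verdict(data: bytes) -> str:
    """Fail-closed policy: anything that is not a clean parse is quarantined
    for manual review instead of being reported as clean."""
    return "pass" if not strict_zip_check(data) else "quarantine"


def build_sample() -> bytes:
    """Constructed, harmless two-entry archive used as the clean sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample, harmless text\n")
        zf.writestr("data/report.csv", "id,value\n1,42\n")
    return buf.getvalue()


def corrupt_local_header(data: bytes) -> bytes:
    """Constructed damaged variant: the first entry's local header signature
    (at offset 0 in a zipfile-produced archive) is overwritten."""
    return b"XX" + data[2:]


if __name__ == "__main__":
    clean = build_sample()
    print("clean     :", gateway_verdict(clean), strict_zip_check(clean))
    print("damaged   :", gateway_verdict(corrupt_local_header(clean)),
          strict_zip_check(corrupt_local_header(clean)))
    print("trailing  :", gateway_verdict(clean + b"junk"),
          strict_zip_check(clean + b"junk"))
```

The design point is the verdict function: a gateway that answers "clean" whenever its parser gives up is exactly the failure mode described above, whereas one that quarantines on any structural disagreement forces the archive in front of a human or a second engine.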
Zoller further added that the bug affects many products from multiple vendors, including Avira, Bitdefender, ESET and Kaspersky, which he contacted in October 2019 to report the flaw and provide proof-of-concept code so that patches could be released.
The issue was finally addressed by ESET in version 1294 of its archive unpacker module. Kaspersky likewise fixed the bug with the release of patch E for four of its products, namely Kaspersky Secure Connection 4.0 (2020), Internet Security 2020, Total Security 2020 and Security Cloud 2020.
Kaspersky said, “We have fixed three bugs in one of the anti-virus engine components that is responsible for work with ZIP archives. The fix for this component corrects its behavior in a situation of the antivirus scanning specially crafted ZIP archives. These malformed archives could be used to circumvent our antivirus scan process. The bugs affected Kaspersky products with antivirus databases.”
When contacted a second time about this bug, both ESET and Kaspersky quickly patched the flaws in their respective products and credited Zoller for reporting them.