Careful! Those zip files in your inbox can zap your computer

Old method of attack resurges; more email attachments again carry viruses


You’re busy, so I’ll say this fast and loud: DON’T OPEN UNEXPECTED ZIP FILES THAT ARRIVE AS EMAIL ATTACHMENTS. Suddenly, there are a lot of them around.

That advice is nearly as old as email, but as they say, everything old is new again. And the internet is newly awash in spam sending out booby-trapped zip file attachments. My inbox has seen a steady trickle of the stuff for the past couple of months, but I didn’t think much of it until I chatted with Sophos Chief Technology Officer Joe Levy this week. Zip archives that contain malicious JavaScript files are on the rise, he said.


Users who fall for the trick and decompress a zip attachment by clicking on it don’t see an executable file—but rather a .js file or similar—and run the code. The two-step technique is obviously working for criminals. Sophos has been tracking a dramatic rise in zip-JavaScript spam.

In fact, zip files with poisonous JavaScript have pretty much completely replaced Office attachments (infected Word documents or spreadsheets) as the attack technique preferred by spammers. So if you’ve received spam recently, you’ve probably received an infected zip attachment.

The emails arrive in typical fashion. One promised me a “confirmation letter.” A more clever version offered a travel expense sheet. The most believable says, “voice message from outside caller.”

Well-configured spam and security software should protect organizations from this attack. So why are spammers suddenly adopting the technique again?

According to security training center and think tank The SANS Institute, spammers realize that many organizations, by now, have effective filtering practices that minimize the chance of an employee’s computer getting infected by this type of attack. However, the spike in .js malspam indicates enough of this bad stuff is leaking through to make it profitable for criminals.

Akin to the IRS scam, which just keeps working and working, infected zip attachments are popping up all over because they work.

Here are the essentials of the SANS analysis:

  • This malspam appears to target Windows computers.
  • The extracted file is JavaScript-based, and the infection requires user action.
  • The user must open the zip attachment, extract the .js file, and manually run the .js file.
  • A properly administered Windows host using software restriction policies should prevent an infection.
  • A properly administered spam filter will prevent this type of malspam from reaching the recipient’s inbox.
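The SANS points above describe the chain (zip attachment, script file inside, user runs it) and name mail filtering as the control that stops it before the inbox. As an added illustration that is not part of the article or of SANS's material, here is a small Python check of the kind a mail gateway or a mailbox rule could apply: it parses a message, finds zip attachments (by filename or by the archive's leading "PK" bytes, since a renamed archive still opens as one), and flags any whose members carry a Windows script extension. The message, the attachment and the function names (scan_message, risky_members, build_sample) are constructed for this example; the extension list goes beyond the article's ".js or similar" to the other script types Windows Script Host runs on double-click, which is my assumption about what a filter should cover.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows hands to a script host (or mshta) when double-clicked.
# The article's case is .js; the rest are assumed equivalents worth blocking.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Local-file-header signature that every zip archive starts with.
ZIP_MAGIC = b"PK\x03\x04"


def risky_members(zip_bytes):
    """Return member names inside a zip archive that have a script extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [
                name for name in zf.namelist()
                if os.path.splitext(name.lower())[1] in SCRIPT_EXTENSIONS
            ]
    except zipfile.BadZipFile:
        # Not a readable archive: nothing for this check to flag.
        return []


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and return (attachment name, [script members]) pairs."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Judge by content as well as name: a renamed .zip is still a zip.
        if name.lower().endswith(".zip") or payload.startswith(ZIP_MAGIC):
            members = risky_members(payload)
            if members:
                findings.append((name, members))
    return findings


def build_sample(attachment_name, inner_name, inner_data):
    """Build a constructed test message carrying one zip attachment (not a real specimen)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_data)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "voice message from outside caller"
    msg.set_content("Please see the attached message.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed lure in the article's style; the .js body is a harmless placeholder.
    lure = build_sample("voice_message.zip", "voice_message.js",
                        b"// constructed placeholder, not a real script")
    print("lure:", scan_message(lure))          # flagged
    benign = build_sample("report.zip", "report.txt", b"quarterly numbers")
    print("benign:", scan_message(benign))      # []
```

The check is deliberately narrow: it looks only one level deep and only at extensions, so a filter built on it would still want the usual companions (blocking the script types at the host with software restriction policies, as SANS notes, and scanning the extracted content). The value of the "PK" signature test is that it does not trust the filename the sender chose.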
