
posted by hubie on Wednesday May 17, @09:40PM

If you think a password prevents scanning in the cloud, think again:

Microsoft cloud services are scanning for malware by peeking inside users' zip files, even when they're protected by a password, several users reported on Mastodon on Monday.

Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

While analysis of password-protected files in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password "infected."

[...] Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services. One way is to extract any possible passwords from the bodies of an email or the name of the file itself. Another is by testing the file to see if it's protected with one of the passwords contained in a list.

"If you mail yourself something and type something like 'ZIP password is Soph0s', ZIP up EICAR and ZIP password it with Soph0s, it'll find (the) password, extract and find (and feed MS detection)," he wrote.

[...] The practice illustrates the fine line online services often walk when attempting to protect end users from common threats while also respecting privacy. As Brandt notes, actively cracking a password-protected zip file feels invasive. At the same time, this practice almost surely has prevented large numbers of users from falling prey to social engineering attacks attempting to infect their computers.

One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can't be read. As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files.
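As an added illustration of the scanning approach Beaumont describes (this is not code from the Ars article, from Microsoft, or from anyone quoted above), the Python script below harvests password candidates from an email body, from the attachment's file name and from a small wordlist, tries each one against a ZipCrypto-protected archive, and looks for the EICAR test string in whatever it manages to open. The hint pattern, the wordlist and the file-name tokenizing are assumptions about what such a scanner might do; Microsoft's actual rules are not public. Because Python's zipfile module can read ZipCrypto but not write it, the sample archive is built by hand with the PKWARE key schedule, which also makes the last paragraph's point concrete: the cipher is simple enough to reimplement in a dozen lines, and its 12-byte header hands a password-guesser a one-byte check before any payload has to be decrypted.

```python
import io
import os
import re
import struct
import zipfile
import zlib

# The EICAR test string: harmless by design, detected by every AV engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# --- Hand-rolled ZipCrypto writer (zipfile can decrypt it but not write it) ---
def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

_CRC_TABLE = _crc_table()

class ZipCrypto:
    """PKWARE 'traditional' encryption: three 32-bit keys, one keystream byte per byte."""
    def __init__(self, pwd: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in pwd:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = (k[0] >> 8) ^ _CRC_TABLE[(k[0] ^ b) & 0xFF]
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            t = self.k[2] | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)  # the key schedule advances on the plaintext byte
        return bytes(out)

def make_zipcrypto_zip(name: str, data: bytes, pwd: bytes) -> bytes:
    """One stored (uncompressed) ZipCrypto entry, readable by zipfile with pwd=."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte header: 11 filler bytes plus the CRC's high byte, which a reader
    # compares after decrypting the header to reject a wrong password early.
    body = ZipCrypto(pwd).encrypt(os.urandom(11) + bytes([crc >> 24]) + data)
    fname = name.encode()
    t, d = 0, 0x21  # DOS time/date fields: 1980-01-01 00:00
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, 1, 0, t, d,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, 1, 0, t, d,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd

# --- Scanning side: harvest candidate passwords, try them, inspect contents ---
# Hypothetical hint pattern and wordlist; Microsoft's real ones are not public.
PASSWORD_RE = re.compile(
    r"(?i)\b(?:zip\s+)?pass(?:word|code|phrase)?\s*(?:is|[:=])\s*['\"]?([^\s'\"]+)")
WORDLIST = ["infected", "malware", "virus", "123456"]

def candidate_passwords(email_body: str, attachment_name: str, wordlist=WORDLIST):
    """Cheapest guesses first: hints in the message, file-name tokens, then the list."""
    stem = os.path.splitext(os.path.basename(attachment_name))[0]
    raw = [m.rstrip(".,;!") for m in PASSWORD_RE.findall(email_body)]
    raw += [stem] + re.split(r"[-_ .]+", stem)
    raw += list(wordlist)
    seen = []
    for c in raw:
        if c and c not in seen:
            seen.append(c)
    return seen

def open_with_candidates(zip_bytes: bytes, candidates):
    """Return (password, {name: bytes}) on success, (None, {}) if every guess fails."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in candidates:
            try:
                files = {i.filename: zf.read(i, pwd=pwd.encode()) for i in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):
                continue  # header check byte or CRC mismatch: wrong password
            except NotImplementedError:
                break  # AES entries (method 99) are beyond zipfile; give up
            return pwd, files
    return None, {}

def scan_attachment(email_body: str, attachment_name: str, zip_bytes: bytes) -> dict:
    pwd, files = open_with_candidates(zip_bytes, candidate_passwords(email_body, attachment_name))
    hits = [n for n, blob in files.items() if EICAR in blob]
    return {"password": pwd, "opened": pwd is not None, "detections": hits}

if __name__ == "__main__":
    # Constructed sample reproducing Beaumont's mail-yourself-the-password case.
    sample = make_zipcrypto_zip("eicar.com", EICAR, b"Soph0s")
    print(scan_attachment("ZIP password is Soph0s, as usual.", "sample.zip", sample))
```

Wrong guesses fail either on the header check byte (zipfile raises RuntimeError) or, one time in 256, slip past it and fail on the CRC (BadZipFile), so a guesser has to catch both. An entry encrypted with WinZip-style AES (compression method 99) raises NotImplementedError instead, which is the zipfile-side view of the article's advice to prefer AES-256 in 7z or a comparable tool: the archive format is readable, the payload is not.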


  • (Score: 3, Funny) by DadaDoofy on Thursday May 18, @12:30AM (4 children)

    by DadaDoofy (23827) on Thursday May 18, @12:30AM (#1306776)

    What is Mastadon?

  • (Score: 0) by Anonymous Coward on Thursday May 18, @01:05AM

    by Anonymous Coward on Thursday May 18, @01:05AM (#1306779)

    le fed-iverse [wikipedia.org]

  • (Score: 5, Informative) by istartedi on Thursday May 18, @03:44AM

    by istartedi (123) on Thursday May 18, @03:44AM (#1306796) Journal

    You know how a lot of people, myself included, have been saying that Twitter should have been a protocol not a company? Mastodon is the embodiment of that.

    It's still kind of rough around the edges, but it's very promising. Filters aren't perfect, but compared to Twitter they rock. I use them to filter out "rage bait" and it's a fairly happy experience. I use Twitter a lot less now. The downside is that it hasn't reached critical mass, so there are still some independent news sources, especially related to California fires that are easier to follow on Twitter. A lot of those are on WatchDuty, but that sucks on a PC.

    It's interesting times in social media. Twitter was already circling the drain for me. Musk's mucking around with it helped push me to Mastodon.

    Now, if I could just figure out how to follow Iran news without all the German language coming through. It looks like it's supposed to be able to filter that too, but it's either not obvious or not really capable--like I said, rough around the edges; but so far it hasn't been corrupted.

    I strongly suggest giving it a shot. Because it's distributed, there isn't just one to choose. Imagine you're back in the 90s and your ISP didn't have mail servers. It's like that, so you went out looking for some other mail provider like HotMail. Each instance is its own Hotmail, but because of federation they exchange toots (their word for tweet), the way USENET servers all shared stories.

    The instance I use is Universeodon [universeodon.com]

  • (Score: 2) by driverless on Thursday May 18, @05:10AM

    by driverless (4770) on Thursday May 18, @05:10AM (#1306803)

    What is Mastadon?

    It's what Vulgaris Magistralis rides around on on Sundays [youtube.com].

  • (Score: 2) by hendrikboom on Friday May 19, @08:28PM

    by hendrikboom (1125) on Friday May 19, @08:28PM (#1307063) Homepage Journal

    It's actually spelled 'Mastodon', with a central 'o' instead of 'a'.
    Here [joinmastodon.org] is some information about it [mastodon.social].