A 'Zip Bomb' to Bypass Security Controls & Sandboxes

Published: 2022-05-20
Last Updated: 2022-05-20 05:15:50 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Yesterday, I analyzed a malicious archive for a customer. It was delivered to the mailbox of a user who, hopefully, was security-aware and reported it. The payload passed through the different security layers based on big players on the market!

The file is a zip archive (SHA256:97f205b8b000922006c32c9f805206c752b0a7d6280b6bcfe8b60d52f3a1bb5f) and has a score of 6/58 on VT[1]. The archive contains an ISO file that, once mounted, discloses a classic PE file. But let's  have a look at the file:

remnux@remnux:/MalwareZoo/20220519$ zipdump.py Order-801273.zip
Index Filename         Encrypted Timestamp           
    1 Order-801273.img         0 2022-05-16 13:32:08 
remnux@remnux:/MalwareZoo/20220519$ zipdump.py Order-801273.zip -s 1 -d >Order-801273.img
remnux@remnux:/MalwareZoo/20220519$ file Order-801273.img 
Order-801273.img: ISO 9660 CD-ROM filesystem data 'DESKTOP'
remnux@remnux:/MalwareZoo/20220519$ sudo mount -o loop Order-801273.img /mnt/iso
mount: /mnt/iso: WARNING: device write-protected, mounted read-only.
remnux@remnux:/MalwareZoo/20220519 $ ls /mnt/iso
Order-801273.exe
remnux@remnux:/MalwareZoo/20220519$ cp /mnt/iso/Order-801273.exe .
remnux@remnux:/MalwareZoo/20220519$ ls -l Order*
-r-xr-xr-x 1 remnux remnux 419430400 May 20 00:34 Order-801273.exe
-rw-r--r-- 1 remnux remnux 419495936 May 20 00:30 Order-801273.img
-rw-r--r-- 1 remnux remnux   2017165 May 20 00:28 Order-801273.zip

Check carefully the size of the different files. The ZIP archive is 2M but the PE file is much bigger: 400MB! Do you remember the "Zip Bomb"[2]? A malicious very small archive that, once decompressed, is very big and consumes a lot of resources to be unpacked.

Let’s start the analysis of the PE file using static analysis techniques. My favorite tool to start investigations is PEstudio[3]. It reports something suspicious:

You can see (highlighted in red) that the file has an "overlay" that uses 99% of the file size! And the first bytes are all zeroes. This overlay starts at offset 0x1B9C00. Let's confirm this:

remnux@remnux:/MalwareZoo/20220519$ xxd -s 1809408 Order-801273.exe |more
001b9c00: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9c10: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9c20: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9c30: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9c40: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9c50: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9c60: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9c70: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9c80: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9c90: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9ca0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9cb0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9cc0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9cd0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9ce0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9cf0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9d00: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9d10: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9d20: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9d30: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9d40: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9d50: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9d60: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001b9d70: 0000 0000 0000 0000 0000 0000 0000 0000  ................

Microsoft Windows is very permissive regarding data appended to files. For example, it's common to see Word documents containing a macro that extracts a payload located at the end of the file. Here, the PE file has been altered by appending a lot of zeroes to the code. That's the reason why the archive is small. Packing zeroes is very efficient and produces a small file. Let's try this:

remnux@remnux:/MalwareZoo/20220519$ dd if=/dev/zero of=zero.tmp count=10000000
remnux@remnux:/MalwareZoo/20220519$ zip zero.zip zero.tmp
remnux@remnux:/MalwareZoo/20220519$ ls -l zero.*
-rw-rw-r-- 1 remnux remnux 5120000000 May 19 16:06 zero.tmp
-rw-rw-r-- 1 remnux remnux    4969094 May 19 16:07 zero.zip

Let's get rid of the overlay to produce a new PE with a "normal" size:

remnux@remnux:/MalwareZoo/20220519$ dd if=Order-801273.exe of=Order-801273.exe.stripped count=1809408 bs=1
1809408+0 records in
1809408+0 records out
1809408 bytes (1.8 MB, 1.7 MiB) copied, 2.31218 s, 783 kB/s
remnux@remnux:/MalwareZoo/20220519$ ls -l Order-801273.exe.stripped 
-rw-r--r-- 1 remnux remnux 1809408 May 20 01:01 Order-801273.exe.stripped
remnux@remnux:/MalwareZoo/20220519$ file Order-801273.exe.stripped 
Order-801273.exe.stripped: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Now, the file can be analyzed successfully. This is a very nice technique to bypass many security controls. Indeed, for performance reasons, big files are often skipped or can generate timeouts due to the huge amount of data to analyze.

By the way, the PE file is a bitrat sample using the following configuration:

{
  "family": "bitrat",
  "rule": "Bitrat",
  "c2": [
    "kot-pandora[.]duckdns[.]org:24993"
  ],
  "version": "1.38",
  "attr": {
    "tor_process": "tor",
    "communication_password": "d6723e7cd6735df68d1ce4c704c29a04"
  }
}

[1] https://www.virustotal.com/gui/file/97f205b8b000922006c32c9f805206c752b0a7d6280b6bcfe8b60d52f3a1bb5f
[2] https://en.wikipedia.org/wiki/Zip_bomb
[3] https://www.winitor.com

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Archive Bitrat Bomb Bypass Filesize Malware Zip
0 comment(s)
ISC Stormcast For Friday, May 20th, 2022 https://isc.sans.edu/podcastdetail.html?id=8016

Comments

cwqwqwq

www

Nov 17th 2022
6 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
6 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
6 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
6 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
6 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
6 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
5 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
5 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
5 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
5 months ago

Login here to join the discussion.


Diary Archives