On Wed, Sep 15, 2010 at 8:21 PM, Herbert Graf wrote:
> As for the issue, yes, it's common practice by malware to multiply zip
> the payload, the assumption being that the anti-malware software will
> only "unzip" a certain number of times. I can't confirm that mail
> servers reject emails because of this.

Attackers know that all modern AV scanners have a sophisticated decomposer that does recursive unpacking. There are though many issues that arise. First of all, on-demand and on-access scanners work differently. Without going into too much detail, unpacking is one of the main differences. An on-access scanner runs in the background as a service or daemon and detects whenever a file is modified or created on the system. When that happens it scans the file. That slows down the computing performance of course, which is annoying sometimes. And if it were also decomposing all ZIP and other compound formats then it would slow down the computer even more, to an unusable stage. For example, someone downloads a huge ZIP or installation file; then it would take several minutes(!) to fully decompose all elements of it and scan them through with the AV scanner. So simply they do not do that... That's one of the many reasons why an on-access version might have a different detection rate than an on-demand one from the very same vendor.

On a mail server they might though check if the ZIP contains an executable just by checking the extensions of the files from the archive header. That is quick and dirty but effective. If for example there is an EXE in it, then the MTA blocks the ZIP. They can do that in most cases even when the ZIP is password protected (as in most cases the headers with the file and directory names are not encrypted, only the content of the files). That's why they might wrap the archive into another archive, so that it could go through the mail server...
Not necessarily by malware but also by angry users who just want to use their system sending legit files to colleagues... Also of course bad guys are trying to do everything to push their malicious code through the mail server. So they may try to crash the AV scanner as many times as they can, hoping that the mail server admin gets annoyed at some point and he/she turns the scanner off. Even if it happens only for a few minutes the bad guys have a chance of pushing their badware through onto the system. So yes, they might try to use malformed ZIP files as well as 'too deeply nested' ones.

Tamas

> TTYL
>
> --
> http://www.piclist.com PIC/SX FAQ & list archive
> View/change your membership options at
> http://mailman.mit.edu/mailman/listinfo/piclist
>

-- 
int main() { char *a,*s,*q; printf(s="int main() { char *a,*s,*q; printf(s=%s%s%s, q=%s%s%s%s,s,q,q,a=%s%s%s%s,q,q,q,a,a,q); }", q="\"",s,q,q,a="\\",q,q,q,a,a,q); }
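The header-only check Tamas describes (names read from the central directory even when the archive is password protected, nested ZIPs used to get past it) and the two evasion cases from his second paragraph (malformed archives and "too deeply nested" ones) are worked through below. This is an added example, not code from the thread or from any mail-server or AV product. The `EXEC_EXTENSIONS` blocklist, the `MAX_DEPTH` limit and the `build_zip` fixtures are assumptions made here for illustration; the archives it scans are constructed in memory, so it runs offline.

```python
"""Header-only attachment triage for ZIP files, in the spirit of the mail-server
check described in the thread: walk the central directory (no decryption or
decompression is needed to learn file names), flag executables by extension,
descend into nested unencrypted ZIPs only up to a fixed depth, and fail closed
on archives nested deeper than that or malformed. Example code, not a product's."""
import io
import os
import struct
import zipfile
import zlib

# Illustrative blocklist and recursion limit (assumptions); deployments tune both.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAX_DEPTH = 3

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDFH_SIG = b"PK\x01\x02"   # central directory file header


def central_directory_entries(data):
    """Yield (name, encrypted, header_offset) for every entry.

    Only the central directory is parsed. Traditional ZIP encryption protects
    file contents only; names and flags stay in the clear, so this also works
    on a password-protected archive."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entry count at +10, central directory size at +12, offset at +16
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(n_entries):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDFH_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, bool(flags & 1), pos          # bit 0 of the flags = encrypted
        pos += 46 + name_len + extra_len + comment_len


def scan_archive(data, depth=0, prefix=""):
    """Return a list of (path, reason) findings for one archive and its children."""
    findings = []
    if depth > MAX_DEPTH:
        # A scanner that silently stops here lets the payload through; report
        # instead, so the mail policy can block on it.
        findings.append((prefix.rstrip("/"),
                         "nesting deeper than %d; treated as suspicious" % MAX_DEPTH))
        return findings
    try:
        entries = list(central_directory_entries(data))
    except (ValueError, struct.error) as exc:
        findings.append((prefix.rstrip("/"), "malformed archive: %s" % exc))
        return findings
    for name, encrypted, _ in entries:
        path = prefix + name
        ext = os.path.splitext(name)[1].lower()
        if ext in EXEC_EXTENSIONS:
            findings.append((path, "executable by name" + (" (encrypted)" if encrypted else "")))
        if ext == ".zip":
            if encrypted:
                findings.append((path, "encrypted nested archive; cannot inspect"))
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    inner = zf.read(name)
            except (zipfile.BadZipFile, KeyError, RuntimeError,
                    NotImplementedError, zlib.error) as exc:
                findings.append((path, "cannot extract nested archive: %s" % exc))
                continue
            findings.extend(scan_archive(inner, depth + 1, path + "/"))
    return findings


def build_zip(members, encrypted_names=()):
    """Build an in-memory ZIP as a constructed test fixture.

    zipfile cannot write encrypted entries, so for names in encrypted_names the
    encryption bit is set afterwards in the central directory header, which is
    exactly the bit the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    for name, _, header_off in central_directory_entries(bytes(data)):
        if name in encrypted_names:
            flags = struct.unpack_from("<H", data, header_off + 8)[0]
            struct.pack_into("<H", data, header_off + 8, flags | 1)
    return bytes(data)


def demo():
    """Scan four constructed attachments and return their findings."""
    payload = build_zip([("invoice.exe", b"MZ constructed, not a real PE")])
    wrapped = build_zip([("invoice.zip", payload)])                  # one extra layer
    locked = build_zip([("secret.zip", payload), ("readme.txt", b"hi")],
                       encrypted_names=("secret.zip",))               # password-protected wrapper
    deep = payload
    for i in range(MAX_DEPTH + 2):                                   # deeper than the scanner goes
        deep = build_zip([("layer%d.zip" % i, deep)])
    return {"plain": scan_archive(payload), "wrapped": scan_archive(wrapped),
            "locked": scan_archive(locked), "deep": scan_archive(deep)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "deep" case is the behaviour Herbert asked about: the scanner never sees `invoice.exe` because it stops at `MAX_DEPTH`, so whether the attachment gets through depends entirely on what the policy does at the limit. Reporting the limit as a finding (fail closed) rather than returning an empty list is the one-line difference between a filter that can be evaded by wrapping and one that cannot. The encrypted-wrapper case shows the other half of Tamas's point: the outer names are readable without the password, but the inner archive cannot be inspected, so a policy has to decide about it on the name alone.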