New attack method uses .ISO and .TAR files to evade security warnings

Posted 08 January 2019 23:43 CET by Jan Willem Aldershoff

Cybercriminals distribute emails with files attached in a specific Linux/Unix compressed file format. By using that format they are able to bypass Windows security warnings and infect systems with malware. The attack was discovered by Belgian security researcher Didier Stevens.

The specific compressed file format is .TAR and Windows users are unable to unpack TAR files by default. It’s however possible to unpack .TAR files with a file archival application such as WinRAR or 7Zip. For attackers this is  partly a disadvantage, as a user needs to have special installed, but it also has an advantage. Windows normally marks files that are downloaded from the internet as “mark-of-the-web”, but it doesn’t mark files that originate from an unpacked file.

Applications like Outlook also adds the mark-of-the-web to attachments when they are opened or saved. However, when a .TAR file is unpacked, the resulting file doesn’t have the mark-of-the-web. Users who then execute the resulting file, therefore don’t see a security warning.

Besides .TAR, the attackers also use other compressed and/or archival formats such as .ISO, .JAR and .ARJ.

“Using less popular container formats on Windows allows malware authors to evade detection and reduce the number of alerts, at the risk of ending up on a Windows machine that can not open the container”, Stevens explains.

Related content

There are 1 forum posts on this story

We don't show comment's on news stories, instead you are very welcome to join the discussion on this topic on our forum.

Discuss this story here