[Hacker News repost] Hackers now use ZIP file concatenation to evade detection
-
Title: Hackers now use ZIP file concatenation to evade detection
Text:
Url: https://www.bleepingcomputer.com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/
Since I cannot access external links directly, I will analyze and summarize based on the title provided and the usual content of news reports of this kind.

Title: "Hackers now use ZIP file concatenation to evade detection"

Analysis:
1. **ZIP file concatenation**: ZIP is a common compressed-file format, usually used to bundle multiple files to save storage space or to ease transfer. In this case, the hackers are probably exploiting particular properties of the ZIP format to hide malicious code or data.
2. **Evading detection**: The purpose of using ZIP file concatenation is to get past the monitoring of security detection tools. Traditional security detection usually focuses on known malware and attack patterns, and this method may be a new strategy for evading detection.
3. **Technical details**: The report probably covers how the hackers join multiple ZIP files together, and how this method makes the malware hard to find during analysis. This may include using special file structures or encoding tricks.

Summary: Hackers are adopting a new technique, ZIP file concatenation, to evade traditional security detection. This method likely involves packaging malware or data into multiple ZIP files and then joining those files in some way so that detection tools have difficulty identifying them during analysis. This strategy increases the stealth of the attack, so security researchers and defenders need to update their detection methods to respond to this new threat. For users, understanding this attack pattern and taking appropriate precautions is very important.
Post by: sandwichsphinx
Comments:
wahern: From a security perspective, and as a programmer, I've never liked ZIP files precisely because there are two mechanisms to identify the contents, the per-file header and the central directory. When you're defining a format, protocol, or w'ever, ideally there should be a single source of truth, a single valid & usable parse, etc; basically, the structure of the data or process should be intrinsically constraining. There shouldn't be a pathway for multiple implementations to produce different functional results, and ZIP archives are in my mind the archetype for getting this wrong. tar files aren't ideal, but in the abstract (ignoring issues with long file names) they don't have this problem. (tar files don't support random access, either, but better to rely on something suboptimal than something that's fundamentally broken.)

A similar security problem, though not as fundamentally baked into the format, is MIME parsing. The header section is supposed to be delimited from the body by an empty line (likewise for nested entities). But what if it's not? For better or worse, Sendmail was tolerant of the absence of an empty line and treated as headers everything up to the first line that didn't parse as a header or header continuation.[1] Later systems, like Postfix, originally copied this behavior. But Microsoft Exchange and Outlook are even more tolerant, yet in a much more horrendous way, by parsing as a header anything that looks like a Content-Type or related header immediately after the first empty line. They have similar hacks for other, similar violations. So today, depending on the receiving software, you can send messages that appear differently, including having different attachments. It's a security nightmare!

I'm not a Postel's Law hater, but ZIP archives and Microsoft's MIME parsing behaviors are just egregiously wrong and indefensible. And even if you think the Robustness Principle is inherently bad policy, you still have to design your formats, protocols, and systems to be as intrinsically constraining as possible. You can't rely on vendors adhering to a MUST rule in an RFC, unless it's unquestioningly crystal clear what the repercussions will be: everybody else will (because it's the natural and convenient thing to do) reject your output as trash and drop it on the floor immediately so violations never have a chance to get a foothold.

[1] MTAs don't necessarily need to care about MIME parsing, but Sendmail eventually gained features where parsing message contents mattered, setting the de facto norm (for those paying attention) until Microsoft came along.
Jerrrrrrry: Remember, secure encryption, good compression, and truly random data are indistinguishable.

It's best to paste that encrypted payload into a JPG with some bullshit magic headers and upload that to a trusted Exfil pivot instead.

Or, to get SuperMarioKart.rom to work with your chromeApp-XEMU emulator to play during down-time at work, just rename it to SMB.png, and email it to yourself.
pdp: This attack vector has been known for at least 17 years, if not longer.

https://gnucitizen.org/blog/java-jar-attacks-and-features/

https://gnucitizen.org/blog/gifars-and-other-issues/
avidiax: This is sometimes used non-maliciously to concatenate zipped eBooks to a JPEG of the cover art. 4Chan's /lit/ board used to do this, but I can't find any reference to it anymore.

https://entropymine.wordpress.com/2018/11/01/about-that-jpeg-zip-shakespeare-hybrid-file/

https://github.com/Anti-Forensics/tucker
Retr0id: Related, my two favourite ZIP parser issues:

https://bugzilla.mozilla.org/show_bug.cgi?id=1534483 "Ambiguous zip parsing allows hiding add-on files from linter and reviewers"

https://issues.chromium.org/issues/40082940 "Security: Crazy Linker on Android allows modification of Chrome APK without breaking signature"

The big problem with the ZIP format is that although the "spec" says what a ZIP file looks like, it does not tell you in concrete terms how to parse it, leading to all sorts of ambiguities and divergent implementations. Someone needs to write a "strict ZIP" spec that has explicit and well-defined parsing rules, and then we need to get every existing ZIP implementation to agree to follow said spec.
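An added example, not from the article or from any of the commenters, that makes wahern's "two mechanisms" point and Retr0id's "divergent implementations" point concrete from the defender's side. It parses the same bytes two ways: a sequential walk over local file headers (what a streaming scanner sees) and the central directory located from the end of the file (what Python's standard zipfile module and most extractors use). On a well-formed archive the two views agree; on two archives glued together they do not, and that disagreement is the consistency check a gateway or sandbox can apply. The sample archives are constructed in the script; the function and key names are my own.

```python
"""Compare the local-file-header view of a ZIP with its central-directory view.

A mismatch between the two is exactly the ambiguity the comments describe:
different parsers report different contents for the same bytes.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def walk_local_headers(data: bytes) -> list[str]:
    """Streaming view: walk from offset 0 collecting every local file header.

    A central directory or end record met on the way is skipped rather than
    treated as the end of the file, because a second archive may follow it.
    """
    names = []
    pos = 0
    while pos + 4 <= len(data):
        sig = data[pos:pos + 4]
        if sig == LOCAL_SIG:
            if pos + 30 > len(data):
                break  # truncated header
            (_ver, flags, _method, _time, _date, _crc, csize, _usize,
             nlen, xlen) = struct.unpack("<HHHHHIIIHH", data[pos + 4:pos + 30])
            names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
            pos += 30 + nlen + xlen
            if flags & 0x08:
                # Bit 3 set: sizes live in a trailing data descriptor, so a
                # streaming parser has to hunt for the next signature (heuristic).
                cands = [i for i in (data.find(s, pos) for s in (LOCAL_SIG, CENTRAL_SIG)) if i != -1]
                if not cands:
                    break
                pos = min(cands)
            else:
                pos += csize
        elif sig == CENTRAL_SIG:
            nlen, xlen, clen = struct.unpack("<HHH", data[pos + 28:pos + 34])
            pos += 46 + nlen + xlen + clen
        elif sig == EOCD_SIG:
            (clen,) = struct.unpack("<H", data[pos + 20:pos + 22])
            pos += 22 + clen
        else:
            break  # unknown bytes: stop the walk
    return names


def central_directory_names(data: bytes) -> list[str]:
    """Directory view: zipfile finds the EOCD record by scanning backwards from
    the end of the file, so only the LAST archive's directory is consulted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build a small in-memory ZIP archive (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def check_archive(data: bytes) -> dict:
    """Return both views and a verdict. A well-formed archive lists exactly
    the same entries, in the same order, in both; anything else means two
    scanners can legitimately disagree about what the file contains."""
    local = walk_local_headers(data)
    central = central_directory_names(data)
    return {
        "local_headers": local,
        "central_directory": central,
        "only_in_local_walk": sorted(set(local) - set(central)),
        "consistent": local == central,
    }


# Constructed samples: one ordinary archive, and two archives concatenated.
BENIGN = make_zip({"readme.txt": b"Nothing to see here.\n"})
SECOND = make_zip({"hidden.txt": b"(constructed placeholder content)\n"})
CONCATENATED = BENIGN + SECOND

if __name__ == "__main__":
    for label, blob in (("single archive", BENIGN), ("concatenated", CONCATENATED)):
        print(label, check_archive(blob))
```

Running it shows the single archive as consistent, while for the concatenated bytes the local walk reports both readme.txt and hidden.txt but the central-directory view reports only hidden.txt. The useful policy is the one the check encodes: treat any archive where the two views differ as malformed and refuse or quarantine it, rather than trusting whichever view a particular tool happens to prefer.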