Monday, April 17, 2006

"Hiding additional files in a ZIP archive"

The Code Project - Hiding additional files in a ZIP archive

"A ZIP archive consists of local file headers, local files, and at the end of the zip file the central directory. When a zip application like WinZip or FilZip opens an archive, it first reads the directory. Only when you actually extract a file does it read the offset from its directory entry; then the local file is read and uncompressed. Something that is not listed in the central directory will not be listed in the zip application.

ZIP archives can contain lots of single files, each of which has two sizes: compressed size and uncompressed size. Have you ever calculated the expected archive size from the compressed file sizes and compared it to the size of the zip file? No? Well, that's why a few additional bytes - additional compressed text files - won't be found by chance.
..."

From the EDD perspective, this is an interesting project, and one I need to think about. Combine hiding files in ZIPs with ZIP encryption and you have a pretty good protection scheme.

This is the whole defense in depth thing (or hiding in depth, etc.). First rename the ZIP to *.dll or something similar, so that a file signature analysis is needed even to find the file. Then ZIP encryption, which is hard to break just by itself. Then hide a file inside the ZIP (say, another encrypted ZIP).

I wonder how email attachment/AV scanners work? Do they work off the ZIP's catalog (the central directory), since that's the fastest method? Nah, I'm sure they take the more secure approach and examine the chain of local file headers...

Anyway, I'm going to need to test this and see how our unzipping library handles it (it's reasonable to assume it would skip files not listed in the catalog).
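To make that test concrete, here is an added example (not code from the Code Project article or from this post) that reads an archive both ways: once through the central directory, as a zip tool does, and once by walking the chain of local file headers from offset 0, then reports any entry the directory does not list. It builds its own constructed sample archive and assumes plain entries with sizes present in the local header (no data descriptors, no ZIP64).

```python
import struct
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<4sHHHHHIIIHH", "<4sHHHHHHIIIHHHHHII", "<4sHHHHIIH"


def central_directory_offsets(data: bytes) -> set:
    """Local-header offsets the central directory references (what a zip tool 'sees')."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_total, _, cd_offset, _ = struct.unpack(EOCD_FMT, data[eocd:eocd + 22])
    offsets, pos = set(), cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory entry at offset %d" % pos)
        fields = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        n_len, x_len, c_len, local_offset = fields[10], fields[11], fields[12], fields[16]
        offsets.add(local_offset)
        pos += 46 + n_len + x_len + c_len  # fixed header, then name, extra, comment
    return offsets


def walk_local_headers(data: bytes) -> list:
    """Follow the local file header chain from offset 0; returns (offset, name) pairs."""
    entries, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        _, _, flags, _, _, _, _, csize, _, n_len, x_len = struct.unpack(LOCAL_FMT, data[pos:pos + 30])
        if flags & 0x08:  # sizes live in a trailing data descriptor; cannot skip ahead safely
            raise ValueError("data descriptor entries not supported at offset %d" % pos)
        name = data[pos + 30:pos + 30 + n_len].decode("utf-8", "replace")
        entries.append((pos, name))
        pos += 30 + n_len + x_len + csize  # header, name, extra, then the compressed data
    return entries


def find_unlisted_entries(data: bytes) -> list:
    """Names of local entries that the central directory does not list."""
    listed = central_directory_offsets(data)
    return [name for off, name in walk_local_headers(data) if off not in listed]


def _stored_entry(name: bytes, payload: bytes) -> bytes:
    # Local header + data for an uncompressed (method 0) entry; used only for the constructed sample.
    crc = zlib.crc32(payload)
    return struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0, crc, len(payload), len(payload), len(name), 0) + name + payload


def build_sample() -> bytes:
    """Constructed sample archive: two local entries, only the first listed in the central directory."""
    visible, hidden = _stored_entry(b"readme.txt", b"hello"), _stored_entry(b"extra.txt", b"not listed")
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0, zlib.crc32(b"hello"), 5, 5, 10, 0, 0, 0, 0, 0, 0) + b"readme.txt"
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), len(visible) + len(hidden), 0)
    return visible + hidden + central + eocd


if __name__ == "__main__":
    print(find_unlisted_entries(build_sample()))  # ['extra.txt']
```

Running the same archive through a library that only consults the central directory shows one file; the header walk shows two, which is the difference an EDD or AV scanner needs to check.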

Isn’t EDD cool?


1 comment:

Alex said...

I worked with a similar tool some days ago: check corrupt zip. The program helped me quite well; it is free, as is known. Besides that, the software has many other capabilities: it repairs corrupted archives with the *.zip extension, and check repair zip file can check why a zip file is corrupted and work with password-protected archives.