zipdump & Evasive ZIP Concatenation (Sat, Nov 9th)

On Friday’s Stormcast, Johannes talks about Evasive ZIP Concatenation, a technique where 2 (or more) ZIP files are concatenated together to evade detection.

This gives me a good opportunity to remind you that my zip analysis tool zipdump.py can handle this type of file.

zipdump uses Python’s zipfile module (or pyzipper if you install it), and if you just run it on this type of file without any options, you get the listing of the last ZIP file only:

But when you use option -f, zipdump will not use Python’s zipfile module, but directly analyze PKZIP records.

When you use option -f l (l stands for listing), you will get a listing of all PKZIP records found inside the provided file:

There are 6 PKZIP records here, making up 2 ZIP files. To analyze the content of the first ZIP file with Python’s zipfile module, use option -f 1:

And use option -f 2 for the second ZIP file:

You can then use zipdump’s other options to analyze the file, for example:

zipdump can also analyze individual PKZIP records; you select one by providing its position inside the file, as it appears in the listing (-f l):
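To make the difference between the two views concrete, here is an added example (not zipdump’s own code, and not from the diary) that builds two small ZIP files in memory, concatenates them, and then shows both what Python’s zipfile module reports and what a direct walk over the PKZIP records finds. The record walker is a simplified re-implementation of the idea behind option -f, the function names are my own, and the sample archives are constructed for this example:

```python
import io
import struct
import zipfile

# Signatures and fixed-size layouts of the three PKZIP record types.
LOCAL_FILE_HEADER = b"PK\x03\x04"
CENTRAL_DIR_HEADER = b"PK\x01\x02"
END_OF_CENTRAL_DIR = b"PK\x05\x06"
LFH_FMT = "<4sHHHHHIIIHH"        # 30 bytes, then name, extra, compressed data
CDH_FMT = "<4sHHHHHHIIIHHHHHII"  # 46 bytes, then name, extra, comment
EOCD_FMT = "<4sHHHHIIH"          # 22 bytes, then archive comment
SIGNATURES = (LOCAL_FILE_HEADER, CENTRAL_DIR_HEADER, END_OF_CENTRAL_DIR)


def make_zip(name, content):
    """Build a one-member ZIP archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def concatenated_sample():
    """Two independent archives glued together (constructed sample)."""
    return make_zip("first.txt", b"content of archive 1") + make_zip(
        "second.txt", b"content of archive 2")


def next_signature(data, start):
    """Offset of the first known PKZIP signature at or after start (or EOF)."""
    hits = [i for i in (data.find(s, start) for s in SIGNATURES) if i != -1]
    return min(hits) if hits else len(data)


def list_pkzip_records(data):
    """Walk the file record by record without using zipfile, and return
    (offset, record_type, member_name) for every PKZIP record found."""
    records, pos = [], 0
    while pos + 4 <= len(data):
        sig = data[pos:pos + 4]
        try:
            if sig == LOCAL_FILE_HEADER:
                h = struct.unpack_from(LFH_FMT, data, pos)
                flags, csize, fnlen, extralen = h[2], h[7], h[9], h[10]
                name = data[pos + 30:pos + 30 + fnlen].decode("utf-8", "replace")
                records.append((pos, "local file header", name))
                pos += 30 + fnlen + extralen
                if flags & 0x0008:
                    # Data descriptor in use: sizes are stored after the data,
                    # so resynchronise on the next signature instead of csize.
                    pos = next_signature(data, pos)
                else:
                    pos += csize
            elif sig == CENTRAL_DIR_HEADER:
                h = struct.unpack_from(CDH_FMT, data, pos)
                fnlen, extralen, commentlen = h[10], h[11], h[12]
                name = data[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
                records.append((pos, "central directory header", name))
                pos += 46 + fnlen + extralen + commentlen
            elif sig == END_OF_CENTRAL_DIR:
                h = struct.unpack_from(EOCD_FMT, data, pos)
                records.append((pos, "end of central directory", ""))
                pos += 22 + h[7]  # h[7] is the archive comment length
            else:
                break  # not a PKZIP record: trailing data or corruption
        except struct.error:
            break  # truncated header at end of file
    return records


def split_archives(data):
    """Cut the file at each end-of-central-directory record, giving one byte
    string per embedded archive (the pieces -f 1 and -f 2 would select)."""
    parts, start = [], 0
    for off, kind, _ in list_pkzip_records(data):
        if kind == "end of central directory":
            end = off + 22 + struct.unpack_from("<H", data, off + 20)[0]
            parts.append(data[start:end])
            start = end
    return parts


def zipfile_view(data):
    """Member names as Python's zipfile module reports them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_member(data, name):
    """Extract one member from an archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    sample = concatenated_sample()
    print("zipfile sees:", zipfile_view(sample))
    for off, kind, name in list_pkzip_records(sample):
        print(f"{off:6d}  {kind:26s} {name}")
    print("archives found:", len(split_archives(sample)))
```

Run stand-alone, the script lists six records (two local file headers, two central directory headers, two end-of-central-directory records) while zipfile only reports the member of the last archive, because it locates the archive by searching backwards for the final end-of-central-directory record. Counting end-of-central-directory records, as split_archives does, is a cheap way for a scanner to flag a file that contains more than one archive.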


Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.