‘Zombie ZIP’ slips malware past 98% of antivirus engines | News – Cyber Tech
March 12, 2026
A proof-of-concept exploit known as “Zombie ZIP” could allow malware to be smuggled past antivirus (AV) software in a crafted ZIP archive.

The exploit, developed by Chris Aziz of Bombadil Systems, uses Python to generate a ZIP file with a manipulated header that declares the compression method as STORED (0) while the contents are actually compressed using the DEFLATE method (8). This causes antivirus engines to scan the file as if it were uncompressed, processing the compressed bytes as noise and failing to match any malware signatures. Aziz tested the Zombie ZIP against 51 AV engines via VirusTotal and only Kingsoft detected the malicious signatures: a 98% success rate.

Because of the malformed header, specifically the fact that the CRC is set to the checksum of the uncompressed payload despite the compression method being set to 0, standard archive extraction tools like 7-Zip and WinRAR cannot open Zombie ZIP files. However, the proof-of-concept uploaded to GitHub also includes a simple loader that can extract the files, offering an alternative method for malicious payload delivery and extraction.

The exploit is tracked as CVE-2026-0866 and was reported by Aziz to the CERT Coordination Center (CERT/CC), which issued a Vulnerability Note on Monday tracked as VU#976247. CERT/CC recommends that antivirus and endpoint detection and response (EDR) solutions validate the compression method of archive files against content characteristics rather than trusting the archive metadata.

The vulnerability note lists Cisco as the only vendor so far that has confirmed it is affected by the issue, saying its ClamAV cannot scan Zombie ZIP files. “However, this is not considered a vulnerability, but rather, a hardening suggestion. It will be considered for future releases,” the company said.

CERT/CC noted that CVE-2026-0866 is similar to CVE-2004-0935, a 22-year-old vulnerability in ESET Anti-Virus versions before 1.020 that allowed a compressed file to bypass antivirus protection through the use of headers set to 0. That vulnerability was assigned a high CVSS version 2.0 score of 7.5.

Earlier this year, attackers were found to be using a different kind of malformed ZIP archive to distribute the Gootloader malware loader. Those ZIP archives contained several anomalies, including mismatched metadata, missing bytes from the End of Central Directory, and the use of up to 1,000 identical ZIP archives concatenated together. This caused unarchiving tools like 7-Zip and WinRAR to fail, potentially preventing automated extraction and analysis of the archives, while the default Windows unarchiving tool could still be used to extract the malicious contents for payload delivery.
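CERT/CC's advice to validate the declared compression method against the content, shown as an added Python example (this is not the proof-of-concept's code and not any vendor's scanner): it reads each entry from the central directory, parses the matching local header, recomputes CRCs, and reports an entry whose "STORED" bytes only produce the declared CRC after inflating them. It assumes unencrypted, non-Zip64 archives small enough to hold in memory.

```python
import io
import struct
import zipfile
import zlib

STORED, DEFLATED = 0, 8
LOCAL_HDR = "<4sHHHHHIIIHH"   # signature + 26 fixed bytes = 30 bytes
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR)

def _local_header(data, offset):
    """Return (method, offset where file data starts) for a local header."""
    fields = struct.unpack_from(LOCAL_HDR, data, offset)
    if fields[0] != b"PK\x03\x04":
        raise ValueError("no local file header at offset %d" % offset)
    method, name_len, extra_len = fields[3], fields[9], fields[10]
    return method, offset + LOCAL_HDR_LEN + name_len + extra_len

def _inflate(body):
    """Raw DEFLATE (no zlib wrapper) as used inside ZIP; None on failure."""
    try:
        return zlib.decompress(body, -15)
    except zlib.error:
        return None

def check_zip_methods(data):
    """List (name, problem) for entries whose bytes contradict their metadata.
    Only STORED and DEFLATE entries are checked; [] means all consistent."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():                    # central directory view
            method, start = _local_header(data, info.header_offset)
            body = data[start:start + info.compress_size]
            if method != info.compress_type:
                findings.append((info.filename, "local/central method disagree"))
            if info.compress_type == STORED:
                if zlib.crc32(body) == info.CRC and len(body) == info.file_size:
                    continue                          # genuinely stored
                # Not the plaintext the CRC covers: if it inflates to that CRC, the method field lies.
                inflated = _inflate(body)
                if inflated is not None and zlib.crc32(inflated) == info.CRC:
                    findings.append((info.filename, "declared STORED, content is DEFLATE"))
                else:
                    findings.append((info.filename, "STORED data fails CRC/size check"))
            elif info.compress_type == DEFLATED:
                inflated = _inflate(body)
                if inflated is None:
                    findings.append((info.filename, "DEFLATE data does not inflate"))
                elif zlib.crc32(inflated) != info.CRC or len(inflated) != info.file_size:
                    findings.append((info.filename, "DEFLATE output fails CRC/size check"))
    return findings
```

A scanner that applies this check can route any flagged entry to the DEFLATE path (or quarantine it) instead of trusting the header, which is the hardening CERT/CC describes.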
