Hello and welcome to the Thursday, March 12, 2006 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording day from Jacksonville, Florida.

And this episode is brought you by the Sands.edu graduate certificate program in incident response.

Well, let's get started with a vulnerability and a script by DDA.

So in DDA's diary today, DDA writes about Zombie SIP.

Zombie Sip has sort of made the news a little bit yesterday, today.

It's really a stupid vulnerability in something.

I'll explain a little bit why.

So the root issue here is when you're having a compressed file, like a SIP file,

you typically have, as an indicator, what kind of compression is being used and then the content.

Now, two of the methods that can be used with SIP is one is stored, which actually means

it's not compressed at all, and then you have deflated, which is, yes, it's compressed.

Well, what the attacker is doing here is just using the stored indicator and then still

including a deflated file, meaning that it's now an invalid SIP file and it cannot be opened

as is. That's really all it comes down to. Of course, since it can't be opened, antivirus tools

can't open it as well

and can not sort of by default and inspect the content of the file.

However, while this sounds cool overall, it's definitely nothing sort of new to concept.

We have seen this a lot with, you know, some of the compressed file formats and such being abused,

like with bad checksums and the like. That is like decades old. But this is actually sort of a

not very useful vulnerability in this particular case because no standard unsip program

will be able to actually unsip the file. So the attacker

...