Security researchers have uncovered a technique that allows malware to hide inside corrupted ZIP archives and bypass antivirus detection. The discovery highlights a weakness in how many security tools process compressed files. By altering archive metadata, attackers can trick scanning engines into skipping the malicious content inside the file.

The method is known as Zombie ZIP malware. It relies on manipulating the ZIP header so that security tools misinterpret the structure of the archive. The malicious payload remains intact, yet most antivirus engines fail to detect it during analysis.

How the Zombie ZIP Technique Works

ZIP archives contain metadata that explains how files inside the archive are stored and compressed. Antivirus engines often rely on this metadata to determine how to analyze the contents. The Zombie ZIP technique exploits that assumption.

Attackers modify the compression method field inside the archive header. The manipulated file claims that its contents are stored without compression. In reality, the data remains compressed using the standard Deflate algorithm. When an antivirus engine trusts that field, it skips decompression and scans the raw Deflate bytes, which look like meaningless data, rather than the actual file contents.

Because the real content is never examined, the embedded malware remains hidden. The archive may also appear corrupted to many extraction tools, which further disguises the malicious payload.
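The following Python check is an added example, not code from the article or from the researchers it reports on. It builds a test archive whose compression-method field is rewritten to "stored" while the data stays Deflate (the mismatch described above), then contrasts a scanner that trusts the field with one that verifies the CRC, inflates the bytes anyway, and reports the mislabeled entry, which is the kind of validation the conclusion calls for. The marker string, the entry name and the payload are constructed.

```python
import io
import struct
import zipfile
import zlib

MARKER = b"CONSTRUCTED-TEST-MARKER"  # stands in for a content signature

def build_sample(payload: bytes, mislabel: bool) -> bytes:
    """Constructed fixture: one Deflate entry. With mislabel=True the method field
    (local header offset 8, central directory offset 10) is set to 0, 'stored'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.bin", payload)
    data = bytearray(buf.getvalue())
    if mislabel:
        for sig, off in ((b"PK\x03\x04", 8), (b"PK\x01\x02", 10)):
            pos = data.find(sig)
            while pos != -1:
                struct.pack_into("<H", data, pos + off, 0)
                pos = data.find(sig, pos + 4)
    return bytes(data)

def _raw_entry(zip_bytes: bytes, info: zipfile.ZipInfo) -> bytes:
    nlen, xlen = struct.unpack_from("<HH", zip_bytes, info.header_offset + 26)  # name/extra lengths
    start = info.header_offset + 30 + nlen + xlen  # 30-byte local header, then name and extra
    return zip_bytes[start:start + info.compress_size]

def _inflate(raw: bytes):
    try:
        return zlib.decompressobj(-15).decompress(raw)  # raw Deflate, no zlib header
    except zlib.error:
        return None  # not a Deflate stream

def scan(zip_bytes: bytes) -> dict:
    """'naive' trusts the method field. 'verified' checks the CRC first: a 'stored'
    entry that fails its CRC but raw-inflates to CRC-matching data is a mislabel."""
    out = {"naive": False, "verified": False, "mislabeled": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            raw = _raw_entry(zip_bytes, info)
            content = raw if info.compress_type == 0 else (_inflate(raw) or b"")
            out["naive"] = out["naive"] or MARKER in content
            if info.compress_type == 0 and zlib.crc32(raw) != info.CRC:
                inflated = _inflate(raw)
                if inflated is not None and zlib.crc32(inflated) == info.CRC:
                    out["mislabeled"].append(info.filename)
                    content = inflated
            out["verified"] = out["verified"] or MARKER in content
    return out
```

The CRC stored in the header is the anchor: it is computed over the uncompressed data, so it cannot match raw Deflate bytes, and a "stored" entry that fails it while inflating cleanly to matching data has a lying method field.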

Detection Rates Drop Significantly

Testing showed that the technique can dramatically reduce malware detection rates. In one experiment, a malicious ZIP archive was detected by most antivirus engines before modification. After the ZIP header was altered, detection dropped sharply.

Only one antivirus engine detected the modified archive during testing. The payload itself remained unchanged. The difference came entirely from a small modification in the container metadata.

This demonstrates how heavily many security tools depend on accurate archive headers during scanning. When those headers are manipulated, detection systems can fail to analyze the real file contents.

Why Archive Parsing Is a Security Risk

The Zombie ZIP technique highlights a broader issue in cybersecurity. File formats such as ZIP archives rely on complex parsing rules that many applications interpret differently. Security tools must process these structures correctly in order to inspect compressed files.

Attackers can exploit inconsistencies between parsers to create files that appear harmless to scanners but still contain functional malware. In this case, the manipulated archive confuses security software while remaining usable by specially crafted extraction tools.

Similar archive parsing weaknesses have appeared before in security research. The difference here lies in how simple the modification is. A single change in metadata can hide malware from most antivirus systems.

Conclusion

Zombie ZIP malware demonstrates how attackers can bypass traditional detection methods by manipulating archive metadata. Instead of changing the malicious payload itself, the technique hides the file behind misleading ZIP header information.

The discovery shows that antivirus systems must verify archive structures more carefully and avoid relying solely on metadata when scanning compressed files. As attackers continue to experiment with file format tricks, security tools will need stronger parsing and validation methods to prevent malware from slipping through disguised containers.

