{"id":11282,"date":"2026-03-12T04:04:00","date_gmt":"2026-03-12T04:04:00","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/12\/32786\/"},"modified":"2026-03-12T04:04:00","modified_gmt":"2026-03-12T04:04:00","slug":"32786","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/12\/32786\/","title":{"rendered":"Analyzing &#8220;Zombie Zip&#8221; Files (CVE-2026-0866), (Wed, Mar 11th)"},"content":{"rendered":"\n<div>Analyzing &#8220;Zombie Zip&#8221; Files (CVE-2026-0866), (Wed, Mar 11th)<\/div>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A new vulnerability\u00a0(CVE-2026-0866) has been <a href=\"https:\/\/kb.cert.org\/vuls\/id\/976247\">published<\/a>: <a href=\"https:\/\/github.com\/Bombadil-Systems\/zombie-zip\">Zombie Zip<\/a>.<\/p>\n<p>It&#8217;s a method to create a malformed ZIP file that will bypass detection by most anti-virus engines.<\/p>\n<p>The malformed ZIP file can not be opened with a ZIP utility, a custom loader is required.<\/p>\n<p>The trick is to change the compression method to STORED while the contend is still DEFLATED: a flag in the ZIP file header states the content is not compressed, while in reality, the content is compressed.<\/p>\n<p>I will show you how to use my tools to analyze such a malformed ZIP file.<\/p>\n<p><u>Simple Method<\/u><\/p>\n<p>Just run my tool <a href=\"https:\/\/github.com\/DidierStevens\/Beta\/blob\/master\/search-for-compression.py\">search-for-compression.py<\/a> on the ZIP file (you can download the Zombie ZIP file <a href=\"https:\/\/github.com\/Bombadil-Systems\/zombie-zip\">here<\/a>, it contains an <a href=\"https:\/\/en.wikipedia.org\/wiki\/EICAR_test_file\">EICAR<\/a> file):<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png?ssl=1\" style=\"width: 993px; height: 211px;\"><\/p>\n<p>The largest compression blob is number 2, it is 77 bytes long. Let&#8217;s select it:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260311-103827.png?ssl=1\" style=\"width: 993px; height: 259px;\"><\/p>\n<p>That&#8217;s the <a href=\"https:\/\/en.wikipedia.org\/wiki\/EICAR_test_file\">EICAR<\/a> file.<\/p>\n<p><u>Complex Method<\/u><\/p>\n<p>We can use the latest version of <a href=\"https:\/\/github.com\/DidierStevens\/DidierStevensSuite\/blob\/master\/zipdump.py\">zipdump.py<\/a> to analyze the file:<\/p>\n<p>Just using the tool fails (because the zip file is malformed):<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260311-104252.png?ssl=1\" style=\"width: 993px; height: 527px;\"><\/p>\n<p>Using option -f to bypass the Python ZIP library for parsing, and using custom code to look for ZIP records (-f l) shows us this is a ZIP file, containing a file with the name eicar.com:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260311-104331.png?ssl=1\" style=\"width: 993px; height: 185px;\"><\/p>\n<p>Selecting the FILE record (at position 0x00000000, PK0304 fil) shows us all the meta data:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260311-104404.png?ssl=1\" style=\"width: 993px; height: 347px;\"><\/p>\n<p>The compressiontype is 0 (STORED), this means that the content of the file is just stored inside the ZIP file, not compressed.<\/p>\n<p>But notice that the compressedsize and uncompressedsize are different (70 and 68). It should be the same for a STORED file.<\/p>\n<p>Let&#8217;s select the raw file content (-s data) and perform an asciidump (-a):<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260311-104437.png?ssl=1\" style=\"width: 993px; height: 423px;\"><\/p>\n<p>This does not look like the EICAR file.<\/p>\n<p>Let&#8217;s force the decompression of the data: -s forcedecompress:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260311-104458.png?ssl=1\" style=\"width: 993px; height: 419px;\"><\/p>\n<p>This reveals the EICAR file content.<\/p>\n<p>Option forcedecompress is a new option that I just coded in <a href=\"https:\/\/github.com\/DidierStevens\/DidierStevensSuite\/blob\/master\/zipdump.py\">zipdump.py<\/a> version 0.0.35. Option decompress will only decompress if the compression type is DEFLATED, thus it can&#8217;t be used on this malformed ZIP file. Option forcedecompress will always try to decompress (and potentially fail), regardless of the compression type.<\/p>\n<p>\u00a0<\/p>\n<p>Didier Stevens<br \/>\nSenior handler<br \/>\n<a href=\"http:\/\/blog.didierstevens.com\/\">blog.DidierStevens.com<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><\/p>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32786\">Go to isc.sans.edu<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Analyzing &#8220;Zombie Zip&#8221; Files (CVE-2026-0866), (Wed, Mar 11th) A new vulnerability\u00a0(CVE-2026-0866) has been published: Zombie Zip. It&#8217;s a method to create a malformed ZIP file that will bypass detection by most anti-virus engines. The malformed ZIP file can not be opened with a ZIP utility, a custom loader is required. The trick is to change [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-11282","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11282"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11282"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11282\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}