infected computer

infected computerYou’re busy, so I’ll say this fast and loud: DON’T OPEN UNEXPECTED ZIP FILES THAT ARRIVE AS EMAIL ATTACHMENTS. Suddenly, there are a lot of them around.

That advice is nearly as old as email, but as they say, everything old is new again. And the internet is newly awash in spam sending out booby-trapped zip file attachments. My inbox has seen a steady trickle of the stuff for the past couple of months, but I didn’t think much of it until I chatted with Sophos Chief Technology Officer Joe Levy this week. Zip archives that contain malicious JavaScript files are on the rise, he said.

Users who fall for the trick and decompress a zip attachment by clicking on it don’t see an executable file—but rather a .js file or similar—and run the code. The two-step technique is obviously working for criminals. Sophos has been tracking a dramatic rise in zip-javascript spam.

In fact, zip files with poisonous javascript have pretty much completely replaced Office attachments (infected Word documents or spreadsheets) as the attack technique preferred by spammers. So if you’ve received spam recently, you’ve probably received an infected zip attachment.

The emails arrive in typical fashion. One promised me a “confirmation letter.” A more clever version offered a travel expense sheet. The most believable says, “voice message from outside caller.”

Well-configured spam and security software should protect organizations from this attack. So why are spammers suddenly adopting the technique again?

According to security training center and think tank The SANS Institute, spammers realize that many organizations, by now, have effective filtering practices that minimize the chance of an employee’s computer getting infected by this type of attack. However, the spike in .js malspam indicates enough of this bad stuff is leaking through to make it profitable for criminals.

Akin to the IRS scam, which just keeps working and working, infected zip attachments are popping up all over because they work.

Here are the essentials of the SANS analysis:

  • This malspam appears to target Windows computers.
  • The extracted file is Javascript-based, and the infection requires user action.
  • The user must open the zip attachment, extract the .js file, and manually run the .js file.
  • A properly administered Windows host using software restriction policies should prevent an infection.
  • A properly administered spam filter will prevent this type of malspam from reaching the recipient’s inbox.

This article originally appeared on and was written by Bob Sullivan.