Spammers love them, and that’s a clue.
The ZIP file is the spammer’s, phisher’s, and hacker’s best friend.
ZIP files are everywhere, and have many valid uses. Unfortunately, with that ubiquity comes the potential for abuse.
And that’s exactly what spammers like to do.
That’s why the answer to your question isn’t really yes or no, but rather “It depends.”
Are ZIP files safe?
ZIP files are useful for compressing and bundling files but can be exploited by hackers and spammers. Always be extra careful with ZIP files in email you don’t expect, especially those requiring a password, as they may contain malware. Make sure it’s safe before unzipping; if you can’t be sure, don’t do it.
What is a ZIP file?
A ZIP file is a container for other files.
At their most basic, ZIP files solve two problems in a simple way.
- By bundling multiple files and even folders into a single container file, the distribution, archival, and organization of lots of files become simpler. Rather than sending 50 separate documents as 50 separate files, you can create a ZIP file containing them all and send that single file.
- ZIP files are also compressed. That means that even when a ZIP file contains only a single file, it can be smaller than the file it contains. Naturally, compression varies dramatically based on the compressibility of the original files.
Those two features — bundling multiple files into one and compressing them as it does so — make the ZIP file format one of the most common ways to share files and collections of files around the internet. Add optional password-based encryption, and it gets even better.
It’s also one of the oldest archive and compression formats still in use, dating back to 1989.[1]
ZIP is everywhere
One reason ZIP files are so appealing is that support for creating and opening them (typically called zipping and unzipping) is built into every current operating system. Windows Explorer understands ZIP files, and Mac and Linux both come with the “zip” and “unzip” command-line tools.
Given that ubiquity, it’s safe for a software vendor — or anyone else — to assume that if they make something available as a ZIP file, the recipient will be able to use it.
ZIP as obfuscation
Knowing you have a ZIP file doesn’t tell you what you have. You have to look inside the file to understand what files it contains and what format they’re in. As a result, ZIP files are often used to hide or at least obscure the contents.
For example, many email systems do not allow attachments of files that end in “.exe”. In Windows, .exe files are programs. When you double-click on an .exe file, it tells Windows to run whatever program that .exe file happens to be. Since malware is often distributed as a program file, email providers prevent all programs from being emailed in this fashion. The risk of someone opening the attachment to see what it is and inadvertently running a malicious program is high.
ZIP files, however, are not blocked. As I said, ZIP files are useful for many legitimate purposes, not the least of which is transferring collections of documents from one person to another by email.
So one approach to sending an .exe file from one person to another via email is to zip it first, email the resulting .zip file, and then have the recipient unzip it on their end.
Hackers and phishers love that. But it gets better. (Or worse, depending on your perspective.)
Scanning ZIP files
Because ZIP files are a convenient way to spread malware, many security scanners scan what’s inside. That’s great if someone tries to send you a virus within a ZIP file. All the scanner needs to do is unzip the file and scan the results…
…except if the ZIP file is encrypted. Then the malware scanners can’t look inside. That’s the point of encryption.
And scammers leverage this.
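As an added example (not part of the original article), the following Python script shows what a scanner can learn from a ZIP without extracting anything to disk: it reads the central directory to list entries, reports the encryption flag (the file names stay visible even though the contents can’t be scanned), flags executable and double extensions such as statement.pdf.exe, recurses into nested ZIPs, and checks that a file called .zip really is one. The sample archives are constructed in memory, and the extension lists are assumptions rather than a complete catalogue.

```python
import io
import zipfile

# Extensions Windows runs on double-click. .exe, .scr and .bat appear on the
# page; the rest are assumptions and the list is deliberately not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs",
                   ".js", ".jse", ".wsf", ".msi", ".ps1", ".lnk"}
# Harmless-looking extensions used as the middle part of a double extension.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ENCRYPTED_FLAG = 0x1  # general-purpose flag bit 0: entry data is encrypted


def inspect_zip(data, depth=0, max_depth=3):
    """Inspect a ZIP held in memory without extracting anything to disk.

    Returns (kind, entry_name, nesting_depth) findings. Only the central
    directory is read, so encrypted entries are listed but never decrypted."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [("NOT_ZIP", "", depth)]  # the .zip extension may be a disguise
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("CORRUPT_ZIP", "", depth)]
    with zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            if encrypted:
                findings.append(("ENCRYPTED", name, depth))
            if ext in EXECUTABLE_EXTS:
                findings.append(("EXECUTABLE", name, depth))
                if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
                    findings.append(("DOUBLE_EXTENSION", name, depth))
            if ext == ".zip" and not encrypted:
                if depth + 1 >= max_depth:
                    findings.append(("NESTED_TOO_DEEP", name, depth))
                else:
                    findings.append(("NESTED_ZIP", name, depth))
                    findings.extend(inspect_zip(zf.read(name), depth + 1, max_depth))
    return findings


def build_samples():
    """Constructed demo archives (placeholder bytes, not real programs or malware)."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry_name, payload in entries:
                zf.writestr(entry_name, payload)
        return buf.getvalue()
    inner = make_zip([("statement.pdf.exe", b"MZ placeholder, not a real program")])
    nested = make_zip([("Notice.zip", inner), ("readme.txt", b"open the attachment")])
    # zipfile cannot write password-protected entries, so mark the entry as
    # encrypted by setting flag bit 0 in its local and central-directory headers.
    raw = bytearray(make_zip([("invoice.doc.scr", b"placeholder")]))
    raw[raw.index(b"PK\x03\x04") + 6] |= ENCRYPTED_FLAG  # local file header flags
    raw[raw.index(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG  # central directory flags
    return {"clean": make_zip([("report.txt", b"quarterly numbers")]),
            "nested": nested, "encrypted": bytes(raw),
            "not_a_zip": b"MZ\x90\x00 a renamed program, not a ZIP"}
```

Calling `inspect_zip(build_samples()["nested"])` returns the nested-archive, executable and double-extension findings for the constructed sample; the `"encrypted"` sample shows the entry name being reported alongside the encryption flag.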
ZIP as phishing bait
Let’s say you get an email from your bank.
The email says there’s an issue with your account, and to please open the attached file for more information.
The attached file is in ZIP format. Since this is supposedly sensitive, the ZIP file might be protected with a password, which is conveniently included in the email. (That there is a password means the file is encrypted.)
Chances are, to quote the over-quoted Admiral Ackbar: It’s a trap! Especially if a password is involved.
Whoever sent you that email probably used the ZIP file format to thwart anti-malware scans and other restrictions to deliver a malicious package. If you open the zip file, you’ll probably find what appears to be a document. Double-click to open that document and you could instead run a program delivering malware to your machine.
I recommend not doing that.
When to trust ZIP files
Banks, governments, delivery services, the postal service, and almost all other companies should never send you a ZIP file. Either the information they want to get to you will be in the body of the email, or they’ll direct you to log in to your account with their service directly (ideally without clicking on a link), where you’ll find the important information.
Naturally, there are exceptions. If you purchase a software download, it could be delivered via email as a ZIP file, though more commonly it should be a direct download from the website on which you purchased it.
Do this
If you receive an unexpected email, particularly from some kind of “official-looking” source, and it has a ZIP file attached, be very wary, particularly if that ZIP file requires a password. I would go so far as to say never open unexpected ZIP files until or unless you can absolutely confirm they are legit by some other means.
ZIP files are useful, but because spammers and scammers can so easily use them to trick you into installing malware, it’s worth always being sure of exactly where they come from.
Footnotes & References
[1] Zip (file format) – Wikipedia
Most “archive files” (e.g. ZIP, 7-zip) can be scanned with anti-virus programs and other anti-malware tools (e.g. Malwarebytes). I heartily recommend doing so, even when you THINK you know what the archive (ZIP) file is.
This varies dramatically based on the anti-malware tool, but basically I agree.
Just to be clear…presumably you’d have to unzip (but not open) the file first, no?
That depends on your anti-malware tool. Some have an option to scan inside archives. Those ones will scan a zip file by actually scanning the contents of the zip file without you having to unzip the files.
By now, I believe all antimalware programs scan .zip files.
Unless they’re password protected.
Newly minted viruses in emails may not have been picked up by the AV companies yet, and there are always delays in getting the newest definitions out.
Example: I’ve gotten several of these, obvious phishes with zip attachments holding exe files, usually with double extensions, e.g. statement.pdf.exe. (If you don’t display file extensions you could be fooled.) They often even come with an Adobe Reader icon; again, trying to fool you that it’s just an innocent PDF.
With that pedigree, I know for sure it was a virus – but decided to check it anyway. Surprise, all the usual virus checks show negative. So off to totalvirus.com it goes; this is a site that tests files against 50-some antivirus programs. On the first day, only 5 of the 50 tests said virus, 3 days later 20 of them said so, and a week later, 45 of them.
Bottom line: if it waddles like a duck, looks like a duck and quacks like a duck .. it’s a duck. Even if it says it’s a kitten video.
“If you don’t display file extensions you could be fooled”
If you don’t display file extensions, then wouldn’t suddenly seeing the PDF extension show up (as only the “.exe” would be hidden) tip you off?
IF, and only if, you were paying attention and thought about it. In my experience most people (rightfully) are thinking about other things.
Gmail won’t send or receive emails with zipped attachments containing a .exe file, or any executable file. I would get around it by either changing the extension of the .exe file to something like file.exe.xxx or sending a link to a Dropbox file.
Sometimes an email with a zip file or other unknown, and possibly unwanted files, such as pictures or links, may be spoofed as coming from someone you do know and trust. I have sent a separate email back to the sender, to verify that they did indeed send it to me, and why, before opening it. Once I get their answer then I know what to do with the files.
One of the first benefits to a compressed (single) file relates to disk cluster size. If you write 100 1-byte files into an OS with a 1K cluster size (I am just making these numbers up as I go) the OS will happily eat 100,000 clusters. If you write 100 1-byte files into one Zip file and save that, the OS will use one 1K cluster. (I hope my math is correct.)
Many files shorter than about 200 bytes will very probably get inlined in the folder itself. In fact, under Windows using NTFS, your shortcuts, *.lnk files, are all inlined. All modern file systems actually support inlining, but FAT did not.
This means that those short files don’t actually have any allocated cluster, but use some space within the folder itself.
I think you meant the OS will eat 100,000 bytes, not 100,000 clusters.
GMail will neither allow you to send or receive .zip files which contain .exe or other executable files. I believe .rar bypasses this.
Another solution, as has been mentioned elsewhere, is to zip the zip file again.
Or, password protect the ZIP? I don’t like the idea of gmail looking in my ZIP file anyway.
If you encrypt the files using the zipping program, the file names will still be visible to Gmail or anyone opening the .zip file. If you encrypt the .zip file after it has been zipped, even by using zip encryption, this would obscure the file names.
There’s also some email that will tell you a password to an attached zip file, which you have to input to open. Zip files with passwords cannot be scanned by anti-malware as they are considered encrypted.
Not completely true. The contents of the password protected zipped files cannot be read, but the listing of files that are within the zip file CAN be seen.
Double zipping hides the file names. Zip the highest level Zip file and all they’ll see is the inner Zip file.
> The contents of the password protected zipped files cannot be read, but the listing of files that are within the zip file CAN be seen.
Depending on the program used: 7-zip, for example, offers the option to encrypt file names.
Unfortunately that option may not be compatible with the program used to unzip the file at the other end.
I guess you have seen it before, but…
REAL programmers type C:/ copy con >MyProg.zip
Yeah, I know… few will understand.. ;-)
REAL programmers type # tar -cvfz archive.tgz directory_name
Yeah, I know… even fewer will understand..
IF an agency OR someone you know NEEDS to send you a ZIP file, FOR ANY REASON, they should password protect the ZIP file and provide you with the KEY over the phone, NEVER provide KEYS by email! With 7zip the following key/password examples (in quotes) are all strong, legit and acceptable: “SweeT cHerry w1ne t01let w@teR”, “porcupineapples”, “Paperclip 0n 1c3” etc.; they really don’t need to be all that complicated to be secure. Do Not Use any of these examples lol.
Working in the medical and other sensitive fields I’ve set up keys that are changed monthly, at minimum, or weekly to provide the best security. No password, it’s deleted!
I like your approach, though I might not necessarily insist on phone key exchange only. What’s important is that the password be sent by a different channel – IM, text message, Dropbox and so on.
Agreed, thanks for the addition to my comment!
I received a zip file in an email yesterday, purporting to contain e-tickets for a show in Bournemouth in December for which I had apparently already paid, using a credit card with the last 4 digits shown, which didn’t match any of my cards.
I saved the file to disc and scanned it with McAfee, which didn’t find any problems, but I shredded it anyway.
Today’s Telegraph ran a story about this, saying that if the attachment was opened it would install a virus.
Is there really any risk in opening a zip file to see the contents? Is it possible for the zip file itself to actually install the virus if opened? I would have thought not, but could the .zip extension itself be a spoof?
Technically, no, opening a zip will not install a virus. HOWEVER there are techniques hackers use to make you think you’re opening a zip file when instead you are running a program. This is the change I recommend everyone make to resolve the most common way they fake you: http://askleo.com/one_change_you_should_make_to_windows_explorer_right_now_to_stay_safer/
Yes, but when checking zipped files received for malware or viruses with Malwarebytes, SuperAntiSpyware or your anti-virus program, which do you check? The zipped folder itself or the contents after unzipping it?
Both. You scan the .zip, just in case it’s not really a .zip file, and you scan the contents of the .zip file, in case the contents contain malware.
Some anti-malware programs give you an option to scan inside archives. This option will scan both the .zip and the contents at the same time.
If your current AV solution can’t look into and scan inside of zip files then it’s time to get another AV solution
the only exception is encrypted zip files which most if not all AV still cannot scan
you also want an AV that can look inside of stacked / nested zip files,
> that’s file(s) inside of a zip, inside of a zip, inside of a zip, inside of a zip, inside of a zip …
also encrypted zip files are quite a bit less useful to the malware distributor, because they also have to supply the password. adding extra steps and complexity for the users they are trying to exploit, and sometimes windows exploder won’t let you take the files out of a password encrypted zip file
which then requires using an actual zip file utility or distribution of a self extracting zip.
case in point:
> I sent a friend a zip file that contained the files I recovered for them from their old PC they gave me before they moved away
I used winzip 16 with 256-bit AES encryption and a reasonably sized complex password to encrypt the zip file
I also made a self extracting zip file from the same archive which also required the password
I had to explain 3 times how to get the files out of the encrypted zip using the password supplied
but in the end they had to use the self extracting zip with the supplied password because windows exploder wouldn’t accept the password for the encrypted zip file
The best practice with financial institutions, banks, credit cards, shipping companies (DHL, UPS) etc. is never supply them your email address
every time I go in to the bank they try to get my email address and I tell them No!
for the following reason:
when you get an email supposedly from the financial institution, you know immediately it’s fake because they don’t have your email address
with banks etc. if there is a problem with your account they are supposed to freeze the account / halt any irregular transactions, call you by phone and send you letter mail
if a bank insists they have my email address to continue using the bank, I will close the account and cease to do business there
It’s also useful to minimize the number of banks you use. Because I deal with two banks, I always laugh when I get emails from other banks. It’s easy to tell the fakes apart when 10 emails are from banks you don’t deal with and 1 is. And my banks never email me anyways, unless it’s to tell me that I should log in to my account (no link in the email) to read an important message.
Going back to the original question, I know exactly what was meant by “I’m getting financial questions and attachments with a .zip extension” as I have been getting two or three of these a week over the summer. The last one claimed to come from “Superior of Missouri Department of Revenue” and the subject was “Unpaid taxes. Notice #126147”. Like the others, a small zip file of about 60KB was attached; this one was called “Notice_8.04.2014.xls.zip”, so as described above it was masquerading as a spreadsheet. Others claim to be invoices, bills, etc.
I scanned the attachment online with Virus Total, and 39/51 scans detected malware, generally a Trojan downloader of some sort. It is a bit disappointing that Hotmail is letting so many of these through, given that it does scan messages for viruses. I have had one or two containing infected macros for Word documents, indicating the value of not allowing MS Word to open macros from the Web without permission.
As I noted in a reply above, scanning attachments in zip files should *never* be one’s first line of defense. If it’s a new virus (and email is a great way to get new viruses in circulation quickly) your anti-virus will not flag it. To be safe(r) just say no and don’t open .zip files in emails.
Another trick that I’ve recently seen in malware-bearing .zip files (attached to emails): the .zip file contains 2 files; one is the malware program (probably between 10 kB and 50 kB in size) but renamed from something.exe to something.dat, and the other is a batch (name.bat) file (contents only a few tens of bytes) that contains commands to rename the file back to something.exe and then execute it.
What can I do if I opened a .zip file with a protected password from a phishing email? I did a search on what my next steps are to protect myself after opening a .zip file, but I can’t find one. They all say “DO NOT OPEN IT.” But the problem is I already did. What do I do now?
Are you suspecting that you got a virus? If so, this article is very useful: http://askleo.com/how_do_i_remove_malware/
No A.V. scanner truly “scans inside of zip files”. They all have to be temporarily extracted to memory to scan the true string of bits.
You have to quickly “re-build the house” from a pile of bricks to catch someone hiding in the bedroom closet.
Our computer network was infected with the Dyre virus/trojan. It was sent as an attached zip file. Inside the zip file was a .scr file. How do you know if you are infected by simply opening the .zip file or if you had to open the .scr file? Our IT people are telling us if we opened the zip file we are infected, but I think that is just them pulling out the hammer because they really don’t know. I opened the zip, saw the scr attachment, and then promptly deleted it. How would you proceed? Is there a good free scanner out there that can tell me if I’m a ‘carrier’?
Generally just unzipping a file with a .scr extension shouldn’t cause it to execute.
An .scr is a screensaver file. That might sound harmless, but it is like an .exe file. It’s not uncommon for a virus to be disguised with a .scr extension to fool people into running it. Most antimalware programs scan ZIP and some other archive files.
Gmail blocks EXE files even when they are zipped. I used to get around this by using RAR compression but that format isn’t understood by the average user.
I forget if it’s gmail, but some services only look at the filename, so simply renaming the .exe could be enough (with instructions to rename back accompanying). Other email services only look one level deep in a zip file, so zipping the zip file into another zip file is another way to get past. Once again with accompanying instructions. Depending on what’s promised people will jump through some amazing hoops to get at what’s inside.
I’ve also renamed files to send them. It always worked in the past and probably still does.
If you want to check the contents of a zipfile safely, the way to do this is to open your zip/unzip utility program (“WinZip,” for example), click on “open,” navigate to the suspect zipfile then select it and click “open.”
This guarantees that the zipfile is opened, but not executed. If it turns out to be an “*.exe” file in disguise, the worst you’ll get is an error message.
With zip support built into Windows File Explorer many people don’t bother with “your zip/unzip” utility — they don’t have an additional one to do this with.
Even though Windows “understands” Zipfiles, all Windows users should have a separate Zip utility they can resort to. The reason for this is simple — opening a Zipfile within a Zip program is much safer than opening it with Windows. Unless you’ve badly misconfigured it, a Zip program won’t automatically execute anything it finds within a Zip archive… but Windows just might do that!
A separate Zip utility is, therefore, both indispensable, and invaluable, for checking out suspect Zipfiles. Without any such separate Zip utility, all a user has is Windows itself, and good luck with that! :(
Windows won’t automatically execute a ZIP file. You’d have to double-click or manually execute the file to have it execute.
In days of yore, there was a ZIP drive. It used its own file format and diskettes. We have a lot of those from when my partner (an MD) was using them to store patient files before we had electronic medical record software. They look like the 3 1/2″ hard case floppies but are about 4″ square. They hold 100MB!
ZIP drives are completely unrelated to ZIP files.
Couldn’t a questionable ZIP file be opened in the “Sandbox”?
I have Windows 11 Pro, which offers a virtual computer
For those people that don’t have the “Pro” version of Windows a similar program can be downloaded from the net.
A sandbox might not protect against malware. A true virtual machine plus adequate caution can protect you.
As long as you don’t double-click or otherwise execute .exe, .scr, or other executable files, looking at a .zip file should install any malware.
A complete list of executable file extensions,