Chrome now asking for ZIP archive passwords to help detect malicious files


Cybercriminals are increasingly using encrypted and password-protected files to deliver infostealers and other malware while slipping through security defenses. Google Chrome has introduced a solution, which, while not elegant, should still be effective.

When a user downloads a suspicious encrypted archive, such as a .zip, .7z, or .rar file, automated systems cannot inspect what is inside: the file data is encrypted under the password, so a scanner sees only the container and not the payload until the victim extracts it, which is too late.

Attackers make the password obvious to their victims, putting it in the spam email, on the page the file is downloaded from, or even in the file name itself. The goal is for the user to download the archive and type in the supplied password, at which point the malware inside can run.


To combat this evasion technique, Google Chrome has introduced two protection mechanisms.

Users who have Enhanced Protection enabled will be prompted to enter the file’s password. Google’s Safe Browsing, a service that warns about dangerous websites and files, will then upload both the file and the password to the cloud for a deep check.

[Screenshot: Chrome's prompt asking for the archive password before a deep scan]

Google assures that uploaded files and file passwords are deleted shortly after they're scanned, and all collected data is only used by Safe Browsing to provide better download protections.

“A current trend in cookie theft malware distribution is packaging malicious software in an encrypted archive – a .zip, .7z, or .rar file, protected by a password – which hides file contents from Safe Browsing and other antivirus detection scans,” Google warned.

If a user hasn't enabled Enhanced Protection and uses Chrome's default Standard Protection mode instead, downloading a suspicious encrypted archive also triggers a prompt for the password.

However, in this case the file and the password stay on the local device, “and only the metadata of the archive contents are checked with Safe Browsing.”

That metadata check is only as good as what Safe Browsing already knows: users are still protected if Google's service has previously observed and categorized the malware.
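To make the difference between the two modes concrete, here is an added example (not Google's or Chrome's code, and not describing how Safe Browsing actually works internally): it builds a constructed password-protected ZIP in memory, shows what a scanner can learn from the archive without the password (file names, sizes, CRCs, the encryption flag), and then what it can only learn once the password is supplied. The archive uses the traditional PKWARE "ZipCrypto" scheme purely because the Python standard library can decrypt it; the tiny encryptor, the sample entries, the password and the "MZ"-magic content check are all constructed stand-ins, not real detection logic.

```python
import io
import struct
import zipfile
import zlib

# Traditional PKWARE ("ZipCrypto") encryption, reimplemented here only so the
# sample archive is self-contained: the stdlib can read this scheme but cannot
# write it. It is a weak, obsolete cipher; the point of the example is what is
# visible without the password, not the strength of the encryption.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCryptoEncryptor:
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    @staticmethod
    def _crc(crc, byte):
        return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]

    def _update(self, byte):
        self.k0 = self._crc(self.k0, byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = self._crc(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for b in data:
            t = self.k2 | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)  # key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(entries, password):
    """Build a STORED, ZipCrypto-protected ZIP in memory. entries: name -> plaintext."""
    body, central = io.BytesIO(), io.BytesIO()
    for name, plain in entries.items():
        crc = zlib.crc32(plain) & 0xFFFFFFFF
        # 12-byte prefix: 11 filler bytes (real writers use random ones) plus the
        # high byte of the CRC, which readers use as the password check byte.
        payload = ZipCryptoEncryptor(password).encrypt(bytes(11) + bytes([crc >> 24]) + plain)
        offset, nameb = body.tell(), name.encode()
        body.write(struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, 1, 0, 0, 0x21,
                               crc, len(payload), len(plain), len(nameb), 0) + nameb + payload)
        central.write(struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                                  crc, len(payload), len(plain), len(nameb), 0, 0, 0, 0, 0, offset) + nameb)
    cd, cd_offset = central.getvalue(), body.tell()
    eocd = struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, len(entries), len(entries), len(cd), cd_offset, 0)
    return body.getvalue() + cd + eocd


def archive_metadata(zip_bytes):
    """What a scanner learns WITHOUT the password: names, sizes, CRCs, encryption flag."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [{'name': zi.filename, 'size': zi.file_size, 'crc32': zi.CRC,
                 'encrypted': bool(zi.flag_bits & 0x1)} for zi in zf.infolist()]


def deep_scan(zip_bytes, password=None):
    """What a scanner learns WITH the password: per-entry verdicts on the real contents.

    The content check (a leading 'MZ' DOS/PE magic) is a constructed placeholder
    for a real scan engine, not Safe Browsing's logic.
    """
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            try:
                content = zf.read(zi, pwd=password)
            except RuntimeError:  # stdlib: missing password, or check byte mismatch
                verdicts[zi.filename] = 'needs_password' if password is None else 'bad_password'
                continue
            except zipfile.BadZipFile:  # check byte matched by chance (1/256) but CRC failed
                verdicts[zi.filename] = 'bad_password'
                continue
            verdicts[zi.filename] = 'malicious' if content.startswith(b'MZ') else 'clean'
    return verdicts


# Constructed sample: a fake PE alongside a decoy, password given to the victim in the lure.
SAMPLE_ENTRIES = {
    'invoice.pdf.exe': b'MZ\x90\x00' + b'This program cannot be run in DOS mode.',
    'README.txt': b'Open the attached invoice to view it.',
}
SAMPLE_PASSWORD = b'infected'
SAMPLE_ZIP = build_encrypted_zip(SAMPLE_ENTRIES, SAMPLE_PASSWORD)

if __name__ == '__main__':
    print('metadata only  :', archive_metadata(SAMPLE_ZIP))
    print('no password    :', deep_scan(SAMPLE_ZIP))
    print('wrong password :', deep_scan(SAMPLE_ZIP, b'wrong-guess'))
    print('right password :', deep_scan(SAMPLE_ZIP, SAMPLE_PASSWORD))
```

Without the password the scanner still sees a double-extension file name, its exact size and CRC, which is the kind of metadata a reputation service can match against archives it has already categorized; only with the password can it look at the bytes and notice the executable. One caveat a practitioner should keep in mind: ZIP (both ZipCrypto and WinZip AES) leaves entry names and sizes in the clear, but 7-Zip's header encryption option (`-mhe=on`) encrypts the file list as well, so a metadata-only check on such a .7z has even less to work with.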


The tech giant explains that suspicious files are a small fraction of overall downloads and that file contents are only scanned for security purposes.

“We've found these additional scans to have been extraordinarily successful – they help catch brand new malware that Safe Browsing has not seen before and dangerous files hosted on brand new sites. In fact, files sent for deep scanning are over 50 times more likely to be flagged as malware than downloads in the aggregate,” Google said.

Enhanced Protection users should also note that from now on, all suspicious downloads will be automatically deep-scanned, instead of prompting each time.

“This will protect users from risky downloads while reducing user friction,” Google explains.

Should users embrace this new Chrome feature?

“It is optional. If you’re downloading shady and untrusted files, it is a positive addition. You can provide the password that is usually already publicly available for a quick malware scan. However, for trusted encrypted files, you can and you should use the “download anyway” button to receive the file, and not let Google scan its contents. This way, the confidentiality of the file’s contents would remain intact,” the Cybernews Research Team suggests.

Chrome's download warnings have also been redesigned. Google replaced the previous warning messages with more detailed ones that convey “more nuance” about the dangers and better inform users.

Chrome will have two tiers of warnings based on the malware checks: suspicious files, which carry an unknown risk, and dangerous files, which carry a known high risk of user harm.

[Screenshot: the two-tier download prompts for suspicious and dangerous files]

The two tiers are distinguished by iconography, color, and text, to make it easy for users to make the right choice.
