According to antivirus vendors, this particular strain (Bagle.J, or .H or .K, depending on the vendor) appeared in the wild on March 2nd. Besides the password-protected zip "feature", it is in no way special: it uses well-known techniques to spread via SMTP. However, only hours after it was found in the wild, customers at many large enterprise sites began to notice Bagle-carrying zip files slipping through their gateway defenses. The AV vendors probably had a hard time explaining why this was happening to increasingly nervous IT personnel.
To an antivirus scan engine, password protection is in essence encryption. The purpose of encryption is to keep content from prying eyes, including those of technology. AV technology must have the key, that is, the password, to decompress the zip archive and scan it. No password, no scanning; it is as simple as that.
The idea is so simple and straightforward that it's really surprising it hasn't been exploited more often up until now.
In fact, the same principle is used, for example, when submitting a suspicious file to a virus analysis center. You compress the file and protect it with a password, ensuring that no content or AV filter will alter it in transit to its destination. There, the analysts can unzip it with the password you provided and examine it.
Of course, a password-protected zip dramatically decreases the distribution potential of an e-mail worm. But two factors can probably compensate for this, at least in part. Firstly, the worm can count on bypassing gateway AV defenses, as it did in this case. Secondly, it plays the social engineering card: if you send a well-crafted e-mail to unsuspecting users and also provide a password, it can apparently trigger reasoning along the lines of: "Oh, they've sent me a confidential mail, and it even has a password, so it must really be for my eyes only. It must be something important and therefore I must open it."
This reasoning may seem far-fetched, but something similar is evidently happening, since Bagle.J is currently quite active in the wild.
The antivirus vendors have been unusually slow to react, which probably indicates they had a hard time finding a solution flexible enough to incorporate into existing pattern files and scan engines. Several hours elapsed before patches were provided to help detect the latest Bagle variant. In the meantime, the only sure bet was blocking all incoming zip files, a draconian policy many were reluctant to implement.
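A gateway-side check, as an added example that is not from the article or from any AV vendor: it reads the ZIP general-purpose flag to tell password-protected (unscannable) entries from ordinary ones, so an administrator can quarantine only those rather than blocking all zip files. The sample archives are constructed inside the code, and the entry name and verdict strings are assumptions.

```python
import io
import struct
import zipfile

# Bit 0 of the ZIP "general purpose bit flag" (PKWARE APPNOTE) marks an entry as
# encrypted. A gateway AV engine cannot inspect such an entry without the
# password, but the entry name and this flag are readable in the clear.
ENCRYPTED = 0x0001

def inspect_zip(data: bytes) -> dict:
    """Map each entry name to True if its encryption bit is set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: bool(i.flag_bits & ENCRYPTED) for i in zf.infolist()}

def gateway_verdict(data: bytes) -> str:
    """Policy: quarantine only archives that cannot be scanned, rather than
    blocking every .zip attachment outright (verdict strings are assumptions)."""
    try:
        entries = inspect_zip(data)
    except zipfile.BadZipFile:
        return "quarantine: malformed archive"
    if any(entries.values()):
        return "quarantine: encrypted entry cannot be scanned"
    return "pass to AV scan"

def build_plain_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: an ordinary unencrypted single-entry archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def mark_encrypted(plain: bytes) -> bytes:
    """Constructed sample: set the encryption bit in every local file header
    (flags 6 bytes after 'PK\\x03\\x04') and central directory header (flags
    8 bytes after 'PK\\x01\\x02'). The content is not really encrypted; this
    only reproduces the metadata a gateway sees for a password-protected zip."""
    out = bytearray(plain)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            flags, = struct.unpack_from("<H", out, pos + off)
            struct.pack_into("<H", out, pos + off, flags | ENCRYPTED)
            pos = out.find(sig, pos + 4)
    return bytes(out)

if __name__ == "__main__":
    plain = build_plain_zip("report.txt", b"quarterly figures\n")
    print(gateway_verdict(plain), "/", gateway_verdict(mark_encrypted(plain)))
```

Because the flag and the entry names sit in unencrypted headers, this check needs no password and costs far less than a full scan, which is what makes a narrower policy than "block all zips" practical.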