For over a week, the unofficial 7-zip.com domain served malware-laden downloads that installed proxy servers, turning victim PCs into botnet nodes while evading basic security scans.
For more than a week, users seeking to download the popular file compression utility 7-Zip were unknowingly installing malware that turned their PCs into proxy servers for a remote-controlled botnet. The attack, which occurred between January 12 and 22, exploited the common practice of downloading software from unofficial sources and demonstrated how even basic security measures can be bypassed by sophisticated attackers.
The Anatomy of the Attack
The malicious campaign centered on the domain 7-zip.com, a copycat website designed to mimic the official 7-Zip project hosted at 7-zip.org. While such copycat sites typically exist merely to generate ad revenue through search engine placement, this particular domain took a more sinister turn during the specified timeframe.
What made this attack particularly insidious was its evasion technique. Upon visiting 7-zip.com, users would initially see legitimate download links pointing to the official 7-zip.org executables. After a delay of approximately 20-30 seconds, however, a JavaScript snippet would execute and silently rewrite those links to point at malware-laden executables hosted elsewhere.
This timing mechanism was specifically designed to fool automated website scanning tools. Basic security scanners that quickly check a site's links would see clean, legitimate URLs and mark the site as safe. Only users who waited on the page long enough—or who clicked the links after the delay—would trigger the malicious download.
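The delayed link rewrite described above is exactly what a single, immediate scan misses; the defensive counterpart is to snapshot a download page's links twice, some seconds apart, and diff them. The following is an added example, not code from the original article or from any of the analyses it cites; the snapshot shape ({ text, href }), the placeholder file names and the second host are constructed assumptions.

```javascript
// Added example (not from the original article): a link-drift check that
// compares two snapshots of a download page's anchors taken some seconds
// apart and reports links that were rewritten or that point off the
// expected official host. The snapshot shape ({ text, href }), the
// placeholder file names and the second host are constructed assumptions.

const OFFICIAL_HOST = "7-zip.org";

// In a browser console a snapshot would be taken with:
//   Array.from(document.querySelectorAll("a[href]"),
//              a => ({ text: a.textContent.trim(), href: a.href }))
// once on load and again after the suspicious delay has passed.
function hostOf(href) {
  try { return new URL(href).hostname.toLowerCase(); } catch { return null; }
}

function isOfficialHost(host, official = OFFICIAL_HOST) {
  return host === official || (host !== null && host.endsWith("." + official));
}

// Compare two snapshots keyed by visible link text. Each finding records the
// original and current href, whether the host changed, and whether the
// current destination lies outside the official host.
function findLinkDrift(before, after, official = OFFICIAL_HOST) {
  const earlier = new Map(before.map(a => [a.text, a.href]));
  const findings = [];
  for (const link of after) {
    const from = earlier.get(link.text);
    const offOfficial = !isOfficialHost(hostOf(link.href), official);
    const rewritten = from !== undefined && from !== link.href;
    if (rewritten || offOfficial) {
      findings.push({
        text: link.text,
        from: from ?? null,
        to: link.href,
        hostChanged: rewritten && hostOf(from) !== hostOf(link.href),
        offOfficial,
      });
    }
  }
  return findings;
}

// Constructed snapshots: at t=0 both links point at the official host; at
// t=30s one download link has been swapped to an unrelated host.
const SNAPSHOT_T0 = [
  { text: "Download (64-bit)", href: "https://www.7-zip.org/a/EXAMPLE-x64.exe" },
  { text: "Download (32-bit)", href: "https://www.7-zip.org/a/EXAMPLE-x86.exe" },
];
const SNAPSHOT_T30 = [
  { text: "Download (64-bit)", href: "https://files.example.invalid/EXAMPLE-x64.exe" },
  { text: "Download (32-bit)", href: "https://www.7-zip.org/a/EXAMPLE-x86.exe" },
];

console.log(findLinkDrift(SNAPSHOT_T0, SNAPSHOT_T30));
```

A scanner that only records the first snapshot reports nothing here; the second snapshot is what surfaces the rewritten 64-bit link.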
The Malware's Functionality
The malware itself was relatively simple in design but dangerous in effect. Rather than performing destructive actions or encrypting files for ransom, it installed a proxy server on the infected machine. This transformed each victim's computer into a node in a larger botnet infrastructure.
Once installed, the proxy server allowed criminals to route their internet traffic through the compromised PCs, effectively masking their true origins. This technique is commonly used for various illicit activities, including credential stuffing attacks, distributed denial-of-service operations, and accessing restricted content while hiding the attacker's location.
Discovery and Technical Analysis
The malicious activity was first identified by users on SourceForge forums, with the Japanese consortium IISJ-SECT being the first technical organization to spot the threat. Widespread awareness came through a Reddit post where a user described following a YouTube tutorial that inadvertently led them to the malicious website.
Cybersecurity firm MalwareBytes published a detailed technical writeup of the trojan, while security expert Luke Acha provided an in-depth technical analysis of the attack vector and malware behavior. These analyses revealed the sophistication of the timing mechanism and the proxy server's capabilities.
Security Implications
Perhaps most concerning was the fact that even systems with NextDNS enabled and ad-blocking protection in place failed to block the malicious script. This suggests the attackers used advanced techniques to evade common security measures, potentially through domain generation algorithms or other obfuscation methods.
The incident highlights a critical vulnerability in how users approach software downloads. File compression utilities like 7-Zip, WinRAR, and PeaZip are considered essential tools that many users install almost reflexively when setting up a new PC. This familiarity and perceived trustworthiness make them attractive targets for malicious actors.
Prevention and Best Practices
This attack underscores several important security practices that users should adopt:
Verify Official Sources: Always confirm the official website for any software before downloading. In this case, the legitimate domain is 7-zip.org, not 7-zip.com or any similar variation.
Check File Hashes: After downloading any executable, verify its integrity by comparing the file's hash against the official checksum provided by the software developer. Tools like HashTools for Windows or sha256sum and GtkHash/QuickHash for Linux can facilitate this process.
Exercise Caution with Search Results: Be wary of the first search results for popular software, as malicious sites often employ search engine optimization techniques to appear at the top of results.
Monitor Download Behavior: Pay attention to unexpected delays or changes in download pages, which could indicate malicious activity.
Use Multiple Security Layers: While no single security measure is foolproof, combining antivirus software, ad blockers, DNS filtering, and cautious browsing habits provides better protection than relying on any single tool.
The 7-zip.com malware incident serves as a stark reminder that even trusted, everyday software can become a vector for sophisticated attacks when users unknowingly download from unofficial sources. As software continues to be an integral part of both personal and professional computing, maintaining vigilance about download sources and implementing robust verification practices remains essential for cybersecurity.