Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2019-08-19



Compressed ISO Files (ISZ)

Published: 2019-08-19
Last Updated: 2019-08-19 18:44:08 UTC
by Didier Stevens (Version: 1)

While researching a user-submitted Direct Access Archive file (DAA), I learned about another file format I too had never heard of before: compressed ISO files, or .isz files.

ISZ files are similar to DAA files insofar as they also contain an ISO file, split into chunks that are then compressed. Like DAA, it's a proprietary format; however, the ISZ specification is publicly available.

I highlighted the zlib header in the screenshot above.

My tool search-for-compression, which I showed in yesterday's video and which can be downloaded from my beta GitHub repository, is also able to decompress this format.

We have not yet received malicious ISZ files submitted by readers, and I've not read reports about malicious compressed ISO files. The future will tell if we will see ISZ files created by malware actors.

If you do encounter them, please submit a sample.
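The idea described above, finding zlib headers inside a container and inflating what follows, can be sketched as below. This is an added example, not the code of search-for-compression and not an ISZ parser: the function names, the 64-byte placeholder header and the sample data are constructed for illustration, and the check for the ISO 9660 `CD001` identifier is an extra triage step not mentioned in the diary.

```python
import zlib

ISO_MAGIC = b"CD001"        # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001   # sector 16 (0x8000) plus one byte for the descriptor type

def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950: CM is 8 (deflate), window <= 32K, CMF*256+FLG divisible by 31."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0

def find_zlib_streams(data: bytes, min_output: int = 16):
    """Return (offset, compressed_len, decompressed) for each stream that inflates cleanly."""
    streams, pos = [], 0
    while pos < len(data) - 1:
        if is_zlib_header(data[pos], data[pos + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[pos:])
            except zlib.error:
                out = None
            # eof is only set once the Adler-32 trailer verified: filters false positives
            if out is not None and d.eof and len(out) >= min_output:
                consumed = len(data) - pos - len(d.unused_data)
                streams.append((pos, consumed, out))
                pos += consumed
                continue
        pos += 1
    return streams

def looks_like_iso(image: bytes) -> bool:
    """True when the reassembled data carries the ISO 9660 identifier at the expected offset."""
    return image[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC

def build_sample(chunk_size: int = 0x6000) -> bytes:
    """Constructed input: blank image with a CD001 marker, chunked and zlib-compressed
    behind an opaque 64-byte placeholder header (not the real ISZ layout)."""
    iso = bytearray(0x10000)
    iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] = ISO_MAGIC
    chunks = [bytes(iso[i:i + chunk_size]) for i in range(0, len(iso), chunk_size)]
    return b"\xAA" * 64 + b"".join(zlib.compress(c) for c in chunks)

if __name__ == "__main__":
    found = find_zlib_streams(build_sample())
    for off, clen, out in found:
        print(f"offset=0x{off:x} compressed={clen} decompressed={len(out)}")
    print("ISO 9660 marker present:", looks_like_iso(b"".join(o for _, _, o in found)))
```

Requiring a verified Adler-32 trailer keeps random two-byte header matches from being reported as streams; on large files, slicing `data[pos:]` for every candidate is wasteful and would be replaced by bounded reads.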

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: iso isz