This article aims to show you how to protect yourself if you receive an e-mail or message containing links to an SFX (self-extracting) .exe archive.
Also known in brief as SFX archives, self-extracting archives are executable applications that bundle compressed files with an SFX module (the extraction stub), which on Windows is delivered as an EXE file. Their main purpose is to extract the files archived within them, much as a setup installer wizard does, so that users who do not have the right archiver on their PC can still unpack the content without a hiccup. Because SFX files are executables, antivirus programs sometimes treat them as high-risk. The reason is that SFX files are used to infect users by running a malicious script (the commands the stub is told to execute once the content is unpacked) the moment the victim opens the file, as has been the case with CERBER and other ransomware.
SFX Archives – More Information
An SFX archive can be created very easily with one of the programs that support the format, which include the following:
- WinRAR
- Corel WinZip
- 7-Zip
- ESTSoft
- ALZip
- Smart SFX Pro
- RARLAB
- Incredible Bee Archiver (For MacOS)
The archives can also be created on Linux-based operating systems with a few commands, provided the right modules are installed. The creation process is not complicated.
Why Malware Authors Use SFX Files to Infect
In cyber-security, these file types are often associated with malware, which is why some antivirus programs go as far as running the SFX archive in a sandbox to observe what its script does before letting it near the real system. Some security software and e-mail services are reported to block all SFX files passing through their servers outright.
The primary reason for this is how effective SFX archives are for the crooks. They are executable files, so a program known as a file joiner (binder) can combine them with malicious code that infects the user's PC simply by being opened, and the SFX stub itself can be instructed to launch a dropped program as soon as extraction finishes. This is why cyber-criminals keep developing newer methods to spread them.
One method that results in the successful spread of these files by e-mail is uploading the SFX archives to cloud accounts that do not scan them. This is similar to the latest strategy used by Cerber ransomware: a web link in the e-mail message leads to a Dropbox account page, where the SFX .exe file can be downloaded and started by the misled victim. As the figure below demonstrates, once the file has been executed the user does not even have to extract anything to become infected; the embedded script sets off with the execution of the file.
There are several advantages and disadvantages of working with SFX archives from a user's perspective:
Advantages
- The content and the extraction code are bundled into a single compressed file, so the recipient needs nothing else to unpack it.
- Simple extraction process: it requires only opening the file and following a few simple steps (choosing a folder and extracting) instead of installing a program that opens the archive.
Disadvantages
- Most antivirus programs, e-mail servers and cloud platforms may block the files, because they are regarded as a very effective method of infecting systems with malware.
- They can be started only on the operating system the embedded SFX module was built for (a Windows SFX stub runs only on Windows), so other operating systems may have difficulty opening them.
- The extraction module responsible for automatically unpacking the files adds overhead, measured in kilobytes, to the archive, which is a disadvantage when small archives are being created.
How to Check Self-Extracting Archives Before Opening Them
It is important to know how to decide whether an SFX executable should be opened at all. Fortunately, there is now an online service with which you can check the file before opening it and risking an infection of your computer.
Most malicious files contained in archives are harmless while they remain compressed inside the SFX archive; if the archive is not run and unpacked, its payload cannot infect your computer. This is why you can take advantage of ZipeZip.com, described as the first online scanner dedicated exclusively to archives. It lets you select a file of up to 200 MB and scan it without ever opening the SFX file in question.
To scan a file using ZipeZip, simply follow the steps below:
Go to the official ZipeZip website, click on the blue "Select File" button and locate the SFX file in question on your computer.
As soon as the file is selected, upload it by clicking the "Upload" button.
From there, ZipeZip starts scanning, checking the uploaded archive against its database to detect malicious files within the SFX. Shortly after the upload you will receive an answer to the question "Is this archive malicious?".
Then you can make an informed decision about what to do with the suspicious e-mail: send the file to malware researchers for further analysis or simply delete it without ever opening it. Keep in mind that a "clean" result from any single scanner is not proof that a file is safe, and that uploading an archive shares its contents with a third party, so use such services only for files you do not consider confidential.
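The automatic launch described above in "Why Malware Authors Use SFX Files to Infect" can also be checked for locally, without running the file and without uploading it anywhere. The script below is an added example (not the article's own code, nor anything from ZipeZip): it confirms the file starts with a PE header, looks for the archive signatures a stub carries behind the executable, reads the plain-text configuration block that 7-Zip's installer stub (7zSD.sfx) uses, where the RunProgram and ExecuteFile keys are what start a payload after extraction, and lists the members of a ZIP-based SFX with Python's zipfile module, which tolerates the executable prefix. The two samples at the bottom are constructed in memory and contain no real payload. WinRAR's own SFX commands (Setup=, Silent= and friends) live in the archive comment and are not parsed here, and, as with any scanner, a result of "not suspicious" is not proof of safety.

```python
"""Static triage of a suspected SFX archive without executing it (stdlib only)."""
import io
import re
import zipfile

# Magic bytes of the archive formats most SFX stubs carry behind the PE image.
ARCHIVE_SIGNATURES = {
    "7z": b"7z\xbc\xaf\x27\x1c",
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "zip": b"PK\x03\x04",
}

# 7-Zip's installer stub reads its commands from this plain-text block.
SEVENZ_CONFIG = re.compile(rb";!@Install@!UTF-8!(.*?);!@InstallEnd@!", re.S)

# Config keys that make the stub launch something as soon as extraction ends.
AUTORUN_KEYS = {"RunProgram", "ExecuteFile"}
RISKY_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta")


def is_pe(data: bytes) -> bool:
    """Windows executables start with the DOS 'MZ' stub."""
    return data[:2] == b"MZ"


def embedded_archive_formats(data: bytes) -> list:
    """Return the archive signatures found anywhere after the MZ header."""
    return sorted(name for name, sig in ARCHIVE_SIGNATURES.items() if sig in data[2:])


def parse_7z_sfx_config(data: bytes) -> dict:
    """Extract Key="Value" lines from a 7-Zip SFX installer config block."""
    match = SEVENZ_CONFIG.search(data)
    if not match:
        return {}
    config = {}
    for line in match.group(1).splitlines():
        m = re.match(rb'\s*(\w+)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            config[m.group(1).decode()] = m.group(2).decode(errors="replace")
    return config


def list_zip_entries(data: bytes) -> list:
    """List member names of a ZIP-based SFX; zipfile tolerates the PE stub prefix."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(data: bytes) -> dict:
    """Collect the indicators a reviewer wants before deciding whether to open the file."""
    config = parse_7z_sfx_config(data)
    members = list_zip_entries(data)
    reasons = []
    if not is_pe(data):
        reasons.append("not a PE executable")
    autorun = sorted(k for k in AUTORUN_KEYS if k in config)
    if autorun:
        reasons.append("SFX config launches a program after extraction: " + ", ".join(autorun))
    risky = [m for m in members if m.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        reasons.append("archive contains executable content: " + ", ".join(risky))
    return {
        "is_pe": is_pe(data),
        "formats": embedded_archive_formats(data),
        "config": config,
        "members": members,
        "suspicious": bool(autorun or risky),
        "reasons": reasons,
    }


# --- constructed samples (no real payload): a fake PE prefix plus two archive bodies ---
FAKE_STUB = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 128


def build_fake_7z_sfx() -> bytes:
    """Mimics a 7-Zip installer SFX whose config starts a dropped invoice.exe."""
    config = b';!@Install@!UTF-8!\nTitle="Invoice"\nRunProgram="invoice.exe"\n;!@InstallEnd@!\n'
    return FAKE_STUB + config + ARCHIVE_SIGNATURES["7z"] + b"\x00" * 64


def build_fake_zip_sfx(member: str = "readme.txt") -> bytes:
    """Mimics a ZIP-based SFX: a real ZIP appended to the fake executable prefix."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"sample content")
    return FAKE_STUB + buf.getvalue()


if __name__ == "__main__":
    for sample in (build_fake_7z_sfx(), build_fake_zip_sfx("invoice.exe"), build_fake_zip_sfx()):
        print(triage(sample))
```

Run it against a real download by reading the file into `data` and calling `triage(data)`; the `reasons` list is what you would weigh before deciding to open the file or hand it to a researcher.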
ZipeZip and SFX File Protection – Conclusion
As a bottom line, attackers are turning to archives more and more, because e-mail services tend to block suspicious attachments: their built-in protection scans the types of files being sent and denies the upload or blocks the message. This is why cyber-criminals look for newer infection methods that go undetected and can still trick inexperienced victims. It is a worthwhile investment on their side, so knowing how to protect your PC and your important files can save you a lot of headaches.