Slashdot Mirror
New Virus Attacks Via RAR Files
sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."
...most firewalls do not block the extension yet.
Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...
Code, Hardware, stuff like that.
When the virus is installed, then the virus scanner can find it and kill it.
I haven't seen a (legitimate American) business that uses RAR files for any reason. Any company that prohibits users from installing extra software would thus prohibit their users from installing a RAR decompressor. It would also be very easy to delete all incoming RAR files or reject the message with something like "Please send a ZIP file" instead.
Until people start sending ZIP files (which are rejected after being virus-scanned) this is largely a non-threat.
For more information, click here.
Goatse once came to me in a .REAR file. Close enough to avoid.
Table-ized A.I.
don't accept rar files from people you don't know. And, if you do, don't run random executables inside them?
Le français vous intéresse?
Rar files are most commonly used in the legal archiving of binary files and DVDs.
I've always counted my torrents safe... just don't execute weird .exes... guess I better go download a new virus scanner :-(
Free Sony PSPs. It's real. It's here.
"Most anti-virus software cannot scan a .RAR file"
What? Is it really a case where the software can't scan the archive or is it just that it's not included in the default types of files to scan?
Just tested this on AVG and it indeed scans rar archives.
Windows XP or earlier can't open RAR files natively as far as I'm aware, and since the software needed to do so ia a nightmare from 90s compression hell - I'm not sure why this is a major concern
The problems scanning them will be fixed within days, probably
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
I fail to see the problem here. TFA says that the .rar contains a file like foto.jpg.exe. This is nothing new, they're just using a better compression program to spread their malware.
Carry on with the downloading, there's nothing to see here...
Don't buy WoW Gold! Make it yourself!
This would have been more of a threat had it been in .CAB format. Not everyone uses .RAR files. Heck, in my company there are a grand total of 3 computers capable of even opneing a .RAR file...the one I'm posting from is one. On a side note: my wife got this virus emailed to her and she called me at work to ask what a rar file was... Needless to say, this virus will not be long-lived as it's just plain stupid.
Oops....MS used Winzip technology in XP...and i think winzip has become less popular.and rar is increasing slowly(fcking closed...no open version) because winrar can handle *tgz+ man other formats
Fortunately, your grandmother has no clue what a .rar file is or how to open one, leaving her safe from infection by this new method. In fact, it's fairly safe to say that the only people who will get owned by .rar file viruses are lamer hax0r wannabes desperate for more pr0n.
"Warez is becoming infected with viruses!"
I find that more technically-abled people are familiar with and have installed WinRAR or the unix-variant based RAR on their system.
.exe file to be .txt and leave instructions within the .txt file to rename the file to .exe and from there ask them to execute it but the people that would understand those instructions would not be likely to follow them.
Of course, such people are less likely to be taken in by a virus, so I'm forced to believe that this new spin on virus writing isn't going to be very effective.
Similarly, I suppose virus-writers could rename their
I'm a big tall mofo.
.rar files can be self-extracting like zip files, so they pose the same security risk. I can't belive that nobody's exploited this until now.
And I've always extracted and scanned the contents before executing.
It just makes sense to me.
Hey, it's OK to be gay!
All the common scanners can scan inside a zip archived file. However, most scanners cannot scan inside a rar archive. So you are getting it wrong. A virus scan OF the file will return nothing but a .rar file. The virus can be hidden IN the rar file, which is not scanned.
Hopefully your AV has a good realtime file scan so it if it written to a temp file it will be scanned as soon as it is accessed.
Boredom's not a burden anyone should bear.
Yeah, so they're simply taking the virus and packing it with another archiving tool... In any sense it's not the .rar file itself that's the threat, so rather than having administrators complain about it, they should simply have active protection running on the workstations themselves. The average computer user doesn't even understand how a virus works, so it's stupid anyways to simply rely on e-mail attachments being scanned unless they plan to support all forms of compression. Just my 2 cents...
"A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers."
Computers or Computers running Windows?
ajf
It's not that there's a virus piggybacked on the .rar, which you infect yourself with by unraring the .rar, it's that they're sending around .rared viruses, which you infect yourself wih if you unrar and then execute them.
Not seeing the problem, aside from the same old 'don't go happy-assing around executing any damn old executable that someone emails you.'
... in related news eWeek is able to sell more impressions and generate more revenue by getting coverage on Slashdot for pointless non-news articles such as new Virus hides in compressed files ...
In my opinion theres not much difference between zip and rar... Only a different compression algorithm. Other then that, they both serve as containers that attempt to compress the contents.
.swf files. Its now only the matter of adding the .rar extention to the filter.
Im also sure that most anti-virus programs scan RAR files.
In my opinion, this is nothing special, virus writers are just trying to change their delivery method. Just like how a virus was written for
IMHO doing some filtering at the provider could help. My mail provider uses a Spam/Virus filter that works with black/whitelists for each user and a global blacklist created by the provider (Which can be overridden by my personal whitelist). Haven't seen a virus in my inbox for 2 years and counting.
A new virus is spreading through password-protected .arj files.
.ARJ file is, let alone find a password cracker for it.
Fortunatelly, no one got it, as no one remembers anymore what the heck an
Rumors said the password is "G04TSE.CXR0X".. go now then, have some fun...
how long until
But is it ok to be Sparky?
The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti spam/virus email service and it runs flawlessly).
AccountKiller
Blocking extensions is pretty pointless ... how hard is it to rename before/after going thru a wall?
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
It seems to me this would be the simplest. Just require the virus makers to use the .virus extension and that will give the AV makers more time to perfect RAR scanning.
Is anyone with me?
Boredom's not a burden anyone should bear.
This is great. They have still not all figured out how to avoid bzip2 bombs, how are they supposed to be able to scan RAR files? I mean, heck, they can't adopt a new compression file every 2 weeks! Oh wait...
The good thing is that most people can't open rar files. You must intentionally install software to unarchive rar files.
The only real concern is when kids install rar software and then a click-happy parent opens any attachment and any files inside. (or other multi-user home computer scenarios)
The only news here is that while AV software could help protect the clueless before, there is now a workaround. in a few circumstances. Luckily, this is a small enough percentage that no new epidemic can occur.
at least it is with my 2 subsidiaries there. Winzip does not do a Chinese version. RAR does.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
someone shouted HQX at me once and I didn't sleep for a week.
In reference to viruses posing as rar archives containing porn:
"Most of these are appealing to lustful young men"
Email gateway anti-virus scanners quite sucky.
If your firewall blocks ZIP files and RAR files, then how are you supposed to exchange groups of files with your friends efficiently?
Isn't the WHOLE POINT of having archive file software on your computer defeated by blocking content with these extensions?
I have known and been using .rar files for about a year. I would think that somewhere along the way, some anti-virus programmer somewhere would notice a security threat and begin working on scanning meathods?
Just a thought/question, if anyone has thoughts or explanations I would appreatiate the information.
WoW: Scheod 70 orc warlock on Shadowmoon
As the article explains it (you do read the articles ,don't you?). The .RAR has to be unpacked, to reveal a file with dual extensions - like "Pron.jpg.exe". .exe without running a virus scanner on it first. No one has made a .rar that somehow executes on its own. .exe's that came packed in .zip's, but this came packed in another compression. Duuh! it must be safe!". .rar or an .exe is, or they won't be fooled.
The user still has to be dumb enough to click on that
The article expresses a fear that there are people out there in cluelessland that will think "Gee, I know I should scan
There may be three people on the whole planet who are actually at that particular mix of clueless and clueful states. The rest either still don't know the first thing about what a
If a journalist tried to make us all afraid of the risk of terrorists that try to sneak through customs by disguising themselves as Mexican Banditos, complete with bandoleers of bullets, some people would probably buy that too.
Who is John Cabal?
And thusly, isn't it a trojan and not a piggybacked virus?
When I was a kid, we only had one Darth.
It is true that most warez files are compressed using RAR. But it is also true that the general warez kiddie is not the type who would click on any executable without some virus checking. (Yes - it seems a shame - but the run of the mill warez kiddie is not the clueless user who clicks on every attachment in their email).
Comment removed based on user account deletion
It's sort of an issue if you download a lot of warez. The warez scene uses the RAR format almost exclusively. So now I guess you have to watch what you download. Other than that it's not really an issue. Don't download files of any format, let alone rar, if you don't know the source.
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
One of our customers started blocking zip files. So now we either rename them to zi_ or use another kind of compression (rar, gzip, etc.). What on earth is the difference? A virus can latch on to whatever it wants - it would take almost no effort on the part of the author.
What will fix this is more knowledgeable users and up-to-date antivirus software. My own users get viruses from other people, but either the antivirus software catches it, or they simply call and ask what they should do (delete or send it to me first).
Soon our customer will probably start blocking rar files, then zi_ files. It is the probably one of the laziest ways to block viruses, and not really that effective at it.
Vote for global prefs bug
A new version of KaZaa has just been released
Windows doesn't have a .rar viewer built-in as standard anyway. It would be a bigger problem if windows could open .rar files by default.
.rar users to the not-quite-so-dumb crowd, as they had to at least know enough to download a .rar archiver to open the virussed .rar in the first place.
.rar ;-)
This elevates most
Even most l33t h8x0rs use
F.U.D. FEAR UNCERTANTY and DOUBT. This is a ploy to scare the masses. This is not really new. This isn't even that much of a risk to most companies. Rar is not a standard that IT people rely on. This seems to be aimed at generating FUD into the the public. This can happenen in any type of compression tool. .rar file types at the FW. I don't have any problems with blocking any type of attachments.
Yes AV scanners can scan RAR files.
Where does this guy get off saying you can't block
This article is crap and only posted to stir a commotion.
We shouldn't waste anymore time on this post. I am sure we have something important to discuss.
Umm, this is REALLY old news. This particular method of trying to sneak past virus scanners has been around since at least March 2004 (search Google for W32.Beagle@mm!rar).
In other new's pirate's are using the .arr format
i's thi's wrong?
Thank you virus writers. Now there is one more file extention that I will have to rename to .txt before sending to coworkers so that the corporate firewall doesn't automatically delete my attachment.
Thanks a lot assholes...
Maybe that's because firewalls aren't supposed to block files at all? They manage (including blocking) network connections, not files.
Yes, I know many "internet security solutions" comes with web and/or mail filter function, but that's not what you call a "firewall".
Why exactly is hiding part of the filename considered helpful?!!!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
"Most of these are appealing to lustful young men" :-)
only allow women access to email attachments and downloads. Problem solved
Educate the users not to be morons. At our site, we've had trouble working with a university because our ISP removes .exe files from attachments and their server removes .zip files. Pretty hard to exchange executables in that kind of environment.
Now we use an ftp server. All because idiots click on attachments without thinking.
...and people would activate the files anyway...
Comment removed based on user account deletion
I use TrendMicro's Housecall, because I have a fear of resident AV's. They scan right through Rar's, and recently they added suppourt for modifying a Rar, regardless of if it's locked, passworded or whatever. I'm sure that most other AV companies will follow suit, seeing as how I've used Housecall on my landlady's computer (She had a virus, she wanted me to fix it) and it found some viruses, and Norton didn't. McAfee doesn't even belong in this topic discussion, it's more benign than Iceland.
Housecall @ Trend Micro
There are a lot of archive types out there (zoo, lzh, pkarc, pkpak, pkzip, tar, rar, and probably a bunch I've forgotten). However, the actual libraries required to at least perform a basic read operation are fairly minimal and many are Open Source. It would be trivial to have a generic set of calls in the virus scanner and have pluggable archive support, as new archive systems become popular.
The overheads would be minimal, as the virus scanners around today are much larger than any archive support library. The benefit would be that this kind of extension could be allowed for within days, not years.
As for checking the extension. Sheesh! Even using 'file' to check for magic numbers is an improvement on that. It's possible to trick some browsers into adding or changing extensions, so what extension the file has at time A has no automatic bearing on what extension the file will have at time B, making screening of that kind utterly useless.
Mind you, most virus scanners still don't check dead-space and can't handle stealth viruses, so why am I surprised they don't do a good job on anything else?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Gosh. .
All my household systems come with software to decrypt rars, bzip2s, gzips, tars, etc. .
All this extra functionality results in vulnerabilities, eh?
Oh. Wait. Even when I get the file open, the trojan won't excute. Guess I better fire up Wine, see if I can get it to work.
If only Win32 was better supported in Linux, then I wouldn't have these cross-platform issues.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
use tar -zcf ...
I think the idea here is that people will blindly assume their anti-virus works in all cases, so if they got a .zip virus , it tells them. If they get an .exe virus, it tells them. Having to get winRAR to open it, doesnt change the fact that they assume their antivirus has also checked the file as well. the semantics dont mean anything to these people, a file is a file to them. the ignorant reliance people have of antivirus is probably the reason most viruses propigate, hijacking the consious question; "maybe this is a virus?"
If .rar files work anything like .zip files the solution is simple. Right-click the file and choose Explore. That will let you see the content of the file without opening it. If the content is safe, you can drag it to another folder without going through extraction. (That is, IF .rar files are anything like .zip files.) And for crying out loud, are there still people out there who don't know better than to click on a file with a double extension?!
there is freely availible unrar source but its under nasty license terms and im not sure it supports the latest version of rar
this creates rather a problem for scanning it.
use tar.bz2 or 7-zip instead.
This whole thing of RAR not being in use by corporate IT, that it is used a lot by warez, I wonder if certain industry groups we all know and love, would use this type of delivery method to get back at software pirates?
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Don't tell anyone! Now gmail may start parsing RAR files and forbidding anyone from attaching rar files which include executable files :(
:( What next, parsing the exe header?
They already do this with zip files, which is a pity. Many times, I have to send attachments which include EXE files... If this protection is implemented, we'll have to rename the exe files to ex_ or something
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
It's about people clicking on RAR archives said to contain Anna Kournikova pictures, and other women with hot grits? Well what's new there?
:-P (of course a digitally signed one so they get a false sense of security)
It's not a problem with RAR in specific... If they block RAR files, I'm sure they could instead just be guided to a web page and told to install an ActiveX control instead.
If you could only patch the real serious security holes here -- the ones in the users' brains...
Beware: In C++, your friends can see your privates!
I hate RAR archives. I use WinZIP (which seems to be more widely supported) and 7-Zip. I use the latter to open up tar.gz archives.
Debugging? Klingons do not debug. Bugs are good for building character in the user.
That's all fine and dandy. But does it run on linux?
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
Buy Steampunk Clothing Online!
most antiviruses have an option that is disabled by default....scan inside archived files, norton antivirus has this and finds trojans and viruses inside rar files.
WinZip now has AES encryption.
This bothers me, it always bothers me when something that is not a vulnerability gets pegged as one. .RAR is not a vulnerability, and it's not a means for spreading viruses any more than any other format is. The vulnerability lies in short-sighted software development that failed to take into account that perhaps .RAR files might be used in addition to .ZIP. It's similar to the claims that international support in mozilla was a vulnerability. It isn't. the USER is the vulnerabitlity, educate the user and the vast majority of these problems will go away.
Why didn't we have problems like this in the past? Why did virus writers have to be so much more clever? It was because the only people using computers had at least something of an idea of what they were doing. Viruses are, for the most part, easily avoided. It's only when users are clueless and trusting that they are allowed to flourish.
Our greatest enemy is neither a single man, nor is it a nation, it is, as it has always been, our own greed.
i used windows 98 for 4 or 5 years (on irc and broadband no less) without a virus checker or firewall, and whenever i went to a lan party my friends would always make me install one (or two once) and scan before connecting, and i was always clean. preventive software measures don't solve jack.
they should have educational videos for idiot users, like sex ed. "parite.b, the silent doesnt-actually-do-anything-harmful."
When you're afraid to download music illegally in your own home, then the terrorists have won!
You can disable those.
IHBT.
That's hillarious. I remember back in the day on the boards the tai-pan virus was inside all those .rar files. It didn't do anything to my OS/2 system so I could care less, everything I ran and spread was infected with it. I actually thought it made my system faster.
3l33+3
i had a test system get infected with a virus, and just as a test, I compressed the exe with ZOO, and none of the anti-virus programs would do anything about it, couldnt even detect it.
converted to a self-extracting file, and it was still invisible.
I even sent it off to NAV/SARC and McAfee, never heard a word back from them.
so yes, its possible and very easy to compress viruses in ways the anti-virus engines can't understand and they would slip right by...
Rar is superior to tar+bzip2 in about any regard. Its solid mode can mimic what tar is about, it can store more metadata, its compression beats bzip2 most of the time, and so on. However, if I don't know my audience exactly I don't send rar files. I don't know if people on the other end have a rar application or are willing and able to install one. Zip is the smallest common denominator, and tar.bz2 is fine for all Unix people.
Time to go back to using ARJ
Then they deserve everything they get. I couldnt care less if some idiot messes up their pc, or a company that didnt pay to get the right staff to police their network gets a virius. Simple as that.
I am familiar with only two anti-virus solutions: ClamAV, and Avast! Antivirus. Both of them scan rar files.
Back in the DOS days with BBS systems we used to have software that would determine the real file type of the upload, unpack it by shelling out to zip/rar/arj/lha/ha/arj and then scan it with a couple of virus scanners and heuristics (Thunderbyte AV, McAfee Scan, F-Prot)
Anyway, while you could argue the current RAR approach does get past most email scanning systems anyone running an on-access scanner will get still get the alert it's infected the moment they try to launch/unpack an infected file from within it.
[)amien
I am unaware of any av software I have seen (I have seen and configured most) that cannot extract rar (even embedded levels deep) and scan the enveloped files. It seems like tech news sites are taking a que from american media (and american leadership) by sensationalizing non problems. There are plenty of real issues to deal with and bs problems like these make it harder to sift through all the crap to find what really matters. The command-line virus scanner I used to scan files that were uploaded to my bbs in 1986 could scan within rar (and most other) compressed files. Perhaps the people reporting news on technical news sites should have some sort of technical background and (preferably) experience.
Correct me if I'm wrong, but I do not understand how this poses a new threat to any system that is protected by a working antivirus. .rar files. System is safe from virus. .rar files. User manually executes virus contained in .rar file. File is first decompressed to the Temp directory, where antivirus catches it.
Scenario 1: System cannot unpack
Scenario 2: System can unpack
I just tested eTrust Antivirus, and it does catch the EICAR test file if I try to open it from a RAR, so I don't see what the problem is.
Yep, I'll open that freep0rn.jpg.exe.runme using wine and then... omg i got a virus :D
I hereby dub it RARS, and I suggest the authorities begin searching for the perpetrator in China :)
That made me kinda mad. The built in lib does rar up to 2.0, but won't look in 3.0s. What good is clamav with such a glaring hole in it?
Yeah, I could use the command line scanner with arcane options to use the unrar app, but that won't help my 5,000 email subscribers. So I'm bag to suggesting they use something like norton... (which technicall I never stopped recommending for obvious reasons).
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
1) If you think 7z is a trivial algorithm to implement, you REALLY haven't looked at it. Also there isn't (last time I checked) any mac implementation
OK, the pzip people (p7zip project) have ported it to the posix command line. But you'll have to compile it yourself and write your own GUI. But you can at least work with 7zip archives now.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
The compression format of legends. If I remember correctly though, you had to use some annoying ARJ decompressing software cos nothing else would read it!
I also think all porn sites should be hosted on .cum domains.
Celebrate the finer things in life
It's only a matter of time before we see a .TXT virus. Sounds implausible, but virus writers are very good at adapting to people's work habits.
.ZIP at the perimeter (at a firewall or mail server.) People still have work to do -- so they workaround this block by renaming .ZIP files as .TXT files. We have several clients who *REQUIRE* us to send them files us like this.
.TXT -> .ZIP -> unarchive habit, they'll be happy to do the same with a virus.
Many companies block
So, once people get into the
And it's going to be fun seeing the whole IT infrastructure that relies on file extensions fall into a crumbling heap.
-ch
You mean they bundle WinRAR with AOL???
Can we say "unrarring" and ".rarred" please? Makes more sense in English this way.
This reminds me of my 2 year old, saying RaR! like a lion.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
If you're using a single file as an archive, you want a TOC, checksums, per-file compression and encryption. Applications still need to be archive aware, but the cost can be very low. E.g., it's common to have something like
ssize_t readArchive(char *buffer, size_t len, const char *url);
struct stat * astat(const char *url, struct stat *);
where the former loads the archive file into the specified buffer and the latter provides Unix style metadata. The URL can be something like zip://zipfile/full/path/to/file. Hardcore developers can even use kernel- or user-space based virtual filesystems and the archive looks like another partition.
Once you have this infrastructure life is _so_ much easier since everything is bundled. It can be taken to self-defeating extremes, but anyone who has had to deal with somebody putting an "equivalent" file into an application's resources can see the benefit in this.
(N.B., configuration information should not be bundled. I'm referring to things like the PHP or Perl scripts for an application, things that the average user won't need to modify.)
TAR is a weird critter. It is a streaming block-oriented protocol since it was designed to work with tape drives, but it sucks on disk because the archive must be searched sequentially to find individual files. Compression was retrofitted and it's easy to transparently handle via standard libraries, but compression blows out blocking. Compression also prevents applications from creating their own meaningful TOC since the archive is unseekable. (Archive creation tools can reset the compression stream for each file, but I think my own implementation is the only one that does so. This makes the archive semi-seekable.) The format is adequate for transport archives, but that's about it.
ZIP is nice but the standard headers don't include all Unix metadata. (There are well-documented extensions that handle this information - and it's a moot point if it's bundled application data.) The format can be streamed for both input and output (which is why the TOC is at the end of the archive), but it's not properly blocked for tape either.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Personally, I found myself quite suprised that support for this wasn't there already.
Commercial antivirus vendors should have implemented this. It seems ludicrous to me that the vendors of these products skipped a popular compression mechanism just because nobody had bothered to release a virus that understood it first. Security companies should be preemptively building in support for things like this. It's not as if it was an unpredictable issue.
The free(speech) ClamAV has support for this already, and I would hazard other compression formats as well. It obviously doesn't take *massive* developer effort to add support for things like this. And it's obviously something that people have already thought about it.
One of the reasons why we have such a problem with these things is that *even vendors of security products* don't seem to want to think proactively about issues that might arise. They wait for something to bite them in the ass before they fix it - leaving everyone vulnerable in the meantime.
"Pokey, are you drunk on love?" "Yes. Also whiskey. But mostly love... and whiskey."
Just about everyone in charge of a corporate firewall has serious problems.
7z is the standard that technically able users are using nowadays, since it's a container and can support multiple compresion/encryption schemes without needing new extentions...
Currently, no anti virus programs scan 7z files, yet 3 popular archivers, plus the 7-zip program, can open them. Why use Rar, when you could use the faster, better, open source 7z format?
Love, AC
I, like almost everyone else on the net use RAR files to compress stuff. They are especially good at compressing various 3D and music projects down to a manageable size. But a few months ago I started getting really curious about Alternate Data Streams (ADSs). For those of you who dont know what an ADS is, its essentially something M$ has worked into Windoze that allows you to attach various files to other files. Sounds harmless with that description until you realize that when a file is attached to another, you can not tell that a file is attached by any means other than running a special command. Even worse, the files you attached are copied to a location somewhere outside of the partition making it harder to detect. Well, it just so happens that RAR compression is the only one that I have found to date that supports compressing these ADSs. Still worse, just like in windows explorer, you cant tell that the file is attached by just looking at the screen briefly. The only way to make sure is to carefully look at the expanded size of the file(s). If they do not match the size given inside WinRar or whatever, then chances are theres a file attached and who knows what it is. Theres some nasty security flaws with RAR compression that I am wishing very much to be fixed in the near future. Just be on the lookout.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
4987867957350+
In WinRAR, the RAR-version is decided by what "features" you use while creating the archive. On a normal archive, the version is either 2.7 or 2.9; I can't remember.. --AFAIK, the version goes up if you embed NTFS metainfo and such; so most people end up making version 2.7/9 -archives, anyway. (Optimizing compression and stuff assumably bumps the version, but many go with the default..)
8758
A horse can't be sick, you know, even if he wants to.
"This just shows that blocking .zip files doesn't do the trick, and only prevents people from doing their jobs. Who is stupid enough to open pornographic material from an unkown sender anyway? Especially at work? They get what they deserve. IT departments need to figure out that they need to be training people instead of just patching Windows. Wait, that's about all the time they have with the state of the Windows world, budget cuts and outsourcing. Even we Mac users are hobbled by the troubles of the PC world. Why should zips from contacts be stripped from emails, just because Windows is far from secure?"
My digital rights don't need management.
Comment removed based on user account deletion
Why even **consider** having to block rar files?
.r4r or something. get real. what are we, a bunch of 3rd grade marketting types?
THEY ARE USEFUL ESPECIALLY OVER A NETWORK, you know, they reduce file sizes.
Instead: educate, and write decent sandboxing / active protection software that will scan on decompress.
OK, don't bothc the job, do it right.
blocking rar files... great then all warez sites will rename to
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Do NOT click the link to TFA.
Rar is a file format? I thought it's the noise gay lions make.
Democracy is two wolves and a sheep voting on lunch.
It just amazes me what works. If there really were topless pictures of Paris Hilton in the file you'd get hundreds of thousands of installs.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Dude, there's already an evil bit for this sort of thing. ;)
http://www.faqs.org/rfcs/rfc3514.html
Hearing that some people are trying to filter at firewalls, is particularly amazing. WTF is the firewall supposed to do, crack every ssl connection that is going through it?
If you are taking the time to d/l instead of actually buy something
Then what about works that are not available for purchase and will not become available for purchase in the foreseeable future, such as for some politically correct BS censorship reason? You try buying a DVD copy of Disney's Song of the South.
why the hell would you care if it was complete? As long as its not infected (which you just scan it to find out) and works then who cares.
But how can you tell whether something "works" without also checking whether it is complete?
For one, Norton AV is a big resource hog. For another, AVG seems to scan files faster than Norton AV. Now AVG can scan RAR files, while Norton AV ignores them. Also the Free version of AVG has free virus definition updates, but Norton AV only gives you a year of virus definition updates and then asks you for a code to unlock that feature. I know of a lot of people still using a Norton AV that had the subscription run out, and I tried to tell them to upgrade it, but they don't know how, and get overun by the latest viruses. So I usually switch them to the Free version of AVG because it is free for personal use. Organizations usually have an IT department that can upgrade subscriptions for them.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Why exactly does putting viruses into .rar's count as a new virus attack technique?
This is the same thing that has been going of for a long time with viruses in compressed files.
What's next, complaining that there are viruses in tar files? Suggesting that propagation of viruses by usb-flash drives, DVD-RW's, SD camera memory and so on... are new vectors of propagation?
This seems like a really lousy way of trying to instill virus paranoia in people to sell more A/V software.
Then again, maybe my tinfoil hat is just a bit tight today. Does anyone think there is merit to this article?
F-Prot has been scanning multivolume RAR archives since version 3, WITHOUT USING EXTERNAL UNRAR like ClamAV does.
AFAIK when you decompress a file the "on-access" antivirus should catch it first. Most resident antivirus have an option to scan files on creation and on access, so it's not really a big problem. Some antivirus like Kaspersky scan even the RAR if you put the resident scanner to scan ALL files.
And if you try to execute a file inside a RAR with programs like WinRAR it first creates the file in the windows temporal directory (C:\Windows\temp) prior to execution, and that leads to my first point, the scanner should get it first.
I really think there's nothing to worry with this, just be sure that your antivirus has the latest signature update.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former" - Albert Einstein.
newly discovered! big news!
//'s, commodore 64's, vic 20's. and atari's need apply) and spend 30 minutes while the casette loads.
hackers, desperate to spread their malware and viruses are now distributing them on old audio casette media. they then mail these casettes to unsuspecting foo^H^H^Hpeople telling them they are the latest MP3 songs that the RIAA has yet to discover.
these foo^H^H^Hpeople are then instructed to dig up a old walkman, connect it to their computers (only old apple
they are then surprised that instead of the latest release from brittany spears they have been infected with nasty viruses that can't do much because most of these machines don't have network connections, a tcp/ip stack or even work!
symantic and others said they'd get right to work on it. after paying off the writers for helping them reap in millions in business.
nothing to see here. move along.
abcdefghijklmnopqrstuvwxyz
The icon is also not all that eye-catching when you have your folders set up for "detail view". How people can live with big stinkin icons in their explorer windows I'll never know.
But Amen to that "Hide the file extension for known file types" bullshit. My dad just set up his first Windows box last month after having me do it for years. He about threw the phone through the monitor when I explained that was the reason he couldn't see his extensions.
back in 1997 my computer got infected with a virus from chaos.rar - a program used for swapping battle.net servers.
Same shit, different year. The guy who gave it to me didn't know because he just happened to have it handy on his linux box, I don't think that he even used it.
So much for trusting friends files.
cyn, free software and *nix operating systems enthusiast.
Rar does not compress an entire collection of files as one block, as you suggest, unless you check the option "create solid archive"
Most of the files I get are RARed, ARJed, and then zipped.
I've noticed that GMail won't let me send zips which have exes in them. It will however, allow me to send rars of exes.
Geee, nasty virus writers using RAR files? WOW look out, next we will see viruses in .yz1 or .bza formats. Seriously, most of our users use Winzip or XP's native ZIP (*BaRF*) so most of them will not be able to open the file. But I do like IZarc, I like to send files to people with a .7z extension and see if they can figure it out ;-)
I use the free scanner Avast! and I can scan rars, so I see no probs
These viruses affect users who receive an infected RAR archive, then go out of their way to download WinRAR or some other RAR opener and unpack the executable.
Give me a break!
Conformity is the jailer of freedom and enemy of growth. -JFK
Rar uses a proprietary compression algorithm. It's free to decompress RAR's (as has been pointed out already) but to make RAR's you need to buy a RAR license. This can be a deterrent to OSS proponents like myself. Sure, one can do as the kids do and use a demo of winrar indefinitely, or use a warez winrar, but the right thing would be to register it or seek a free alternative.
RAR is wonderful, there's no doubt, but I use the GPL'd 7z (7-Zip) format for my own personal archiving. It's open, compresses at least as well as (better in many situations) RAR, but can be quite a bit slower.
If I used RAR for work-related archiving as you do, I would definitely register it, because the speed and compression offered by RAR is well worth it in that situation.
I my be a little wrong and confused here, but unless the compressed file is uncompressed and the exe is well....executed then how can this be a problem. Dosen't the user have to take part in this process. Unless you a getting an executable compressed file this really shouldn't be a problem. Well I guess if you send anybody one of those "install this screensaver to help save the whales and recieve $100.00" then we're all screwed.
I tested McAfee and ClamAV with a Eicar.com test file compressed as Eicar.rar, and both of them got it. Since it's the 2 products used at work, we consider ourselves OK as long as the signatures gets updated.. which is done automaticly :)
Menzoberranzan Networks
Other than it compress quite well, the best thing about rar was it allowed you to send file to someone even if they had bid firewall/e-mail security. All that because those files were not scanned or blocked ! I hope it won't change soon. It was already hard enough to explain to the person how to open the rar file, let alone using a ftp client!
It reads as though RAR files are infected when they're not, they're just a container. Doesn't anyone who cares about virus security actually scan the files after they extract them but before they run them?
Next thing we'll be getting complaints about ARJ files, or ACE files or UUE files containing viruses.
As a technical user I'm against our corporate firewall/mailsweeper/whatever blocking access to attachments purely based on extension. I actually need some of the zip/exe/doc/etc files that are being sent to me so I can do my job. Overzealous email rules are making it much more difficult to do it.
If you know enough to be able to extract a rar file, you probably know how to scan the file after it's uncompressed.
On a related note: today I received a couple of .zip attachments that each contained a file with a name of the form foo.html\ \ \ [a couple more] \ \.com
(This is what I saw on my shell prompt; they were newlines really.) Executables of course, and no doubt viruses. But this trick was new to me.
Please provide a link, or post the paper as a comment.
What program do you recommend for compression and encryption?
Odd...I just sent an EXE file in a ZIP archive (using Gmail) and it worked fine. I'll have to check that again.
The workaround is to open all received e-mail on Windows machines using the included WordPad program. It reads both .DOC and .RTF files, but can't run macros.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
people would still run it because it would be labeled cool_pics.virus and windows will hide the .virus by default so their machines would get infected immediately.
please me, have no regrets.
I've seen a few big companies run WinRAR on their desktop machines. The user can easily use the 'extract here' context menu and then execute/open to their hearts content (I mean it's not like the old days of the RAR command line).
But that's not the point. IT professionals will NEVER achieve the goal of making security a priority to the user. The user only needs to know what gets the from A to B, and screw everything else. Remember, most end users think of IT (in the info security sense) as a nuisance to be ignored.
Disclaimer: I might be redundant, but i haven't seen this discussed while skimming the thread.
I don't remember seeing AV software that didn't scan inside RAR archives, at least not in the last 5 years. All the mailserver setups I did that had virus scanning also scan inside RAR archives. That must mean viruses as RAR attachments are not a novelty, do they?
A more recent trend seems to be encrypted RAR or ZIP archives, with the password included in the e-mail (sometimes as a picture, thus making sure of human involvement). That's also old, I think I saw this for the first time almost a year ago.
I've found that many places that block by file extension have inadequate virus scanning on their mail systems to begin with. They simply block the file types that can cause trouble, pat themselves on the back and switch back to UT. It's scary how many big companies (including a major bank) work this way. Kinda shows the other point of view from one of my other posts:(
It tells you about this and that you can get a external lib that will read 3.0 they just cannot ship it with the source.
Now just get the lib and upgrade or block all rars from passing into the system.
This is a normal problem. A licence can be LICE ie Long Interfering Common Error. Lot of programs require extra parts that cannot be shiped with the source. GPL is one of the bigest LICE for closed source developers.
You are correct. I think the solid archive option of rar is what makes it worth using though. So far as I know, there isn't a similar options for Zips, but correct me if I'm wrong.
http://compression.ca/act/act-canterbury.html RAR 2.x is easy to beat, RAR 3.x not, because it uses quite advanced PPM algorithms, which also explains the lack of speed.
This sig does not contain any SCO code.
While that might seem an attractive option to some, helpdesk employees worldwide are screaming at the thought of the association for .doc and .rtf files suddenly switching to Wordpad.
"Why won't my Office work, and what is this silly 'wordpad' that started up?"
"What's the frequency Kenneth?"
Rate me redundant if you like, but I insist I'm the first to put several of the points already stated today in one concise reply -- this isn't new. I've gotten about a dozen or so of these encoded .RAR files over the past few months. A lot of people don't have the tools to extract them (I had to teach our IT staff what an .RAR file is the first time I was sent one of these viruses), but they arrive with a note that says here's the password, extract the .EXE file from the enclosed .RAR, and run the thing to get a screensaver or whatever. .RAR password protection is used because it is so hard for mail servers to detect on the fly. Most (but not all) of the viruses in these .RAR files were detected the instant that I decoded the things (yes, I am foolish enough to rely on IT to catch me with Windows-based software if I fall).
So despite all of this discussion, (1) the distribution method has been around long enough that Symantec Anti-Virus can detect these things, and (2) many of the posts here say virus writers should instruct their users on how to open the file. They already do!
Did anyone bother to ask the customers what they want?
My approach simply tacks on '.txt' on the end of ALL email file attachments filenames. As a result, system compromise is IMPOSSIBLE this way provided Windows still associates .txt files with Notepad/Wordpad and those programs haven't been compromised.
In this manner the incoming file attachments can be safely scanned for viruses, deleted, quarantined, or renamed by removing the '.txt' at the end and put to use.
If you want to learn more and download my quality (but bland-looking) Windows freeware/shareware, visit now.
P.S. since July 2004, I've only gotten a handful of 'no content' email spam at iamcf13@hotpop.com. This technique is used by spammers to validate working email addresses that do not bounce. That is the only spam I recieve nowadays. All the rest is autodeleted by cf13-pop3.
However, I DO wish I could run my shareware mailserver cf13-smtp and avoid downloading the spam in the first place.
My norton internet securit 2005 scans rars just fine, which is ironic seeing as it came in one and yours didnt.
Like the saying goes, never underestimate the bandwidth of a station wagon full of tapes. -Pyrotic
Serves you right for using proprietary archive formats.
And ACE and everything else! Except 7-zip. Did you that nothing can scan a self-extracting 7-zip archive?
Give my girl Lindsay an email
that computer users can be their own best anti virus solution.
lose != loose
1) I said spanning is a trivial algorithm to implement, not 7z. RTFP. Anyway, though, why are you even arguing this?
7z is open source. It's available for all *nixes, including MacOS X, just like bz2. You want to use it but not implement it? Fine. Use the freely available implementations.
2) Good for you. As I said, there are many, many algorithms that usually beat rar. Obviously, there are select cases that rar will win. Claiming that rar wins in one type of file against a single algorithm does not prove that rar is efficient.
Mod me down and I will become more powerful than you can possibly imagine!
They've been doing that for a while. The antivirus just scans for the signature of the "self-extract and execute" code piece, and in some occasions implements the unpacker itself so it can scan the content, once the packed object's signature has been detected.
Even for polymorphic code, you can still find the unpacker's signature, albeit with a bit more difficulty.
Your anti-virus program DOESN'T need Winrar to extract a RAR file. There is source code that programs can use. See here: http://www.rarsoft.com/rar_add.htm
Hey I have a wild idea... Instead of blocking extensions.... C'mon what are we in 1993 DOS?
Let's actually scan every file and look for a signature or something actually related to being a potential virus? Maybe this is just stupid thinking...
Yep - makes pretty much sense to me.
The thing is though, when you've got an employee playing Freecel or Solitaire all day long on their computer, that should be telling you something as their manager..... I would take that to mean either A.) I'm not giving this employee enough useful work to do, so I need to rethink what duties/responsibilities I'm assigning my staff, or B.) This person would rather screw around and play games than get their work done that they're paid to do here. Either way, "band-aiding" the problem by removing the game from the PC is probably NOT the real solution. These are the same people who will go take 30 minutes coffee or smoke breaks, wander the halls trying to look useful, or waste time on the phone all day long if they can.
In response to this and this all I can say is that the spam menace necessitated integrating antispam code to cf13-smtp. Why not fight spam at the SMTP level and keep it out of the networks once and for all in the first place? As for the mailbox scanning, how else is the mailserver supposed to detect spamlike email?
With a bit of effort, cf13-smtp can be configured to act like a regular MTA. This is accomplished by sending all email/spam logging to the bit bucket and allowing all incoming mail with a SpamByte code of 255. But doing all that ultimately allows is the influx of spam to the networks it services and defeats the purpose for the program's existence....
Firewalls shouldn't be blocking 'extensions' in any case. Leave that to proxy's and mail servers.
If your firewall is blocking .RAR or other 'extensions' then its probably made by Microsoft and you are very very safe :-)
Whenever you want to execute something from within a compressed archive, don't you have to write it out to disk first? (Thereby triggering a regular scan of the file)
While this may keep the original (unscannable) RAR file on your system, and will make in-transit scanning impossible, every end user with an antivirus package should be protected from the contents of the RAR.
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
tar'd
From the dept of repetititive redundancy dept.
Most of these are appealing to lustful young men
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Sheesh. I got the press release about this on Feb 2. It made some highly suspect claims, so I queried it with the PR, got a weak answer and declined to follow up the story. Basically, it's a product pitch for software that blocks rar archives as spam, nothing more. No different to any other mail filter product, in fact - they all allow file-extension filters.
.rar archive. .rar files .zip files and include invitations to view .rar files, they're easily mistaken for .rar virus is disguised as a patch from Microsoft Corp. .rar file extensions or any other new virus. This
Here's the release:
> Hello,
> The latest virus to cripple networks is the
> are similar to
> pornography. These compressed files carrying viruses easily get past
> most commercial anti-virus products. Since so many computer users
> are unfamiliar with
> legitimate email.
> Once opened, the archive typically contains an executable file with a
> double extension, such as "foto.jpg.exe." The viruses themselves are
> new and install a Trojan or back door on the user's PC. A recent
>
> While most anti-virus vendors are scrambling to find a solution to
> this new virus, Lightspeed Systems (www.lightspeedsytems.com) already
> offers one to its customers. The company's Total Traffic Control
> v5.02 enables users to define spam patterns for email with
> attachments with
> stops the virus at the gateway until virus signatures are available.
>
> To learn more about Total Traffic Control v5.02, please contact me at
> xxx-xxx-xxxx.
One claim I queried was to define the 'most antivirus vendors' which fail to scan RARs. In reply, they could name only one.
And then we have other dubious claims like the suggestion that RAR files are the domain of pornography and have no legitimate use.
So I discarded the release and declined the offered interview, though one shouldn't come down too hard on the vendor in situations like this: this is not the first time I've seen someone get it in the neck because of lousy PR.
The author of RAR provides FREE source code which unpacks RAR files!
that rar is STILL not supported by many antivirus apps shows that the antivirus makers arent really interested in preventing virus from spreading but more interested in making a profit.... this article sounds almost like RAR is a new format.. but its far from new.. Ive used rar for about a decade and the reason I preferred it and ARJ over ZIP was that ZIP had a crappy way of spanning disks back in the good old floppydays and the old NortonCommander like RAR just.. rocked pkzip's ass apart...I'm sure they'll go after 7z or something next.. what about ACE.. is that supported by antivirus greedware companies?
Kaspersky AV has always scanned RAR files...little danger if you use kaspersky. As far as firewalls blocking rar files...simply solved by turning the extensions into .00, .01, .02, etc.
Insert_Ending_Here
Is it this paper: Attacking and Repairing the WinZip Encryption Scheme?
I read the paper and decided that the problems are quite hypothetical. The paper speaks of encrypting 2^32 files, for example.
Someone who exposes sensitive data to complete strangers should use WinZip AES, and then GnuPG to encrypt the WinZip file.
WinZip AES is secure enough for data on a computer to which there is limited access.
I dont post to get karma point you idiot.I have a life other than posting articles.And if i sound incoherent you IMBECILE it's because i'm french and dont know the english language as goog as you! But what i wrote makes sense to me. What's so incoherent at looking at your proxy logs to find out where or what your users have been or downloaded?