Slashdot Mirror


New Virus Attacks Via RAR Files

sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."

12 of 585 comments

  1. Re:Is this really a big deal? by LoRdTAW · · Score: 5, Informative

    Well it could definitely cause a problem with warez. Most warez is usually packed using RAR.

  2. Re:Good news! by wtrmute · · Score: 5, Informative

    Which is a pity, since .rar files are so much more compressible than .zip files. The difference is roughly the same as between .gz and .bz2... What would be really easy is for anti-virus writers to include a RAR decompression library and look inside the damned files, rather than reject useful technology for no good reason.

  3. ClamAV wins again... by Vellmont · · Score: 5, Informative

    The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti-spam/virus email service, and it runs flawlessly.)

    --
    AccountKiller
    1. Re:ClamAV wins again... by swillden · · Score: 3, Informative

      Am I missing something really big that ClamAV just can't do?

      Get updates about a major new virus a week too late to do any good?

      I was working for a client who had a vigorously-enforced anti-virus policy. Before anyone is allowed to connect to the network, the I/T security dept. has to verify that they have an anti-virus package installed, running and up-to-date. This policy created a bit of a problem when I showed up with my laptop running Debian Linux. I tried to argue that there are no Linux viruses in the wild and, further, that as a 100% Windows shop, even if my machine did have a virus, it wouldn't run on any of *theirs*. No luck. "NO AV, NO NETWORK," was the decision from on high.

      Not expecting much, I ran "apt-cache search anti-virus" and was shocked to see that there were two different AV tools packaged by Debian, and that clamav even had the ability to scan local files on my system. I set it up to scan periodically, left "freshclam" set on the default update schedule (daily), showed the I/T security guy how it worked (and that it had found nothing), and he grudgingly allowed me on the network, convinced, I think, that my open source anti-virus tool *had* to be crap.

      A couple of days later, I noticed that ClamAV had flagged a file in my mailbox as being infected. It was a document that the client's project manager had sent me -- from a machine running an up-to-date copy of Norton Anti-Virus Gold, Corporate Edition. I reported the incident and didn't think much of it. I figured the manager that sent it to me must not have had his AV software running (Lord knows if I ran Windows I'd be tempted to shut the CPU- and RAM-hogging thing down so I could get some work done).

      Over the next two days, nearly all productive work in the I/T dept. ground to a halt, because by the time I got the infected document, almost the entire company was infected. I don't recall which virus it was (it didn't really interfere with anything I was doing), but I know they had a devil of a time getting it all cleaned up.

      As it turned out, NONE of the three major commercial AV tools deployed at the company detected the new virus until about a week later.

      I found out later that this experience is the rule, not the exception, with fast-moving new viruses. ClamAV is not only community-developed, but the database is community-maintained as well, so whenever a sysadmin somewhere notices a new virus, it gets added to the database very quickly. The commercial AV vendors don't move as quickly, and consequently their tools often miss fast-spreading viruses long enough for them to become a problem.

      ClamAV rocks.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Re:RAR is very popular by rainman_bc · · Score: 3, Informative

    Just to point out that some places use stuff like UltimateZIP or something that'll handle all compressed archives, including ace and rar. It isn't just winrar that opens rar files.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  5. RAR is very popular in China by winkydink · · Score: 3, Informative

    At least it is with my 2 subsidiaries there. Winzip does not do a Chinese version. RAR does.

    --
    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  6. REALLY old news by JohnVH · · Score: 3, Informative

    Umm, this is REALLY old news. This particular method of trying to sneak past virus scanners has been around since at least March 2004 (search Google for W32.Beagle@mm!rar).

  7. Re:The solution is worse than the problem by pe1chl · · Score: 3, Informative

    I hope that served to teach you that e-mail is not a sensible mechanism to exchange executables.

  8. Re:Is this really a big deal? by stupidfoo · · Score: 5, Informative

    Unfortunately, a malicious person can still e-mail a macro virus by merely changing a .DOC file's extension to .RTF. (Microsoft should prevent Word from running macros in files with .RTF extensions, but it doesn't.)

    http://www.infoworld.com/articles/op/xml/00/10/30/001030oplivingston.html

  9. Re:Is this really a big deal? by HD+Webdev · · Score: 5, Informative

    Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...

    .rar archives being infected is very old news as well as every other archive format.

    .rar files have been infected since they have existed and been posted to USENET. Rar files are much better than zip files in that people can download (let's say) a .rar that's been split into 15 parts. By using smartpar, even if a part of that .rar is corrupted, Smartpar does parity and other checks to reconstruct the missing part(s).

    As you note, most people don't know about rar files. And even if they do, the anti-virus program will block the virus as soon as the rar set is put back together.

    This is a complete non-issue. Not to mention, Winrar, which creates and reassembles .rar files prompts users to scan files for infections before extracting them.

    --
    This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
  10. Re:Is this really a big deal? by amanpatelhotmail.com · · Score: 3, Informative

    Also I know a few people who send rar files through their work addresses because zip is blocked.

    Gmail blocks sending attachments of "executable" files, which includes .pl, .exe, .bat, .com, etc. It even checks inside zip and tar/gz archives to see if a file with a matching extension is found. If it is found, Gmail will not allow you to send your email.

    On the other hand if you compress your archive using RAR, gmail cannot check the contents and thus does not complain about executable files.

  11. Re:Is this really a big deal? Use WordPad by Nom+du+Keyboard · · Score: 3, Informative

    "...still e-mail a macro virus by merely changing a .DOC file's extension to .RTF. (Microsoft should prevent Word from running macros in files with .RTF extensions, but it doesn't.)"

    The workaround is to open all received e-mail on Windows machines using the included WordPad program. It reads both .DOC and .RTF files, but can't run macros.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
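A defender-side attachment sniffer covering the two gaps the thread raises: a binary .DOC renamed to .RTF still carries its OLE container (comments 8 and 11), and a gateway that lists ZIP members but cannot open RAR lets RAR pass unexamined (comment 10). This is an added example, not code from the article or any commenter; the leading-byte signatures are the published magic numbers for each format, the executable-extension list is the one the Gmail comment gives, and all sample attachments are constructed, harmless placeholders.

```python
import io
import os
import zipfile

# Leading-byte signatures for the container formats discussed in the thread.
SIGNATURES = {
    b"Rar!\x1a\x07\x00": "rar",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-doc",  # binary Word .doc (OLE2)
    b"{\\rtf": "rtf",
}
# Extensions the Gmail comment says are treated as executable.
EXEC_EXTENSIONS = {".exe", ".bat", ".com", ".pl"}

def sniff_type(data: bytes) -> str:
    """Identify the real container type from its first bytes, not its name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def check_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings: name/content mismatch, executable ZIP members, unopened RAR."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_type(data)
    # The renamed-.DOC trick: the name says RTF but the bytes are an OLE document.
    if ext == ".rtf" and kind == "ole-doc":
        findings.append("extension mismatch: .rtf name but binary .doc content")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if os.path.splitext(member)[1].lower() in EXEC_EXTENSIONS:
                    findings.append(f"executable member in zip: {member}")
    elif kind == "rar":
        # No RAR decoder here, so report it instead of silently passing it through.
        findings.append("rar archive: contents not inspected, quarantine or unpack")
    return findings

def build_samples() -> dict[str, bytes]:
    """Constructed test attachments (not real malware): a zip holding an .exe
    member, a fake .rtf that starts with an OLE header, and a bare RAR header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"placeholder bytes, not a program")
    return {
        "invoice.zip": buf.getvalue(),
        "report.rtf": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
        "setup.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 8,
    }
```

Running `check_attachment` over `build_samples()` flags each of the three samples with one finding, while a genuine RTF (`{\rtf1...`) named .rtf produces none.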