Slashdot Mirror
New Virus Attacks Via RAR Files
sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."
"Most anti-virus software cannot scan a .RAR file"
What? Is it really a case where the software can't scan the archive or is it just that it's not included in the default types of files to scan?
Just tested this on AVG and it indeed scans rar archives.
I fail to see the problem here. TFA says that the .rar contains a file like foto.jpg.exe. This is nothing new, they're just using a better compression program to spread their malware.
Carry on with the downloading, there's nothing to see here...
Don't buy WoW Gold! Make it yourself!
Fortunately, your grandmother has no clue what a .rar file is or how to open one, leaving her safe from infection by this new method. In fact, it's fairly safe to say that the only people who will get owned by .rar file viruses are lamer hax0r wannabes desperate for more pr0n.
It's not that there's a virus piggybacked on the .rar, which you infect yourself with by unraring the .rar, it's that they're sending around .rared viruses, which you infect yourself wih if you unrar and then execute them.
Not seeing the problem, aside from the same old 'don't go happy-assing around executing any damn old executable that someone emails you.'
I suppose it depends what you download. But quite a lot of games and movies are compressed with rar. Also I know a few people who send rar files through their work address's because zip is blocked.
It is true that most warez files are compressed using RAR. But it is also true that the general warez kiddie is not the type who would click on any executable without some virus checking. (Yes - it seems a shame - but the run of the mill warez kiddie is not the clueless user who clicks on every attachment in their email).
Comment removed based on user account deletion
Personally I prefer WinRAR to any compression program currently available.
Unfortunately, WinZip sucks beyond words.
XP's Native handling of Zip files is annoying at best, and is usually one of the first things I disable whenever I install XP.
I guess I just don't understand what the "nightmare" part is about WinRAR.
How easy does it have to be, really? Select files, right click, select "add to archive" or "add to filename.rar" and let it run. You're done.
Extracting is even easier. Right click, select "Extract files" to get a path choice, "Extract Here" to uhm, extract in the current folder or "Extract to filename" which creates a folder with the same name as the file.
Not to mention the bonus features you get if you bother to open the program, such as file recovery and repair, authentication checking, and the ability to extract from a partial set and even extract broken files if you really, really need them.
However, this should not be an issue at all, since most people don't have any support for RAR files and therefore can't open them to run the executable inside it (which is monumentally stupid anyway and whoever does, deserves whatever crap they get installed as a result of that action).
As for the "yet" part of blocking...
When are we going to put the responsibility in the hands of the user and stop dumbing down the internet? There are those of us who actually know what we're doing, don't open unknown attachments, never get viruses or trojans and always get pissed off when email servers filter out valid files.
I can't even send a bloody Word document because of the "risk of macros".
Gimme a freakin' break already.
Listen up people, if you're too dumb to use email without infecting your computer with the latest malware, maybe you should reconsider email as your communications method of choice.
-- This sig for rent.
You've answered your own question - most corporations and free email providers block executables.
You give compeling arguments why both zip and rar are used: they became popular when the speed/efficiency compromise mattered. Using either now is simply due to habit and culture.
There isn't an advantage for most users.
bzip2, 7z, and many more compression formats are better, and you can find archive spanning programs for every single compression technique because that's such a trivial algorithm to implement.
I can't come up with a reason why you'd use rar OR zip.
Mod me down and I will become more powerful than you can possibly imagine!
This bothers me, it always bothers me when something that is not a vulnerability gets pegged as one. .RAR is not a vulnerability, and it's not a means for spreading viruses any more than any other format is. The vulnerability lies in short-sighted software development that failed to take into account that perhaps .RAR files might be used in addition to .ZIP. It's similar to the claims that international support in mozilla was a vulnerability. It isn't. the USER is the vulnerabitlity, educate the user and the vast majority of these problems will go away.
Why didn't we have problems like this in the past? Why did virus writers have to be so much more clever? It was because the only people using computers had at least something of an idea of what they were doing. Viruses are, for the most part, easily avoided. It's only when users are clueless and trusting that they are allowed to flourish.
Our greatest enemy is neither a single man, nor is it a nation, it is, as it has always been, our own greed.
Correct me if I'm wrong, but I do not understand how this poses a new threat to any system that is protected by a working antivirus. .rar files. System is safe from virus. .rar files. User manually executes virus contained in .rar file. File is first decompressed to the Temp directory, where antivirus catches it.
Scenario 1: System cannot unpack
Scenario 2: System can unpack
I just tested eTrust Antivirus, and it does catch the EICAR test file if I try to open it from a RAR, so I don't see what the problem is.
If zip (or any) files are blocked, I like sending files encrypted, or merely scrambled.
You would be surprised how few email filters detect an attachment which is simply sent as Base64 or UUEncoded text, in the body. As it's not an attachment, it frequently gets ignored.
Karma: It's all a bunch of tree-huggin' hippy crap!
doubt eweek's demographic is strong in the 'warez' crowd. And if your in charge of a corporate firewall and your users are downloading 'warez', you've got serious problems.
Contrary to popular opinion, Corporate admins aren't the only people who worry about security.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
and they don't so much care about it, as install some piece of shit filter, leave all the defaults on no matter how idiotic they are in the sense of the buisness they are "protecting", and feel happy in the knowledge that someone else is worrying about security for them (not bitter, honest)...
Advanced users are users too!
Why exactly does putting viruses into .rar's count as a new virus attack technique?
This is the same thing that has been going of for a long time with viruses in compressed files.
What's next, complaining that there are viruses in tar files? Suggesting that propagation of viruses by usb-flash drives, DVD-RW's, SD camera memory and so on... are new vectors of propagation?
This seems like a really lousy way of trying to instill virus paranoia in people to sell more A/V software.
Then again, maybe my tinfoil hat is just a bit tight today. Does anyone think there is merit to this article?
Attack against users? What user needs to receive
All the typical vectors of viruses/worms. Who in billing, or sales/marketing, or whatever NEEDS those files?
When you weigh the cost between the constant drain on IT resources broken OSs (from viruses, unapproved 3rd party apps, etc) would cost, you can't SERIOUSLY hold your position as someone in charge of security.
Our email server blocks up to 2000 (sometimes more) of the above extentions. Most are IDd viruses (netsky, bagle, etc). The RARE occation it blocks something not IDd is due to a NEW virus that hasn't made it to the virus-def file on the scanners.And I'm constantly amazed by the number of ACs who pretend to know things and act indignant.
Can AVG scan your RAR files if you don't have WinRAR installed?
How the bleep do you expect a user to get infected from a file inside a RAR (which is the point of this discussion) if he doesn't have a RAR decompressor?
If he can decompress, so can AVG. If he can't, AVG only scans the outside of the RAR, which is the only part that can infect him. Where's the problem?
You lost your dollars. I'm an MCSE and a CCNA with several years experience as a network admin. Notice I was talking about blocking long lists of extensions. I block executables on my network, both exe and scripts. .EXE, .WSH, .CPL, .BAT, etc. Probably less than 20 extensions, total. I don't block things like .RTF or .XLS or .DOC or .MDB . Yes, it is possible to get various types of malware that way. But there's always a trade off between usability and security. If you want a really secure network, unplug the cable and shut everything down. No viruses or worms, guaranteed. Being able to pass around documents and useful files is part of the reason to have a network. When it gets to the point where your users are sending emails that say "Here's the new database I created. Save it to your desktop and rename it from database.bdm to database.mdb before you open it" then you're part of the problem, not the solution.
IT people all too often lose perspective. They see the network as an end to itself. The users are just pains in the neck who screw up my beautiful setup and can't be trusted to use my equipment properly. The whole point of having a network is to enable people to do their jobs more effectively and more efficiently, and part of doing the job includes exchanging various types of files. If you're going to stop the network from being useful, why not shut it down and save all the money you're spending on it?
Blocking executables and having solid, updated virus protection is part of good network security. So is temporarily blocking certain extensions if there's an alert for a new worm or virus that uses a specific type of file. Once your antivirus is updated to reflect the new beastie and the initial infection crisis is over, unblock the extension. Blanket blocking long lists of extensions is a DoS on yourself.