Slashdot Mirror


New Virus Attacks Via RAR Files

sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."

6 of 585 comments

  1. How's this new? by Phanatic1a · Score: 5, Insightful

    It's not that there's a virus piggybacked on the .rar, which you infect yourself with by unraring the .rar, it's that they're sending around .rared viruses, which you infect yourself with if you unrar and then execute them.

    Not seeing the problem, aside from the same old 'don't go happy-assing around executing any damn old executable that someone emails you.'

  2. concern for warez ... not really by rkmath · Score: 5, Insightful

    It is true that most warez files are compressed using RAR. But it is also true that the general warez kiddie is not the type who would click on any executable without some virus checking. (Yes - it seems a shame - but the run of the mill warez kiddie is not the clueless user who clicks on every attachment in their email).

  3. *sigh* by Nephroth · Score: 5, Insightful

    This bothers me, it always bothers me when something that is not a vulnerability gets pegged as one. .RAR is not a vulnerability, and it's not a means for spreading viruses any more than any other format is. The vulnerability lies in short-sighted software development that failed to take into account that perhaps .RAR files might be used in addition to .ZIP. It's similar to the claims that international support in Mozilla was a vulnerability. It isn't. The USER is the vulnerability; educate the user and the vast majority of these problems will go away.

    Why didn't we have problems like this in the past? Why did virus writers have to be so much more clever? It was because the only people using computers had at least something of an idea of what they were doing. Viruses are, for the most part, easily avoided. It's only when users are clueless and trusting that they are allowed to flourish.

    --
    Our greatest enemy is neither a single man, nor is it a nation, it is, as it has always been, our own greed.

  4. Not sure how this is a new threat by RaguMS · Score: 5, Insightful

    Correct me if I'm wrong, but I do not understand how this poses a new threat to any system that is protected by a working antivirus.
    Scenario 1: System cannot unpack .rar files. System is safe from virus.
    Scenario 2: System can unpack .rar files. User manually executes virus contained in .rar file. File is first decompressed to the Temp directory, where antivirus catches it.

    I just tested eTrust Antivirus, and it does catch the EICAR test file if I try to open it from a RAR, so I don't see what the problem is.

  5. Re:Is this really a big deal? by Jhon · Score: 5, Insightful

    I'd bet dollars to donuts you are a user, not an admin.

    Attack against users? What user needs to receive .SCR files via email? Seriously. How about .CPL files? How about .exe files? or .com files? Or .bat? or .vbs?

    All the typical vectors of viruses/worms. Who in billing, or sales/marketing, or whatever NEEDS those files?

    When you weigh the cost between the constant drain on IT resources broken OSs (from viruses, unapproved 3rd party apps, etc) would cost, you can't SERIOUSLY hold your position as someone in charge of security.

    Our email server blocks up to 2000 (sometimes more) of the above extensions. Most are ID'd viruses (Netsky, Bagle, etc). The RARE occasion it blocks something not ID'd is due to a NEW virus that hasn't made it to the virus-def file on the scanners.
    I'm constantly amazed by the number of people..
    And I'm constantly amazed by the number of ACs who pretend to know things and act indignant.

  6. Re:Is this really a big deal? by Anonymous Coward · Score: 5, Insightful

    You lost your dollars. I'm an MCSE and a CCNA with several years experience as a network admin. Notice I was talking about blocking long lists of extensions. I block executables on my network, both exe and scripts. .EXE, .WSH, .CPL, .BAT, etc. Probably less than 20 extensions, total. I don't block things like .RTF or .XLS or .DOC or .MDB . Yes, it is possible to get various types of malware that way. But there's always a trade off between usability and security. If you want a really secure network, unplug the cable and shut everything down. No viruses or worms, guaranteed. Being able to pass around documents and useful files is part of the reason to have a network. When it gets to the point where your users are sending emails that say "Here's the new database I created. Save it to your desktop and rename it from database.bdm to database.mdb before you open it" then you're part of the problem, not the solution.

    IT people all too often lose perspective. They see the network as an end to itself. The users are just pains in the neck who screw up my beautiful setup and can't be trusted to use my equipment properly. The whole point of having a network is to enable people to do their jobs more effectively and more efficiently, and part of doing the job includes exchanging various types of files. If you're going to stop the network from being useful, why not shut it down and save all the money you're spending on it?

    Blocking executables and having solid, updated virus protection is part of good network security. So is temporarily blocking certain extensions if there's an alert for a new worm or virus that uses a specific type of file. Once your antivirus is updated to reflect the new beastie and the initial infection crisis is over, unblock the extension. Blanket blocking long lists of extensions is a DoS on yourself.