Slashdot Mirror


New Virus Attacks Via RAR Files

sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."

9 of 585 comments

  1. Is this really a big deal? by FyRE666 · Score: 4, Interesting

    ...most firewalls do not block the extension yet.

    Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...

    1. Re:Is this really a big deal? by Jhon · Score: 4, Interesting

      I doubt eweek's demographic is strong in the 'warez' crowd. And if you're in charge of a corporate firewall and your users are downloading 'warez', you've got serious problems. .rar files have been blocked at our proxy (both extension and mimetype) and email scanner for years. Along with rtf, password protected zip files, exe files, cpl files, etc. It's a long list.

      I'm waiting for the email attachments without extension that include 'instructions' on how to 'save as' to add the extension, then execute the code. The password protected zip file worms were close...

    2. Re:Is this really a big deal? by ThosLives · Score: 5, Interesting

      Actually, this points at a more fundamental issue. What happens if you simply take the extension off the file and set the MIME type to something like "binary stream" and just send it "raw"? I often have to rename files to get them through company (*ahem* outlook) filters that block files.

      Associating the name of a file with its content type is quite ludicrous; Apple used to do a better job of this with the file resources (the average user couldn't change file type - the name wasn't the type!) but with the transition to OS X (Unix) the metadata with files can be lost and is associated via file extension again.

      This boils down to the fact that digital data is inherently untyped; there is no way to tell if something is *really* a word document, bitmap, executable, or a random collection of bits (you can use signatures in the data to help with this, but that's about it).

      However, more on topic: I didn't know RAR files had "executable" content. If a file in a .RAR archive has a virus, that's no different than any other "hidden" trojan: shouldn't the virus scanner realise there is a problem as soon as the user tries to do something with the uncompressed/unencrypted file?

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)

  2. RAR is very popular by bigtallmofo · Score: 5, Interesting

    I find that more technically-abled people are familiar with and have installed WinRAR or the unix-variant based RAR on their system.

    Of course, such people are less likely to be taken in by a virus, so I'm forced to believe that this new spin on virus writing isn't going to be very effective.

    Similarly, I suppose virus-writers could rename their .exe file to be .txt and leave instructions within the .txt file to rename the file to .exe and from there ask them to execute it but the people that would understand those instructions would not be likely to follow them.

    --
    I'm a big tall mofo.

  3. Re:Good news! by TheRealMindChild · Score: 5, Interesting

    Maybe you live in the stone age, but I know we use RAR here almost exclusively.

    The reason Zip became so popular was its speed/efficiency compromise back in the days when it mattered. Using zip, nowadays, is simply due to habit and culture. There isn't an advantage for MOST like there used to be.

    RAR compression is better and has a very nice archive spanning feature. Believe me... this is ever so handy when backing up 40GB of data to a file system/software that can't address files larger than 2GB. Couple that with the free Stuffit Expander, and I can't come up with a reason you WOULDN'T use RAR.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson

  4. Re:It can't scan INSIDE the rar by nuclear305 · Score: 4, Interesting

    Apparently I should have been more clear--when testing with AVG it certainly can scan the contents of the archive; I watched as it scanned several exe files I placed inside the archive.

    I can't say I've ever paid much attention to other products but I would have hoped Norton and the like would also have this capability.

  5. Re:It can't scan INSIDE the rar by orkysoft · Score: 5, Interesting

    Are you sure AVG didn't actually use the WinRAR you have installed to extract the files, so it can scan them? I know that Ark (a KDE file archiving utility) uses Rarsoft's unrar to operate on RAR files.

    Of course, I don't know whether you have WinRAR installed. Can AVG scan your RAR files if you don't have WinRAR installed?

    --

    I suffer from attention surplus disorder.

  6. Re:ClamAV wins again... by j-turkey · Score: 5, Interesting

    The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti spam/virus email service and it runs flawlessly).

    ClamAV just wins period. Not having to pay per-seat licensing is awesome. Never needing to track or renew a subscription is worth every penny you'll spend on Clam AV (umm...$0.00).

    I can't think of any reason to run anything else for an email server. Am I missing something really big that ClamAV just can't do?

    --

    -Turkey

  7. When will we see a .TXT virus? by Chief+Typist · Score: 4, Interesting

    It's only a matter of time before we see a .TXT virus. Sounds implausible, but virus writers are very good at adapting to people's work habits.

    Many companies block .ZIP at the perimeter (at a firewall or mail server.) People still have work to do -- so they work around this block by renaming .ZIP files as .TXT files. We have several clients who *REQUIRE* us to send them files like this.

    So, once people get into the .TXT -> .ZIP -> unarchive habit, they'll be happy to do the same with a virus.

    And it's going to be fun seeing the whole IT infrastructure that relies on file extensions fall into a crumbling heap.

    -ch
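Two of the comments above describe the same gap from opposite sides: ThosLives notes that a filename is not a content type and that "signatures in the data" are the only real handle a filter has, and Chief Typist describes users renaming .ZIP to .TXT to get past perimeter blocks. Jhon adds that password-protected zips are on the block list because a scanner cannot look inside them. The script below is an added example (not code from the article or from any commenter) of how a mail gateway can do what extension filters cannot: classify an attachment by its leading bytes, flag files whose extension disagrees with their real format, and detect a ZIP whose first entry is encrypted by reading the general-purpose flag bits in the local file header. The signature table, the `EXPECTED_EXTENSIONS` mapping and the sample attachments are constructed for the example; the RAR marker blocks (`Rar!\x1a\x07\x00` for RAR 1.5-4.x and `Rar!\x1a\x07\x01\x00` for RAR 5) and the ZIP local-header layout are the documented formats.

```python
"""Content-sniffing triage for mail attachments (added example).

Classifies an attachment by its magic bytes, compares that with what the
filename extension claims, and reports password-protected ZIPs, which an
anti-virus engine cannot open to scan.
"""
from dataclasses import dataclass
from typing import Optional

# Leading-byte signatures, longest prefixes first so a more specific
# signature wins over a shorter one that shares its prefix.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),   # RAR 5.x marker block
    (b"Rar!\x1a\x07\x00",     "rar"),   # RAR 1.5 - 4.x marker block
    (b"PK\x03\x04",           "zip"),   # ZIP local file header
    (b"PK\x05\x06",           "zip"),   # empty ZIP (end-of-central-directory only)
    (b"{\\rtf",               "rtf"),   # Rich Text Format
    (b"MZ",                   "exe"),   # DOS stub at the start of a PE executable
]

# Extensions that legitimately carry each sniffed container (constructed
# policy table; extend to taste). Anything else is a mismatch.
EXPECTED_EXTENSIONS = {
    "rar": {"rar"},
    "zip": {"zip", "jar", "docx", "xlsx", "pptx", "odt"},
    "rtf": {"rtf"},
    "exe": {"exe", "dll", "scr", "cpl"},
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the container type implied by the first bytes, or None."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def extension_of(filename: str) -> str:
    """Lower-cased extension of the last path component, '' if none."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def zip_is_encrypted(data: bytes) -> Optional[bool]:
    """Bit 0 of the general-purpose flag (offset 6 of a ZIP local file
    header) marks an encrypted entry. None if this is not a local header."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return None
    flags = int.from_bytes(data[6:8], "little")
    return bool(flags & 0x0001)


@dataclass
class Verdict:
    filename: str
    claimed_ext: str
    sniffed: Optional[str]      # container found in the bytes, if any
    mismatch: bool              # extension disagrees with the content
    encrypted: Optional[bool]   # only meaningful for ZIP local headers


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Triage one attachment: what it claims to be versus what it is."""
    kind = sniff_type(data)
    ext = extension_of(filename)
    # Unknown content cannot contradict its extension; only a recognised
    # container can be checked against the allowed extensions for it.
    mismatch = kind is not None and ext not in EXPECTED_EXTENSIONS[kind]
    return Verdict(filename, ext, kind, mismatch, zip_is_encrypted(data))


# Constructed sample attachments: only headers, padded with zeros.
SAMPLE_RAR4_AS_TXT = b"Rar!\x1a\x07\x00" + b"\x00" * 16
SAMPLE_ZIP_PLAIN = b"PK\x03\x04" + b"\x14\x00" + b"\x00\x00" + b"\x00" * 22
SAMPLE_ZIP_ENCRYPTED = b"PK\x03\x04" + b"\x14\x00" + b"\x01\x00" + b"\x00" * 22
SAMPLE_EXE_AS_JPG = b"MZ\x90\x00" + b"\x00" * 12

if __name__ == "__main__":
    for name, blob in [("report.txt", SAMPLE_RAR4_AS_TXT),
                       ("archive.zip", SAMPLE_ZIP_PLAIN),
                       ("invoice.zip", SAMPLE_ZIP_ENCRYPTED),
                       ("photo.jpg", SAMPLE_EXE_AS_JPG),
                       ("notes.txt", b"just text\n")]:
        print(inspect_attachment(name, blob))
```

The point of the mismatch flag is that a renamed archive or executable is caught on the way in regardless of what the perimeter extension list says, while the `encrypted` field gives the gateway the fact Jhon's policy acts on: an archive the scanner cannot open should be quarantined or held for review rather than passed because no signature matched.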