New Virus Attacks Via RAR Files
sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."
...most firewalls do not block the extension yet.
Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...
Code, Hardware, stuff like that.
Goatse once came to me in a .REAR file. Close enough to avoid.
Table-ized A.I.
don't accept rar files from people you don't know. And, if you do, don't run random executables inside them?
Interested in French?
Rar files are most commonly used in the legal archiving of binary files and DVDs.
"Most anti-virus software cannot scan a .RAR file"
What? Is it really a case where the software can't scan the archive or is it just that it's not included in the default types of files to scan?
Just tested this on AVG and it indeed scans rar archives.
I fail to see the problem here. TFA says that the .rar contains a file like foto.jpg.exe. This is nothing new, they're just using a better compression program to spread their malware.
Carry on with the downloading, there's nothing to see here...
Don't buy WoW Gold! Make it yourself!
This would have been more of a threat had it been in .CAB format. Not everyone uses .RAR files. Heck, in my company there are a grand total of 3 computers capable of even opening a .RAR file...the one I'm posting from is one. On a side note: my wife got this virus emailed to her and she called me at work to ask what a rar file was... Needless to say, this virus will not be long-lived as it's just plain stupid.
Fortunately, your grandmother has no clue what a .rar file is or how to open one, leaving her safe from infection by this new method. In fact, it's fairly safe to say that the only people who will get owned by .rar file viruses are lamer hax0r wannabes desperate for more pr0n.
"Warez is becoming infected with viruses!"
I find that more technically-abled people are familiar with and have installed WinRAR or the unix-variant based RAR on their system.
Of course, such people are less likely to be taken in by a virus, so I'm forced to believe that this new spin on virus writing isn't going to be very effective.
Similarly, I suppose virus-writers could rename their .exe file to be .txt and leave instructions within the .txt file to rename the file to .exe and from there ask them to execute it, but the people that would understand those instructions would not be likely to follow them.
I'm a big tall mofo.
And I've always extracted and scanned the contents before executing.
It just makes sense to me.
I've been using rar extensions for years, never had a problem or complaint. Winrar is just as easy or easier to use than Winzip.....
All the common scanners can scan inside a zip archived file. However, most scanners cannot scan inside a rar archive. So you are getting it wrong. A virus scan OF the file will return nothing but a .rar file. The virus can be hidden IN the rar file, which is not scanned.
Hopefully your AV has a good realtime file scan so it if it written to a temp file it will be scanned as soon as it is accessed.
Boredom's not a burden anyone should bear.
It's not that there's a virus piggybacked on the .rar, which you infect yourself with by unraring the .rar, it's that they're sending around .rared viruses, which you infect yourself with if you unrar and then execute them.
Not seeing the problem, aside from the same old 'don't go happy-assing around executing any damn old executable that someone emails you.'
Maybe you live in the stone age, but I know we use RAR here almost exclusively.
The reason Zip became so popular was its speed/efficiency compromise back in the days where it mattered. Using zip, nowadays, is simply due to habit and culture. There isn't an advantage for MOST like there used to be.
RAR compression is better and has a very nice archive spanning feature. Believe me... this is ever so handy when backing up 40GB of data to a file system/software that can't address files larger than 2GB. Couple that with the free Stuffit Expander, and I can't come up with a reason you WOULDN'T use RAR.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
... in related news eWeek is able to sell more impressions and generate more revenue by getting coverage on Slashdot for pointless non-news articles such as new Virus hides in compressed files ...
A new virus is spreading through password-protected .arj files.
Fortunately, no one got it, as no one remembers anymore what the heck an .ARJ file is, let alone find a password cracker for it.
Rumors said the password is "G04TSE.CXR0X".. go now then, have some fun...
how long until
Which is a pity, since .rar files are so much more compressible than .zip files. The difference is roughly the same between .gz and .bz2... What would be really easy is for anti-virus writers to include a RAR decompression library and look inside the damned files, rather than reject useful technology for no good reason
The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti spam/virus email service and it runs flawlessly).
AccountKiller
Blocking extensions is pretty pointless ... how hard is it to rename before/after going thru a wall?
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
It seems to me this would be the simplest. Just require the virus makers to use the .virus extension and that will give the AV makers more time to perfect RAR scanning.
Is anyone with me?
Boredom's not a burden anyone should bear.
This is great. They have still not all figured out how to avoid bzip2 bombs, how are they supposed to be able to scan RAR files? I mean, heck, they can't adopt a new compression file every 2 weeks! Oh wait...
at least it is with my 2 subsidiaries there. Winzip does not do a Chinese version. RAR does.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
someone shouted HQX at me once and I didn't sleep for a week.
If your firewall blocks ZIP files and RAR files, then how are you supposed to exchange groups of files with your friends efficiently?
Isn't the WHOLE POINT of having archive file software on your computer defeated by blocking content with these extensions?
That's funny because I know several. All they had to do was see the same files compressed with ZIP, and again with RAR. Once they saw WinRAR did everything WinZIP could do, and then some, and was easier to boot, they switched.
Face it, people are slowly moving to a better and more efficient format. All we have is some virus protection companies who are on the slow end of adapting to new technologies. And it's not all that new, RAR has been around for at least 5 years.
Do you really want to trust an anti-virus company that can't deal with semi-popular 5 year old compression protocols?
As the article explains it (you do read the articles, don't you?). The .RAR has to be unpacked, to reveal a file with dual extensions - like "Pron.jpg.exe". The user still has to be dumb enough to click on that .exe without running a virus scanner on it first. No one has made a .rar that somehow executes on its own.
The article expresses a fear that there are people out there in cluelessland that will think "Gee, I know I should scan .exe's that came packed in .zip's, but this came packed in another compression. Duuh! it must be safe!".
There may be three people on the whole planet who are actually at that particular mix of clueless and clueful states. The rest either still don't know the first thing about what a .rar or an .exe is, or they won't be fooled.
If a journalist tried to make us all afraid of the risk of terrorists that try to sneak through customs by disguising themselves as Mexican Banditos, complete with bandoleers of bullets, some people would probably buy that too.
Who is John Cabal?
It is true that most warez files are compressed using RAR. But it is also true that the general warez kiddie is not the type who would click on any executable without some virus checking. (Yes - it seems a shame - but the run of the mill warez kiddie is not the clueless user who clicks on every attachment in their email).
Last time I looked at WinRAR it had no support for NTFS Permissions, unlike WinZip. Which makes it pretty useless for backups outside of the proverbial mom's basement.
Nice elitist answer there. YOU can't think of a good purpose to use
Also, I prefer the
What would be really easy is for anti-virus writers to include a RAR decompression library and look inside the damned files, rather than reject useful technology for no good reason
The FAQ claims that it doesn't open files produced by anything newer than WinRAR 2.9. Newer formats seem to be undocumented.
One of our customers started blocking zip files. So now we either rename them to zi_ or use another kind of compression (rar, gzip, etc.). What on earth is the difference? A virus can latch on to whatever it wants - it would take almost no effort on the part of the author.
What will fix this is more knowledgeable users and up-to-date antivirus software. My own users get viruses from other people, but either the antivirus software catches it, or they simply call and ask what they should do (delete or send it to me first).
Soon our customer will probably start blocking rar files, then zi_ files. It is the probably one of the laziest ways to block viruses, and not really that effective at it.
Vote for global prefs bug
Personally I prefer WinRAR to any compression program currently available.
Unfortunately, WinZip sucks beyond words.
XP's Native handling of Zip files is annoying at best, and is usually one of the first things I disable whenever I install XP.
I guess I just don't understand what the "nightmare" part is about WinRAR.
How easy does it have to be, really? Select files, right click, select "add to archive" or "add to filename.rar" and let it run. You're done.
Extracting is even easier. Right click, select "Extract files" to get a path choice, "Extract Here" to uhm, extract in the current folder or "Extract to filename" which creates a folder with the same name as the file.
Not to mention the bonus features you get if you bother to open the program, such as file recovery and repair, authentication checking, and the ability to extract from a partial set and even extract broken files if you really, really need them.
However, this should not be an issue at all, since most people don't have any support for RAR files and therefore can't open them to run the executable inside it (which is monumentally stupid anyway and whoever does, deserves whatever crap they get installed as a result of that action).
As for the "yet" part of blocking...
When are we going to put the responsibility in the hands of the user and stop dumbing down the internet? There are those of us who actually know what we're doing, don't open unknown attachments, never get viruses or trojans and always get pissed off when email servers filter out valid files.
I can't even send a bloody Word document because of the "risk of macros".
Gimme a freakin' break already.
Listen up people, if you're too dumb to use email without infecting your computer with the latest malware, maybe you should reconsider email as your communications method of choice.
-- This sig for rent.
Umm, this is REALLY old news. This particular method of trying to sneak past virus scanners has been around since at least March 2004 (search Google for W32.Beagle@mm!rar).
You give compelling arguments why both zip and rar are used: they became popular when the speed/efficiency compromise mattered. Using either now is simply due to habit and culture.
There isn't an advantage for most users.
bzip2, 7z, and many more compression formats are better, and you can find archive spanning programs for every single compression technique because that's such a trivial algorithm to implement.
I can't come up with a reason why you'd use rar OR zip.
Mod me down and I will become more powerful than you can possibly imagine!
Educate the users not to be morons. At our site, we've had trouble working with a university because our ISP removes .exe files from attachments and their server removes .zip files. Pretty hard to exchange executables in that kind of environment.
Now we use an ftp server. All because idiots click on attachments without thinking.
Gosh.
All my household systems come with software to decrypt rars, bzip2s, gzips, tars, etc.
All this extra functionality results in vulnerabilities, eh?
Oh. Wait. Even when I get the file open, the trojan won't execute. Guess I better fire up Wine, see if I can get it to work.
If only Win32 was better supported in Linux, then I wouldn't have these cross-platform issues.
WhiteWolf666 an ex-Bush supporter. All you new-school, compassionate, save the children Republicans can rot in hell
Actually, RAR has been around for over a decade.
:)
(Since 1993, according to WikiPedia.)
I remember investigating it back in my BBSing days.
Though I guess that makes it an even sorrier situation for AV companies.
Don't tell anyone! Now gmail may start parsing RAR files and forbidding anyone from attaching rar files which include executable files :(
:( What next, parsing the exe header?
They already do this with zip files, which is a pity. Many times, I have to send attachments which include EXE files... If this protection is implemented, we'll have to rename the exe files to ex_ or something
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
It's about people clicking on RAR archives said to contain Anna Kournikova pictures, and other women with hot grits? Well what's new there?
:-P (of course a digitally signed one so they get a false sense of security)
It's not a problem with RAR in specific... If they block RAR files, I'm sure they could instead just be guided to a web page and told to install an ActiveX control instead.
If you could only patch the real serious security holes here -- the ones in the users' brains...
Beware: In C++, your friends can see your privates!
This bothers me, it always bothers me when something that is not a vulnerability gets pegged as one. .RAR is not a vulnerability, and it's not a means for spreading viruses any more than any other format is. The vulnerability lies in short-sighted software development that failed to take into account that perhaps .RAR files might be used in addition to .ZIP. It's similar to the claims that international support in mozilla was a vulnerability. It isn't. The USER is the vulnerability, educate the user and the vast majority of these problems will go away.
Why didn't we have problems like this in the past? Why did virus writers have to be so much more clever? It was because the only people using computers had at least something of an idea of what they were doing. Viruses are, for the most part, easily avoided. It's only when users are clueless and trusting that they are allowed to flourish.
Our greatest enemy is neither a single man, nor is it a nation, it is, as it has always been, our own greed.
LOL, yes, this is exactly why I use RAR, honestly! Jesus you're dumb.
You know, the horse and carriage has been a standard for a long long time now, so what is the point in getting around in something totally faster that then makes people go out and buy something just like it when in the end it does the same thing as that horse and carriage.
Clue: WinRAR compresses better, is more secure, and is a heck of a lot more feature rich than WinZIP. WinZIP is, to put it nicely, a piece of shit. And ZIP is outdated compared to RAR and 7-Zip (be it compression or security).
Your newbieness truly knows no bounds. Please educate yourself, don't worry, we'll all wait:
Now, STFU and sit.
All I know about Bush is I had a good job when Clinton was president.
I am unaware of any av software I have seen (I have seen and configured most) that cannot extract rar (even embedded levels deep) and scan the enveloped files. It seems like tech news sites are taking a cue from american media (and american leadership) by sensationalizing non problems. There are plenty of real issues to deal with and bs problems like these make it harder to sift through all the crap to find what really matters. The command-line virus scanner I used to scan files that were uploaded to my bbs in 1986 could scan within rar (and most other) compressed files. Perhaps the people reporting news on technical news sites should have some sort of technical background and (preferably) experience.
Correct me if I'm wrong, but I do not understand how this poses a new threat to any system that is protected by a working antivirus.
Scenario 1: System cannot unpack .rar files. System is safe from virus.
Scenario 2: System can unpack .rar files. User manually executes virus contained in .rar file. File is first decompressed to the Temp directory, where antivirus catches it.
I just tested eTrust Antivirus, and it does catch the EICAR test file if I try to open it from a RAR, so I don't see what the problem is.
Of course, RAR is not the best either...
Repton.
They say that only an experienced wizard can do the tengu shuffle.
That made me kinda mad. The built in lib does rar up to 2.0, but won't look in 3.0s. What good is clamav with such a glaring hole in it?
Yeah, I could use the command line scanner with arcane options to use the unrar app, but that won't help my 5,000 email subscribers. So I'm back to suggesting they use something like norton... (which technically I never stopped recommending for obvious reasons).
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
1) If you think 7z is a trivial algorithm to implement, you REALLY haven't looked at it. Also there isn't (last time I checked) any mac implementation
OK, the pzip people (p7zip project) have ported it to the posix command line. But you'll have to compile it yourself and write your own GUI. But you can at least work with 7zip archives now.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
It's only a matter of time before we see a .TXT virus. Sounds implausible, but virus writers are very good at adapting to people's work habits.
Many companies block .ZIP at the perimeter (at a firewall or mail server.) People still have work to do -- so they work around this block by renaming .ZIP files as .TXT files. We have several clients who *REQUIRE* us to send them files like this.
So, once people get into the .TXT -> .ZIP -> unarchive habit, they'll be happy to do the same with a virus.
And it's going to be fun seeing the whole IT infrastructure that relies on file extensions fall into a crumbling heap.
-ch
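An added example, not from eWeek or any poster here, of the checks a mail gateway could run instead of filtering on extension: it sniffs the container by its leading bytes (so a ZIP renamed .txt or .zi_ and a RAR renamed .r4r are still recognised), walks ZIP members with the standard library under depth and size limits (nested archives and decompression bombs both come up in the thread), and flags the foto.jpg.exe double-extension pattern the article describes. Python's standard library has no RAR/7z/ARJ reader, so those containers are only identified and handed off; the magic-byte table, extension lists and sample attachments are constructed for this demo.

```python
import io
import zipfile

# Leading bytes of the container formats the thread mentions; sniffing them
# catches archives whose extension was changed to slip past a name filter.
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\x60\xea", "arj"),
]
# Extensions each container is expected to carry (deliberately narrow here).
EXPECTED_EXT = {"rar4": {"rar"}, "rar5": {"rar"}, "zip": {"zip"}, "7z": {"7z"},
                "gzip": {"gz", "tgz"}, "bzip2": {"bz2", "tbz2"}, "arj": {"arj"}}
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3", "avi"}
MAX_DEPTH = 3                  # nested archives are unpacked no deeper than this
MAX_MEMBER = 10 * 1024 * 1024  # refuse to inflate members larger than 10 MiB

def sniff_container(data: bytes):
    """Identify an archive by its leading bytes, ignoring the file name."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return None

def suspicious_member(name: str):
    """Reason string for names ending in an executable extension, else None."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXT:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return f"double extension .{parts[-2]}.{parts[-1]}"   # foto.jpg.exe
    return f"executable .{parts[-1]}"

def inspect_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return findings for one attachment; an empty list means nothing notable."""
    findings = []
    kind = sniff_container(data)
    base = filename.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if kind is None:
        reason = suspicious_member(filename)
        return [f"{filename}: {reason}"] if reason else []
    if ext not in EXPECTED_EXT[kind]:
        findings.append(f"{filename}: content is {kind} but extension is .{ext or '(none)'}")
    if kind != "zip":
        # No stdlib reader for these: identify them and hand off to a scanner
        # that can open the format instead of letting them through.
        findings.append(f"{filename}: {kind} archive, pass to a {kind}-aware scanner")
        return findings
    if depth >= MAX_DEPTH:
        findings.append(f"{filename}: nested deeper than {MAX_DEPTH}, not unpacked")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER:   # archive-bomb guard
                findings.append(f"{filename}/{info.filename}: oversized member, skipped")
                continue
            findings.extend(inspect_attachment(f"{filename}/{info.filename}", zf.read(info), depth + 1))
    return findings

def build_samples() -> dict:
    """Constructed attachments: a ZIP-in-ZIP renamed .txt hiding foto.jpg.exe,
    a RAR4 header under its real and a renamed extension, and plain text."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("foto.jpg.exe", b"MZ constructed, not a real program")
        zf.writestr("readme.txt", b"hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("photos.zi_", inner.getvalue())
    fake_rar = b"Rar!\x1a\x07\x00" + b"\x00" * 16  # header bytes only, constructed
    return {"photos.txt": outer.getvalue(), "pics.rar": fake_rar,
            "pics.r4r": fake_rar, "note.txt": b"just text"}
```

Running `inspect_attachment("photos.txt", build_samples()["photos.txt"])` yields three findings: the outer mismatch, the inner .zi_ mismatch, and the foto.jpg.exe double extension.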
Bzip2 + tar gets as good compression as RAR and has the added benefit of being almost ubiquitous, as well as having decent open source tools for compression and extraction on virtually every platform. Multi-volume is simply a matter of calling split before storing it.
Personally, I found myself quite surprised that support for this wasn't there already.
Commercial antivirus vendors should have implemented this. It seems ludicrous to me that the vendors of these products skipped a popular compression mechanism just because nobody had bothered to release a virus that understood it first. Security companies should be preemptively building in support for things like this. It's not as if it was an unpredictable issue.
The free(speech) ClamAV has support for this already, and I would hazard other compression formats as well. It obviously doesn't take *massive* developer effort to add support for things like this. And it's obviously something that people have already thought about it.
One of the reasons why we have such a problem with these things is that *even vendors of security products* don't seem to want to think proactively about issues that might arise. They wait for something to bite them in the ass before they fix it - leaving everyone vulnerable in the meantime.
"Pokey, are you drunk on love?" "Yes. Also whiskey. But mostly love... and whiskey."
As for the "yet" part of blocking... When are we going to put the responsibility in the hands of the user and stop dumbing down the internet?
When the stupid end users stop downloading everything they can to infect their PC's with spy/mal-ware. You are the EXCEPTION. "End User" is equivalent to a 4-letter word in our department. Every inch you give them is a mile they make you walk to fix their problems.
Sounds like you've never worked any kind of support job. People do stupid things that you tell them not to do. They will do them multiple times, after being told not to multiple times. Some of them are management, and therefore not generally subject to punishment for violating said rules. Everyone must have their pretty screen savers, fun animated cursors, and dressed up email "stationery".
Don't get me wrong, you sound like someone who is fairly educated in what not to do. As the MIS/IT/IS dept, we do these things in self defense. It's not you who has to answer to the CIO/CEO as to why we got nailed by the XXX worm/trojan/virus.
My 2cents...
Those tests weren't all that great. bzip2 is great at text compression for example, but not good at other stuff. It makes no sense to test it on binary files. I've seen ACE better than RAR in some tests, results vary. Also, I didn't see 7-zip or a lot of the lesser known formats tested.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Clearly you've never experienced line noise. Me, personally, if I was downloading something back in the BBS days and I had a bit of line noise I'd rather be able to download another smaller RAR piece than have to redownload the whole thing. Z-Modem wouldn't have done squat in that situation (which was so common that *drumroll please* this is why people doing this began distributing things this way). As far as BitTorrent goes, sure, it's a lot better at catching errors and correcting them, but it's not flawless. You're still better off with RAR+SFV plus BitTorrent doing its MD5 checks than with just BitTorrent.
Yes, who cares if you got the app but no documentation to go with it. It's all greek to you, obviously!
No, Torrent files and high speed internet don't trump that point. It's rare when a torrent will fully saturate your download. And since many BitTorrent downloaders allow you to tag individual files in a torrent, you can mark RAR's you're getting from the torrent then unmark RAR's you're getting from another source (so you can fully saturate your connection).
That site listed in a thoughtful manner all the reasons why you'd want to use RAR. If you choose to ignore it because you think you know better (hint: you don't or the scene wouldn't be using split RAR's), that's your prerogative. But at least a know-nothing like yourself isn't responsible for scene releases or scene rules.
All I know about Bush is I had a good job when Clinton was president.
"Because the releases consists of small parts you don't have to worry about re-downloading the whole release if something goes wrong and a file gets corrupted." BS. In this day and age of high speed internet this is not relevant. Especially while using torrent files. It really wasn't ever relevant during the modem/bbs days. Z-modem had resume downloads and everyone used it. No need for rar then.
You have obviously never done binary transfers over usenet (which is still very common today). It's done almost exclusively using RAR because news servers DO drop posts which means that you WILL lose parts of the archive.
Why even **consider** having to block rar files?
blocking rar files... great then all warez sites will rename to .r4r or something. get real. what are we, a bunch of 3rd grade marketing types?
THEY ARE USEFUL ESPECIALLY OVER A NETWORK, you know, they reduce file sizes.
Instead: educate, and write decent sandboxing / active protection software that will scan on decompress.
OK, don't botch the job, do it right.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Why exactly does putting viruses into .rar's count as a new virus attack technique?
This is the same thing that has been going on for a long time with viruses in compressed files.
What's next, complaining that there are viruses in tar files? Suggesting that propagation of viruses by usb-flash drives, DVD-RW's, SD camera memory and so on... are new vectors of propagation?
This seems like a really lousy way of trying to instill virus paranoia in people to sell more A/V software.
Then again, maybe my tinfoil hat is just a bit tight today. Does anyone think there is merit to this article?
The workaround is to open all received e-mail on Windows machines using the included WordPad program. It reads both .DOC and .RTF files, but can't run macros.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
While that might seem an attractive option to some, helpdesk employees worldwide are screaming at the thought of the association for .doc and .rtf files suddenly switching to Wordpad.
"Why won't my Office work, and what is this silly 'wordpad' that started up?"
"What's the frequency Kenneth?"
My approach simply tacks on '.txt' on the end of ALL email file attachments filenames. As a result, system compromise is IMPOSSIBLE this way provided Windows still associates .txt files with Notepad/Wordpad and those programs haven't been compromised.
In this manner the incoming file attachments can be safely scanned for viruses, deleted, quarantined, or renamed by removing the '.txt' at the end and put to use.
If you want to learn more and download my quality (but bland-looking) Windows freeware/shareware, visit now.
P.S. since July 2004, I've only gotten a handful of 'no content' email spam at iamcf13@hotpop.com. This technique is used by spammers to validate working email addresses that do not bounce. That is the only spam I receive nowadays. All the rest is autodeleted by cf13-pop3.
However, I DO wish I could run my shareware mailserver cf13-smtp and avoid downloading the spam in the first place.