Slashdot Mirror
New Virus Attacks Via RAR Files
sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."
...most firewalls do not block the extension yet.
Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...
Code, Hardware, stuff like that.
Goatse once came to me in a .REAR file. Close enough to avoid.
Table-ized A.I.
don't accept rar files from people you don't know. And, if you do, don't run random executables inside them?
Le français vous intéresse?
Rar files are most commonly used in the legal archiving of binary files and DVDs.
"Most anti-virus software cannot scan a .RAR file"
What? Is it really a case where the software can't scan the archive or is it just that it's not included in the default types of files to scan?
Just tested this on AVG and it indeed scans rar archives.
I fail to see the problem here. TFA says that the .rar contains a file like foto.jpg.exe. This is nothing new, they're just using a better compression program to spread their malware.
Carry on with the downloading, there's nothing to see here...
Don't buy WoW Gold! Make it yourself!
This would have been more of a threat had it been in .CAB format. Not everyone uses .RAR files. Heck, in my company there are a grand total of 3 computers capable of even opneing a .RAR file...the one I'm posting from is one. On a side note: my wife got this virus emailed to her and she called me at work to ask what a rar file was... Needless to say, this virus will not be long-lived as it's just plain stupid.
Fortunately, your grandmother has no clue what a .rar file is or how to open one, leaving her safe from infection by this new method. In fact, it's fairly safe to say that the only people who will get owned by .rar file viruses are lamer hax0r wannabes desperate for more pr0n.
"Warez is becoming infected with viruses!"
I find that more technically-abled people are familiar with and have installed WinRAR or the unix-variant based RAR on their system.
.exe file to be .txt and leave instructions within the .txt file to rename the file to .exe and from there ask them to execute it but the people that would understand those instructions would not be likely to follow them.
Of course, such people are less likely to be taken in by a virus, so I'm forced to believe that this new spin on virus writing isn't going to be very effective.
Similarly, I suppose virus-writers could rename their
I'm a big tall mofo.
It's not that there's a virus piggybacked on the .rar, which you infect yourself with by unraring the .rar, it's that they're sending around .rared viruses, which you infect yourself wih if you unrar and then execute them.
Not seeing the problem, aside from the same old 'don't go happy-assing around executing any damn old executable that someone emails you.'
Maybe you live in the stone age, but I know we use RAR here almost exclusively.
The reason Zip became so popular was its speed/efficiency comprimise back in the days where it mattered. Using zip, nowadays, is simply due to habit and culture. There isn't an advantage for MOST like there used to be.
RAR compression is better and has a very nice archive spanning feature. Believe me... this is ever so handy when backing up 40GB of data to a file system/Software that can't address files larger then 2GB. Couple that with the free Stuffit Expander, and I can't come up with a reason you WOULDN't use RAR.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
... in related news eWeek is able to sell more impressions and generate more revenue by getting coverage on Slashdot for pointless non-news articles such as new Virus hides in compressed files ...
Which is a pity, since .rar files are so much more compressible than .zip files. The difference is roughly the same between .gz and .bz2... What would be really easy is for anti-virus writers to include a RAR decompression library and look inside the damned files, rather than reject useful technology for no good reason
The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti spam/virus email service and it runs flawlessly).
AccountKiller
Blocking extensions is pretty pointless ... how hard is it to rename before/after going thru a wall?
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
It seems to me this would be the simplest. Just require the virus makers to use the .virus extension and that will give the AV makers more time to perfect RAR scanning.
Is anyone with me?
Boredom's not a burden anyone should bear.
Apparently I should have been more clear--when testing with AVG it certainly can scan the contents of the archive; I watched as it scanned several exe files I placed inside the archive.
I can't say I've ever paid much attention to other products but I would have hoped Norton and the like would also have this capability.
at least it is with my 2 subsidiaries there. Winzip does not do a Chinese version. RAR does.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
It is true that most warez files are compressed using RAR. But it is also true that the general warez kiddie is not the type who would click on any executable without some virus checking. (Yes - it seems a shame - but the run of the mill warez kiddie is not the clueless user who clicks on every attachment in their email).
Comment removed based on user account deletion
Personally I prefer WinRAR to any compression program currently available.
Unfortunately, WinZip sucks beyond words.
XP's Native handling of Zip files is annoying at best, and is usually one of the first things I disable whenever I install XP.
I guess I just don't understand what the "nightmare" part is about WinRAR.
How easy does it have to be, really? Select files, right click, select "add to archive" or "add to filename.rar" and let it run. You're done.
Extracting is even easier. Right click, select "Extract files" to get a path choice, "Extract Here" to uhm, extract in the current folder or "Extract to filename" which creates a folder with the same name as the file.
Not to mention the bonus features you get if you bother to open the program, such as file recovery and repair, authentication checking, and the ability to extract from a partial set and even extract broken files if you really, really need them.
However, this should not be an issue at all, since most people don't have any support for RAR files and therefore can't open them to run the executable inside it (which is monumentally stupid anyway and whoever does, deserves whatever crap they get installed as a result of that action).
As for the "yet" part of blocking...
When are we going to put the responsibility in the hands of the user and stop dumbing down the internet? There are those of us who actually know what we're doing, don't open unknown attachments, never get viruses or trojans and always get pissed off when email servers filter out valid files.
I can't even send a bloody Word document because of the "risk of macros".
Gimme a freakin' break already.
Listen up people, if you're too dumb to use email without infecting your computer with the latest malware, maybe you should reconsider email as your communications method of choice.
-- This sig for rent.
Are you sure AVG didn't actually use the WinRAR you have installed to extract the files, so it can scan them? I know that Ark (a KDE file archiving utility) uses Rarsoft's unrar to operate on RAR files.
Of course, I don't know whether you have WinRAR installed. Can AVG scan your RAR files if you don't have WinRAR installed?
I suffer from attention surplus disorder.
Umm, this is REALLY old news. This particular method of trying to sneak past virus scanners has been around since at least March 2004 (search Google for W32.Beagle@mm!rar).
You give compeling arguments why both zip and rar are used: they became popular when the speed/efficiency compromise mattered. Using either now is simply due to habit and culture.
There isn't an advantage for most users.
bzip2, 7z, and many more compression formats are better, and you can find archive spanning programs for every single compression technique because that's such a trivial algorithm to implement.
I can't come up with a reason why you'd use rar OR zip.
Mod me down and I will become more powerful than you can possibly imagine!
I hope that served to teach you that e-mail is not a sensible mechanism to exchange executables.
This bothers me, it always bothers me when something that is not a vulnerability gets pegged as one. .RAR is not a vulnerability, and it's not a means for spreading viruses any more than any other format is. The vulnerability lies in short-sighted software development that failed to take into account that perhaps .RAR files might be used in addition to .ZIP. It's similar to the claims that international support in mozilla was a vulnerability. It isn't. the USER is the vulnerabitlity, educate the user and the vast majority of these problems will go away.
Why didn't we have problems like this in the past? Why did virus writers have to be so much more clever? It was because the only people using computers had at least something of an idea of what they were doing. Viruses are, for the most part, easily avoided. It's only when users are clueless and trusting that they are allowed to flourish.
Our greatest enemy is neither a single man, nor is it a nation, it is, as it has always been, our own greed.
Correct me if I'm wrong, but I do not understand how this poses a new threat to any system that is protected by a working antivirus. .rar files. System is safe from virus. .rar files. User manually executes virus contained in .rar file. File is first decompressed to the Temp directory, where antivirus catches it.
Scenario 1: System cannot unpack
Scenario 2: System can unpack
I just tested eTrust Antivirus, and it does catch the EICAR test file if I try to open it from a RAR, so I don't see what the problem is.
It's only a matter of time before we see a .TXT virus. Sounds implausible, but virus writers are very good at adapting to people's work habits.
.ZIP at the perimeter (at a firewall or mail server.) People still have work to do -- so they workaround this block by renaming .ZIP files as .TXT files. We have several clients who *REQUIRE* us to send them files us like this.
.TXT -> .ZIP -> unarchive habit, they'll be happy to do the same with a virus.
Many companies block
So, once people get into the
And it's going to be fun seeing the whole IT infrastructure that relies on file extensions fall into a crumbling heap.
-ch
"Because the releases consists of small parts you don't have to worry about re-downloading the whole release if something goes wrong and a file gets corrupted." BS. In this day and age of high speed internet this is not relevent. Especially while using torrent files. It really wasn't ever relevent during the modem/bbs days. Z-modem had resume downloads and everyone used it. No need for rar then.
You have obviously never done binary transfers over usenet (which is still very common today). It's done almost exclusively using RAR because news servers DO drop posts which means that you WILL lose parts of the archive.Why exactly does putting viruses into .rar's count as a new virus attack technique?
This is the same thing that has been going of for a long time with viruses in compressed files.
What's next, complaining that there are viruses in tar files? Suggesting that propagation of viruses by usb-flash drives, DVD-RW's, SD camera memory and so on... are new vectors of propagation?
This seems like a really lousy way of trying to instill virus paranoia in people to sell more A/V software.
Then again, maybe my tinfoil hat is just a bit tight today. Does anyone think there is merit to this article?
The workaround is to open all received e-mail on Windows machines using the included WordPad program. It reads both .DOC and .RTF files, but can't run macros.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Can AVG scan your RAR files if you don't have WinRAR installed?
How the bleep do you expect a user to get infected from a file inside a RAR (which is the point of this discussion) if he doesn't have a RAR decompressor?
If he can decompress, so can AVG. If he can't, AVG only scans the outside of the RAR, which is the only part that can infect him. Where's the problem?
While that might seem an attractive option to some, helpdesk employees worldwide are screaming at the thought of the association for .doc and .rtf files suddenly switching to Wordpad.
"Why won't my Office work, and what is this silly 'wordpad' that started up?"
"What's the frequency Kenneth?"
My approach simply tacks on '.txt' on the end of ALL email file attachments filenames. As a result, system compromise is IMPOSSIBLE this way provided Windows still associates .txt files with Notepad/Wordpad and those programs haven't been compromised.
In this manner the incoming file attachments can be safely scanned for viruses, deleted, quarantined, or renamed by removing the '.txt' at the end and put to use.
If you want to learn more and download my quality (but bland-looking) Windows freeware/shareware, visit now.
P.S. since July 2004, I've only gotten a handful of 'no content' email spam at iamcf13@hotpop.com. This technique is used by spammers to validate working email addresses that do not bounce. That is the only spam I recieve nowadays. All the rest is autodeleted by cf13-pop3.
However, I DO wish I could run my shareware mailserver cf13-smtp and avoid downloading the spam in the first place.