New Virus Attacks Via RAR Files

sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."

Oh, the horrid memories

[Tablizer]

Goatse once came to me in a .REAR file. Close enough to avoid.

uh...

[koreaman]

don't accept rar files from people you don't know. And, if you do, don't run random executables inside them?

For those that don't know

[Anonymous Coward]

Rar files are most commonly used in the legal archiving of binary files and DVDs.

Slashdot Headline!

[im_thatoneguy]

"Warez is becoming infected with viruses!"

eWeek ...

[jest3r]

... in related news eWeek is able to sell more impressions and generate more revenue by getting coverage on Slashdot for pointless non-news articles such as new Virus hides in compressed files ...

In other news

[JamesP]

A new virus is spreading through password-protected .arj files.

Fortunatelly, no one got it, as no one remembers anymore what the heck an .ARJ file is, let alone find a password cracker for it.

Rumors said the password is "G04TSE.CXR0X".. go now then, have some fun...

How about a .virus file type?

[jptechnical]

It seems to me this would be the simplest. Just require the virus makers to use the .virus extension and that will give the AV makers more time to perfect RAR scanning.

Is anyone with me?

Re:first post

[Anonymous Coward]

someone shouted HQX at me once and I didn't sleep for a week.

Re:Oh, the horrid memories

[tehshen]

I hope you didn't have any wide open ports for a virus to exploit.

Re:For those that don't know

[greenegg77]

So, thats like 50% legal then?
Nah, it's 100% legal - you're simply a small part of someone's distributed offsite backup and archive model. :D

Re:No problem!

[B3ryllium]

If anything, we should congratulate them. They've found a way to cut down on a few bytes of junk data flying around the net.

Cumulatively, it could be a big waste reduction. :)

Another strike against Linux

[WhiteWolf666]

Gosh.
All my household systems come with software to decrypt rars, bzip2s, gzips, tars, etc. . .

All this extra functionality results in vulnerabilities, eh?

Oh. Wait. Even when I get the file open, the trojan won't excute. Guess I better fire up Wine, see if I can get it to work.

If only Win32 was better supported in Linux, then I wouldn't have these cross-platform issues.

Re:RAR is very popular in China

[JustNiz]

aaahhh sooo... rinzip... doh... rin... doh.. fuckit RAR.

Re:Is this really a big deal?

[Rei]

... because you can detect the part that does the self-extracting, of course. :)

A more clever approach is to have another program do the extracting for you - for example, to distribute it as a password-protected zip file and make the password known to the user. That way, you don't need the identifiable extractor.

Re:uh...

[jacksonj04]

You're giving end users too much credit here. If it exists, they will click.

Re:Is this really a big deal?

[bobbagum]

still any BOFH worth his salt wouldn't let any lusers runs executables anyway

Ohh, it's just about user stupidity as usual

[Jugalator]

It's about people clicking on RAR archives said to contain Anna Kournikova pictures, and other women with hot grits? Well what's new there?

It's not a problem with RAR in specific... If they block RAR files, I'm sure they could instead just be guided to a web page and told to install an ActiveX control instead. :-P (of course a digitally signed one so they get a false sense of security)

If you could only patch the real serious security holes here -- the ones in the users' brains...

Whelp

[Drako2]

Time to go back to using ARJ

Re:Oh, the horrid memories

[Doctor O]

Ah yes. Reminds me of the great goatse.exe I found on some troll resource server years ago that set the desktop and window background to Mr Goatse and changed the mouse pointer and screensaver accordingly, all in a way that required registry fiddling to EVER get rid of all that. Send that as "niceass.exe" to the jerk who won't stop sending you all his funny, funny PowerPoint "jokes". Hilarity ensues.

Of course, remotely putting that into the autostart folders of pesky coworkers is nice too. Praise Billy Boy for \\[IP address]\C$\ and null sessions. Heh.

Re:Big deal

[fudgefactor7]

Yo, man, she's a nurse, cut her some slack.

Re:Is this really a big deal?

[Nebu]

You would be surprised how few email filters detect an attachment which is simply sent as Base64 or UUEncoded text, in the body. As it's not an attachment, it frequently gets ignored.

Why would we be surprised? People who write e-mail filters have to balance between security and convenience of the user.

I mean, imagine a super complex e-mail filter program that blocked every conceivable way of sending an attachment. If I sent a letter to my mom asking her how her stay was in the hospital, and got something back like:

"Your email was blocked because if you take the lower 4th bits of every word whose position is a prime number and reverse the endianess, you get a executable that runs on the 8-bit Gameboy platform, which could then be run by the recipient using an emulator. This executable has been blocked for your protection. Have a nice day."

I'd be pretty annoyed.

Re:Is this really a big deal? Use WordPad

[bob beta]

While that might seem an attractive option to some, helpdesk employees worldwide are screaming at the thought of the association for .doc and .rtf files suddenly switching to Wordpad.

"Why won't my Office work, and what is this silly 'wordpad' that started up?"