
New Virus Attacks Via RAR Files

sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."
  • by LoRdTAW ( 99712 ) on Monday February 21, 2005 @03:58PM (#11738355)
    Well it could definitely cause a problem with warez. Most warez is usually packed using RAR.
  • by Beuno ( 740018 ) <argentina&gmail,com> on Monday February 21, 2005 @04:02PM (#11738398) Homepage
    I've been using rar extensions for years, never had a problem or complaint. Winrar is just as easy or easier to use than Winzip.....
  • by jptechnical ( 644454 ) on Monday February 21, 2005 @04:02PM (#11738402) Homepage
    All the common scanners can scan inside a zip archived file. However, most scanners cannot scan inside a rar archive. So you are getting it wrong. A virus scan OF the file will return nothing but a .rar file. The virus can be hidden IN the rar file, which is not scanned. Hopefully your AV has a good realtime file scan so it if it written to a temp file it will be scanned as soon as it is accessed.
  • Re:Good news! (Score:2, Informative)

    by DarkEdgeX ( 212110 ) on Monday February 21, 2005 @04:04PM (#11738428) Journal
    ZIP files are inherently insecure (if you rely on the password protection anyways). RAR files are much more secure. Just try using one of those brute-force password cracking apps [elcomsoft.com] on a RAR file-- it takes significantly longer to brute force a RAR than a ZIP.
  • Re:Good news! (Score:5, Informative)

    by wtrmute ( 721783 ) on Monday February 21, 2005 @04:05PM (#11738434)
    Which is a pity, since .rar files are so much more compressible than .zip files. The difference is roughly the same between .gz and .bz2... What would be really easy is for anti-virus writers to include a RAR decompression library [unrarlib.org] and look inside the damned files, rather than reject useful technology for no good reason
  • ClamAV wins again... (Score:5, Informative)

    by Vellmont ( 569020 ) on Monday February 21, 2005 @04:05PM (#11738445) Homepage
    The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti spam/virus email service and it runs flawlessly).
  • by rainman_bc ( 735332 ) on Monday February 21, 2005 @04:07PM (#11738476)
    Just to point out that some places use stuff like UltimateZIP or something that'll handle all compressed archives, including ace and rar. It isn't just winrar that opens rar files.
  • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Monday February 21, 2005 @04:08PM (#11738494) Homepage Journal
    at least it is with my 2 subsidiaries there. Winzip does not do a Chinese version. RAR does.
  • Not a big deal (Score:3, Informative)

    by Artifakt ( 700173 ) on Monday February 21, 2005 @04:12PM (#11738527)
    As the article explains it (you do read the articles, don't you?), the .RAR has to be unpacked to reveal a file with dual extensions - like "Pron.jpg.exe".
    The user still has to be dumb enough to click on that .exe without running a virus scanner on it first. No one has made a .rar that somehow executes on its own.
    The article expresses a fear that there are people out there in cluelessland that will think "Gee, I know I should scan .exe's that came packed in .zip's, but this came packed in another compression. Duuh! it must be safe!".
    There may be three people on the whole planet who are actually at that particular mix of clueless and clueful states. The rest either still don't know the first thing about what a .rar or an .exe is, or they won't be fooled.
    If a journalist tried to make us all afraid of the risk of terrorists that try to sneak through customs by disguising themselves as Mexican Banditos, complete with bandoleers of bullets, some people would probably buy that too.
  • Re:Good news! (Score:2, Informative)

    by Anonymous Coward on Monday February 21, 2005 @04:13PM (#11738546)
    Last time I looked at WinRAR it had no support for NTFS Permissions, unlike WinZip. Which makes it pretty useless for backups outside of the proverbial mom's basement.
  • Re:Good news! (Score:2, Informative)

    by Anonymous Coward on Monday February 21, 2005 @04:15PM (#11738564)
    What would be really easy is for anti-virus writers to include a RAR decompression library and look inside the damned files, rather than reject useful technology for no good reason

    The FAQ claims that it doesn't open files produced by anything newer than WinRAR 2.9. Newer formats seem to be undocumented.
  • by xXDarkNinjaXx ( 525539 ) on Monday February 21, 2005 @04:16PM (#11738573) Journal
    I love ClamAV [clamav.net], props to all the developers and the clamav community [clamav.net]. They've been helpful to me.
  • REALLY old news (Score:3, Informative)

    by JohnVH ( 86999 ) on Monday February 21, 2005 @04:19PM (#11738608) Homepage
    Umm, this is REALLY old news. This particular method of trying to sneak past virus scanners has been around since at least March 2004 (search Google for W32.Beagle@mm!rar).
  • by Lehk228 ( 705449 ) on Monday February 21, 2005 @04:26PM (#11738664) Journal
    H+BDEV's AntiVir scans inside RAR files just fine, and has done so since at least 4 years ago.
  • by pe1chl ( 90186 ) on Monday February 21, 2005 @04:30PM (#11738698)
    I hope that served to teach you that e-mail is not a sensible mechanism to exchange executables.
  • by stupidfoo ( 836212 ) on Monday February 21, 2005 @04:36PM (#11738750)
    Unfortunately, a malicious person can still e-mail a macro virus by merely changing a .DOC file's extension to .RTF. (Microsoft should prevent Word from running macros in files with .RTF extensions, but it doesn't.)

    http://www.infoworld.com/articles/op/xml/00/10/30/001030oplivingston.html [infoworld.com]
  • by Anonymous Coward on Monday February 21, 2005 @04:53PM (#11738890)
    I had a test system get infected with a virus, and just as a test, I compressed the exe with ZOO, and none of the anti-virus programs would do anything about it, couldn't even detect it.

    converted to a self-extracting file, and it was still invisible.

    I even sent it off to NAV/SARC and McAfee, never heard a word back from them.

    So yes, it's possible and very easy to compress viruses in ways the anti-virus engines can't understand and they would slip right by...
  • by DarkEdgeX ( 212110 ) on Monday February 21, 2005 @04:58PM (#11738935) Journal
    I can't stand rar files. It's like saying "let's use this archive format that is different just because we want to be different."

    LOL, yes, this is exactly why I use RAR, honestly! Jesus you're dumb.

    Zip has been a standard for a long long time now, so what is the point in archiving in something completely different that then makes people go out and download and install yet another piece of software to have loaded in memory to do the same thing zip does.

    You know, the horse and carriage has been a standard for a long long time now, so what is the point in getting around in something totally faster that then makes people go out and buy something just like it when in the end it does the same thing as that horse and carriage.

    Clue: WinRAR compresses better, is more secure, and is a heck of a lot more feature rich than WinZIP. WinZIP is, to put it nicely, a piece of shit. And ZIP is outdated compared to RAR and 7-Zip (be it compression or security).

    What annoys me even more is when you download a movie file and someone rar's it up into a million different pieces. You aren't compressing it any and we aren't all on 14.4 modems anymore. Just make it a freaking iso or bin file and be done with it. Don't even get me started about people who rip cd's to mp3 but don't bother to run them through the online system to have it automatically assign cd and track titles. People are freaking lazy. If you are going to do something illegal like that at least do a good job and do it completely and correctly.

    Your newbieness truly knows no bounds. Please educate yourself, don't worry, we'll all wait:

    Now, STFU and sit.

  • Re:Good news! (Score:3, Informative)

    by Repton ( 60818 ) on Monday February 21, 2005 @05:05PM (#11738989) Homepage
    Of course, RAR is not the best [compression.ca] either...
  • by m50d ( 797211 ) on Monday February 21, 2005 @05:06PM (#11738996) Homepage Journal
    RAR is better compression, and the compression ratio is all that matters. I had 1.2gb of binaries to fit on a CD, tar+bzip2 had it at around 780mb (gzip I interrupted at around 900mb). Arj was 706, but rar did it without breaking into a sweat: 636 mb, I had enough space for feather linux as well.
  • clamav (Score:2, Informative)

    by spottedkangaroo ( 451692 ) * on Monday February 21, 2005 @05:06PM (#11739000) Homepage
    I was shocked to discover this is a problem in clamav's clamd, since it only uses the built in rar lib citing license restrictions.

    That made me kinda mad. The built in lib does rar up to 2.0, but won't look in 3.0s. What good is clamav with such a glaring hole in it?

    Yeah, I could use the command line scanner with arcane options to use the unrar app, but that won't help my 5,000 email subscribers. So I'm back to suggesting they use something like norton... (which technically I never stopped recommending for obvious reasons).

  • Well, er, good news! (Score:3, Informative)

    by hey! ( 33014 ) on Monday February 21, 2005 @05:07PM (#11739009) Homepage Journal
    1) If you think 7z is a trivial algorithm to implement, you REALLY haven't looked at it. Also there isn't (last time I checked) any Mac implementation.

    OK, the pzip people (p7zip project [sourceforge.net]) have ported it to the posix command line. But you'll have to compile it yourself and write your own GUI. But you can at least work with 7zip archives now.

  • Re:In other news (Score:3, Informative)

    by m50d ( 797211 ) on Monday February 21, 2005 @05:11PM (#11739038) Homepage Journal
    In case you were serious, http://www.password-crackers.com/crack.html#ARJ [password-crackers.com]
  • Re:Good news! (Score:3, Informative)

    by DrXym ( 126579 ) on Monday February 21, 2005 @05:12PM (#11739047)
    Bzip2 + tar gets as good compression as RAR and has the added benefit of being almost ubiquitous, as well as having decent open source tools for compression and extraction on virtually every platform. Multi-volume is simply a matter of calling split before storing it.
  • Re:Good news! (Score:2, Informative)

    by njyoder ( 164804 ) on Monday February 21, 2005 @05:25PM (#11739158) Journal
    Those tests weren't all that great. bzip2 is great at text compression for example, but not good at other stuff. It makes no sense to test it on binary files. I've seen ACE better than RAR in some tests, results vary. Also, I didn't see 7-zip or a lot of the lesser known formats tested.
  • by Alioth ( 221270 ) <no@spam> on Monday February 21, 2005 @05:32PM (#11739221) Journal
    Actually, UNIX doesn't necessarily need the file extension - the kernel looks at the file's 'magic number' (as well as the executable bit) to decide if it should be executed and how to execute it.
  • by HD Webdev ( 247266 ) on Monday February 21, 2005 @05:33PM (#11739225) Homepage Journal
    Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...

    .rar archives being infected is very old news as well as every other archive format.

    .rar files have been infected since they have existed and posted to USENET. Rar files are much better than zip files in that people can download (let's say) a .rar that's been split into 15 parts. By using smartpar [sourceforge.net], even if a part of that .rar is corrupted, Smartpar does parity and other checks to reconstruct the missing part(s)

    As you note, most people don't know about rar files. And even if they do, the anti-virus program will block the virus as soon as the rar set is put back together.

    This is a complete non-issue. Not to mention, Winrar, which creates and reassembles .rar files prompts users to scan files for infections before extracting them.
  • Not by Default! (Score:3, Informative)

    by lorcha ( 464930 ) on Monday February 21, 2005 @05:37PM (#11739272)
    > man clamd.conf
    [...]
    ScanRAR
    Enable scanning of RAR archives. Due to license issues libclamav does not support RAR 3.0 archives (only the old 2.0 format is supported). Because some users report stability problems with unrarlib it's disabled by default and must be enabled in the config file.
    Default: disabled
    [...]
  • F-Prot too! (Score:1, Informative)

    by Anonymous Coward on Monday February 21, 2005 @06:14PM (#11739513)
    F-Prot has been scanning multivolume RAR archives since version 3, WITHOUT USING EXTERNAL UNRAR like ClamAV does.
  • by swillden ( 191260 ) * <shawn-ds@willden.org> on Monday February 21, 2005 @06:40PM (#11739737) Journal

    Am I missing something really big that ClamAV just can't do?

    Get updates about a major new virus a week too late to do any good?

    I was working for a client who had a vigorously-enforced anti-virus policy. Before anyone is allowed to connect to the network, the I/T security dept. has to verify that they have an anti-virus package installed, running and up-to-date. This policy created a bit of a problem when I showed up with my laptop running Debian Linux. I tried to argue that there are no Linux viruses in the wild and, further, that as a 100% Windows shop, even if my machine did have a virus, it wouldn't run on any of *theirs*. No luck. "NO AV, NO NETWORK," was the decision from on high.

    Not expecting much, I ran "apt-cache search anti-virus" and was shocked to see that there were two different AV tools packaged by Debian, and that clamav even had the ability to scan local files on my system. I set it up to scan periodically, left "freshclam" set on the default update schedule (daily), showed the I/T security guy how it worked (and that it had found nothing), and he grudgingly allowed me on the network, convinced, I think, that my open source anti-virus tool *had* to be crap.

    A couple of days later, I noticed that ClamAV had flagged a file in my mailbox as being infected. It was a document that the client's project manager had sent me -- from a machine running an up-to-date copy of Norton Anti-Virus Gold, Corporate Edition. I reported the incident and didn't think much of it. I figured the manager that sent it to me must not have had his AV software running (Lord knows if I ran Windows I'd be tempted to shut the CPU- and RAM-hogging thing down so I could get some work done).

    Over the next two days, nearly all productive work in the I/T dept. ground to a halt, because by the time I got the infected document, almost the entire company was infected. I don't recall which virus it was (it didn't really interfere with anything I was doing), but I know they had a devil of a time getting it all cleaned up.

    As it turned out, NONE of the three major commercial AV tools deployed at the company detected the new virus until about a week later.

    I found out later that this experience is the rule, not the exception, with fast-moving new viruses. ClamAV is not only community-developed, but the database is community-maintained as well, so whenever a sysadmin somewhere notices a new virus, it gets added to the database very quickly. The commercial AV vendors don't move as quickly, and consequently their tools often miss fast-spreading viruses long enough for them to become a problem.

    ClamAV rocks.

  • by amanpatelhotmail.com ( 604171 ) on Monday February 21, 2005 @07:20PM (#11740015)
    Also I know a few people who send rar files through their work addresses because zip is blocked.

    Gmail blocks sending attachments of "executable" files, which includes .pl .exe .bat .com etc..., It even checks inside of zip, tar/gz archives to see if a file with matching extension is found. If it is found, gmail will not allow you to send your email.

    On the other hand if you compress your archive using RAR, gmail cannot check the contents and thus does not complain about executable files.
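    The gateway behaviour described in this post (look inside zip and tar.gz for executable names, go blind on RAR) and the "Pron.jpg.exe" double-extension trick from the earlier comment, as an added defender-side example that is not code from the original thread or from any mail provider. It assumes a constructed sample zip built in memory, an assumed set of "executable" extensions, and the public RAR/ZIP/gzip file signatures; the point is that an archive the filter cannot open should be held rather than silently allowed.

```python
import io
import tarfile
import zipfile

# Extensions a Gmail-style gateway treats as executable (the post names .pl .exe
# .bat .com; the rest of this set is an assumption, not any vendor's list).
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pl", ".scr", ".pif", ".vbs"}

# Public file signatures: RAR 4.x and 5.x, ZIP local-file header, gzip.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
ZIP_MAGIC = b"PK\x03\x04"
GZIP_MAGIC = b"\x1f\x8b"


def is_executable_name(name):
    """True for an executable extension, including 'Pron.jpg.exe' style doubles."""
    return any(name.lower().endswith(ext) for ext in EXEC_EXTENSIONS)


def has_double_extension(name):
    """True when a second extension sits in front of the executable one."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and is_executable_name(name)


def inspect_attachment(data):
    """Classify raw attachment bytes: ('block', [names]) when an executable
    member is found, ('unscannable', [note]) for a format this gateway cannot
    open (RAR), ('allow', []) for a clean zip/tar.gz, ('unknown', []) otherwise."""
    if data.startswith(RAR_MAGICS):
        # Same gap the post describes: the archive is opaque to the filter,
        # so a defender should hold or quarantine it rather than pass it through.
        return "unscannable", ["RAR archive: contents cannot be inspected here"]
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    elif data.startswith(GZIP_MAGIC):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
            names = tf.getnames()
    else:
        return "unknown", []
    flagged = [n for n in names if is_executable_name(n)]
    return ("block" if flagged else "allow"), flagged


def build_sample_zip():
    """Constructed test archive: a benign text file plus a double-extension name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "notes")
        zf.writestr("Pron.jpg.exe", "placeholder text, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment(build_sample_zip()))            # ('block', ['Pron.jpg.exe'])
    print(inspect_attachment(RAR_MAGICS[0] + b"\x00" * 16))  # ('unscannable', [...])
```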

  • by Nom du Keyboard ( 633989 ) on Monday February 21, 2005 @08:51PM (#11740607)
    still e-mail a macro virus by merely changing a .DOC file's extension to .RTF. (Microsoft should prevent Word from running macros in files with .RTF extensions, but it doesn't.)

    The workaround is to open all received e-mail on Windows machines using the included WordPad program. It reads both .DOC and .RTF files, but can't run macros.
