New Virus Attacks Via RAR Files
sscottsci writes "A new article at eWeek indicates that virus writers are using .RAR files to bypass filters and anti-virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."
Not a big deal (Score:3, Informative)
The user still has to be dumb enough to click on that
The article expresses a fear that there are people out there in cluelessland that will think "Gee, I know I should scan
There may be three people on the whole planet who are actually at that particular mix of clueless and clueful states. The rest either still don't know the first thing about what a
If a journalist tried to make us all afraid of the risk of terrorists that try to sneak through customs by disguising themselves as Mexican Banditos, complete with bandoleers of bullets, some people would probably buy that too.
Re:Good news! (Score:2, Informative)
The FAQ claims that it doesn't open files produced by anything newer than WinRAR 2.9. Newer formats seem to be undocumented.
Re:Is this really a big deal? (Score:5, Informative)
http://www.infoworld.com/articles/op/xml/00/10/30
ZOO format files have the same problem (Score:1, Informative)
converted to a self-extracting file, and it was still invisible.
I even sent it off to NAV/SARC and McAfee, never heard a word back from them.
so yes, its possible and very easy to compress viruses in ways the anti-virus engines can't understand and they would slip right by...
Re:limited scope at best (Score:3, Informative)
LOL, yes, this is exactly why I use RAR, honestly! Jesus you're dumb.
You know, the horse and carriage has been a standard for a long long time now, so what is the point in getting around in something totally faster that then makes people go out and buy something just like it when in the end it does the same thing as that horse and carriage.
Clue: WinRAR compresses better, is more secure, and is a heck of a lot more feature rich than WinZIP. WinZIP is, to put it nicely, a piece of shit. And ZIP is outdated compared to RAR and 7-Zip (be it compression or security).
Your newbieness truly knows no bounds. Please educate yourself, don't worry, we'll all wait:
Now, STFU and sit.
clamav (Score:2, Informative)
That made me kinda mad. The built in lib does rar up to 2.0, but won't look in 3.0s. What good is clamav with such a glaring hole in it?
Yeah, I could use the command line scanner with arcane options to use the unrar app, but that won't help my 5,000 email subscribers. So I'm back to suggesting they use something like Norton... (which technically I never stopped recommending, for obvious reasons).
Well, er, good news! (Score:3, Informative)
OK, the pzip people (p7zip project [sourceforge.net]) have ported it to the POSIX command line. But you'll have to compile it yourself and write your own GUI. But you can at least work with 7zip archives now.
Re:Is this really a big deal? (Score:5, Informative)
As you note, most people don't know about rar files. And even if they do, the anti-virus program will block the virus as soon as the rar set is put back together.
This is a complete non-issue. Not to mention, Winrar, which creates and reassembles
Re:ClamAV wins again... (Score:4, Informative)
Am I missing something really big that ClamAV just can't do?
Get updates about a major new virus a week too late to do any good?
I was working for a client who had a vigorously-enforced anti-virus policy. Before anyone is allowed to connect to the network, the I/T security dept. has to verify that they have an anti-virus package installed, running and up-to-date. This policy created a bit of a problem when I showed up with my laptop running Debian Linux. I tried to argue that there are no Linux viruses in the wild and, further, that as a 100% Windows shop, even if my machine did have a virus, it wouldn't run on any of *theirs*. No luck. "NO AV, NO NETWORK," was the decision from on high.
Not expecting much, I ran "apt-cache search anti-virus" and was shocked to see that there were two different AV tools packaged by Debian, and that clamav even had the ability to scan local files on my system. I set it up to scan periodically, left "freshclam" set on the default update schedule (daily), showed the I/T security guy how it worked (and that it had found nothing), and he grudgingly allowed me on the network, convinced, I think, that my open source anti-virus tool *had* to be crap.
A couple of days later, I noticed that ClamAV had flagged a file in my mailbox as being infected. It was a document that the client's project manager had sent me -- from a machine running an up-to-date copy of Norton Anti-Virus Gold, Corporate Edition. I reported the incident and didn't think much of it. I figured the manager that sent it to me must not have had his AV software running (Lord knows if I ran Windows I'd be tempted to shut the CPU- and RAM-hogging thing down so I could get some work done).
Over the next two days, nearly all productive work in the I/T dept. ground to a halt, because by the time I got the infected document, almost the entire company was infected. I don't recall which virus it was (it didn't really interfere with anything I was doing), but I know they had a devil of a time getting it all cleaned up.
As it turned out, NONE of the three major commercial AV tools deployed at the company detected the new virus until about a week later.
I found out later that this experience is the rule, not the exception, with fast-moving new viruses. ClamAV is not only community-developed, but the database is community-maintained as well, so whenever a sysadmin somewhere notices a new virus, it gets added to the database very quickly. The commercial AV vendors don't move as quickly, and consequently their tools often miss fast-spreading viruses long enough for them to become a problem.
ClamAV rocks.
Re:Is this really a big deal? (Score:3, Informative)
Gmail blocks sending attachments of "executable" files, which includes .pl, .exe, .bat, .com, etc. It even checks inside of zip and tar/gz archives to see if a file with a matching extension is found. If it is found, Gmail will not allow you to send your email.
On the other hand if you compress your archive using RAR, gmail cannot check the contents and thus does not complain about executable files.
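The gap the comment above describes (a filter that enumerates ZIP and tar.gz members but waves through anything it cannot open) can be reproduced and closed in a few dozen lines. The following is an added example written for this page; it is not Gmail's code, ClamAV's code, or anything from the eWeek article. The blocked-extension list is a constructed subset, the sample archives are built in memory, and the two RAR inputs are header-only byte strings constructed from the well-known signatures (`Rar!\x1a\x07\x00` for RAR 1.5-4.x, `Rar!\x1a\x07\x01\x00` for RAR 5), not real archives. The example goes slightly beyond the comment by identifying the container from its magic bytes rather than its file name, so renaming `report.rar` to `report.txt` does not change the outcome.

```python
import io
import tarfile
import zipfile

# Constructed subset of the "executable" extensions the comment says Gmail rejects.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".com", ".pl", ".cmd", ".scr", ".vbs", ".js"}

# Container identification by leading bytes, independent of the attachment's name.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"Rar!\x1a\x07\x00", "rar4"),      # RAR 1.5 through 4.x share this 7-byte signature
    (b"Rar!\x1a\x07\x01\x00", "rar5"),  # RAR 5.x uses an 8-byte signature
    (b"7z\xbc\xaf\x27\x1c", "7z"),
]


def identify(data: bytes) -> str:
    """Return a format label from the first bytes, or 'unknown'."""
    for signature, label in MAGIC:
        if data.startswith(signature):
            return label
    return "unknown"


def has_blocked_extension(name: str) -> bool:
    """Case-insensitive suffix match, so 'invoice.pdf.EXE' is still caught."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def list_members(data: bytes, fmt: str):
    """Enumerate file names inside the container; None means 'could not look inside'."""
    if fmt == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    if fmt == "gzip":
        # Assume tar.gz; a bare .gz holding a single file is not a tar and falls through.
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
                return [m.name for m in tf.getmembers() if m.isfile()]
        except tarfile.ReadError:
            return None
    return None  # rar4 / rar5 / 7z / unknown: no parser here, contents are opaque


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Check the outer name and, where possible, every member name."""
    fmt = identify(data)
    members = list_members(data, fmt)
    result = {"filename": filename, "format": fmt,
              "inspectable": members is not None, "flagged": []}
    if has_blocked_extension(filename):
        result["flagged"].append(filename)
    if members is not None:
        result["flagged"].extend(m for m in members if has_blocked_extension(m))
    return result


def permissive_verdict(result: dict) -> str:
    """Extension matching only: an archive the filter cannot open passes (the gap described above)."""
    return "reject" if result["flagged"] else "allow"


def fail_closed_verdict(result: dict) -> str:
    """Reject on a hit, and also reject any recognised container whose members could not be listed."""
    if result["flagged"]:
        return "reject"
    if result["format"] != "unknown" and not result["inspectable"]:
        return "reject"
    return "allow"


# Constructed sample attachments (built in memory; the RAR entries are signature bytes only).
def _make_zip(names):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"MZ fake payload")
    return buf.getvalue()


def _make_targz(names):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for n in names:
            payload = b"@echo off"
            info = tarfile.TarInfo(n)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


SAMPLES = {
    "photos.zip": _make_zip(["vacation.jpg", "invoice.pdf.EXE"]),
    "tools.tar.gz": _make_targz(["README", "setup.bat"]),
    "report.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 32,
    "report5.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = inspect_attachment(name, data)
        print(f"{name:14} {r['format']:8} inspectable={r['inspectable']!s:5} "
              f"flagged={r['flagged']} permissive={permissive_verdict(r)} "
              f"fail_closed={fail_closed_verdict(r)}")
```

Two practical notes. First, `permissive_verdict` lets both RAR samples through because there is nothing to enumerate, which is exactly the behaviour the comment reports; `fail_closed_verdict` turns "could not inspect" into a reject, which is the policy a mail gateway should apply to any container it has no parser for. Second, listing tar.gz members decompresses the whole gzip stream to reach the headers, so a production filter should cap input size before calling `list_members`, whereas ZIP member names come from the central directory without decompressing anything.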
Re:Is this really a big deal? Use WordPad (Score:4, Informative)
The workaround is to open all received e-mail on Windows machines using the included WordPad program. It reads both .DOC and .RTF files, but can't run macros.