New Virus Attacks Via RAR Files

sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."
  • Can't scan rar?? (Score:5, Insightful)

    by nuclear305 ( 674185 ) * on Monday February 21, 2005 @03:58PM (#11738353)
    "Most anti-virus software cannot scan a .RAR file"

    What? Is it really a case where the software can't scan the archive or is it just that it's not included in the default types of files to scan?

    Just tested this on AVG and it indeed scans rar archives.
  • No problem! (Score:4, Insightful)

    by ChibiLZ ( 697816 ) * <john AT easygoldguide DOT com> on Monday February 21, 2005 @03:59PM (#11738362) Homepage Journal
    I fail to see the problem here. TFA says that the .rar contains a file like foto.jpg.exe. This is nothing new, they're just using a better compression program to spread their malware.

    Carry on with the downloading, there's nothing to see here...
  • The Bright Side (Score:5, Insightful)

    by Dachannien ( 617929 ) on Monday February 21, 2005 @03:59PM (#11738370)
    Fortunately, your grandmother has no clue what a .rar file is or how to open one, leaving her safe from infection by this new method. In fact, it's fairly safe to say that the only people who will get owned by .rar file viruses are lamer hax0r wannabes desperate for more pr0n.

  • by IInventedTheInternet ( 818590 ) on Monday February 21, 2005 @04:01PM (#11738385)
    And I've always extracted and scanned the contents before executing.

    It just makes sense to me.
  • How's this new? (Score:5, Insightful)

    by Phanatic1a ( 413374 ) on Monday February 21, 2005 @04:02PM (#11738405)
    It's not that there's a virus piggybacked on the .rar, which you infect yourself with by unraring the .rar, it's that they're sending around .rared viruses, which you infect yourself with if you unrar and then execute them.

    Not seeing the problem, aside from the same old 'don't go happy-assing around executing any damn old executable that someone emails you.'
  • by zbeeble ( 808759 ) on Monday February 21, 2005 @04:07PM (#11738472)
    I suppose it depends what you download. But quite a lot of games and movies are compressed with rar. Also I know a few people who send rar files through their work addresses because zip is blocked.
  • RAR bombs (Score:2, Insightful)

    by Schreckgestalt ( 692027 ) on Monday February 21, 2005 @04:07PM (#11738473)
    This is great. They have still not all figured out how to avoid bzip2 bombs [netsys.com], how are they supposed to be able to scan RAR files? I mean, heck, they can't adopt a new compression file every 2 weeks! Oh wait...
  • So.. (Score:2, Insightful)

    by mysidia ( 191772 ) on Monday February 21, 2005 @04:10PM (#11738509)

    If your firewall blocks ZIP files and RAR files, then how are you supposed to exchange groups of files with your friends efficiently?

    Isn't the WHOLE POINT of having archive file software on your computer defeated by blocking content with these extensions?

  • Re:Good news! (Score:3, Insightful)

    by Stoutlimb ( 143245 ) on Monday February 21, 2005 @04:10PM (#11738515)
    That's funny because I know several. All they had to do was see the same files compressed with ZIP, and again with RAR. Once they saw WinRAR did everything WinZIP could do, and then some, and was easier to boot, they switched.

    Face it, people are slowly moving to a better and more efficient format. All we have is some virus protection companies who are on the slow end of adapting to new technologies. And it's not all that new, RAR has been around for at least 5 years.

    Do you really want to trust an anti-virus company that can't deal with semi-popular 5 year old compression protocols?
  • Re:The Bright Side (Score:2, Insightful)

    by AndroidCat ( 229562 ) on Monday February 21, 2005 @04:10PM (#11738516) Homepage
    I'd feel more comfortable if so many idiots hadn't managed to follow the directions to open encrypted zips and run the malware inside. :)
  • by rkmath ( 26375 ) on Monday February 21, 2005 @04:13PM (#11738542)
    It is true that most warez files are compressed using RAR. But it is also true that the general warez kiddie is not the type who would click on any executable without some virus checking. (Yes - it seems a shame - but the run of the mill warez kiddie is not the clueless user who clicks on every attachment in their email).

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday February 21, 2005 @04:13PM (#11738544)
    Comment removed based on user account deletion
  • Re:Good news! (Score:2, Insightful)

    by Minute Work ( 749085 ) <[moc.oohay] [ta] [etaripi]> on Monday February 21, 2005 @04:14PM (#11738551)
    I haven't seen a (legitimate American) business that uses RAR files for any reason. Any company that prohibits users from installing extra software would thus prohibit their users from installing a RAR decompressor. It would also be very easy to delete all incoming RAR files or reject the message with something like "Please send a ZIP file" instead. Until people start sending ZIP files (which are rejected after being virus-scanned) this is largely a non-threat.


    Nice elitist answer there. YOU can't think of a good purpose to use .rar files so therefore we shouldn't bother. I've been using WinRAR from http://www.rarsoft.com/ [rarsoft.com] for years because it has been able to handle .ZIP, .RAR, and most importantly, .tar.gz files for those of us working in a dual windows/unix(linux) environment. Most of the Zip utilities that have been provided by the companies that I work for have provided a client only capable of accessing zip formats.

    Also, I prefer the .RAR format BECAUSE other programs have a harder time peeking around in them. Most of the things I put in a .RAR file I want to be kept confidential and I password the file. Granted this isn't top-notch security but it's sufficient to deter most snoopers. (I don't trust network admins.)
  • by Repugnant_Shit ( 263651 ) on Monday February 21, 2005 @04:15PM (#11738565)
    One of our customers started blocking zip files. So now we either rename them to zi_ or use another kind of compression (rar, gzip, etc.). What on earth is the difference? A virus can latch on to whatever it wants - it would take almost no effort on the part of the author.

    What will fix this is more knowledgeable users and up-to-date antivirus software. My own users get viruses from other people, but either the antivirus software catches it, or they simply call and ask what they should do (delete or send it to me first).

    Soon our customer will probably start blocking rar files, then zi_ files. It is probably one of the laziest ways to block viruses, and not really that effective at it.
  • by Temsi ( 452609 ) on Monday February 21, 2005 @04:16PM (#11738581) Journal
    Personally I prefer WinRAR to any compression program currently available.
    Unfortunately, WinZip sucks beyond words.
    XP's Native handling of Zip files is annoying at best, and is usually one of the first things I disable whenever I install XP.

    I guess I just don't understand what the "nightmare" part is about WinRAR.

    How easy does it have to be, really? Select files, right click, select "add to archive" or "add to filename.rar" and let it run. You're done.
    Extracting is even easier. Right click, select "Extract files" to get a path choice, "Extract Here" to uhm, extract in the current folder or "Extract to filename" which creates a folder with the same name as the file.

    Not to mention the bonus features you get if you bother to open the program, such as file recovery and repair, authentication checking, and the ability to extract from a partial set and even extract broken files if you really, really need them.

    However, this should not be an issue at all, since most people don't have any support for RAR files and therefore can't open them to run the executable inside it (which is monumentally stupid anyway and whoever does, deserves whatever crap they get installed as a result of that action).

    As for the "yet" part of blocking...
    When are we going to put the responsibility in the hands of the user and stop dumbing down the internet? There are those of us who actually know what we're doing, don't open unknown attachments, never get viruses or trojans and always get pissed off when email servers filter out valid files.
    I can't even send a bloody Word document because of the "risk of macros".

    Gimme a freakin' break already.

    Listen up people, if you're too dumb to use email without infecting your computer with the latest malware, maybe you should reconsider email as your communications method of choice.
  • FUD FACTOR (Score:1, Insightful)

    by Anonymous Coward on Monday February 21, 2005 @04:17PM (#11738588)
    F.U.D. FEAR UNCERTAINTY and DOUBT. This is a ploy to scare the masses. This is not really new. This isn't even that much of a risk to most companies. Rar is not a standard that IT people rely on. This seems to be aimed at generating FUD into the public. This can happen in any type of compression tool.
    Yes AV scanners can scan RAR files.
    Where does this guy get off saying you can't block .rar file types at the FW. I don't have any problems with blocking any type of attachments.
    This article is crap and only posted to stir a commotion.
    We shouldn't waste anymore time on this post. I am sure we have something important to discuss.
  • by hab136 ( 30884 ) on Monday February 21, 2005 @04:22PM (#11738630) Journal
    I've always wondered why a virus writer couldn't just wrap a virus in a self-extracting encryption algorithm? [...] How could scanning for a virus figure that as a virus (unless you block all executables)?

    You've answered your own question - most corporations and free email providers block executables.

  • Re:Good news! (Score:5, Insightful)

    by fireboy1919 ( 257783 ) <rustyp AT freeshell DOT org> on Monday February 21, 2005 @04:23PM (#11738636) Homepage Journal
    You give compelling arguments why both zip and rar are used: they became popular when the speed/efficiency compromise mattered. Using either now is simply due to habit and culture.

    There isn't an advantage for most users.

    bzip2, 7z, and many more compression formats are better, and you can find archive spanning programs for every single compression technique because that's such a trivial algorithm to implement.

    I can't come up with a reason why you'd use rar OR zip.
  • by emarkp ( 67813 ) <[moc.qdaor] [ta] [todhsals]> on Monday February 21, 2005 @04:27PM (#11738673) Journal
    ...when you block filetypes.

    Educate the users not to be morons. At our site, we've had trouble working with a university because our ISP removes .exe files from attachments and their server removes .zip files. Pretty hard to exchange executables in that kind of environment.

    Now we use an ftp server. All because idiots click on attachments without thinking.

  • by LoRdTAW ( 99712 ) on Monday February 21, 2005 @04:27PM (#11738676)
    Warez has changed a lot in the past years. Gone are the days where you had to know someone with an ftp site (similar to the old BBS days). Back then you had to know what you were doing and how to talk your way in. Enter edonkey/kazaa and bittorrent where any joe can download anything they want. I know my brother's friends download using emule and they certainly don't know any more than your average joe.
  • Re:No problem! (Score:4, Insightful)

    by dan_sdot ( 721837 ) on Monday February 21, 2005 @04:30PM (#11738706)
    TFA says that the .rar contains a file like foto.jpg.exe.
    I actually believe that if Windows didn't "Hide the file extension for known types", as is the default setting, viruses would be a much less serious issue. In other words, what they see for that file is "foto.jpg". They know what a jpg file is, and forget that Windows is actually hiding the true file extension. I think most people actually know that you shouldn't open an exe file from an unknown source, but hiding the file extension makes people forget.
    Just another example of how very often trying to make computers "easier to use" actually makes things more of a pain in the butt when it comes down to it.
  • by Anonymous Coward on Monday February 21, 2005 @04:34PM (#11738741)
    Couldn't an EXE be created that will unrar the archive and then execute the virus?

    I'm certain it's the compression technique used by RAR more over than a virus that is being hidden itself.

    In other news .. Most Windows based Anti-virus programs do not scan EXT3 partitions.
  • Re:Big deal (Score:3, Insightful)

    by pe1chl ( 90186 ) on Monday February 21, 2005 @04:36PM (#11738747)
    So what you could really do is:

    - write a program that installs a trojan
    - write documentation that says it handles .whatever files
    - make sure Google has indexed it
    - send .whatever files around

    People will download and install your trojan all by themselves! Profit!
  • by Anonymous Coward on Monday February 21, 2005 @04:38PM (#11738777)
    XP's Native handling of Zip files is annoying at best, and is usually one of the first things I disable whenever I install XP.

    I guess I just don't understand what the "nightmare" part is about WinRAR.

    How easy does it have to be, really? Select files, right click, select "add to archive" or "add to filename.rar" and let it run. You're done.
    Extracting is even easier. Right click, select "Extract files" to get a path choice, "Extract Here" to uhm, extract in the current folder or "Extract to filename" which creates a folder with the same name as the file.


    Wait, so you don't like Windows XP's way of handling ZIP files, but then you go on to describe using RAR that sounds like it works in exactly the same way.

    Choose a bunch of files. Right click and choose "Send To -> Compressed Folder". Right click a Zip file and choose "Extract All". Choose a location to extract the files to.

    Sounds almost exactly like the way you described WinRAR.

    Except for one thing: I can explore into Zip files just like any other folder. Double click on it, and it opens in an Explorer window, just like a folder. (By the way, you can also choose "Explore" on Zip files if you want to use the Explorer style interface instead of the new window interface.)

    You can copy files in and out, just like any other folder. Sounds smooth to me. Last time I checked WinRAR, it did not work like that, instead the RAR file would open up inside WinRAR and display as a long list of files instead of the much cleaner list of icons you get with Windows XP's Zip support.

    I can't imagine why you'd find Windows XP's Zip support annoying. I prefer it over WinZip, which is a shoddy program.
  • *sigh* (Score:5, Insightful)

    by Nephroth ( 586753 ) on Monday February 21, 2005 @04:45PM (#11738831)
    This bothers me, it always bothers me when something that is not a vulnerability gets pegged as one. .RAR is not a vulnerability, and it's not a means for spreading viruses any more than any other format is. The vulnerability lies in short-sighted software development that failed to take into account that perhaps .RAR files might be used in addition to .ZIP. It's similar to the claims that international support in mozilla was a vulnerability. It isn't. The USER is the vulnerability, educate the user and the vast majority of these problems will go away.

    Why didn't we have problems like this in the past? Why did virus writers have to be so much more clever? It was because the only people using computers had at least something of an idea of what they were doing. Viruses are, for the most part, easily avoided. It's only when users are clueless and trusting that they are allowed to flourish.
  • by smakx ( 861510 ) on Monday February 21, 2005 @05:02PM (#11738966)
    I am unaware of any av software I have seen (I have seen and configured most) that cannot extract rar (even embedded levels deep) and scan the enveloped files. It seems like tech news sites are taking a cue from american media (and american leadership) by sensationalizing non problems. There are plenty of real issues to deal with and bs problems like these make it harder to sift through all the crap to find what really matters. The command-line virus scanner I used to scan files that were uploaded to my bbs in 1986 could scan within rar (and most other) compressed files. Perhaps the people reporting news on technical news sites should have some sort of technical background and (preferably) experience.
  • by RaguMS ( 149511 ) on Monday February 21, 2005 @05:04PM (#11738976) Journal
    Correct me if I'm wrong, but I do not understand how this poses a new threat to any system that is protected by a working antivirus.
    Scenario 1: System cannot unpack .rar files. System is safe from virus.
    Scenario 2: System can unpack .rar files. User manually executes virus contained in .rar file. File is first decompressed to the Temp directory, where antivirus catches it.

    I just tested eTrust Antivirus, and it does catch the EICAR test file if I try to open it from a RAR, so I don't see what the problem is.
  • Re:uh... (Score:2, Insightful)

    by cavemanf16 ( 303184 ) on Monday February 21, 2005 @05:09PM (#11739027) Homepage Journal
    Yes, he most definitely is. My sister-in-law worked, briefly, for a small, regional art distribution company. Her supervisor infected the company (and shut them down - the whole company - for days at a time) TWICE because she thought the virus-ridden "email was sent directly to her, so it must have been legitimate." This is also the same supervisor who nearly gave my sister-in-law a written warning because she changed the Windows desktop wallpaper, stating that doing so could make viruses happen and icons magically disappear.

    Yes, the average user IS just that dumb.
  • by Trejkaz ( 615352 ) on Monday February 21, 2005 @05:17PM (#11739085) Homepage

    If zip (or any) files are blocked, I like sending files encrypted, or merely scrambled.

    You would be surprised how few email filters detect an attachment which is simply sent as Base64 or UUEncoded text, in the body. As it's not an attachment, it frequently gets ignored.

  • by Zed2K ( 313037 ) on Monday February 21, 2005 @05:19PM (#11739106)
    Let's look at some of those "reasons" for using rar:

    "Because the releases consists of small parts you don't have to worry about re-downloading the whole release if something goes wrong and a file gets corrupted."

    BS. In this day and age of high speed internet this is not relevant. Especially while using torrent files. It really wasn't ever relevant during the modem/bbs days. Z-modem had resume downloads and everyone used it. No need for rar then.

    "You can control that everything has been downloaded correctly by checking against the SFV-file. Hence you will always know whether you've gotten a complete uncorrupt release of what you were downloading."

    Again not relevant. If you are taking the time to d/l instead of actually buy something why the hell would you care if it was complete? As long as it's not infected (which you just scan it to find out) and works then who cares.

    "You can download from multiple sources at the same time - ensuring comfort and maximizing your download speed."

    Torrent files and high speed internet trumps this one too. Another not relevant "argument".

    "We get a standardized way of sharing, which DC obviously benefits greatly from. You will learn to recognize a good release and be spared the inconvenient trouble/surprise of poorly ripped movies by amateurs."

    Opinion. Yeah, those handicam releases of highly compressed video sure do benefit from being split into hundreds of small files and stuck into another archive. Clue, you don't gain anything by recompressing video.

    I have yet to EVER hear of a valid reason to use rar. It seems people use it to be difficult and that's about it. And don't give me the bs about newsgroups. They are slow and unreliable and extinct.

    "Clue: WinRAR compresses better, is more secure, and is a heck of a lot more feature rich than WinZIP. WinZIP is, to put it nicely, a piece of shit. And ZIP is outdated compared to RAR and 7-Zip (be it compression or security)."

    What possible features could you want except that it compresses (who gives a shit about sizes these days) and it extracts. Passwords are a pain in the ass and anyone that password locks their archive then uploads it for people is just trying to get their hit counts up for their web sites.

    So again I ask, give me a good reason why rar is better?
  • by Lord Kano ( 13027 ) on Monday February 21, 2005 @05:21PM (#11739126) Homepage Journal
    doubt eweek's demographic is strong in the 'warez' crowd. And if you're in charge of a corporate firewall and your users are downloading 'warez', you've got serious problems.

    Contrary to popular opinion, Corporate admins aren't the only people who worry about security.

    LK
  • by RicoX9 ( 558353 ) <ricoNO@SPAMrico.org> on Monday February 21, 2005 @05:23PM (#11739143) Homepage
    As for the "yet" part of blocking... When are we going to put the responsibility in the hands of the user and stop dumbing down the internet?

    When the stupid end users stop downloading everything they can to infect their PC's with spy/mal-ware. You are the EXCEPTION. "End User" is equivalent to a 4-letter word in our department. Every inch you give them is a mile they make you walk to fix their problems.

    Sounds like you've never worked any kind of support job. People do stupid things that you tell them not to do. They will do them multiple times, after being told not to multiple times. Some of them are management, and therefore not generally subject to punishment for violating said rules. Everyone must have their pretty screen savers, fun animated cursors, and dressed up email "stationery".

    Don't get me wrong, you sound like someone who is fairly educated in what not to do. As the MIS/IT/IS dept, we do these things in self defense. It's not you who has to answer to the CIO/CEO as to why we got nailed by the XXX worm/trojan/virus.

    My 2cents...
  • by mabinogi ( 74033 ) on Monday February 21, 2005 @05:25PM (#11739159) Homepage
    and they don't so much care about it, as install some piece of shit filter, leave all the defaults on no matter how idiotic they are in the sense of the business they are "protecting", and feel happy in the knowledge that someone else is worrying about security for them (not bitter, honest)...
  • Re:*sigh* (Score:3, Insightful)

    by Alan Hicks ( 660661 ) on Monday February 21, 2005 @05:45PM (#11739328) Homepage
    It's similar to the claims that international support in mozilla was a vulnerability. It isn't. The USER is the vulnerability, educate the user and the vast majority of these problems will go away.

    While I agree with you to some extent, you picked a really poor example there. The international characters in the URL toolbar are really very deceptive. Allow me to offer you two picture links.

    Letter "a" [fileformat.info]
    Letter "a" [fileformat.info]

    Now you tell me which one is the cyrillic character, and which is the roman character. I don't know about you but my eyes are not that good! It would be trivial for someone to mask their domain in a link as another domain, provided the spoofed domain has a roman letter "a" in it anywhere. You could even set up a proxy server to listen for connections to something like https://paypal.com and respond normally. What's more, the web browser wouldn't issue an SSL alert, because the SSL cert would match the fake "paypal.com".

    rot 13
    Gur frpbaq yrggre vf gur ebzna "n".
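
A filter-side check for the look-alike hostname described in the comment above, added here as an example and not part of the original thread. The confusable table is a small constructed subset of Cyrillic letters, and `PROTECTED` is a hypothetical watchlist holding the one name the comment mentions.

```python
import unicodedata

# Constructed subset: Cyrillic letters that render like Latin ones in most fonts.
CONFUSABLE = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}

# Hypothetical watchlist of labels worth protecting (assumption for this example).
PROTECTED = {"paypal"}


def scripts_in(label):
    """Return the set of scripts used by the letters of one DNS label.

    The script is taken from the first word of the Unicode character name,
    e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'. Digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label):
    """Map known look-alike letters to their Latin twin."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in label.lower())


def check_host(host):
    """Return findings for a hostname; an empty list means nothing suspicious."""
    findings = []
    for label in host.lower().split("."):
        if label.isascii():
            continue  # pure ASCII labels cannot hide a foreign letter
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append("mixed-script:" + "+".join(sorted(scripts)))
        if skeleton(label) in PROTECTED:
            findings.append("lookalike-of:" + skeleton(label))
    return findings


def to_ascii(host):
    """Show the hostname the way DNS sees it (punycode for non-ASCII labels)."""
    return host.encode("idna").decode("ascii")


if __name__ == "__main__":
    # Constructed samples: the second one has a Cyrillic 'a' as its second letter.
    for sample in ("paypal.com", "p\u0430ypal.com"):
        print(repr(sample), to_ascii(sample), check_host(sample))
```

Displaying the `to_ascii` form in logs or in the address bar makes the two names visibly different even when the glyphs are not.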

  • by tod_miller ( 792541 ) on Monday February 21, 2005 @05:49PM (#11739359) Journal
    Why even **consider** having to block rar files?

    THEY ARE USEFUL ESPECIALLY OVER A NETWORK, you know, they reduce file sizes.

    Instead: educate, and write decent sandboxing / active protection software that will scan on decompress.

    OK, don't botch the job, do it right.

    blocking rar files... great then all warez sites will rename to .r4r or something. get real. what are we, a bunch of 3rd grade marketing types?
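
Several comments above point out that extension blocking is defeated by renaming (`zi_`, `.r4r`) and that `foto.jpg.exe` relies on the hidden final extension. The sketch below, added here as an example and not part of the original thread, classifies an attachment by its leading bytes instead of its name and flags double-extension members; the sample attachments and the finding strings are constructed for illustration.

```python
import io
import re
import zipfile

# Leading bytes ("magic numbers") of the formats named in the thread.
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"MZ", "pe-exe"),
]

# Extensions that honestly describe each detected content type.
EXT_FOR_KIND = {
    "rar4": {"rar"}, "rar5": {"rar"}, "zip": {"zip"}, "7z": {"7z"},
    "gzip": {"gz", "tgz"}, "bzip2": {"bz2"},
    "pe-exe": {"exe", "scr", "cpl", "com"},
}

# Executable extensions listed by commenters in this thread.
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cpl", "vbs", "wsh"}

# A harmless-looking extension followed by an executable one, e.g. foto.jpg.exe
DOUBLE_EXT = re.compile(
    r"\.(jpe?g|gif|png|txt|doc|pdf)\.(%s)$" % "|".join(sorted(EXECUTABLE_EXT)),
    re.IGNORECASE,
)


def sniff(data):
    """Return the content type implied by the first bytes, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_name(name):
    """Flag names that are executable or hide an executable extension."""
    if DOUBLE_EXT.search(name):
        return ["double-extension:" + name]
    if extension(name) in EXECUTABLE_EXT:
        return ["executable:" + name]
    return []


def inspect_attachment(filename, data):
    """Return a list of findings for one attachment (empty list = clean)."""
    findings = check_name(filename)
    kind = sniff(data)
    if kind and extension(filename) not in EXT_FOR_KIND[kind]:
        findings.append("content-is-%s-but-named:%s" % (kind, filename))
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings += check_name(member)
        except zipfile.BadZipFile:
            findings.append("unreadable-zip")
    elif kind in ("rar4", "rar5"):
        # The standard library cannot list RAR members; hand off to a scanner
        # that can unpack RAR rather than passing the file through unchecked.
        findings.append("rar-needs-unpacker")
    return findings


def build_samples():
    """Constructed attachments: a renamed zip, a renamed RAR header, plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.jpg.exe", b"MZ" + b"\x00" * 62)  # dummy bytes, not a program
        zf.writestr("readme.txt", b"hello")
    return {
        "photos.zi_": buf.getvalue(),
        "movie.r4r": b"Rar!\x1a\x07\x00" + b"\x00" * 32,
        "notes.txt": b"plain text",
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, inspect_attachment(name, data))
```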
  • Slow news day! (Score:5, Insightful)

    by francisew ( 611090 ) on Monday February 21, 2005 @06:06PM (#11739467) Homepage

    Why exactly does putting viruses into .rar's count as a new virus attack technique?

    This is the same thing that has been going on for a long time with viruses in compressed files.

    What's next, complaining that there are viruses in tar files? Suggesting that propagation of viruses by usb-flash drives, DVD-RW's, SD camera memory and so on... are new vectors of propagation?

    This seems like a really lousy way of trying to instill virus paranoia in people to sell more A/V software.

    Then again, maybe my tinfoil hat is just a bit tight today. Does anyone think there is merit to this article?

  • by Jhon ( 241832 ) * on Monday February 21, 2005 @06:44PM (#11739757) Homepage Journal
    I'd bet dollars to donuts you are a user, not an admin.

    Attack against users? What user needs to receive .SCR files via email? Seriously. How about .CPL files? How about .exe files? or .com files? Or .bat? or .vbs?

    All the typical vectors of viruses/worms. Who in billing, or sales/marketing, or whatever NEEDS those files?

    When you weigh the cost between the constant drain on IT resources broken OSs (from viruses, unapproved 3rd party apps, etc) would cost, you can't SERIOUSLY hold your position as someone in charge of security.

    Our email server blocks up to 2000 (sometimes more) of the above extensions. Most are IDd viruses (netsky, bagle, etc). The RARE occasion it blocks something not IDd is due to a NEW virus that hasn't made it to the virus-def file on the scanners.
    I'm constantly amazed by the number of people..
    And I'm constantly amazed by the number of ACs who pretend to know things and act indignant.
  • by Anonymous Coward on Monday February 21, 2005 @06:56PM (#11739835)
    the kernel looks at the file's 'magic number' (as well as the executable bit) to decide if it should be executed and how to execute it.

    What unix distribution executes files based on magic number and NOT the executable bit???

  • by arodland ( 127775 ) on Monday February 21, 2005 @07:07PM (#11739927)
    Rar files are much better than zip files in that people can download (let's say) a .rar that's been split into 15 parts.


    ZIP has been able to do this since long before RAR has existed; it just wasn't very convenient. ARJ and loads of other archivers could do it conveniently, but ZIP became a de-facto standard on PR grounds, rather than technical ones. RAR is pretty much exactly the same as any number of formats that existed 15 years ago, but people are willing to adopt it because it's new and better, rather than old and better :)
  • by sfm ( 195458 ) on Monday February 21, 2005 @09:02PM (#11740676)
    > .rar have been blocked at our proxy (both
    > extension and mimetype) and email scanner
    > for years. Along with rtf, password protected
    > zip files, exe files, cpl files, etc. It's a
    > long list.

    Why not block all outside files, and be certain that no infections can come through. (Okay, I should have turned the sarcasm flag on)

    In doing engineering contracting, it is common to send and receive .exe files, password protected .zip files, etc. I'm not sure that a well meaning IT department realizes the hoops they are making the engineering department jump through.
  • by Geoffreyerffoeg ( 729040 ) on Monday February 21, 2005 @09:04PM (#11740685)
    Can AVG scan your RAR files if you don't have WinRAR installed?

    How the bleep do you expect a user to get infected from a file inside a RAR (which is the point of this discussion) if he doesn't have a RAR decompressor?

    If he can decompress, so can AVG. If he can't, AVG only scans the outside of the RAR, which is the only part that can infect him. Where's the problem?
  • by Anonymous Coward on Monday February 21, 2005 @09:54PM (#11741053)
    You lost your dollars. I'm an MCSE and a CCNA with several years experience as a network admin. Notice I was talking about blocking long lists of extensions. I block executables on my network, both exe and scripts. .EXE, .WSH, .CPL, .BAT, etc. Probably less than 20 extensions, total. I don't block things like .RTF or .XLS or .DOC or .MDB . Yes, it is possible to get various types of malware that way. But there's always a trade off between usability and security. If you want a really secure network, unplug the cable and shut everything down. No viruses or worms, guaranteed. Being able to pass around documents and useful files is part of the reason to have a network. When it gets to the point where your users are sending emails that say "Here's the new database I created. Save it to your desktop and rename it from database.bdm to database.mdb before you open it" then you're part of the problem, not the solution.

    IT people all too often lose perspective. They see the network as an end to itself. The users are just pains in the neck who screw up my beautiful setup and can't be trusted to use my equipment properly. The whole point of having a network is to enable people to do their jobs more effectively and more efficiently, and part of doing the job includes exchanging various types of files. If you're going to stop the network from being useful, why not shut it down and save all the money you're spending on it?

    Blocking executables and having solid, updated virus protection is part of good network security. So is temporarily blocking certain extensions if there's an alert for a new worm or virus that uses a specific type of file. Once your antivirus is updated to reflect the new beastie and the initial infection crisis is over, unblock the extension. Blanket blocking long lists of extensions is a DoS on yourself.
  • by King_TJ ( 85913 ) on Monday February 21, 2005 @10:31PM (#11741221) Journal
    Good to see an admin with some (surprisingly uncommon) common sense!

    I don't work in corporate I.T. anymore (thankfully... pretty tired of the "cube farm" and useless meetings, etc.) -- but when I did, this type of thing was always a battle.

    The quickest way to turn the entire company's perception of I.T. from positive to negative is to keep putting up barriers to their computer usage under the auspices of being "for their own good".

    My take on it is; Your job as an I.T. worker is to provide customer service to the rest of your company's employees. Sometimes, that means not taking the "easy way out" of blocking a bunch of things to prevent a potential problem. Rather, it's your job as admin to make sure you've got an environment in place where you can easily rebuild a corrupted system, and where you can screen out as much known junk as possible without resorting to interfering with valid data/documents.

    Same goes for monitoring web usage, IMHO. It's fine to put a system in place to filter illegal sites, pornography, and so forth. But it should be fully automated, with an easy option to open a given URL back up if someone calls saying they need access to it. Otherwise, you put on the "I.T. police" hat when you start trying to tattle on co-workers for surfing the net for "too long" or going to "improper web sites". (I'd much rather be able to say "Sorry... the automated filter blocked you out." than "Yep - I purposely set things up so you guys couldn't go to that page." Why take on the responsibility of deciding for yourself what they can and can't see and do?)
