New Virus Attacks Via RAR Files 585
sscottsci writes "A new article at eWeek indicates that virus writers are using .RAR files to bypass filters and anti-virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."
Can't scan rar?? (Score:5, Insightful)
What? Is it really a case where the software can't scan the archive or is it just that it's not included in the default types of files to scan?
Just tested this on AVG and it indeed scans rar archives.
No problem! (Score:4, Insightful)
Carry on with the downloading, there's nothing to see here...
The Bright Side (Score:5, Insightful)
I've been opening .rar files for a while (Score:2, Insightful)
It just makes sense to me.
How's this new? (Score:5, Insightful)
Not seeing the problem, aside from the same old 'don't go happy-assing around executing any damn old executable that someone emails you.'
Re:Is this really a big deal? (Score:4, Insightful)
RAR bombs (Score:2, Insightful)
So.. (Score:2, Insightful)
If your firewall blocks ZIP files and RAR files, then how are you supposed to exchange groups of files with your friends efficiently?
Isn't the WHOLE POINT of having archive file software on your computer defeated by blocking content with these extensions?
Re:Good news! (Score:3, Insightful)
Face it, people are slowly moving to a better and more efficient format. All we have is some virus protection companies who are on the slow end of adapting to new technologies. And it's not all that new, RAR has been around for at least 5 years.
Do you really want to trust an anti-virus company that can't deal with semi-popular 5 year old compression protocols?
Re:The Bright Side (Score:2, Insightful)
concern for warez ... not really (Score:5, Insightful)
Re:Good news! (Score:2, Insightful)
Nice elitist answer there. YOU can't think of a good purpose to use
Also, I prefer the
The vector doesn't matter, only the cure (Score:2, Insightful)
What will fix this is more knowledgeable users and up-to-date antivirus software. My own users get viruses from other people, but either the antivirus software catches it, or they simply call and ask what they should do (delete or send it to me first).
Soon our customer will probably start blocking rar files, then zi_ files. It is probably one of the laziest ways to block viruses, and not really that effective at it.
Re:limited scope at best (Score:5, Insightful)
Unfortunately, WinZip sucks beyond words.
XP's Native handling of Zip files is annoying at best, and is usually one of the first things I disable whenever I install XP.
I guess I just don't understand what the "nightmare" part is about WinRAR.
How easy does it have to be, really? Select files, right click, select "add to archive" or "add to filename.rar" and let it run. You're done.
Extracting is even easier. Right click, select "Extract files" to get a path choice, "Extract Here" to uhm, extract in the current folder or "Extract to filename" which creates a folder with the same name as the file.
Not to mention the bonus features you get if you bother to open the program, such as file recovery and repair, authentication checking, and the ability to extract from a partial set and even extract broken files if you really, really need them.
However, this should not be an issue at all, since most people don't have any support for RAR files and therefore can't open them to run the executable inside it (which is monumentally stupid anyway and whoever does, deserves whatever crap they get installed as a result of that action).
As for the "yet" part of blocking...
When are we going to put the responsibility in the hands of the user and stop dumbing down the internet? There are those of us who actually know what we're doing, don't open unknown attachments, never get viruses or trojans and always get pissed off when email servers filter out valid files.
I can't even send a bloody Word document because of the "risk of macros".
Gimme a freakin' break already.
Listen up people, if you're too dumb to use email without infecting your computer with the latest malware, maybe you should reconsider email as your communications method of choice.
FUD FACTOR (Score:1, Insightful)
Yes AV scanners can scan RAR files.
Where does this guy get off saying you can't block
This article is crap and only posted to stir a commotion.
We shouldn't waste anymore time on this post. I am sure we have something important to discuss.
Re:Is this really a big deal? (Score:5, Insightful)
You've answered your own question - most corporations and free email providers block executables.
Re:Good news! (Score:5, Insightful)
There isn't an advantage for most users.
bzip2, 7z, and many more compression formats are better, and you can find archive spanning programs for every single compression technique because that's such a trivial algorithm to implement.
I can't come up with a reason why you'd use rar OR zip.
The solution is worse than the problem (Score:3, Insightful)
Educate the users not to be morons. At our site, we've had trouble working with a university because our ISP removes .exe files from attachments and their server removes .zip files. Pretty hard to exchange executables in that kind of environment.
Now we use an ftp server. All because idiots click on attachments without thinking.
Re:concern for warez ... not really (Score:5, Insightful)
Re:No problem! (Score:4, Insightful)
Just another example of how very often trying to make computers "easier to use" actually makes things more of a pain in the butt when it comes down to it.
Re:Can't scan rar?? (Score:1, Insightful)
I'm certain it's the compression technique used by RAR, more so than a virus that is being hidden itself.
In other news
Re:Big deal (Score:3, Insightful)
- write a program that installs a trojan
- write documentation that says it handles
- make sure Google has indexed it
- send
People will download and install your trojan all by themselves! Profit!
Re:limited scope at best (Score:1, Insightful)
I guess I just don't understand what the "nightmare" part is about WinRAR.
How easy does it have to be, really? Select files, right click, select "add to archive" or "add to filename.rar" and let it run. You're done.
Extracting is even easier. Right click, select "Extract files" to get a path choice, "Extract Here" to uhm, extract in the current folder or "Extract to filename" which creates a folder with the same name as the file.
Wait, so you don't like Windows XP's way of handling ZIP files, but then you go on to describe using RAR that sounds like it works in exactly the same way.
Choose a bunch of files. Right click and choose "Send To -> Compressed Folder". Right click a Zip file and choose "Extract All". Choose a location to extract the files to.
Sounds almost exactly like the way you described WinRAR.
Except for one thing: I can explore into Zip files just like any other folder. Double click on it, and it opens in an Explorer window, just like a folder. (By the way, you can also choose "Explore" on Zip files if you want to use the Explorer style interface instead of the new window interface.)
You can copy files in and out, just like any other folder. Sounds smooth to me. Last time I checked WinRAR, it did not work like that, instead the RAR file would open up inside WinRAR and display as a long list of files instead of the much cleaner list of icons you get with Windows XP's Zip support.
I can't imagine why you'd find Windows XP's Zip support annoying. I prefer it over WinZip, which is a shoddy program.
*sigh* (Score:5, Insightful)
Why didn't we have problems like this in the past? Why did virus writers have to be so much more clever? It was because the only people using computers had at least something of an idea of what they were doing. Viruses are, for the most part, easily avoided. It's only when users are clueless and trusting that they are allowed to flourish.
What AV can't extract rar? (Score:2, Insightful)
Not sure how this is a new threat (Score:5, Insightful)
Scenario 1: System cannot unpack
Scenario 2: System can unpack
I just tested eTrust Antivirus, and it does catch the EICAR test file if I try to open it from a RAR, so I don't see what the problem is.
Re:uh... (Score:2, Insightful)
Yes, the average user IS just that dumb.
Re:Is this really a big deal? (Score:5, Insightful)
If zip (or any) files are blocked, I like sending files encrypted, or merely scrambled.
You would be surprised how few email filters detect an attachment which is simply sent as Base64 or UUEncoded text, in the body. As it's not an attachment, it frequently gets ignored.
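The two evasions in the comment above, an attachment pasted into the body as base64 or uuencoded text and a file that a gateway identifies only by its extension, both fall to a content check rather than a name check. The following is an added example written for this page; it is not the poster's code and not from any product named in the thread. It assumes the mail body arrives as a plain string, the sample message is constructed inside the block (the "executable" and "archive" are stub byte strings, not real files), and the signature list is a short hand-picked subset, not a full file-type database.

```python
import base64
import binascii
import re

# Leading magic bytes for a few container/executable formats. This is a short,
# hand-picked list for the example, not a full file-type database.
SIGNATURES = [
    (b"Rar!\x1a\x07", "rar"),        # RAR 1.5-4.x and RAR5 share this prefix
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe-executable"),
]

B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def identify(data: bytes) -> str:
    """Name the file type from its leading bytes, ignoring any extension."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def _uuencode_sections(lines):
    """Decode every 'begin ... end' uuencoded section; return blobs and consumed line indices."""
    blobs, consumed, i = [], set(), 0
    while i < len(lines):
        if not lines[i].startswith("begin "):
            i += 1
            continue
        consumed.add(i)
        data = bytearray()
        i += 1
        # Stop at the 'end' marker or a blank line; a2b_uu turns an empty line into 32 NULs.
        while i < len(lines) and lines[i].strip() not in ("end", ""):
            consumed.add(i)
            try:
                data += binascii.a2b_uu(lines[i])
            except binascii.Error:
                break
            i += 1
        consumed.add(i)              # the terminator line (an out-of-range index is harmless)
        if data:
            blobs.append(bytes(data))
        i += 1
    return blobs, consumed


def _base64_runs(lines, skip):
    """Decode runs of consecutive base64-looking lines outside any uuencoded section."""
    run = []
    for idx, line in enumerate(lines + [""]):      # sentinel flushes the last run
        s = line.strip()
        if idx not in skip and s and B64_LINE.match(s):
            run.append(s)
            continue
        if len("".join(run)) >= 40:                # short words also fit the alphabet; ignore them
            try:
                yield base64.b64decode("".join(run), validate=True)
            except binascii.Error:
                pass
        run = []


def find_inline_payloads(body: str):
    """Return [(encoding, file_type, size)] for each decodable blob found in a mail body."""
    lines = body.splitlines()
    blobs, consumed = _uuencode_sections(lines)
    found = [("base64", identify(b), len(b)) for b in _base64_runs(lines, consumed)]
    found += [("uuencode", identify(b), len(b)) for b in blobs]
    return found


def build_sample_body() -> str:
    """Constructed message: plain text, a base64 PE stub and a uuencoded RAR stub (not real files)."""
    fake_exe = b"MZ" + b"\x90" * 120
    fake_rar = b"Rar!\x1a\x07\x00" + b"\x00" * 90
    b64 = base64.encodebytes(fake_exe).decode("ascii")
    uu = "".join(binascii.b2a_uu(fake_rar[i:i + 45]).decode("ascii")
                 for i in range(0, len(fake_rar), 45))
    return ("Hi, the gateway stripped the attachment, so here it is inline:\n\n"
            + b64 + "\nand the other one:\n\nbegin 644 release.rar\n" + uu + "`\nend\n")


if __name__ == "__main__":
    for hit in find_inline_payloads(build_sample_body()):
        print(hit)
```

Run it and the constructed message yields a base64 blob identified as a PE executable and a uuencoded blob identified as a RAR archive, neither of which carries a filename a list of blocked extensions would ever see. The same `identify()` check answers the "just rename the file" evasion raised later in the thread: the decision is made on bytes, not on the name.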
Re:limited scope at best (Score:2, Insightful)
"Because the releases consists of small parts you don't have to worry about re-downloading the whole release if something goes wrong and a file gets corrupted."
BS. In this day and age of high speed internet this is not relevant. Especially while using torrent files. It really wasn't ever relevant during the modem/bbs days. Z-modem had resume downloads and everyone used it. No need for rar then.
"You can control that everything has been downloaded correctly by checking against the SFV-file. Hence you will always know whether you've gotten a complete uncorrupt release of what you were downloading."
Again not relevant. If you are taking the time to d/l instead of actually buy something why the hell would you care if it was complete? As long as its not infected (which you just scan it to find out) and works then who cares.
"You can download from multiple sources at the same time - ensuring comfort and maximizing your download speed."
Torrent files and high speed internet trumps this one too. Another not relevant "argument".
"We get a standardized way of sharing, which DC obviously benefits greatly from. You will learn to recognize a good release and be spared the inconvenient trouble/surprise of poorly ripped movies by amateurs."
Opinion. Yeah, those handicam releases of highly compressed video sure do benefit from being split into hundreds of small files and stuck into another archive. Clue, you don't gain anything by recompressing video.
I have yet to EVER hear of a valid reason to use rar. It seems people use it to be difficult and that's about it. And don't give me the bs about newsgroups. They are slow and unreliable and extinct.
"Clue: WinRAR compresses better, is more secure, and is a heck of a lot more feature rich than WinZIP. WinZIP is, to put it nicely, a piece of shit. And ZIP is outdated compared to RAR and 7-Zip (be it compression or security)."
What possible features could you want except that it compresses (who gives a shit about sizes these days) and it extracts. Passwords are a pain in the ass and anyone that password locks their archive then uploads it for people is just trying to get their hit counts up for their web sites.
So again I ask, give me a good reason why rar is better?
Re:Is this really a big deal? (Score:5, Insightful)
Contrary to popular opinion, Corporate admins aren't the only people who worry about security.
LK
Re:limited scope at best (Score:3, Insightful)
When the stupid end users stop downloading everything they can to infect their PCs with spy/mal-ware. You are the EXCEPTION. "End User" is equivalent to a 4-letter word in our department. Every inch you give them is a mile they make you walk to fix their problems.
Sounds like you've never worked any kind of support job. People do stupid things that you tell them not to do. They will do them multiple times, after being told not to multiple times. Some of them are management, and therefore not generally subject to punishment for violating said rules. Everyone must have their pretty screen savers, fun animated cursors, and dressed up email "stationery".
Don't get me wrong, you sound like someone who is fairly educated in what not to do. As the MIS/IT/IS dept, we do these things in self defense. It's not you who has to answer to the CIO/CEO as to why we got nailed by the XXX worm/trojan/virus.
My 2cents...
Re:Is this really a big deal? (Score:3, Insightful)
Re:*sigh* (Score:3, Insightful)
While I agree with you to some extent, you picked a really poor example there. The international characters in the URL toolbar are really very deceptive. Allow me to offer you two picture links.
Letter "a" [fileformat.info]
Letter "a" [fileformat.info]
Now you tell me which one is the cyrillic character, and which is the roman character. I don't know about you but my eyes are not that good! It would be trivial for some one to mask their domain in a link as another domain, provided the spoofed domain has a roman letter "a" in it anywhere. You could even set up a proxy server to listen for connections to something like https://paypal.com and respond normally. What's more, the web browser wouldn't issue an SSL alert, because the SSL cert would match the fake "paypal.com".
rot 13
Gur frpbaq yrggre vf gur ebzna "n".
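The two "a" characters in the comment above are the whole attack: a Cyrillic letter that renders like a Latin one. The block below is an added example written for this page, not the poster's code, showing how a client or a mail filter can tell them apart mechanically: it reports which Unicode scripts a hostname mixes, folds a small table of look-alike characters onto their Latin forms so that a spoofed name collapses onto the brand it imitates, and prints the `xn--` form that the wire and the certificate actually see. It assumes Python's standard `idna` codec; the confusables map is a hand-picked subset of Cyrillic letters, not the full Unicode UTS #39 table, and the protected-names list is a placeholder.

```python
import unicodedata

# A hand-picked subset of Cyrillic letters that render like Latin ones. The
# authoritative list is the Unicode confusables table (UTS #39); this map is
# only an illustration and is deliberately incomplete.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}


def script_of(ch: str) -> str:
    """Coarse script from the character name: 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(text: str) -> str:
    """Fold confusable characters onto their Latin look-alikes after NFKC normalisation."""
    folded = unicodedata.normalize("NFKC", text.lower())
    return "".join(CONFUSABLES.get(c, c) for c in folded)


def analyse_host(host: str, protected=("paypal.com",)) -> dict:
    """Flag mixed-script names and look-alikes of protected names; show the xn-- form."""
    host = host.lower()
    scripts = {script_of(c) for c in host if c.isalpha()}   # letters only: digits, dots, hyphens skipped
    skel = skeleton(host)
    return {
        "host": host,
        "ascii": host.encode("idna").decode("ascii"),        # what DNS and the certificate see
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "impersonates": [p for p in protected if p != host and skeleton(p) == skel],
    }


if __name__ == "__main__":
    for name in ("paypal.com", "p\u0430ypal.com"):           # second one has a Cyrillic 'а'
        print(analyse_host(name))
```

The second name looks identical to the first on screen, but `analyse_host` reports it as mixing LATIN and CYRILLIC, maps it onto `paypal.com` through the skeleton, and shows an `xn--` label that plainly is not the real domain. Browsers later adopted exactly this kind of mixed-script check before deciding whether to display an IDN label as Unicode or as its `xn--` form.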
Again I think we missed the point (Score:3, Insightful)
THEY ARE USEFUL ESPECIALLY OVER A NETWORK, you know, they reduce file sizes.
Instead: educate, and write decent sandboxing / active protection software that will scan on decompress.
OK, don't botch the job, do it right.
blocking rar files... great then all warez sites will rename to
Slow news day! (Score:5, Insightful)
Why exactly does putting viruses into .rar's count as a new virus attack technique?
This is the same thing that has been going on for a long time with viruses in compressed files.
What's next, complaining that there are viruses in tar files? Suggesting that propagation of viruses by usb-flash drives, DVD-RW's, SD camera memory and so on... are new vectors of propagation?
This seems like a really lousy way of trying to instill virus paranoia in people to sell more A/V software.
Then again, maybe my tinfoil hat is just a bit tight today. Does anyone think there is merit to this article?
Re:Is this really a big deal? (Score:5, Insightful)
Attack against users? What user needs to receive
All the typical vectors of viruses/worms. Who in billing, or sales/marketing, or whatever NEEDS those files?
When you weigh the cost between the constant drain on IT resources broken OSs (from viruses, unapproved 3rd party apps, etc) would cost, you can't SERIOUSLY hold your position as someone in charge of security.
Our email server blocks up to 2000 (sometimes more) of the above extensions. Most are ID'd viruses (netsky, bagle, etc). The RARE occasion it blocks something not ID'd is due to a NEW virus that hasn't made it to the virus-def file on the scanners. And I'm constantly amazed by the number of ACs who pretend to know things and act indignant.
Re:Is this really a big deal? (Score:1, Insightful)
What unix distribution executes files based on magic number and NOT the executable bit???
Re:Is this really a big deal? (Score:3, Insightful)
ZIP has been able to do this since long before RAR has existed; it just wasn't very convenient. ARJ and loads of other archivers could do it conveniently, but ZIP became a de-facto standard on PR grounds, rather than technical ones. RAR is pretty much exactly the same as any number of formats that existed 15 years ago, but people are willing to adopt it because it's new and better, rather than old and better
Re:Is this really a big deal? (Score:2, Insightful)
> extension and mimetype) and email scanner
> for years. Along with rtf, password protected
> zip files, exe files, cpl files, etc. It's a
> long list.
Why not block all outside files, and be certain that no infections can come through. (Okay, I should have turned the sarcasm flag on)
In doing engineering contracting, it is common to send and receive
Re:It can't scan INSIDE the rar (Score:4, Insightful)
How the bleep do you expect a user to get infected from a file inside a RAR (which is the point of this discussion) if he doesn't have a RAR decompressor?
If he can decompress, so can AVG. If he can't, AVG only scans the outside of the RAR, which is the only part that can infect him. Where's the problem?
Re:Is this really a big deal? (Score:5, Insightful)
IT people all too often lose perspective. They see the network as an end to itself. The users are just pains in the neck who screw up my beautiful setup and can't be trusted to use my equipment properly. The whole point of having a network is to enable people to do their jobs more effectively and more efficiently, and part of doing the job includes exchanging various types of files. If you're going to stop the network from being useful, why not shut it down and save all the money you're spending on it?
Blocking executables and having solid, updated virus protection is part of good network security. So is temporarily blocking certain extensions if there's an alert for a new worm or virus that uses a specific type of file. Once your antivirus is updated to reflect the new beastie and the initial infection crisis is over, unblock the extension. Blanket blocking long lists of extensions is a DoS on yourself.
Re:Is this really a big deal? (Score:3, Insightful)
I don't work in corporate I.T. anymore (thankfully... pretty tired of the "cube farm" and useless meetings, etc.) -- but when I did, this type of thing was always a battle.
The quickest way to turn the entire company's perception of I.T. from positive to negative is to keep putting up barriers to their computer usage under the auspices of being "for their own good".
My take on it is; Your job as an I.T. worker is to provide customer service to the rest of your company's employees. Sometimes, that means not taking the "easy way out" of blocking a bunch of things to prevent a potential problem. Rather, it's your job as admin to make sure you've got an environment in place where you can easily rebuild a corrupted system, and where you can screen out as much known junk as possible without resorting to interfering with valid data/documents.
Same goes for monitoring web usage, IMHO. It's fine to put a system in place to filter illegal sites, pornography, and so forth. But it should be fully automated, with an easy option to open a given URL back up if someone calls saying they need access to it. Otherwise, you put on the "I.T. police" hat when you start trying to tattle on co-workers for surfing the net for "too long" or going to "improper web sites". (I'd much rather be able to say "Sorry... the automated filter blocked you out." than "Yep - I purposely set things up so you guys couldn't go to that page." Why take on the responsibility of deciding for yourself what they can and can't see and do?)