
New Virus Attacks Via RAR Files (585 comments)

sscottsci writes "A new article at eWeek indicates that virus writers are using .RAR files to bypass filters and anti-virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."
  • by FyRE666 ( 263011 ) * on Monday February 21, 2005 @03:55PM (#11738319) Homepage
    ...most firewalls do not block the extension yet.

    Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...
  • Big deal (Score:4, Interesting)

    by fudgefactor7 ( 581449 ) on Monday February 21, 2005 @03:59PM (#11738365)
    This would have been more of a threat had it been in .CAB format. Not everyone uses .RAR files. Heck, in my company there are a grand total of 3 computers capable of even opening a .RAR file...the one I'm posting from is one. On a side note: my wife got this virus emailed to her and she called me at work to ask what a rar file was... Needless to say, this virus will not be long-lived as it's just plain stupid.
  • RAR is very popular (Score:5, Interesting)

    by bigtallmofo ( 695287 ) on Monday February 21, 2005 @04:00PM (#11738377)
    I find that more technically-abled people are familiar with and have installed WinRAR [rarlabs.com] or the unix-variant based RAR on their system.

    Of course, such people are less likely to be taken in by a virus, so I'm forced to believe that this new spin on virus writing isn't going to be very effective.

    Similarly, I suppose virus-writers could rename their .exe file to be .txt and leave instructions within the .txt file to rename the file to .exe and from there ask them to execute it but the people that would understand those instructions would not be likely to follow them.
  • Re:Good news! (Score:5, Interesting)

    by TheRealMindChild ( 743925 ) on Monday February 21, 2005 @04:03PM (#11738416) Homepage Journal
    Maybe you live in the stone age, but I know we use RAR here almost exclusively.

    The reason Zip became so popular was its speed/efficiency compromise back in the days where it mattered. Using zip, nowadays, is simply due to habit and culture. There isn't an advantage for MOST like there used to be.

    RAR compression is better and has a very nice archive spanning feature. Believe me... this is ever so handy when backing up 40GB of data to a file system/software that can't address files larger than 2GB. Couple that with the free Stuffit Expander, and I can't come up with a reason you WOULDN'T use RAR.
  • Whats the point? (Score:4, Interesting)

    by bizitch ( 546406 ) on Monday February 21, 2005 @04:06PM (#11738457) Homepage
    Blocking extensions is pretty pointless ... how hard is it to rename before/after going thru a wall?
  • by nuclear305 ( 674185 ) * on Monday February 21, 2005 @04:07PM (#11738479)
    Apparently I should have been more clear--when testing with AVG it certainly can scan the contents of the archive; I watched as it scanned several exe files I placed inside the archive.

    I can't say I've ever paid much attention to other products but I would have hoped Norton and the like would also have this capability.
  • by Jhon ( 241832 ) * on Monday February 21, 2005 @04:11PM (#11738523) Homepage Journal
    I doubt eweek's demographic is strong in the 'warez' crowd. And if you're in charge of a corporate firewall and your users are downloading 'warez', you've got serious problems. .rar has been blocked at our proxy (both extension and mimetype) and email scanner for years. Along with rtf, password protected zip files, exe files, cpl files, etc. It's a long list.

    I'm waiting for the email attachments without extension that include 'instructions' on how to 'save as' to add the extension, then execute the code. The password protected zip file worms were close...
  • by orkysoft ( 93727 ) <orkysoft@m y r e a l b ox.com> on Monday February 21, 2005 @04:18PM (#11738597) Journal
    Are you sure AVG didn't actually use the WinRAR you have installed to extract the files, so it can scan them? I know that Ark (a KDE file archiving utility) uses Rarsoft's unrar to operate on RAR files.

    Of course, I don't know whether you have WinRAR installed. Can AVG scan your RAR files if you don't have WinRAR installed?
  • by j-turkey ( 187775 ) on Monday February 21, 2005 @04:19PM (#11738610) Homepage
    The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti-spam/virus email service, and it runs flawlessly).

    ClamAV just wins period. Not having to pay per-seat licensing is awesome. Never needing to track or renew a subscription is worth every penny you'll spend on Clam AV (umm...$0.00).

    I can't think of any reason to run anything else for an email server. Am I missing something really big that ClamAV just can't do?

  • by SunFan ( 845761 ) on Monday February 21, 2005 @04:21PM (#11738623)
    I thought technically abled people still used tar and bzip2? Putting the compression separate from the archiving makes sense--it still works great in piped UNIX commands and bzip2 is more aggressive than Zip is.
  • Re:Good news! (Score:1, Interesting)

    by Anonymous Coward on Monday February 21, 2005 @04:28PM (#11738680)
    Is there a free version of RAR available yet? I can use Zip for free. If I really want, I can even use it Free, as there exist open source solutions for handling Zip files.

    Are there any open source RAR handlers? Last I checked, there weren't any. The only solution is apparently shareware. Well, Zip is free. Sounds like a win to me.

    Besides, Zip can do archive spanning too. The Windows XP built-in Zip compressor can't, but any decent Zip program should be capable of doing it.
  • Re:Good news! (Score:2, Interesting)

    by Limecron ( 206141 ) on Monday February 21, 2005 @04:34PM (#11738736)
    Actually, RAR has been around for over a decade.

    (Since 1993, according to Wikipedia.)

    I remember investigating it back in my BBSing days.

    Though I guess that makes it an even sorrier situation for AV companies. :)
  • Ssshhhh (Score:2, Interesting)

    by rbarreira ( 836272 ) on Monday February 21, 2005 @04:34PM (#11738739) Homepage
    Don't tell anyone! Now gmail may start parsing RAR files and forbidding anyone from attaching rar files which include executable files :(

    They already do this with zip files, which is a pity. Many times, I have to send attachments which include EXE files... If this protection is implemented, we'll have to rename the exe files to ex_ or something :( What next, parsing the exe header?
  • by WindBourne ( 631190 ) on Monday February 21, 2005 @04:48PM (#11738855) Journal
    I doubt eweek's demographic is strong in the 'warez' crowd.

    Actually, I suspect that e-week is exactly that demographic. Many ppl in that group do not care about the legality of such an action and yet, must have enough knowledge to get to warez.

  • by izomiac ( 815208 ) on Monday February 21, 2005 @04:50PM (#11738871) Homepage
    Yes, but that would be generic (installer programs have them all the time). The generic decompression part could decompress a decryption part that could decrypt the virus. The virus could reencrypt itself with a new (but supplied in the executable) encryption key and be off on its merry way. The only real way to see if an executable is a virus or not would be to run parts of its code. Even if you use a sandbox this wouldn't be the safest solution (antivirus-killing virus?). Also, like someone else said, the virus might just use some encryption scheme that took a long time to decrypt. That way it'd launch, show a couple funny pictures or whatever (what the user expects), and use the next 20 minutes of idle time to decrypt itself.
  • by ThosLives ( 686517 ) on Monday February 21, 2005 @04:54PM (#11738896) Journal
    Actually, this points at a more fundamental issue. What happens if you simply take the extension off the file and set the MIME type to something like "binary stream" and just send it "raw"? I often have to rename files to get them through company (*ahem* outlook) filters that block files.

    Associating the name of a file with its content type is quite ludicrous; Apple used to do a better job of this with the file resources (the average user couldn't change file type - the name wasn't the type!) but with the transition to OS X (Unix) the metadata with files can be lost and is associated via file extension again.

    This boils down to the fact that digital data is inherently untyped; there is no way to tell if something is *really* a word document, bitmap, executable, or a random collection of bits (you can use signatures in the data to help with this, but that's about it).

    However, more on topic: I didn't know RAR files had "executable" content. If a file in a .RAR archive has a virus, that's no different than any other "hidden" trojan: shouldn't the virus scanner realise there is a problem as soon as the user tries to do something with the uncompressed/unencrypted file?
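A content-based check of the kind this post and the earlier Gmail comment point at (signatures in the data rather than the extension, and looking inside an archive for executables) is sketched below as an added example; it is not code from the thread or from any product named in it. The RAR/ZIP/CAB/PE signatures are the real ones, the sample attachments are constructed, and only ZIP members are opened because that is what the Python standard library can read without an external unpacker.

```python
import io
import zipfile

# File signatures that identify a container or executable from its leading bytes.
MAGIC = {
    b"Rar!\x1a\x07\x00": "rar",      # RAR 1.5 to 4.x archive
    b"Rar!\x1a\x07\x01\x00": "rar",  # RAR 5 archive
    b"PK\x03\x04": "zip",            # ZIP local file header
    b"MSCF": "cab",                  # Microsoft cabinet
    b"MZ": "exe",                    # DOS/PE executable stub
}
EXEC_EXTENSIONS = {"exe", "com", "scr", "pif", "cpl", "bat", "vbs"}

def sniff(data: bytes) -> str:
    """Content type implied by the leading bytes, or 'unknown'."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def inspect_attachment(name: str, data: bytes) -> list:
    """Findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    if ext in EXEC_EXTENSIONS:
        findings.append(f"{name}: executable extension .{ext}")
    if kind != "unknown" and kind != ext:
        # The renamed-ZIP / renamed-EXE trick: bytes and extension disagree.
        findings.append(f"{name}: content is {kind}, extension says .{ext or '(none)'}")
    if kind in ("rar", "cab"):
        # No stdlib unpacker for these; a real gateway hands them to an
        # external extractor (e.g. unrar) before the members can be scanned.
        findings.append(f"{name}: {kind} archive, members not inspected here")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # encrypted member: bytes cannot be examined
                    findings.append(f"{name}: member {info.filename} is password protected")
                    continue
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":  # judge the member by its bytes, not its name
                        findings.append(f"{name}: member {info.filename} is a PE executable")
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a fake PE stub next to a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tool.exe", b"MZ" + b"\x00" * 62 + b"constructed stub, not real code")
        zf.writestr("readme.txt", b"run tool.exe to convert the gifs")
    return buf.getvalue()
```

Feeding `inspect_attachment("report.txt", build_sample_zip())` reproduces the .ZIP-renamed-to-.TXT case from the thread: the extension mismatch and the PE member inside are both reported, while a genuine text file produces no findings.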

  • by Chief Typist ( 110285 ) on Monday February 21, 2005 @05:11PM (#11739036) Homepage
    It's only a matter of time before we see a .TXT virus. Sounds implausible, but virus writers are very good at adapting to people's work habits.

    Many companies block .ZIP at the perimeter (at a firewall or mail server.) People still have work to do -- so they work around this block by renaming .ZIP files as .TXT files. We have several clients who *REQUIRE* us to send them files like this.

    So, once people get into the .TXT -> .ZIP -> unarchive habit, they'll be happy to do the same with a virus.

    And it's going to be fun seeing the whole IT infrastructure that relies on file extensions fall into a crumbling heap.

    -ch
  • by moon-monster ( 712361 ) on Monday February 21, 2005 @05:18PM (#11739098) Homepage Journal
    Personally, I found myself quite surprised that support for this wasn't there already.

    Commercial antivirus vendors should have implemented this. It seems ludicrous to me that the vendors of these products skipped a popular compression mechanism just because nobody had bothered to release a virus that understood it first. Security companies should be preemptively building in support for things like this. It's not as if it was an unpredictable issue.

    The free(speech) ClamAV has support for this already, and I would hazard other compression formats as well. It obviously doesn't take *massive* developer effort to add support for things like this. And it's obviously something that people have already thought about.

    One of the reasons why we have such a problem with these things is that *even vendors of security products* don't seem to want to think proactively about issues that might arise. They wait for something to bite them in the ass before they fix it - leaving everyone vulnerable in the meantime.
  • by Koiu Lpoi ( 632570 ) <koiulpoiNO@SPAMgmail.com> on Monday February 21, 2005 @05:30PM (#11739194)
    If you're downloading Warez and you're not careful, you deserve to get a virus. That stuff is usually chock full of viruses, malware, zombie programs, etc. If you're gonna do it, lock your computer down. If you're smart enough to avoid viruses, you're smart enough to avoid this one. Otherwise, you have no place in a warez community. People should spend money and buy things legally anyways. Well, that is unless you've got something against licensing of games and whatnot (valve cough cough), but that's another argument for another time.
  • by DarkEdgeX ( 212110 ) on Monday February 21, 2005 @05:38PM (#11739279) Journal
    BS. In this day and age of high speed internet this is not relevant. Especially while using torrent files. It really wasn't ever relevant during the modem/bbs days. Z-modem had resume downloads and everyone used it. No need for rar then.

    Clearly you've never experienced line noise. Me, personally, if I was downloading something back in the BBS days and I had a bit of line noise I'd rather be able to download another smaller RAR piece than have to redownload the whole thing. Z-Modem wouldn't have done squat in that situation (which was so common that *drumroll please* this is why people doing this began distributing things this way). As far as BitTorrent goes, sure, it's a lot better at catching errors and correcting them, but it's not flawless. You're still better off with RAR+SFV plus BitTorrent doing its MD5 checks than with just BitTorrent.

    Again not relevant. If you are taking the time to d/l instead of actually buy something why the hell would you care if it was complete? As long as it's not infected (which you just scan it to find out) and works then who cares.

    Yes, who cares if you got the app but no documentation to go with it. It's all Greek to you, obviously!

    Torrent files and high speed internet trumps this one too. Another not relevant "argument".

    No, Torrent files and high speed internet don't trump that point. It's rare when a torrent will fully saturate your download. And since many BitTorrent downloaders allow you to tag individual files in a torrent, you can mark RAR's you're getting from the torrent then unmark RAR's you're getting from another source (so you can fully saturate your connection).

    That site listed in a thoughtful manner all the reasons why you'd want to use RAR. If you choose to ignore it because you think you know better (hint: you don't or the scene wouldn't be using split RAR's), that's your prerogative. But at least a know-nothing like yourself isn't responsible for scene releases or scene rules.

  • by 1000StonedMonkeys ( 593519 ) on Monday February 21, 2005 @05:41PM (#11739300)

    "Because the releases consists of small parts you don't have to worry about re-downloading the whole release if something goes wrong and a file gets corrupted." BS. In this day and age of high speed internet this is not relevant. Especially while using torrent files. It really wasn't ever relevant during the modem/bbs days. Z-modem had resume downloads and everyone used it. No need for rar then.

    You have obviously never done binary transfers over usenet (which is still very common today). It's done almost exclusively using RAR because news servers DO drop posts which means that you WILL lose parts of the archive.
  • by EvilJoker ( 192907 ) on Monday February 21, 2005 @06:14PM (#11739511)
    RAR isn't for compression (at least not much), but rather for splitting. A 4.4GiB file (or even a 700MiB one) is not possible for the distribution methods further up the chain, and it isn't uncommon for the files to remain intact all the way down to BT (which is GREAT, because it can also be used to fill the pieces grabbed from IRC, usenet, etc).

    It's better than Mastersplitter because it includes internal verification, and zip didn't split.
  • by iamcf13 ( 736250 ) on Monday February 21, 2005 @09:57PM (#11741062) Homepage Journal
    My approach [cf13.com] simply tacks on '.txt' on the end of ALL email file attachments filenames. As a result, system compromise is IMPOSSIBLE this way provided Windows still associates .txt files with Notepad/Wordpad and those programs haven't been compromised.

    In this manner the incoming file attachments can be safely scanned for viruses, deleted, quarantined, or renamed by removing the '.txt' at the end and put to use.

    If you want to learn more and download my quality (but bland-looking) Windows freeware/shareware, visit now. [cf13.com]

    P.S. since July 2004, I've only gotten a handful of 'no content' email spam at iamcf13@hotpop.com. This technique is used by spammers to validate working email addresses that do not bounce. That is the only spam I receive nowadays. All the rest is autodeleted by cf13-pop3.

    However, I DO wish I could run my shareware mailserver cf13-smtp and avoid downloading the spam in the first place.

  • by chthonicdaemon ( 670385 ) on Tuesday February 22, 2005 @02:36AM (#11742356) Homepage Journal
    What user needs to receive .SCR files via email? Seriously. How about .CPL files? How about .exe files? or .com files? Or .bat? or .vbs?

    Now, I understand about the .scr files, but how about software development or work-friendly scripting? What if I have written a program/script (as I am wont to do) that saves my coworker lots of time by automatically converting 10000 gif files to png or something like that. Now I have to walk to the other side of the building with a floppy or a thumbdrive. What a retrograde step.

    In addition, I use LaTeX, and my projects typically comprise many files. But now I can't just zip up the files and send the zip to my colleague, I have to rename the file to zi_ and uuencode it to hide it from our clever e-mail scanner.

    The real problem is that I can't go on a training course and get the restrictions lifted. Oh, and people who assume the only 'work related' files are .doc, .xls and .ppt (perhaps add .pdf for good measure).
