New Virus Attacks Via RAR Files
sscottsci writes "A new article at eWeek indicates that virus writers are using .RAR files to bypass filters and anti-virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."
Is this really a big deal? (Score:5, Interesting)
Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...
Big deal (Score:4, Interesting)
RAR is very popular (Score:5, Interesting)
Of course, such people are less likely to be taken in by a virus, so I'm forced to believe that this new spin on virus writing isn't going to be very effective.
Similarly, I suppose virus-writers could rename their
Re:Good news! (Score:5, Interesting)
The reason Zip became so popular was its speed/efficiency compromise back in the days when it mattered. Using zip, nowadays, is simply due to habit and culture. There isn't an advantage for MOST like there used to be.
RAR compression is better and has a very nice archive spanning feature. Believe me... this is ever so handy when backing up 40GB of data to a file system/software that can't address files larger than 2GB. Couple that with the free Stuffit Expander, and I can't come up with a reason you WOULDN'T use RAR.
Whats the point? (Score:4, Interesting)
Re:It can't scan INSIDE the rar (Score:5, Interesting)
I can't say I've ever paid much attention to other products but I would have hoped Norton and the like would also have this capability.
Re:Is this really a big deal? (Score:5, Interesting)
I'm waiting for the email attachments without extension that include 'instructions' on how to 'save as' to add the extension, then execute the code. The password protected zip file worms were close...
Re:It can't scan INSIDE the rar (Score:5, Interesting)
Of course, I don't know whether you have WinRAR installed. Can AVG scan your RAR files if you don't have WinRAR installed?
Re:ClamAV wins again... (Score:5, Interesting)
ClamAV just wins period. Not having to pay per-seat licensing is awesome. Never needing to track or renew a subscription is worth every penny you'll spend on ClamAV (umm...$0.00).
I can't think of any reason to run anything else for an email server. Am I missing something really big that ClamAV just can't do?
Re:RAR is very popular (Score:3, Interesting)
Re:Good news! (Score:1, Interesting)
Are there any open source RAR handlers? Last I checked, there weren't any. The only solution is apparently shareware. Well, Zip is free. Sounds like a win to me.
Besides, Zip can do archive spanning too. The Windows XP built-in Zip compressor can't, but any decent Zip program should be capable of doing it.
Re:Good news! (Score:2, Interesting)
(Since 1993, according to Wikipedia.)
I remember investigating it back in my BBSing days.
Though I guess that makes it an even sorrier situation for AV companies.
Ssshhhh (Score:2, Interesting)
They already do this with zip files, which is a pity. Many times, I have to send attachments which include EXE files... If this protection is implemented, we'll have to rename the exe files to ex_ or something
Re:Is this really a big deal? (Score:3, Interesting)
Actually, I suspect that e-week is exactly the demographics. Many people in that group do not care about the legality of such an action and yet, must have enough knowledge to get to warez.
Re:Is this really a big deal? (Score:2, Interesting)
Re:Is this really a big deal? (Score:5, Interesting)
Associating the name of a file with its content type is quite ludicrous; Apple used to do a better job of this with the file resources (the average user couldn't change file type - the name wasn't the type!) but with the transition to OS X (Unix) the metadata with files can be lost and is associated via file extension again.
This boils down to the fact that digital data is inherently untyped; there is no way to tell if something is *really* a word document, bitmap, executable, or a random collection of bits (you can use signatures in the data to help with this, but that's about it).
However, more on topic: I didn't know RAR files had "executable" content. If a file in a .RAR archive has a virus, that's no different than any other "hidden" trojan: shouldn't the virus scanner realise there is a problem as soon as the user tries to do something with the uncompressed/unencrypted file?
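The point made above (a name is not a type; only signatures in the data say what a file is) and the earlier "it can't scan inside the RAR" replies both come down to the same gateway check: sniff the attachment's leading bytes, and if it is an archive, walk its headers to see what it carries before anyone extracts it. The following is an added example, not code from the article, the thread or any AV product. It assumes the RAR 4.x block layout (7-byte block header, type 0x74 file headers with a fixed 25-byte field group, LONG_BLOCK flag 0x8000); the sample RAR, ZIP and PE blobs are constructed in memory here, header CRCs are not verified, and RAR5 containers are only recognised, not enumerated.

```python
"""Type an attachment by content, not extension, and list archive members without extracting.

Added example (not from the article or thread). Assumptions: RAR 4.x header layout as
commented below; sample archives are constructed inline; header CRCs are ignored.
"""
import io
import struct
import zipfile
from dataclasses import dataclass

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


@dataclass
class Entry:
    name: str
    size: int
    encrypted: bool


def sniff(data: bytes) -> str:
    """Content type from leading bytes only; the file name plays no part."""
    if data.startswith(RAR5_SIG):
        return "rar5"
    if data.startswith(RAR4_SIG):
        return "rar4"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
        return "pe" if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" else "mz"
    return "unknown"


def rar4_entries(data: bytes) -> list:
    """Walk RAR 4.x block headers and return file entries; nothing is decompressed."""
    if not data.startswith(RAR4_SIG):
        raise ValueError("not a RAR 4.x archive")
    pos, entries = len(RAR4_SIG), []
    while pos + 7 <= len(data):
        _crc, btype, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            raise ValueError("corrupt block header")
        add_size = 0
        if flags & 0x8000:                       # LONG_BLOCK: add_size bytes of payload follow the header
            if pos + 11 > len(data):
                break
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if btype == 0x74:                        # file header
            (_pack, unp_size, _os, _fcrc, _time, _ver, _method,
             name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            name_off = pos + 32 + (8 if flags & 0x100 else 0)   # 0x100: 64-bit sizes precede the name
            raw = data[name_off:name_off + name_size]
            if flags & 0x200:                    # 0x200: 8-bit name, NUL, Unicode form; keep the 8-bit part
                raw = raw.split(b"\x00", 1)[0]
            entries.append(Entry(raw.decode("cp437", "replace"), unp_size, bool(flags & 0x04)))
        if btype == 0x7B:                        # end-of-archive block
            break
        pos += head_size + add_size
    return entries


def zip_entries(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [Entry(zi.filename, zi.file_size, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Gateway verdict: what the bytes are, what an archive holds, and why it looks wrong."""
    kind = sniff(data)
    entries = {"rar4": rar4_entries, "zip": zip_entries}.get(kind, lambda _d: [])(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    findings = []
    if kind in ("rar4", "rar5", "zip") and ext not in ("rar", "zip"):
        findings.append(f"archive ({kind}) disguised as .{ext or '(none)'}")
    if kind in ("pe", "mz"):
        findings.append(f"Windows executable (named .{ext or '(none)'})")
    if kind == "rar5":
        findings.append("RAR5 container: members not enumerated by this walker")
    for e in entries:
        if e.name.lower().endswith(EXEC_EXT):
            findings.append(f"executable member {e.name}")
        if e.encrypted:
            findings.append(f"encrypted member {e.name} (cannot be scanned)")
    return {"kind": kind, "entries": entries, "findings": findings}


# --- constructed samples (not real malware): a minimal PE stub and one-member archives ---
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20


def build_rar4(name: bytes, payload: bytes, encrypted: bool = False) -> bytes:
    """Constructed RAR 4.x archive with one stored (method 0x30) member; CRC fields left zero."""
    archive_hdr = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6
    flags = 0x8000 | (0x04 if encrypted else 0)
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, flags, 32 + len(name), len(payload),
                           len(payload), 0, 0, 0, 20, 0x30, len(name), 0x20) + name
    return RAR4_SIG + archive_hdr + file_hdr + payload + struct.pack("<HBHH", 0, 0x7B, 0x4000, 7)


def build_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in [("report.txt", build_rar4(b"invoice.exe", FAKE_PE)),
                        ("photos.zip", build_zip("setup.scr", FAKE_PE)),
                        ("readme.doc", FAKE_PE)]:
        print(fname, inspect_attachment(fname, blob)["findings"])
```

The walker only reads headers, so an attachment renamed to .txt, .zi_ or nothing at all is still identified, and a RAR that hides an .exe is reported as such without unpacking it; an encrypted member is reported precisely because its content cannot be checked, which is the gap the password-protected zip worms exploited.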
When will we see a .TXT virus? (Score:5, Interesting)
Many companies block
So, once people get into the
And it's going to be fun seeing the whole IT infrastructure that relies on file extensions fall into a crumbling heap.
-ch
The commercial vendors should have done this (Score:2, Interesting)
Commercial antivirus vendors should have implemented this. It seems ludicrous to me that the vendors of these products skipped a popular compression mechanism just because nobody had bothered to release a virus that understood it first. Security companies should be preemptively building in support for things like this. It's not as if it was an unpredictable issue.
The free(speech) ClamAV has support for this already, and I would hazard other compression formats as well. It obviously doesn't take *massive* developer effort to add support for things like this. And it's obviously something that people have already thought about.
One of the reasons why we have such a problem with these things is that *even vendors of security products* don't seem to want to think proactively about issues that might arise. They wait for something to bite them in the ass before they fix it - leaving everyone vulnerable in the meantime.
Re:Is this really a big deal? (Score:2, Interesting)
Re:limited scope at best (Score:3, Interesting)
Clearly you've never experienced line noise. Me, personally, if I was downloading something back in the BBS days and I had a bit of line noise I'd rather be able to download another smaller RAR piece than have to redownload the whole thing. Z-Modem wouldn't have done squat in that situation (which was so common that *drumroll please* this is why people doing this began distributing things this way). As far as BitTorrent goes, sure, it's a lot better at catching errors and correcting them, but it's not flawless. You're still better off with RAR+SFV plus BitTorrent doing its MD5 checks than with just BitTorrent.
Yes, who cares if you got the app but no documentation to go with it. It's all Greek to you, obviously!
No, Torrent files and high speed internet don't trump that point. It's rare when a torrent will fully saturate your download. And since many BitTorrent downloaders allow you to tag individual files in a torrent, you can mark RAR's you're getting from the torrent then unmark RAR's you're getting from another source (so you can fully saturate your connection).
That site listed in a thoughtful manner all the reasons why you'd want to use RAR. If you choose to ignore it because you think you know better (hint: you don't or the scene wouldn't be using split RAR's), that's your prerogative. But at least a know-nothing like yourself isn't responsible for scene releases or scene rules.
Re:limited scope at best (Score:4, Interesting)
"Because the releases consists of small parts you don't have to worry about re-downloading the whole release if something goes wrong and a file gets corrupted." BS. In this day and age of high speed internet this is not relevant. Especially while using torrent files. It really wasn't ever relevant during the modem/bbs days. Z-modem had resume downloads and everyone used it. No need for rar then.
You have obviously never done binary transfers over usenet (which is still very common today). It's done almost exclusively using RAR because news servers DO drop posts which means that you WILL lose parts of the archive.
Re:Is this really a big deal? (Score:2, Interesting)
It's better than Mastersplitter because it includes internal verification, and zip didn't split.
I solved this problem back in July, 2004... (Score:3, Interesting)
In this manner the incoming file attachments can be safely scanned for viruses, deleted, quarantined, or renamed by removing the '.txt' at the end and put to use.
If you want to learn more and download my quality (but bland-looking) Windows freeware/shareware, visit now. [cf13.com]
P.S. since July 2004, I've only gotten a handful of 'no content' email spam at iamcf13@hotpop.com. This technique is used by spammers to validate working email addresses that do not bounce. That is the only spam I receive nowadays. All the rest is autodeleted by cf13-pop3.
However, I DO wish I could run my shareware mailserver cf13-smtp and avoid downloading the spam in the first place.
Re:Is this really a big deal? (Score:3, Interesting)
Now, I understand about the
In addition, I use LaTeX, and my projects typically comprise many files. But now I can't just zip up the files and send the zip to my colleague, I have to rename the file to zi_ and uuencode it to hide it from our clever e-mail scanner.
The real problem is that I can't go on a training course and get the restrictions lifted. Oh, and people who assume the only 'work related' files are