New Virus Attacks Via RAR Files

sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."

Is this really a big deal?

[FyRE666]

...most firewalls do not block the extension yet.

Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...

Re:Is this really a big deal?

[LoRdTAW]

Well it could definatly cause a problem with warez. Most warez is usually packed using RAR.

Re:Is this really a big deal?

[Jhon]

I doubt eweek's demographic is strong in the 'warez' crowd. And if your in charge of a corporate firewall and your users are downloading 'warez', you've got serious problems. .rar have been blocked at our proxy (both extension and mimetype) and email scanner for years. Along with rtf, password protected zip files, exe files, cpl files, etc. It's a long list.

I'm waiting for the email attachments without extension that include 'instructions' on how to 'save as' to add the extenion, then execute the code. The password protected zip file worms were close...

Re:Is this really a big deal?

[WindBourne]

I doubt eweek's demographic is strong in the 'warez' crowd.

Actually, I suspect that e-week is exactly the demographics. Many ppl in that group do not care about the legality of such an action and yet, must have enough knowledge to get to warez.

Re:Is this really a big deal?

[Lord Kano]

doubt eweek's demographic is strong in the 'warez' crowd. And if your in charge of a corporate firewall and your users are downloading 'warez', you've got serious problems.

Contrary to popular opinion, Corporate admins aren't the only people who worry about security.

LK

Re:Is this really a big deal?

[mabinogi]

and they don't so much care about it, as install some piece of shit filter, leave all the defaults on no matter how idiotic they are in the sense of the buisness they are "protecting", and feel happy in the knowledge that someone else is worrying about security for them (not bitter, honest)...

Re:Is this really a big deal?

[stupidfoo]

Unfortunately, a malicious person can still e-mail a macro virus by merely changing a .DOC file's extension to .RTF. (Microsoft should prevent Word from running macros in files with .RTF extensions, but it doesn't.)

http://www.infoworld.com/articles/op/xml/00/10/30/ 001030oplivingston.html [infoworld.com]

Re:Is this really a big deal? Use WordPad

[Nom du Keyboard]

still e-mail a macro virus by merely changing a .DOC file's extension to .RTF. (Microsoft should prevent Word from running macros in files with .RTF extensions, but it doesn't.)

The workaround is to open all received e-mail on Windows machines using the included WordPad program. It reads both .DOC and .RTF files, but can't run macros.

Re:Is this really a big deal? Use WordPad

[bob beta]

While that might seem an attractive option to some, helpdesk employees worldwide are screaming at the thought of the association for .doc and .rtf files suddenly switching to Wordpad.

"Why won't my Office work, and what is this silly 'wordpad' that started up?"

Re:Is this really a big deal?

[Jhon]

I'd bet dollars to donuts you are a user, not an admin.

Attack against users? What user needs to receive .SCR files via email? Seriously. How about .CPL files? How about .exe files? or .com files? Or .bat? or .vbs?

All the typical vectors of viruses/worms. Who in billing, or sales/marketing, or whatever NEEDS those files?

When you weigh the cost between the constant drain on IT resources broken OSs (from viruses, unapproved 3rd party apps, etc) would cost, you can't SERIOUSLY hold your position as someone in charge of security.

Our email server blocks up to 2000 (sometimes more) of the above extentions. Most are IDd viruses (netsky, bagle, etc). The RARE occation it blocks something not IDd is due to a NEW virus that hasn't made it to the virus-def file on the scanners.

I'm constantly amazed by the number of people..

And I'm constantly amazed by the number of ACs who pretend to know things and act indignant.

Re:Is this really a big deal?

[Anonymous Coward]

You lost your dollars. I'm an MCSE and a CCNA with several years experience as a network admin. Notice I was talking about blocking long lists of extensions. I block executables on my network, both exe and scripts. .EXE, .WSH, .CPL, .BAT, etc. Probably less than 20 extensions, total. I don't block things like .RTF or .XLS or .DOC or .MDB . Yes, it is possible to get various types of malware that way. But there's always a trade off between usability and security. If you want a really secure network, unplug the cable and shut everything down. No viruses or worms, guaranteed. Being able to pass around documents and useful files is part of the reason to have a network. When it gets to the point where your users are sending emails that say "Here's the new database I created. Save it to your desktop and rename it from database.bdm to database.mdb before you open it" then you're part of the problem, not the solution.

IT people all too often lose perspective. They see the network as an end to itself. The users are just pains in the neck who screw up my beautiful setup and can't be trusted to use my equipment properly. The whole point of having a network is to enable people to do their jobs more effectively and more efficiently, and part of doing the job includes exchanging various types of files. If you're going to stop the network from being useful, why not shut it down and save all the money you're spending on it?

Blocking executables and having solid, updated virus protection is part of good network security. So is temporarily blocking certain extensions if there's an alert for a new worm or virus that uses a specific type of file. Once your antivirus is updated to reflect the new beastie and the initial infection crisis is over, unblock the extension. Blanket blocking long lists of extensions is a DoS on yourself.

Re:Is this really a big deal?

[King_TJ]

Good to see an admin with some (surprisingly uncommon) common sense!

I don't work in corporate I.T. anymore (thankfully... pretty tired of the "cube farm" and useless meetings, etc.) -- but when I did, this type of thing was always a battle.

The quickest way to turn the entire company's perception of I.T. from positive to negative is to keep putting up barriers to their computer usage under the auspices of being "for their own good".

My take on it is; Your job as an I.T. worker is to provide customer servi

Re:Is this really a big deal?

[chthonicdaemon]

What user needs to receive .SCR files via email? Seriously. How about .CPL files? How about .exe files? or .com files? Or .bat? or .vbs?

Now, I understand about the .scr files, but how about software development or work-friendly scripting? What if I have written a program/script (as I am wont to do) that saves my coworker lots of time by automatically converting 10000 gif files to png or something like that. Now I have to walk to the other side of the building with a floppy or a thumbdrive. What a retr

concern for warez ... not really

[rkmath]

It is true that most warez files are compressed using RAR. But it is also true that the general warez kiddie is not the type who would click on any executable without some virus checking. (Yes - it seems a shame - but the run of the mill warez kiddie is not the clueless user who clicks on every attachment in their email).

Re:concern for warez ... not really

[LoRdTAW]

Warez has changed allot in the past years. Gone are the days where you had to know someone with an ftp site (similar to the old BBS days). Back then you had to know what you were doing and how to talk your way in. Enter edonky/kazaa and bittorrent where any joe can download anything they want. I know my brothers friends download using emule and they certainly dont know any more then your average joe.

Re:Is this really a big deal?

[zbeeble]

I suppose it depends what you download. But quite a lot of games and movies are compressed with rar. Also I know a few people who send rar files through their work address's because zip is blocked.

Re:Is this really a big deal?

[Trejkaz]

If zip (or any) files are blocked, I like sending files encrypted, or merely scrambled.

You would be surprised how few email filters detect an attachment which is simply sent as Base64 or UUEncoded text, in the body. As it's not an attachment, it frequently gets ignored.

Re:Is this really a big deal?

[Nebu]

You would be surprised how few email filters detect an attachment which is simply sent as Base64 or UUEncoded text, in the body. As it's not an attachment, it frequently gets ignored.

Why would we be surprised? People who write e-mail filters have to balance between security and convenience of the user.

I mean, imagine a super complex e-mail filter program that blocked every conceivable way of sending an attachment. If I sent a letter to my mom asking her how her stay was in the hospital, and got someth

Re:Is this really a big deal?

[amanpatelhotmail.com]

Also I know a few people who send rar files through their work address's because zip is blocked.

Gmail blocks sending attachments of "executable" files, which includes .pl .exe .bat .com etc..., It even checks inside of zip, tar/gz archives to see if a file with matching extension is found. If it is found, gmail will not allow you to send your email.

On the other hand if you compress your archive using RAR, gmail cannot check the contents and thus does not complain about executable files.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Is this really a big deal?

[hab136]

I've always wondered why a virus writter couldn't just wrap a virus in a self-extracting encryption algorithm? [...] How could scanning for a virus figure that as a virus (unless you block all executables)?

You've answered your own question - most corporations and free email providers block executables.

Re:Is this really a big deal?

[Rei]

... because you can detect the part that does the self-extracting, of course. :)

A more clever approach is to have another program do the extracting for you - for example, to distribute it as a password-protected zip file and make the password known to the user. That way, you don't need the identifiable extractor.

Re:Is this really a big deal?

[ThosLives]

Actually, this points at a more fundamental issue. What happens if you simply take the extension off the file and set the MIME type to something like "binary stream" and just send it "raw"? I often have to rename files to get them through company (*ahem* outlook) filters that block files.

Associating the name of a file with its content type is quite ludicrous; Apple used to do a better job of this with the file resources (the average user couldn't change file type - the name wasn't the type!) but with the transition to OS X (Unix) the metadata with files can be lost and is associated via file extension again.

This boils down to the fact that digital data is inherently untyped; there is no way to tell if something is *really* a word document, bitmap, executable, or a random collection of bits (you can use signatures in the data to help with this, but that's about it).

However, more on topic: I didn't know RAR files had "executable" content. If a file in a .RAR archive has a virus, that's no different than any other "hidden" trojan: shouldn't the virus scanner realise there is a problem as soon as the user tries to do something with the uncompressed/unencrypted file?

Re:Is this really a big deal?

[Alioth]

Actually, UNIX doesn't necessarily need the file extension - the kernel looks at the file's 'magic number' (as well as the executable bit) to decide if it should be executed and how to execute it.

Re:Is this really a big deal?

[HD Webdev]

Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...

.rar archives being infected is very old news as well as every other archive format.

.rar files have been infected since they have existed and posted to USENET. Rar files are much better than zip files in that people can download (let's say) a .rar that's been split into 15 parts. By using smartpar [sourceforge.net], even if a part of that .rar is corrupted, Smartpar does parity and other checks to reconstruct the missing part(s)

As you note, most people don't know about rar files. And even if they do, the anti-virus program will block the virus as soon as the rar set is put back together.

This is a complete non-issue. Not to mention, Winrar, which creates and reassembles .rar files prompts users to scan files for infections before extracting them.

Re:Is this really a big deal?

[arodland]

Rar files are much better than zip files in that people can download (let's say) a .rar that's been split into 15 parts.

ZIP has been able to do this since long before RAR has existed; it just wasn't very convenient. ARJ and loads of other archivers could do it conveniently, but ZIP became a de-facto standard on PR grounds, rather than technical ones. RAR is pretty much exactly the same as any number of formats that existed 15 years ago, but people are willing to adopt it because it's new and better, rathe

Slow news day!

[francisew]

Why exactly does putting viruses into .rar's count as a new virus attack technique?

This is the same thing that has been going of for a long time with viruses in compressed files.

What's next, complaining that there are viruses in tar files? Suggesting that propagation of viruses by usb-flash drives, DVD-RW's, SD camera memory and so on... are new vectors of propagation?

This seems like a really lousy way of trying to instill virus paranoia in people to sell more A/V software.

Then again, maybe my tinfoil hat is just a bit tight today. Does anyone think there is merit to this article?

Oh, the horrid memories

[Tablizer]

Goatse once came to me in a .REAR file. Close enough to avoid.

Re:Oh, the horrid memories

[tehshen]

I hope you didn't have any wide open ports for a virus to exploit.

Re:Oh, the horrid memories

[Doctor O]

Ah yes. Reminds me of the great goatse.exe I found on some troll resource server years ago that set the desktop and window background to Mr Goatse and changed the mouse pointer and screensaver accordingly, all in a way that required registry fiddling to EVER get rid of all that. Send that as "niceass.exe" to the jerk who won't stop sending you all his funny, funny PowerPoint "jokes". Hilarity ensues.

Of course, remotely putting that into the autostart folders of pesky coworkers is nice too. Praise Billy Boy

uh...

[koreaman]

don't accept rar files from people you don't know. And, if you do, don't run random executables inside them?

Re:uh...

[jacksonj04]

You're giving end users too much credit here. If it exists, they will click.

For those that don't know

[Anonymous Coward]

Rar files are most commonly used in the legal archiving of binary files and DVDs.

Re:For those that don't know

[greenegg77]

So, thats like 50% legal then?
Nah, it's 100% legal - you're simply a small part of someone's distributed offsite backup and archive model. :D

Can't scan rar??

[nuclear305]

"Most anti-virus software cannot scan a .RAR file"

What? Is it really a case where the software can't scan the archive or is it just that it's not included in the default types of files to scan?

Just tested this on AVG and it indeed scans rar archives.

It can't scan INSIDE the rar

[jptechnical]

All the common scanners can scan inside a zip archived file. However, most scanners cannot scan inside a rar archive. So you are getting it wrong. A virus scan OF the file will return nothing but a .rar file. The virus can be hidden IN the rar file, which is not scanned. Hopefully your AV has a good realtime file scan so it if it written to a temp file it will be scanned as soon as it is accessed.

Re:It can't scan INSIDE the rar

[nuclear305]

Apparently I should have been more clear--when testing with AVG it certainly can scan the contents of the archive; I watched as it scanned several exe files I placed inside the archive.

I can't say I've ever paid much attention to other products but I would have hoped Norton and the like would also have this capability.

Re:It can't scan INSIDE the rar

[jptechnical]

You shoulda been more clear. lol. Sorry for the 'you got it wrong'

Re:It can't scan INSIDE the rar

[orkysoft]

Are you sure AVG didn't actually use the WinRAR you have installed to extract the files, so it can scan them? I know that Ark (a KDE file archiving utility) uses Rarsoft's unrar to operate on RAR files.

Of course, I don't know whether you have WinRAR installed. Can AVG scan your RAR files if you don't have WinRAR installed?

Re:It can't scan INSIDE the rar

[Geoffreyerffoeg]

Can AVG scan your RAR files if you don't have WinRAR installed?

How the bleep do you expect a user to get infected from a file inside a RAR (which is the point of this discussion) if he doesn't have a RAR decompressor?

If he can decompress, so can AVG. If he can't, AVG only scans the outside of the RAR, which is the only part that can infect him. Where's the problem?

Re:It can't scan INSIDE the rar

[Lehk228]

H+BDEV's AntiVir scans inside RAR files just fine, and has done so since at least 4 years ago.

No problem!

[ChibiLZ]

I fail to see the problem here. TFA says that the .rar contains a file like foto.jpg.exe. This is nothing new, they're just using a better compression program to spread their malware.

Carry on with the downloading, there's nothing to see here...

Re:No problem!

[B3ryllium]

If anything, we should congratulate them. They've found a way to cut down on a few bytes of junk data flying around the net.

Cumulatively, it could be a big waste reduction. :)

Re:No problem!

[dan_sdot]

TFA says that the .rar contains a file like foto.jpg.exe.

I actually believe that if Windows didn't "Hide the file extension for known types", as is the default setting, viruses would be a much less serious issue. In other words, what they see for that file is "foto.jpg". They know what a jpg file is, and forget the Windows is actually hiding the true file extension. I think most people actually know that you shouldn't open an exe file from an unknown source, but hiding the file extension makes people forget.
Just another example of how very often trying to make computers "easier to use" actually makes things more of a pain in the butt when it comes down to it.

Big deal

[fudgefactor7]

This would have been more of a threat had it been in .CAB format. Not everyone uses .RAR files. Heck, in my company there are a grand total of 3 computers capable of even opneing a .RAR file...the one I'm posting from is one. On a side note: my wife got this virus emailed to her and she called me at work to ask what a rar file was... Needless to say, this virus will not be long-lived as it's just plain stupid.

Re:Big deal

[TheRealMindChild]

It may be stupid, but someone had to be stung by this, else there wouldn't be a story.

Re:Big deal

[pe1chl]

So what you could really do is:

- write a program that installs a trojan
- write documentation that says it handles .whatever files
- make sure Google has indexed it
- send .whatever files around

People will download and install your trojan all by themselves! Profit!

The Bright Side

[Dachannien]

Fortunately, your grandmother has no clue what a .rar file is or how to open one, leaving her safe from infection by this new method. In fact, it's fairly safe to say that the only people who will get owned by .rar file viruses are lamer hax0r wannabes desperate for more pr0n.

Re:The Bright Side

[AndroidCat]

I'd feel more comfortable if so many idiots hadn't managed to follow the directions to open encrypted zips and run the malware inside. :)

Slashdot Headline!

[im_thatoneguy]

"Warez is becoming infected with viruses!"

RAR is very popular

[bigtallmofo]

I find that more technically-abled people are familiar with and have installed WinRAR [rarlabs.com] or the unix-variant based RAR on their system.

Of course, such people are less likely to be taken in by a virus, so I'm forced to believe that this new spin on virus writing isn't going to be very effective.

Similarly, I suppose virus-writers could rename their .exe file to be .txt and leave instructions within the .txt file to rename the file to .exe and from there ask them to execute it but the people that would understand those instructions would not be likely to follow them.

Re:RAR is very popular

[rainman_bc]

Just to point out that some places use stuff like UltimateZIP or something that'll handle all compressed archives, including ace and rar. It isn't just winrar that opens rar files.

Re:RAR is very popular

[SunFan]

I thought technically abled people still used tar and bzip2? Putting the compression separate from the archiving makes sense--it still works great in piped UNIX commands and bzip2 is more aggressive than Zip is.

Re:RAR is very popular

[m50d]

RAR is better compression, and the compression ratio is all that matters. I had 1.2gb of binaries to fit on a CD, tar+bzip2 had it at around 780mb (gzip I interrupted at around 900mb). Arj was 706, but rar did it without breaking into a sweat: 636 mb, I had enough space for feather linux as well.

I've been opening .rar files for a while

[IInventedTheInternet]

And I've always extracted and scanned the contents before executing.

It just makes sense to me.

appealing to lustful young men

[w1r3sp33d]

Last week's virus was "disguised as a patch from Microsoft Corp" and apparently nobody wanted to click it (who's afraid of the BSOD?)

... but free pr0n, well who ain't gonna click that?

How's this new?

[Phanatic1a]

It's not that there's a virus piggybacked on the .rar, which you infect yourself with by unraring the .rar, it's that they're sending around .rared viruses, which you infect yourself wih if you unrar and then execute them.

Not seeing the problem, aside from the same old 'don't go happy-assing around executing any damn old executable that someone emails you.'

Trojan?

[rhizome]

And thusly, isn't it a trojan and not a piggybacked virus?

eWeek ...

[jest3r]

... in related news eWeek is able to sell more impressions and generate more revenue by getting coverage on Slashdot for pointless non-news articles such as new Virus hides in compressed files ...

In other news

[JamesP]

A new virus is spreading through password-protected .arj files.

Fortunatelly, no one got it, as no one remembers anymore what the heck an .ARJ file is, let alone find a password cracker for it.

Rumors said the password is "G04TSE.CXR0X".. go now then, have some fun...

Re:In other news

[m50d]

In case you were serious, http://www.password-crackers.com/crack.html#ARJ [password-crackers.com]

ClamAV wins again...

[Vellmont]

The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti spam/virus email service and it runs flawlessly).

Re:ClamAV wins again...

[j-turkey]

The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti spam/virus email service and it runs flawlessly).

ClamAV just wins period. Not having to pay per-seat licensing is awesome. Never needing to track or renew a subscription is worth every penny you'll spend on Clam AV (umm...$0.00).

I can't think of any reason to run anything else for an email server. Am I missing something really big that ClamAV just can't do?

Re:ClamAV wins again...

[swillden]

Am I missing something really big that ClamAV just can't do?

Get updates about a major new virus a week too late to do any good?

I was working for a client who had a vigorously-enforced anti-virus policy. Before anyone is allowed to connect to the network, the I/T security dept. has to verify that they have an anti-virus package installed, running and up-to-date. This policy created a bit of a problem when I showed up with my laptop running Debian Linux. I tried to argue that there are no Linux viruses in the wild and, further, that as a 100% Windows shop, even if my machine did have a virus, it wouldn't run on any of *theirs*. No luck. "NO AV, NO NETWORK," was the decision from on high.

Not expecting much, I ran "apt-cache search anti-virus" and was shocked to see that there were two different AV tools packaged by Debian, and that clamav even had the ability to scan local files on my system. I set it up to scan periodically, left "freshclam" set on the default update schedule (daily), showed the I/T security guy how it worked (and that it had found nothing), and he grudgingly allowed me on the network, convinced, I think, that my open source anti-virus tool *had* to be crap.

A couple of days later, I noticed that ClamAV had flagged a file in my mailbox as being infected. It was a document that the client's project manager had sent me -- from a machine running an up-to-date copy of Norton Anti-Virus Gold, Corporate Edition. I reported the incident and didn't think much of it. I figured the manager that sent it to me must not have had his AV software running (Lord knows if I ran Windows I'd be tempted to shut the CPU- and RAM-hogging thing down so I could get some work done).

Over the next two days, nearly all productive work in the I/T dept. ground to a halt, because by the time I got the infected document, almost the entire company was infected. I don't recall which virus it was (it didn't really interfere with anything I was doing), but I know they had a devil of a time getting it all cleaned up.

As it turned out, NONE of the three major commercial AV tools deployed at the company detected the new virus until about a week later.

I found out later that this experience is the rule, not the exception, with fast-moving new viruses. ClamAV is not only community-developed, but the databased is community-maintained as well, so whenever a sysadmin somewhere notices a new virus, it gets added to the database very quickly. The commercial AV vendors don't move as quickly, and consequently their tools often miss fast-spreading viruses long enough for them to become a problem.

ClamAV rocks.

Not by Default!

[lorcha]

> man clamd.conf

[...]
ScanRAR
Enable scanning of RAR archives. Due to license issues libclamav does not support RAR 3.0 archives (only the old 2.0 format is sup-ported). Because some users report stability problems with unrarlib it's disabled by default and must be enabled in the config file.
Default: disabled
[...]

Whats the point?

[bizitch]

Blocking extensions is pretty pointless ... how hard is it to rename before/after going thru a wall?

How about a .virus file type?

[jptechnical]

It seems to me this would be the simplest. Just require the virus makers to use the .virus extension and that will give the AV makers more time to perfect RAR scanning.

Is anyone with me?

RAR bombs

[Schreckgestalt]

This is great. They have still not all figured out how to avoid bzip2 bombs [netsys.com], how are they supposed to be able to scan RAR files? I mean, heck, they can't adopt a new compression file every 2 weeks! Oh wait...

RAR is very popular in China

[winkydink]

at least it is with my 2 subsidiaries there. Winzip does not do a Chinese version. RAR does.

So..

[mysidia]

If your firewall blocks ZIP files and RAR files, then how are you supposed to exchange groups of files with your friends efficiently?

Isn't the WHOLE POINT of having archive file software on your computer defeated by blocking content with these extensions?

Not a big deal

[Artifakt]

As the article explains it (you do read the articles ,don't you?). The .RAR has to be unpacked, to reveal a file with dual extensions - like "Pron.jpg.exe".
The user still has to be dumb enough to click on that .exe without running a virus scanner on it first. No one has made a .rar that somehow executes on its own.
The article expresses a fear that there are people out there in cluelessland that will think "Gee, I know I should scan .exe's that came packed in .zip's, but this came packed in another compression. Duuh! it must be safe!".
There may be three people on the whole planet who are actually at that particular mix of clueless and clueful states. The rest either still don't know the first thing about what a .rar or an .exe is, or they won't be fooled.
If a journalist tried to make us all afraid of the risk of terrorists that try to sneak through customs by disguising themselves as Mexican Banditos, complete with bandoleers of bullets, some people would probably buy that too.

REALLY old news

[JohnVH]

Umm, this is REALLY old news. This particular method of trying to sneak past virus scanners has been around since at least March 2004 (search Google for W32.Beagle@mm!rar).

The solution is worse than the problem

[emarkp]

...when you block filetypes.

Educate the users not to be morons. At our site, we've had trouble working with a university because our ISP removes .exe files from attachments and their server removes .zip files. Pretty hard to exchange executables in that kind of environment.

Now we use an ftp server. All because idiots click on attachments without thinking.

Re:The solution is worse than the problem

[pe1chl]

I hope that served to teach you that e-mail is not a sensible mechanism to exchange executables.

Another strike against Linux

[WhiteWolf666]

Gosh.
All my household systems come with software to decrypt rars, bzip2s, gzips, tars, etc. . .

All this extra functionality results in vulnerabilities, eh?

Oh. Wait. Even when I get the file open, the trojan won't excute. Guess I better fire up Wine, see if I can get it to work.

If only Win32 was better supported in Linux, then I wouldn't have these cross-platform issues.

Ohh, it's just about user stupidity as usual

[Jugalator]

It's about people clicking on RAR archives said to contain Anna Kournikova pictures, and other women with hot grits? Well what's new there?

It's not a problem with RAR in specific... If they block RAR files, I'm sure they could instead just be guided to a web page and told to install an ActiveX control instead. :-P (of course a digitally signed one so they get a false sense of security)

If you could only patch the real serious security holes here -- the ones in the users' brains...

*sigh*

[Nephroth]

This bothers me, it always bothers me when something that is not a vulnerability gets pegged as one. .RAR is not a vulnerability, and it's not a means for spreading viruses any more than any other format is. The vulnerability lies in short-sighted software development that failed to take into account that perhaps .RAR files might be used in addition to .ZIP. It's similar to the claims that international support in mozilla was a vulnerability. It isn't. the USER is the vulnerabitlity, educate the user and the vast majority of these problems will go away.

Why didn't we have problems like this in the past? Why did virus writers have to be so much more clever? It was because the only people using computers had at least something of an idea of what they were doing. Viruses are, for the most part, easily avoided. It's only when users are clueless and trusting that they are allowed to flourish.

Re:*sigh*

[Alan Hicks]

It's similar to the claims that international support in mozilla was a vulnerability. It isn't. the USER is the vulnerabitlity, educate the user and the vast majority of these problems will go away.

While I agree with you to some extent, you picked a really poor example there. The international characters in the URL toolbar are really very deceptive. Allow me to offer you two picture links.

Letter "a" [fileformat.info]
Letter "a" [fileformat.info]

Now you tell me which one is the cyrillic character, and which is the roman charact

Not sure how this is a new threat

[RaguMS]

Correct me if I'm wrong, but I do not understand how this poses a new threat to any system that is protected by a working antivirus.
Scenario 1: System cannot unpack .rar files. System is safe from virus.
Scenario 2: System can unpack .rar files. User manually executes virus contained in .rar file. File is first decompressed to the Temp directory, where antivirus catches it.

I just tested eTrust Antivirus, and it does catch the EICAR test file if I try to open it from a RAR, so I don't see what the problem is.

When will we see a .TXT virus?

[Chief Typist]

It's only a matter of time before we see a .TXT virus. Sounds implausible, but virus writers are very good at adapting to people's work habits.

Many companies block .ZIP at the perimeter (at a firewall or mail server.) People still have work to do -- so they workaround this block by renaming .ZIP files as .TXT files. We have several clients who *REQUIRE* us to send them files us like this.

So, once people get into the .TXT -> .ZIP -> unarchive habit, they'll be happy to do the same with a virus.

And it's going to be fun seeing the whole IT infrastructure that relies on file extensions fall into a crumbling heap.

-ch

Again I think we missed the point

[tod_miller]

Why even **consider** having to block rar files?

THEY ARE USEFUL ESPECIALLY OVER A NETWORK, you know, they reduce file sizes.

Instead: educate, and write decent sandboxing / active protection software that will scan on decompress.

OK, don't bothc the job, do it right.

blocking rar files... great then all warez sites will rename to .r4r or something. get real. what are we, a bunch of 3rd grade marketting types?

I solved this problem back in July, 2004...

[iamcf13]

My approach [cf13.com] simply tacks on '.txt' on the end of ALL email file attachments filenames. As a result, system compromise is IMPOSSIBLE this way provided Windows still associates .txt files with Notepad/Wordpad and those programs haven't been compromised.

In this manner the incoming file attachments can be safely scanned for viruses, deleted, quarantined, or renamed by removing the '.txt' at the end and put to use.

If you want to learn more and download my quality (but bland-looking) Windows freeware/shareware, visit now. [cf13.com]

P.S. since July 2004, I've only gotten a handful of 'no content' email spam at iamcf13@hotpop.com. This technique is used by spammers to validate working email addresses that do not bounce. That is the only spam I recieve nowadays. All the rest is autodeleted by cf13-pop3.

However, I DO wish I could run my shareware mailserver cf13-smtp and avoid downloading the spam in the first place.

Re:limited scope at best

[Beuno]

Ive been using rar extensions for years, never had a problem or complaint. Winrar is just as easy or easier to use then Winzip.....

Re:limited scope at best

[Temsi]

Personally I prefer WinRAR to any compression program currently available.
Unfortunately, WinZip sucks beyond words.
XP's Native handling of Zip files is annoying at best, and is usually one of the first things I disable whenever I install XP.

I guess I just don't understand what the "nightmare" part is about WinRAR.

How easy does it have to be, really? Select files, right click, select "add to archive" or "add to filename.rar" and let it run. You're done.
Extracting is even easier. Right click, select "Extract files" to get a path choice, "Extract Here" to uhm, extract in the current folder or "Extract to filename" which creates a folder with the same name as the file.

Not to mention the bonus features you get if you bother to open the program, such as file recovery and repair, authentication checking, and the ability to extract from a partial set and even extract broken files if you really, really need them.

However, this should not be an issue at all, since most people don't have any support for RAR files and therefore can't open them to run the executable inside it (which is monumentally stupid anyway and whoever does, deserves whatever crap they get installed as a result of that action).

As for the "yet" part of blocking...
When are we going to put the responsibility in the hands of the user and stop dumbing down the internet? There are those of us who actually know what we're doing, don't open unknown attachments, never get viruses or trojans and always get pissed off when email servers filter out valid files.
I can't even send a bloody Word document because of the "risk of macros".

Gimme a freakin' break already.

Listen up people, if you're too dumb to use email without infecting your computer with the latest malware, maybe you should reconsider email as your communications method of choice.

Re:limited scope at best

[RicoX9]

As for the "yet" part of blocking... When are we going to put the responsibility in the hands of the user and stop dumbing down the internet?

When the stupid end users stop downloading everything they can to infect thier PC's with spy/mal-ware. You are the EXCEPTION. "End User" is equivalent to a 4-letter word in our department. Every inch you give them is a mile they make you walk to fix their problems.

Sounds like you've never worked any kind of support job. People do stupid things that you tell them

Re:limited scope at best

[DarkEdgeX]

I can't stand rar files. Its like saying "lets use this archive format that is different just because we want to be different."

LOL, yes, this is exactly why I use RAR, honestly! Jesus you're dumb.

Zip has been a standard for a long long time now, so what is the point in archiving in something completely different that then makes people go out and download and install yet another piece of software to have loaded in memory to do the same thing zip does.

You know, the horse and carriage has been a standa

Re:limited scope at best

[DarkEdgeX]

BS. In this day and age of high speed internet this is not relevent. Especially while using torrent files. It really wasn't ever relevent during the modem/bbs days. Z-modem had resume downloads and everyone used it. No need for rar then.

Clearly you've never experienced line noise. Me, personally, if I was downloading something back in the BBS days and I had a bit of line noise I'd rather be able to download another smaller RAR piece than have to redownload the whole thing. Z-Modem wouldn't have done squa

Re:limited scope at best

[1000StonedMonkeys]

"Because the releases consists of small parts you don't have to worry about re-downloading the whole release if something goes wrong and a file gets corrupted." BS. In this day and age of high speed internet this is not relevent. Especially while using torrent files. It really wasn't ever relevent during the modem/bbs days. Z-modem had resume downloads and everyone used it. No need for rar then.

You have obviously never done binary transfers over usenet (which is still very common today). It's done almost exclusively using RAR because news servers DO drop posts which means that you WILL lose parts of the archive.

Re:Good news!

[TheRealMindChild]

Maybe you live in the stone age, but I know we use RAR here almost exclusively.

The reason Zip became so popular was its speed/efficiency comprimise back in the days where it mattered. Using zip, nowadays, is simply due to habit and culture. There isn't an advantage for MOST like there used to be.

RAR compression is better and has a very nice archive spanning feature. Believe me... this is ever so handy when backing up 40GB of data to a file system/Software that can't address files larger then 2GB. Couple that with the free Stuffit Expander, and I can't come up with a reason you WOULDN't use RAR.

Re:Good news!

[Anonymous Coward]

Last time I looked at WinRAR it had no support for NTFS Permissions, unlike WinZip. Which makes it pretty useless for backups outside of the proverbial mom's basement.

Re:Good news!

[fireboy1919]

You give compeling arguments why both zip and rar are used: they became popular when the speed/efficiency compromise mattered. Using either now is simply due to habit and culture.

There isn't an advantage for most users.

bzip2, 7z, and many more compression formats are better, and you can find archive spanning programs for every single compression technique because that's such a trivial algorithm to implement.

I can't come up with a reason why you'd use rar OR zip.

Well, er, good news!

[hey!]

1) If you think 7z is a trivial algorithm to implement, you REALLY haven't looked at it. Also there isn't (last time I checked) any mac implementation

OK, the pzip people (p7zip project [sourceforge.net]) have ported it to the posix command line. But you'll have to compile it yourself and write your own GUI. But you can at least work with 7zip archives now.

Re:Good news!

[DrXym]

Bzip2 + tar gets as good compression as RAR and has the added benefit of being almost ubiquitous, as well as having decent open source tools for compression and extraction on virtually every platform. Multi-volume is simply a matter of calling split before storing it.

Re:Good news!

[DarkEdgeX]

ZIP files are inherently insecure (if you rely on the password protection anyways). RAR files are much more secure. Just try using one of those brute-force password cracking apps [elcomsoft.com] on a RAR file-- it takes significantly longer to brute force a RAR than a ZIP.

Re:Good news!

[wtrmute]

Which is a pity, since .rar files are so much more compressible than .zip files. The difference is roughly the same between .gz and .bz2... What would be really easy is for anti-virus writers to include a RAR decompression library [unrarlib.org] and look inside the damned files, rather than reject useful technology for no good reason

Re:Good news!

[Repton]

Of course, RAR is not the best [compression.ca] either...

Re:Good news!

[Stoutlimb]

That's funny because I know several. All they had to do was see the same files compressed with ZIP, and again with RAR. Once they saw WinRAR did everything WinZIP could do, and then some, and was easier to boot, they switched.

Face it, people are slowly moving to a better and more efficient format. All we have is some virus protection companies who are on the slow end of adapting to new technologies. And it's not all that new, RAR has been around for at least 5 years.

Do you really want to trust an ant

Re:Good news!

[Minute Work]

I haven't seen a (legitimate American) business that uses RAR files for any reason. Any company that prohibits users from installing extra software would thus prohibit their users from installing a RAR decompressor. It would also be very easy to delete all incoming RAR files or reject the message with something like "Please send a ZIP file" instead. Until people start sending ZIP files (which are rejected after being virus-scanned) this is largely a non-threat.

Nice elitest answer there. YOU can't thin

Re:Well, duh.

[bcmm]

Both self-extracting RAR and self extracting zip files are *.EXE binaries. They just contain ta decompresser and some data to decompress.

Did you think that Windows automatically knows to try and execute .RAR files or something?

Re:first post

[Anonymous Coward]

someone shouted HQX at me once and I didn't sleep for a week.