New Virus Attacks Via RAR Files

timothy posted more than 9 years ago | from the not-in-debian-yet dept.

Security 585

sscottsci writes "A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers. Most anti-virus software cannot scan a .RAR file, and most firewalls do not block the extension yet."


585 comments


Is this really a big deal? (4, Interesting)

FyRE666 (263011) | more than 9 years ago | (#11738319)

...most firewalls do not block the extension yet.

Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...

Re:Is this really a big deal? (5, Informative)

LoRdTAW (99712) | more than 9 years ago | (#11738355)

Well it could definitely cause a problem with warez. Most warez is usually packed using RAR.

Re:Is this really a big deal? (4, Interesting)

Jhon (241832) | more than 9 years ago | (#11738523)

I doubt eweek's demographic is strong in the 'warez' crowd. And if you're in charge of a corporate firewall and your users are downloading 'warez', you've got serious problems. .rar have been blocked at our proxy (both extension and mimetype) and email scanner for years. Along with rtf, password protected zip files, exe files, cpl files, etc. It's a long list.

I'm waiting for the email attachments without extension that include 'instructions' on how to 'save as' to add the extension, then execute the code. The password protected zip file worms were close...

concern for warez ... not really (5, Insightful)

rkmath (26375) | more than 9 years ago | (#11738542)

It is true that most warez files are compressed using RAR. But it is also true that the general warez kiddie is not the type who would click on any executable without some virus checking. (Yes - it seems a shame - but the run of the mill warez kiddie is not the clueless user who clicks on every attachment in their email).

Re:Is this really a big deal? (-1, Flamebait)

Homology (639438) | more than 9 years ago | (#11738401)

Well, I know of a few that do now... Seriously, is this that much of a threat? Winzip (AFAIK) doesn't handle Rar archives, and most users wouldn't know how to open one if they did find one in their inbox...

Well, I do scan even .RAR files... Seriously, I use OpenBSD as a desktop so is this much of a threat? I mean, this "virus" thingy seems way overblown, at least for me.

Re:Is this really a big deal? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11738492)

Seriously, I use OpenBSD as a desktop so is this much of a threat? I mean, this "virus" thingy seems way overblown, at least for me.

Nobody gives a damn what OS you run. The majority of computer users do have problems with these viruses. When it happens to them, go ahead and keep your smugness to yourself.

Re:Is this really a big deal? (1)

Homology (639438) | more than 9 years ago | (#11738590)

Nobody gives a damn what OS you run. The majority of computer users do have problems with these viruses. When it happens to them, go ahead and keep your smugness to yourself.

Oh dear AC, go read my post again and compare it to the original post. Just because you post as AC is not a license to not use your brain. Erh, ignore previous sentence.

Re:Is this really a big deal? (0)

Anonymous Coward | more than 9 years ago | (#11738578)

gotta say, my nearly-default install of OpenBSD crashes WAY more often than my XP box... it may be a hardware issue, but I doubt it. I'm thinking a driver sucks. I just hit restart every other day since it's just a gateway box... point is, get off your high horse.

Re:Is this really a big deal? (1)

tehshen (794722) | more than 9 years ago | (#11738439)

That is true, but some of these 'lustful young men' could get quite excited about the prospect of free pr0n (in a rar file or not), search for a .rar decompressor, decompress, get virused. It is not as big a threat as with .zip or whatever, but it is a threat nonetheless.

Re:Is this really a big deal? (1)

bobbagum (556152) | more than 9 years ago | (#11738461)

Some users who are just smart enough to get warez or torrents would probably be just dumb enough to be susceptible to this exploit.

Re:Is this really a big deal? (4, Insightful)

zbeeble (808759) | more than 9 years ago | (#11738472)

I suppose it depends what you download. But quite a lot of games and movies are compressed with rar. Also I know a few people who send rar files through their work addresses because zip is blocked.

Re:Is this really a big deal? (4, Insightful)

liquidpele (663430) | more than 9 years ago | (#11738544)

I've always wondered why a virus writer couldn't just wrap a virus in a self-extracting encryption algorithm? The virus could even use different algorithms or different salts or something each time it spread (gotten from the host) so that each time it would look different to a scanner. How could scanning for a virus figure that as a virus (unless you block all executables)?

Re:Is this really a big deal? (0)

Anonymous Coward | more than 9 years ago | (#11738614)

a firewall can block an extension to a filename?

first post (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11738320)

RAR!!!!! scary huh?

Re:first post (2, Funny)

Anonymous Coward | more than 9 years ago | (#11738497)

someone shouted HQX at me once and I didn't sleep for a week.

So what? (0)

Anonymous Coward | more than 9 years ago | (#11738322)

So what?

When the virus is installed, then the virus scanner can find it and kill it.

Re:So what? (1)

LNN (304087) | more than 9 years ago | (#11738433)

When the virus is installed, it has probably also deactivated your virus scanner.

Re:So what? (0)

Anonymous Coward | more than 9 years ago | (#11738543)

Uh. Norton/Symantec have real-time protection. Every process that starts gets scanned first. Wouldn't that prevent infection?

One word: (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11738327)

Raaaawr!

Rar (-1, Troll)

stone2020 (123807) | more than 9 years ago | (#11738329)

Rar Rar Rar Rar!

Good news! (0)

generic-man (33649) | more than 9 years ago | (#11738332)

I haven't seen a (legitimate American) business that uses RAR files for any reason. Any company that prohibits users from installing extra software would thus prohibit their users from installing a RAR decompressor. It would also be very easy to delete all incoming RAR files or reject the message with something like "Please send a ZIP file" instead.

Until people start sending ZIP files (which are rejected after being virus-scanned) this is largely a non-threat.

Re:Good news! (5, Interesting)

TheRealMindChild (743925) | more than 9 years ago | (#11738416)

Maybe you live in the stone age, but I know we use RAR here almost exclusively.

The reason Zip became so popular was its speed/efficiency compromise back in the days where it mattered. Using zip, nowadays, is simply due to habit and culture. There isn't an advantage for MOST like there used to be.

RAR compression is better and has a very nice archive spanning feature. Believe me... this is ever so handy when backing up 40GB of data to a file system/Software that can't address files larger than 2GB. Couple that with the free Stuffit Expander, and I can't come up with a reason you WOULDN'T use RAR.

Re:Good news! (2, Informative)

Anonymous Coward | more than 9 years ago | (#11738546)

Last time I looked at WinRAR it had no support for NTFS Permissions, unlike WinZip. Which makes it pretty useless for backups outside of the proverbial mom's basement.

Re:Good news! (1)

Jhon (241832) | more than 9 years ago | (#11738586)

Just how often do you email 40GB files?

You're right that it's basically 'habit' that zip is used, but there has been absolutely no reason to expect/need our users to download, send or receive RAR files. Because, as you said, that "habit".

When our clients start wanting to send us stuff in RAR, we'll deal with it. Until then, there is no reason and I suspect that this is true for most (not all) corporations...

Re:Good news! (1, Informative)

DarkEdgeX (212110) | more than 9 years ago | (#11738428)

ZIP files are inherently insecure (if you rely on the password protection anyways). RAR files are much more secure. Just try using one of those brute-force password cracking apps [elcomsoft.com] on a RAR file-- it takes significantly longer to brute force a RAR than a ZIP.

Re:Good news! (5, Informative)

wtrmute (721783) | more than 9 years ago | (#11738434)

Which is a pity, since .rar files are so much more compressible than .zip files. The difference is roughly the same between .gz and .bz2... What would be really easy is for anti-virus writers to include a RAR decompression library [unrarlib.org] and look inside the damned files, rather than reject useful technology for no good reason

Re:Good news! (2, Informative)

Anonymous Coward | more than 9 years ago | (#11738564)

What would be really easy is for anti-virus writers to include a RAR decompression library and look inside the damned files, rather than reject useful technology for no good reason

The FAQ claims that it doesn't open files produced by anything newer than WinRAR 2.9. Newer formats seem to be undocumented.

Re:Good news! (2, Insightful)

Stoutlimb (143245) | more than 9 years ago | (#11738515)

That's funny because I know several. All they had to do was see the same files compressed with ZIP, and again with RAR. Once they saw WinRAR did everything WinZIP could do, and then some, and was easier to boot, they switched.

Face it, people are slowly moving to a better and more efficient format. All we have is some virus protection companies who are on the slow end of adapting to new technologies. And it's not all that new, RAR has been around for at least 5 years.

Do you really want to trust an anti-virus company that can't deal with semi-popular 5 year old compression protocols?

Re:Good news! (2, Insightful)

Minute Work (749085) | more than 9 years ago | (#11738551)

I haven't seen a (legitimate American) business that uses RAR files for any reason. Any company that prohibits users from installing extra software would thus prohibit their users from installing a RAR decompressor. It would also be very easy to delete all incoming RAR files or reject the message with something like "Please send a ZIP file" instead. Until people start sending ZIP files (which are rejected after being virus-scanned) this is largely a non-threat.


Nice elitist answer there. YOU can't think of a good purpose to use .rar files so therefore we shouldn't bother. I've been using WinRAR from http://www.rarsoft.com/ [rarsoft.com] for years because it has been able to handle .ZIP, .RAR, and most importantly, .tar.gz files for those of us working in a dual windows/unix(linux) environment. Most of the Zip utilities that have been provided by the companies that I work for have provided a client only capable of accessing zip formats.

Also, I prefer the .RAR format BECAUSE other programs have a harder time peeking around in them. Most of the things I put in a .RAR file I want to be kept confidential and I password the file. Granted this isn't top-notch security but it's sufficient to deter most snoopers. (I don't trust network admins.)

Remember! (-1, Troll)

inertia@yahoo.com (156602) | more than 9 years ago | (#11738339)

Don't be gay, Sparky! RAR!

Re:Remember! (0)

Anonymous Coward | more than 9 years ago | (#11738396)

Hey, it's OK to be gay!

Re:Remember! (0)

Anonymous Coward | more than 9 years ago | (#11738432)

But is it ok to be Sparky?

Oh, the horrid memories (5, Funny)

Tablizer (95088) | more than 9 years ago | (#11738340)

Goatse once came to me in a .REAR file. Close enough to avoid.

Re:Oh, the horrid memories (0)

Anonymous Coward | more than 9 years ago | (#11738447)

I bet that file was full of crap.

Re:Oh, the horrid memories (5, Funny)

tehshen (794722) | more than 9 years ago | (#11738526)

I hope you didn't have any wide open ports for a virus to exploit.

uh... (5, Funny)

koreaman (835838) | more than 9 years ago | (#11738343)

don't accept rar files from people you don't know. And, if you do, don't run random executables inside them?

Re:uh... (1)

ChuckSchwab (813568) | more than 9 years ago | (#11738435)

Yeah, that would make sense. Then again, so would not opening a random attachment from "I love you!". So would not opening any unsolicited executable. That's exactly why they're successful: it "only" works on morons.

For those that don't know (5, Funny)

Anonymous Coward | more than 9 years ago | (#11738346)

Rar files are most commonly used in the legal archiving of binary files and DVDs.

Re:For those that don't know (0)

Anonymous Coward | more than 9 years ago | (#11738360)

It is used particularly when legally distributing the backups to friends around the globe to keep your copies safe should there be a natural disaster that destroys all of your data.

Re:For those that don't know (1)

Further82 (720625) | more than 9 years ago | (#11738431)

Wow! When you put it like that it does not sound so bad anymore. I mean like, those hax0rs with c00l names are legally archiving their warez and DVDs. Then somehow through unknown means, that legal archive ends up in Azureus and then on my hard disk. So, that's like 50% legal then? Sounds good to me.

Re:For those that don't know (5, Funny)

greenegg77 (718749) | more than 9 years ago | (#11738536)

So, that's like 50% legal then?
Nah, it's 100% legal - you're simply a small part of someone's distributed offsite backup and archive model. :D

Crap... (0)

Anonymous Coward | more than 9 years ago | (#11738347)

I've always counted my torrents safe... just don't execute weird .exes... guess I better go download a new virus scanner :-(

Free Sony PSPs. [freepsps.com] It's real. It's here.

Can't scan rar?? (4, Insightful)

nuclear305 (674185) | more than 9 years ago | (#11738353)

"Most anti-virus software cannot scan a .RAR file"

What? Is it really a case where the software can't scan the archive or is it just that it's not included in the default types of files to scan?

Just tested this on AVG and it indeed scans rar archives.

It can't scan INSIDE the rar (2, Informative)

jptechnical (644454) | more than 9 years ago | (#11738402)

All the common scanners can scan inside a zip archived file. However, most scanners cannot scan inside a rar archive. So you are getting it wrong. A virus scan OF the file will return nothing but a .rar file. The virus can be hidden IN the rar file, which is not scanned. Hopefully your AV has a good realtime file scan so if it is written to a temp file it will be scanned as soon as it is accessed.

Re:It can't scan INSIDE the rar (4, Interesting)

nuclear305 (674185) | more than 9 years ago | (#11738479)

Apparently I should have been more clear--when testing with AVG it certainly can scan the contents of the archive; I watched as it scanned several exe files I placed inside the archive.

I can't say I've ever paid much attention to other products but I would have hoped Norton and the like would also have this capability.

Re:It can't scan INSIDE the rar (1)

jptechnical (644454) | more than 9 years ago | (#11738552)

You shoulda been more clear. lol. Sorry for the 'you got it wrong'

Re:It can't scan INSIDE the rar (5, Interesting)

orkysoft (93727) | more than 9 years ago | (#11738597)

Are you sure AVG didn't actually use the WinRAR you have installed to extract the files, so it can scan them? I know that Ark (a KDE file archiving utility) uses Rarsoft's unrar to operate on RAR files.

Of course, I don't know whether you have WinRAR installed. Can AVG scan your RAR files if you don't have WinRAR installed?

Re:It can't scan INSIDE the rar (0)

Anonymous Coward | more than 9 years ago | (#11738510)

F-prot is one that can scan inside a .rar archive.
Tested with WinXP SP2, F-Prot version 3.16a.
FWIW.

Re:Can't scan rar?? (1)

Limecron (206141) | more than 9 years ago | (#11738407)

I would assume they meant that it doesn't actually decompress the contents and scan the files it contains.

Re:Can't scan rar?? (1)

gitreel (628922) | more than 9 years ago | (#11738595)

Mcafee scans rar files as well. Imagine that I wonder what antivirus programs the author used.

limited scope at best (0, Troll)

CdBee (742846) | more than 9 years ago | (#11738356)

Windows XP or earlier can't open RAR files natively as far as I'm aware, and since the software needed to do so is a nightmare from 90s compression hell - I'm not sure why this is a major concern

The problems scanning them will be fixed within days, probably

Re:limited scope at best (2, Informative)

Beuno (740018) | more than 9 years ago | (#11738398)

I've been using rar extensions for years, never had a problem or complaint. Winrar is just as easy or easier to use than Winzip.....

Re:limited scope at best (1)

Taladar (717494) | more than 9 years ago | (#11738571)

Windows XP or earlier can't open RAR files natively as far as I'm aware
It can't open ANY archive format natively unless you count the broken implementation of zip that causes the Explorer to use 99% CPU time for a LONG time when confronted with a broken zip file (read: when opening a folder containing such a file).

Re:limited scope at best (4, Insightful)

Temsi (452609) | more than 9 years ago | (#11738581)

Personally I prefer WinRAR to any compression program currently available.
Unfortunately, WinZip sucks beyond words.
XP's Native handling of Zip files is annoying at best, and is usually one of the first things I disable whenever I install XP.

I guess I just don't understand what the "nightmare" part is about WinRAR.

How easy does it have to be, really? Select files, right click, select "add to archive" or "add to filename.rar" and let it run. You're done.
Extracting is even easier. Right click, select "Extract files" to get a path choice, "Extract Here" to uhm, extract in the current folder or "Extract to filename" which creates a folder with the same name as the file.

Not to mention the bonus features you get if you bother to open the program, such as file recovery and repair, authentication checking, and the ability to extract from a partial set and even extract broken files if you really, really need them.

However, this should not be an issue at all, since most people don't have any support for RAR files and therefore can't open them to run the executable inside it (which is monumentally stupid anyway and whoever does, deserves whatever crap they get installed as a result of that action).

As for the "yet" part of blocking...
When are we going to put the responsibility in the hands of the user and stop dumbing down the internet? There are those of us who actually know what we're doing, don't open unknown attachments, never get viruses or trojans and always get pissed off when email servers filter out valid files.
I can't even send a bloody Word document because of the "risk of macros".

Gimme a freakin' break already.

Listen up people, if you're too dumb to use email without infecting your computer with the latest malware, maybe you should reconsider email as your communications method of choice.

No problem! (4, Insightful)

ChibiLZ (697816) | more than 9 years ago | (#11738362)

I fail to see the problem here. TFA says that the .rar contains a file like foto.jpg.exe. This is nothing new, they're just using a better compression program to spread their malware.

Carry on with the downloading, there's nothing to see here...

Big deal (3, Interesting)

fudgefactor7 (581449) | more than 9 years ago | (#11738365)

This would have been more of a threat had it been in .CAB format. Not everyone uses .RAR files. Heck, in my company there are a grand total of 3 computers capable of even opening a .RAR file...the one I'm posting from is one. On a side note: my wife got this virus emailed to her and she called me at work to ask what a rar file was... Needless to say, this virus will not be long-lived as it's just plain stupid.

Re:Big deal (1)

TheRealMindChild (743925) | more than 9 years ago | (#11738464)

It may be stupid, but someone had to be stung by this, else there wouldn't be a story.

Re:Big deal (1)

Babbster (107076) | more than 9 years ago | (#11738589)

These are the type of people who will receive a .rar file, find that they can't open it, Google to find a program that can open it, download one of those programs, install the downloaded program, decompress the .rar file, then run whatever .exe file they find in it. Some people LOVE being infected by viruses and they will go to any lengths to get it done.

Winzip (0)

Anonymous Coward | more than 9 years ago | (#11738368)

Oops....MS used Winzip technology in XP...and I think winzip has become less popular, and rar is increasing slowly (fcking closed...no open version) because winrar can handle *tgz + many other formats

The Bright Side (4, Insightful)

Dachannien (617929) | more than 9 years ago | (#11738370)

Fortunately, your grandmother has no clue what a .rar file is or how to open one, leaving her safe from infection by this new method. In fact, it's fairly safe to say that the only people who will get owned by .rar file viruses are lamer hax0r wannabes desperate for more pr0n.

Re:The Bright Side (2, Insightful)

AndroidCat (229562) | more than 9 years ago | (#11738516)

I'd feel more comfortable if so many idiots hadn't managed to follow the directions to open encrypted zips and run the malware inside. :)

Slashdot Headline! (5, Funny)

im_thatoneguy (819432) | more than 9 years ago | (#11738374)

"Warez is becoming infected with viruses!"

And in other news... (1)

XFilesFMDS1013 (830724) | more than 9 years ago | (#11738568)

A new version of KaZaa has just been released

RAR is very popular (5, Interesting)

bigtallmofo (695287) | more than 9 years ago | (#11738377)

I find that more technically-abled people are familiar with and have installed WinRAR [rarlabs.com] or the unix-variant based RAR on their system.

Of course, such people are less likely to be taken in by a virus, so I'm forced to believe that this new spin on virus writing isn't going to be very effective.

Similarly, I suppose virus-writers could rename their .exe file to be .txt and leave instructions within the .txt file to rename the file to .exe and from there ask them to execute it but the people that would understand those instructions would not be likely to follow them.

Re:RAR is very popular (0)

Anonymous Coward | more than 9 years ago | (#11738465)

oh yes... a text file with instructions to rename it... I can see it now...

here are steps for to run coool game!
1) delete text and space here
2) reanem file "fun.exe"
3) double click file
4) All your base are belong to us
EVil ViRuS CoDe WoOt

Re:RAR is very popular (3, Informative)

rainman_bc (735332) | more than 9 years ago | (#11738476)

Just to point out that some places use stuff like UltimateZIP or something that'll handle all compressed archives, including ace and rar. It isn't just winrar that opens rar files.

Well, duh. (0, Flamebait)

baggachipz (686602) | more than 9 years ago | (#11738380)

.rar files can be self-extracting like zip files, so they pose the same security risk. I can't believe that nobody's exploited this until now.

Re:Well, duh. (1)

bcmm (768152) | more than 9 years ago | (#11738480)

Both self-extracting RAR and self-extracting zip files are *.EXE binaries. They just contain a decompressor and some data to decompress.

Did you think that Windows automatically knows to try and execute .RAR files or something?

Re:Well, duh. (1)

baggachipz (686602) | more than 9 years ago | (#11738609)

Well then what's the big deal? Joe-AOL downloads a .rar file, but can't open it (and expose the nasty files) because he doesn't have WinRAR. This is a security risk HOW?

I've been opening .rar files for a while (3, Insightful)

IInventedTheInternet (818590) | more than 9 years ago | (#11738385)

And I've always extracted and scanned the contents before executing.

It just makes sense to me.

appealing to lustful young men (1)

w1r3sp33d (593084) | more than 9 years ago | (#11738394)

Last week's virus was "disguised as a patch from Microsoft Corp" and apparently nobody wanted to click it (who's afraid of the BSOD?)

... but free pr0n, well who ain't gonna click that?

I don't get the big deal... (0)

Anonymous Coward | more than 9 years ago | (#11738403)

Yeah, so they're simply taking the virus and packing it with another archiving tool... In any sense it's not the .rar file itself that's the threat, so rather than having administrators complain about it, they should simply have active protection running on the workstations themselves. The average computer user doesn't even understand how a virus works, so it's stupid anyways to simply rely on e-mail attachments being scanned unless they plan to support all forms of compression. Just my 2 cents...

A question... (1, Redundant)

ajaf (672235) | more than 9 years ago | (#11738404)

"A new article at eWeek indicates that Virus writers are using .RAR files to bypass Filters and Anti-Virus systems to infect computers."

Computers or Computers running Windows?

How's this new? (5, Insightful)

Phanatic1a (413374) | more than 9 years ago | (#11738405)

It's not that there's a virus piggybacked on the .rar, which you infect yourself with by unraring the .rar, it's that they're sending around .rared viruses, which you infect yourself with if you unrar and then execute them.

Not seeing the problem, aside from the same old 'don't go happy-assing around executing any damn old executable that someone emails you.'

Trojan? (1)

rhizome (115711) | more than 9 years ago | (#11738534)

And thusly, isn't it a trojan and not a piggybacked virus?

eWeek ... (4, Funny)

jest3r (458429) | more than 9 years ago | (#11738420)

... in related news eWeek is able to sell more impressions and generate more revenue by getting coverage on Slashdot for pointless non-news articles such as new Virus hides in compressed files ...

Uhhh... Theres not really much difference between (1)

Bob64 (844867) | more than 9 years ago | (#11738421)

In my opinion there's not much difference between zip and rar... Only a different compression algorithm. Other than that, they both serve as containers that attempt to compress the contents.

I'm also sure that most anti-virus programs scan RAR files.

In my opinion, this is nothing special, virus writers are just trying to change their delivery method. Just like how a virus was written for .swf files. It's now only the matter of adding the .rar extension to the filter.

Virus Filters (1)

DHalcyon (804389) | more than 9 years ago | (#11738426)

IMHO doing some filtering at the provider could help. My mail provider uses a Spam/Virus filter that works with black/whitelists for each user and a global blacklist created by the provider (Which can be overridden by my personal whitelist). Haven't seen a virus in my inbox for 2 years and counting.

In other news (3, Funny)

JamesP (688957) | more than 9 years ago | (#11738427)

A new virus is spreading through password-protected .arj files.

Fortunately, no one got it, as no one remembers anymore what the heck an .ARJ file is, let alone find a password cracker for it.

Rumors said the password is "G04TSE.CXR0X".. go now then, have some fun...

ClamAV wins again... (5, Informative)

Vellmont (569020) | more than 9 years ago | (#11738445)

The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti spam/virus email service and it runs flawlessly).

Re:ClamAV wins again... (2, Informative)

xXDarkNinjaXx (525539) | more than 9 years ago | (#11738573)

I love ClamAV [clamav.net], props to all the developers and the clamav community [clamav.net]. They've been helpful to me.

Re:ClamAV wins again... (5, Interesting)

j-turkey (187775) | more than 9 years ago | (#11738610)

The OSS program ClamAV supports scanning of RAR files. If most anti-virus programs truly don't support RAR format, this is another big win for ClamAV. (I run it on my own server, and as part of an anti spam/virus email service and it runs flawlessly).

ClamAV just wins period. Not having to pay per-seat licensing is awesome. Never needing to track or renew a subscription is worth every penny you'll spend on Clam AV (umm...$0.00).

I can't think of any reason to run anything else for an email server. Am I missing something really big that ClamAV just can't do?

Whats the point? (3, Interesting)

bizitch (546406) | more than 9 years ago | (#11738457)

Blocking extensions is pretty pointless ... how hard is it to rename before/after going thru a wall?

Re:Whats the point? (1)

pe1chl (90186) | more than 9 years ago | (#11738562)

Of course your scanner should not check filenames (extensions are basically just part of the filename) but it should determine the type of the file by looking at its contents.

Every decent scanner does this. Surprisingly many commercial virus-scanners from "wellknown manufacturers" don't. But who said those were any good?

How about a .virus file type? (5, Funny)

jptechnical (644454) | more than 9 years ago | (#11738467)

It seems to me this would be the simplest. Just require the virus makers to use the .virus extension and that will give the AV makers more time to perfect RAR scanning.

Is anyone with me?

RAR bombs (2, Insightful)

Schreckgestalt (692027) | more than 9 years ago | (#11738473)

This is great. They have still not all figured out how to avoid bzip2 bombs [netsys.com], how are they supposed to be able to scan RAR files? I mean, heck, they can't adopt a new compression file every 2 weeks! Oh wait...
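Added example, not part of the comment above: one way a scanner can unpack a bzip2 attachment without being exhausted by a decompression bomb, by decompressing in bounded steps and stopping at an output budget. The 16 MiB default, the verdict strings, the signature list and the sample inputs are assumptions constructed for illustration.

```python
import bz2


class ArchiveTooLarge(Exception):
    """Decompressed output exceeded the scanner's budget."""


def bounded_bunzip2(data: bytes, max_output: int = 16 * 1024 * 1024,
                    chunk: int = 64 * 1024) -> bytes:
    """Decompress one bzip2 stream, never holding more than max_output + chunk bytes."""
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    pos = 0
    while not decomp.eof:
        if decomp.needs_input:
            if pos >= len(data):
                raise ValueError("truncated bzip2 stream")
            feed = data[pos:pos + chunk]
            pos += chunk
        else:
            # Output is still pending from bytes already fed; ask for the next slice.
            feed = b""
        out += decomp.decompress(feed, max_length=chunk)
        if len(out) > max_output:
            raise ArchiveTooLarge(f"more than {max_output} bytes of output")
    return bytes(out)


def scan_bz2_attachment(data: bytes, signatures, max_output: int = 16 * 1024 * 1024) -> str:
    """Return a verdict string; anything that cannot be fully unpacked is not 'pass'."""
    try:
        payload = bounded_bunzip2(data, max_output=max_output)
    except ArchiveTooLarge:
        return "quarantine:decompression-limit"
    except (OSError, ValueError):
        return "quarantine:corrupt"
    for name, pattern in signatures:
        if pattern in payload:
            return "block:" + name
    return "pass"


# Constructed signature list: a harmless marker string, not a real malware pattern.
SIGNATURES = [("constructed-test", b"CONSTRUCTED-TEST-SIGNATURE")]


def constructed_bz2_samples():
    """Constructed inputs for the demo; the 'bomb' is 4 MiB of zero bytes."""
    return {
        "clean": bz2.compress(b"hello world"),
        "flagged": bz2.compress(b"xx" + SIGNATURES[0][1]),
        "bomb": bz2.compress(b"\x00" * (4 * 1024 * 1024)),
        "garbage": b"not bzip2",
    }


if __name__ == "__main__":
    for label, blob in constructed_bz2_samples().items():
        verdict = scan_bz2_attachment(blob, SIGNATURES, max_output=1024 * 1024)
        print(f"{label:8} {len(blob):6} bytes in -> {verdict}")
```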

No worries, DOA viruses (1)

DigitalCrackPipe (626884) | more than 9 years ago | (#11738487)

The good thing is that most people can't open rar files. You must intentionally install software to unarchive rar files.

The only real concern is when kids install rar software and then a click-happy parent opens any attachment and any files inside. (or other multi-user home computer scenarios)

The only news here is that while AV software could help protect the clueless before, there is now a workaround in a few circumstances. Luckily, this is a small enough percentage that no new epidemic can occur.

RAR is very popular in China (3, Informative)

winkydink (650484) | more than 9 years ago | (#11738494)

at least it is with my 2 subsidiaries there. Winzip does not do a Chinese version. RAR does.

Great Quote (0)

Anonymous Coward | more than 9 years ago | (#11738498)

In reference to viruses posing as rar archives containing porn:
"Most of these are appealing to lustful young men"

In other news: (0)

Anonymous Coward | more than 9 years ago | (#11738500)

Email gateway anti-virus scanners quite sucky.

So.. (2, Insightful)

mysidia (191772) | more than 9 years ago | (#11738509)

If your firewall blocks ZIP files and RAR files, then how are you supposed to exchange groups of files with your friends efficiently?

Isn't the WHOLE POINT of having archive file software on your computer defeated by blocking content with these extensions?

It's their job (1)

mixtape5 (762922) | more than 9 years ago | (#11738519)

I have known and been using .rar files for about a year. I would think that somewhere along the way, some anti-virus programmer somewhere would notice a security threat and begin working on scanning methods?

Just a thought/question, if anyone has thoughts or explanations I would appreciate the information.

Not a big deal (2, Informative)

Artifakt (700173) | more than 9 years ago | (#11738527)

As the article explains it (you do read the articles, don't you?). The .RAR has to be unpacked, to reveal a file with dual extensions - like "Pron.jpg.exe".
The user still has to be dumb enough to click on that .exe without running a virus scanner on it first. No one has made a .rar that somehow executes on its own.
The article expresses a fear that there are people out there in cluelessland that will think "Gee, I know I should scan .exe's that came packed in .zip's, but this came packed in another compression. Duuh! it must be safe!".
There may be three people on the whole planet who are actually at that particular mix of clueless and clueful states. The rest either still don't know the first thing about what a .rar or an .exe is, or they won't be fooled.
If a journalist tried to make us all afraid of the risk of terrorists that try to sneak through customs by disguising themselves as Mexican Banditos, complete with bandoleers of bullets, some people would probably buy that too.

Re:Not a big deal (1)

Negativeions101 (706722) | more than 9 years ago | (#11738604)

fuck, that was funny.

not really a problem (1)

Negativeions101 (706722) | more than 9 years ago | (#11738558)

It's sort of an issue if you download a lot of warez. The warez scene uses the RAR format almost exclusively. So now I guess you have to watch what you download. Other than that it's not really an issue. Don't download files of any format, let alone rar, if you don't know the source.

The vector doesn't matter, only the cure (2, Insightful)

Repugnant_Shit (263651) | more than 9 years ago | (#11738565)

One of our customers started blocking zip files. So now we either rename them to zi_ or use another kind of compression (rar, gzip, etc.). What on earth is the difference? A virus can latch on to whatever it wants - it would take almost no effort on the part of the author.

What will fix this is more knowledgeable users and up-to-date antivirus software. My own users get viruses from other people, but either the antivirus software catches it, or they simply call and ask what they should do (delete or send it to me first).

Soon our customer will probably start blocking rar files, then zi_ files. It is probably one of the laziest ways to block viruses, and not really that effective at it.
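As an added example (not part of any comment in this thread and not code from the article): a gateway-style check that identifies archives by their leading bytes rather than their extension, so a renamed `.zi_` file is still recognised, and that flags the `Pron.jpg.exe` style of double extension in archive member names. The extension sets and the `member_names` input (assumed to come from the gateway's own unpacker) are assumptions.

```python
import os

# Leading magic bytes of the archive formats mentioned in the thread.
SIGNATURES = [
    (b"Rar!\x1a\x07", "rar"),    # covers RAR 1.5-4.x and RAR 5 headers
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
]
USUAL_EXT = {"rar": {".rar"}, "zip": {".zip"},
             "gzip": {".gz", ".tgz"}, "bzip2": {".bz2"}}
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".cpl"}  # assumed list
DECOY_EXT = {".jpg", ".gif", ".txt", ".doc", ".pdf"}       # assumed list


def sniff_archive(data):
    """Return the archive format the bytes start with, or None."""
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    return None


def is_double_extension(name):
    """True for names such as 'Pron.jpg.exe': decoy type, then executable."""
    stem, ext = os.path.splitext(name.lower())
    return ext in EXECUTABLE_EXT and os.path.splitext(stem)[1] in DECOY_EXT


def check_attachment(filename, data, member_names=()):
    """Return findings for one attachment.

    member_names is assumed to come from whatever unpacker the gateway uses.
    """
    findings = []
    fmt = sniff_archive(data)
    ext = os.path.splitext(filename.lower())[1]
    if fmt and ext not in USUAL_EXT[fmt]:
        findings.append(f"{fmt} content behind extension {ext!r}")
    for member in member_names:
        if is_double_extension(member):
            findings.append(f"double extension inside archive: {member}")
    return findings


# Constructed sample: RAR 4.x magic bytes plus padding, renamed to .zi_
SAMPLE = b"Rar!\x1a\x07\x00" + b"\x00" * 16

if __name__ == "__main__":
    for line in check_attachment("report.zi_", SAMPLE, ["Pron.jpg.exe"]):
        print(line)
```
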

What's the problem? (1)

JustNiz (692889) | more than 9 years ago | (#11738585)

Windows doesn't have a .rar viewer built-in as standard anyway. It would be a bigger problem if Windows could open .rar files by default.

This elevates most .rar users to the not-quite-so-dumb crowd, as they had to at least know enough to download a .rar archiver to open the virussed .rar in the first place.

Even most l33t h8x0rs use .rar ;-)

FUD FACTOR (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11738588)

F.U.D. FEAR UNCERTAINTY and DOUBT. This is a ploy to scare the masses. This is not really new. This isn't even that much of a risk to most companies. Rar is not a standard that IT people rely on. This seems to be aimed at generating FUD into the public. This can happen in any type of compression tool.
Yes AV scanners can scan RAR files.
Where does this guy get off saying you can't block .rar file types at the FW. I don't have any problems with blocking any type of attachments.
This article is crap and only posted to stir a commotion.
We shouldn't waste anymore time on this post. I am sure we have something important to discuss.

REALLY old news (3, Informative)

JohnVH (86999) | more than 9 years ago | (#11738608)

Umm, this is REALLY old news. This particular method of trying to sneak past virus scanners has been around since at least March 2004 (search Google for W32.Beagle@mm!rar).

.arr files (0)

Anonymous Coward | more than 9 years ago | (#11738613)

In other new's pirate's are using the .arr format
i's thi's wrong?