New Virus Through Rar Files

[Raptrex 0]

Virus writers have once again gotten the drop on anti-virus vendors and IT administrators with a new technique that's finding early and considerable success.

Late last month, administrators and service providers began seeing virus-infected messages with a new type of attachment hitting their mail servers: an .rar archive. .Rar files are similar to .zip files in that they are containers used to hold one or more compressed files. The .rar format is not as widely known as .zip, but it is used for a number of tasks, including compressing very large files, such as music and video.

The emergence of .rar-packed viruses highlights the lengths to which virus writers are willing to go to evade anti-virus systems, as well as the limitations of those traditional signature-based defenses.

Experts say .rar files carrying viruses have been sailing past commercial anti-virus products and finding their way into the mailboxes of users, who are often unfamiliar with the file format. Administrators who have seen .rar-packed malware say that none of the messages have been stopped by their anti-virus defenses.

Many of the messages in .rar virus e-mail are slick invitations to view pornographic content, which is part of the reason for the viruses' success, experts say. .Rar's compression algorithm is 30 percent more efficient than .zip technology, so it is often used to compress such content. E-mail purporting to deliver images and video in an .rar archive may well be taken as legitimate, experts say.

eWEEK.com Special Report: Worm Attacks Once opened, the archive typically contains an executable file with a double extension, such as "foto.jpg.exe." The viruses themselves are new and are usually droppers that install a Trojan or back door on the user's PC.

"Most of these are appealing to lustful young men," said Bill Franklin, president of Zero Spam Network Corp., in Coral Gables, Fla., a managed services provider. "It's a game of percentages. This is just another way to get control of machines. It may hit fewer machines, but they're probably more technical users, so their machines would be of higher value. It's a good example of the fact that virus writers are probing every nook and cranny."

One recent .rar virus that appeared at the end of last week is disguised as a patch from Microsoft Corp. Although the text of the e-mail is poorly written, users have often proved willing to fall for such pitches. Franklin said that he has seen about six or seven new .rar viruses each week this month and that all of them are getting past the anti-virus products installed on his network.

Anti-virus vendors have acknowledged the presence of viruses delivered as .rar files in the past few weeks and are scrambling to develop tools to identify and eradicate the malware.

Officials at McAfee Inc., which by the end of last week had developed signatures for a few of the new viruses, said virus writers probably have turned to using .rar archives to get past gateway filtering rules. "Some large corporations have blocked [.zip files], so this is a way around that," said Jimmy Kuo, a McAfee Fellow at the Santa Clara, Calif., company.

Kuo said some early NetSky variants used .rar archives as well.

One administrator who has seen a number of these viruses recently on his network said that while the social engineering in the messages is nothing special, the novelty of the .rar format is enough to fool some users.

"Most users have finally gotten trained not to open .zips and executables, and now we have to worry about this," said the administrator, who asked not to be identified. "Our [anti-virus system] doesn't catch these yet, so we have to block it at the gateway in order to stop them."

Original Source

dam i hope i dont get one and i hope they dont make one for ZIP files

[canute24 0]

Make one for zip files?? There are thousands of them. Didn't you read the quote?This is very bad news! I lost about 2GB .exe due to a virus attack so I usually Rar the files to protect them also to save space.Thank you for the info.To be on the safe side don't open any attachment from unknown people. Not even pics (jpg) they can attack using Java script. Recently I reported a virus which was sent to me by someone. But the problem is that the user doesn't know anything about the virus because it mail itself.Be careful.

[dai 0]

People need to learn not to open any attachments in email even if it is from their best friend. I know a lot of people who use windows and they have no idea what a file extension is. in fact, windows comes with the file extensions turned off by default. Ive seen viruses come as picture.jpg.pif ... this is obviously suspiscious. I saw it but if I hadn't turned on file extension visibility, I would have thought it was just a jpg file.as for rar's, they have been around a LONG time and I've been using them for a long time. most download places use rar rather than zip because it works better and faster.

[mahesh2k 0]

Thanks for the help i think rar is very rarely used with most of setup makers actually compression rate of rar iss much more than zip and gz format.maybe rar format makers are really worried about this now.causee this way many users and new version makers are in trouble.anyway thanks for notifying.

[RGPHNX 0]

Hey Guys,There are several anti-virus scanners that adequately & completely scan RAR files. They use "heuristic" scanning techniques rather than the more common "dictionary" scanning methods. The problem with dictionary methods is that the specific "bug" must be identified via a unique string used in the bug's modus operandi that no other bug out there (ie. 100K bugs & counting) uses. Then the anti-virus program maker must re-distribute the unique ID string for that particular bug in an updated "dictionary" to all the end users out there. This takes time.The heuristic scanner totally side steps the ID string issue & IDs bugs thru what they are doing to your system files (ie. dll, exe etc.). If there's any unauthorized changes thru commands in the virus's files that attempt to change the core essential files on your system, then the anti-virus alerts you to it or blocks it. The advantage that heuristic scanners have is that there is a finite number of changes that can be made to any system files as defined thru the allowed commands built into the OS.Hope this HelpsRGPHNX

[canute24 0]

There is absolutely no need to worry about viruses if you have a good antivirus running. I have PC-Cillin 2002 updated almost everyday. When I click on any file haveing a virus, absolutely anything at all, RAR,ZIP it catches it. Just keep updating.

[s243a 0]

I don?t completely get this whole virus issue. The rar virus you have to double click on an executable to access. Well, then it is partly the users stupidity for clicking on it. Then again there are a lot of people that are pretty lax in this stuff. Anyway, if a file Microsoft says is a media file executes as an executable I think Microsoft should be held liable for any damage. This is clear incompetence or worse a deliberate attempt to prop up the anti-virus industry.

[canute24 0]

You don't get the whole virus issue that's why you are talking like this. No one click on the virus file unnecessarily. When you get one in the inbox you will understand the whole issue. It is not a problem for those who already know about it. It is only a problem for newbies.

[Casanova 0]

Are these viruses contained as an executable copresed inside the rar, or is the virus executed when the archive is opened?

[no9t9 0]

There is absolutely no need to worry about viruses if you have a good antivirus running. I have PC-Cillin 2002 updated almost everyday. When I click on any file haveing a virus, absolutely anything at all, RAR,ZIP it catches it. Just keep updating.

53416[/snapback]

there is a problem with your statement. You think you don't have to worry because your anti virus catches all the viruses. But, this is just what you SEE. Your antivirus program only catches what it knows and it isn't going to tell you when it couldn't catch the virus. You COULD potentially have tons of viruses in your computer that your anti virus didnt catch.

 

Antivirus is not a perfect solution. The best solution is a combination of awareness, software protection (antivirus, firewalls, etc.), and backups.

[NeXDesigns 0]

ouch, i deal with .rar archives all day, i have people constantly sending me stuff for skinning, design, etc, and i even got a virus off msn (.pif one)

[canute24 0]

I have PC-Cillin, Spybot and Zone Alarm. I open every attachment expecting a virus and it usually is. They take care of the virus and other problems.

[=Savage= 0]

god this is so annoying....why is it that there are people that are sad enough to sit around and create viruses that mess up are computer. its stupid havent these people got anything better to do in there life?And what the hell is the point in anti-virus software when there are tons of viruses and wroms etc that can penetrate that shield?

[canute24 0]

god this is so annoying....why is it that there are people that are sad enough to sit around and create viruses that mess up are computer. its stupid havent these people got anything better to do in there life?
And what the hell is the point in anti-virus software when there are tons of viruses and wroms etc that can penetrate that shield?

When there is a new virus it takes time for it to spread around the world from its birth place. But old ones are close. Without and antivirus the old ones will get into action. The old viruses are just quiet because of the antivirus. Imagine your drive gets filled up within minutes of installing the OS and your PC crashes everytime so what are you going to do??? Wait for the virus to go away?

[serverph 0]

When there is a new virus it takes time for it to spread around the world from its birth place. But old ones are close. Without and antivirus the old ones will get into action. The old viruses are just quiet because of the antivirus. Imagine your drive gets filled up within minutes of installing the OS and your PC crashes everytime so what are you going to do??? Wait for the virus to go away?

55865[/snapback]

there is something wrong with this statement.

Without and antivirus the old ones will get into action. The old viruses are just quiet because of the antivirus.

-- not necessarily true. there are dormant viruses (which wreaks havoc on your PC at a designated date and time), yes, BUT if that virus is there in your hard disk in the first place, then that antivirus application you are using is not effective at all since it did not do its job to destroy the old virus. you should throw that stuff away instead, and choose a better antivirus. i could give some leeway if it's a new virus, and the antivirus did not detect it, but old viruses -- that's just plain useless antivirus.