

Why questionable downloads use rar archives - kevlened
http://lenboyette.com/?p=22

======
DanBC
The author suggests that rar is dangerous, because anti-virus software can
detect some viruses until you put those viruses inside a rar archive.

But the author doesn't test to see what happens when the user tries to do
anything with the rar. Presumably people have to extract content to be able to
use it - wouldn't that be the point when the anti-virus spots the threat?

I thought it was well understood that users should scan content near the point
of use rather than the point of download (later, rather than sooner) to allow
time for definitions to be distributed and incorporated into av products.

------
neya
This is true and I can confirm this. I sincerely urge everyone to check any
executable for viruses _before_ they double-click on it, especially while
running on Windows!

Just because your antivirus scan doesn't tell you that it's a virus doesn't
mean the file isn't infected. Always try uploading the file to a cloud-based
solution like <http://virustotal.com>, which will return scan results from
several anti-virus engines. Even if the detection ratio is as low as 2-3, you
should be extremely cautious.

Attackers on the internet generally store viruses inside a container like RAR
or Zip and password-protect them. And they supply the password separately.
This can be seen in forums, etc., where there is a lot of traffic. The logic
behind this is that when you run a scan against a virus package hiding behind a
password-protected container like RAR or Zip, the anti-virus engine will fail
to determine that the file is infected, and some engines will even tell you
it's clean! Always extract these files, scan them or upload them to a cloud
scanning solution, and then run them in a sandbox environment to be safe.

I have been a victim of several such attacks in the past (several years back)
wherein these files were sent to me as email attachments and the password was
mentioned in the email body as something like "Hurry, open this, run
this..etc". And even many popular email vendors like Gmail fail to detect
such files (even to date). Just don't fall for it! Maybe that free smiley
software isn't worth it, after all?

For my fellow Windows users, there is an excellent free anti-virus that comes
with a Virtual Kiosk and Sandbox mode (meaning, if you run anything inside a
sandbox, even a virus won't be able to affect your computer) provided by the
popular security guys Comodo:

<http://www.comodo.com/home/internet-security/free-internet-security.php>

Cheers!
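The point made above, that a scanner cannot see inside a password-protected container and may report it clean, can be checked on the archive metadata itself. The following is an added example (not code from this thread or from any product mentioned in it) showing a small Python pre-screen for ZIP archives: it builds a constructed sample archive with the standard library's `struct` module, then reports entries that are flagged as encrypted (general-purpose bit 0), entries carrying an executable-looking name, and unencrypted entries whose content starts with the `MZ` PE magic even though the name suggests a document. A hit on any of these is a reason to treat the file as untrusted and detonate it in a sandbox rather than double-clicking it. The sample ZIP, the entry names and the `EXECUTABLE_EXTS` list are all assumptions made for the example.

```python
import io
import struct
import zipfile
import zlib

# Extensions that Windows treats as directly executable; this list is an
# assumption for the example, not an exhaustive policy.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in the ZIP headers


def build_sample_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Construct a minimal single-entry ZIP (stored, no compression).

    When `encrypted` is True only the header flag is set; the payload is a
    placeholder, not real ciphertext. The inspector never tries to decrypt,
    so this is enough to exercise the detection path.
    """
    flags = ENCRYPTED_FLAG if encrypted else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    # Local file header: sig, version, flags, method, time, date, crc,
    # compressed size, uncompressed size, name length, extra length.
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(payload), len(payload), len(name), 0)
    local += name + payload
    # Central directory entry: same fields plus comment length, disk number,
    # internal/external attributes and the local header offset (0 here).
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0, crc, len(payload), len(payload),
                          len(name), 0, 0, 0, 0, 0, 0)
    central += name
    # End of central directory: one entry, directory size and offset.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def inspect_zip(data: bytes) -> list:
    """Return (finding, entry name) pairs worth a human's attention."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(EXECUTABLE_EXTS):
                findings.append(("executable-name", name))
            if info.flag_bits & ENCRYPTED_FLAG:
                # Content is opaque without the password, so this is exactly
                # the case where an engine may report "clean" by default.
                findings.append(("encrypted-entry", name))
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            # A PE image behind a non-executable name is a disguise attempt.
            if head == b"MZ" and not lower.endswith(EXECUTABLE_EXTS):
                findings.append(("pe-magic-disguised", name))
    return findings


def needs_sandbox(data: bytes) -> bool:
    """Conservative verdict: any finding means do not run it directly."""
    return bool(inspect_zip(data))


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 30  # constructed stand-in for a PE header
    samples = {
        "password-protected exe": build_sample_zip(b"invoice.pdf.exe", fake_pe, True),
        "disguised exe": build_sample_zip(b"readme.txt", fake_pe, False),
        "plain text": build_sample_zip(b"notes.txt", b"hello", False),
    }
    for label, blob in samples.items():
        print(label, "->", inspect_zip(blob), "sandbox:", needs_sandbox(blob))
```

The inspector only reads headers and the first two bytes of each readable entry, so it is cheap enough to run on every download; it complements, rather than replaces, scanning the extracted files at the point of use.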

~~~
dsl
Here is a demo of a sandbox escape for Comodo from July:
<http://youtu.be/TopCisbEbWU>. Even full-blown VMs like VMware (CVE-2008-0923)
and VirtualBox (CVE-2011-2305) have known escapes.

The only thing worse than running untrusted code on your box is giving other
people on the internet a false sense of security that it's somehow OK to do so
if you install magical snake oil.

~~~
neya
Y u mad bro? Advising people to install an anti-virus package isn't exactly
the same as selling snake oil. I don't intend to promote any product,
including Comodo, but I don't think that, if we go by your rule, we'll be able
to settle on any anti-virus s/w. All of them have some known loophole or
other.

Advising people not to install an A/V package because of <insert youtube video
here> is even more dangerous than selling snake oil, dude.

~~~
dsl
> and Sandbox mode (meaning, if you run anything inside a sandbox, _even a
> virus won't be able to affect your computer_ )

That is a pretty bold, and demonstrably false, statement. You should retract
it.

------
jpswade
No. Questionable downloads use rar archives because the compression was
generally higher than zip and it allowed you to "split" files, so it was
easier to transport over Usenet.

A virus isn't useful until it's extracted anyway.

------
afreak
Disclosure: I work for an AV vendor. Mine was one of those listed that does
scan within RAR files regardless of a hidden attribute.

One of the things about scanning within archive files is that it's quite I/O
intensive and by default isn't enabled for most AV installs. I very much doubt
the reason why it's stressful from an I/O perspective is lost on HN
readers, but one thing that is overlooked in the comments and the article
itself is that by default most operating systems do not support RAR
compression, and really what is mainstream is ZIP on Windows, and tarballs and
Stuffit files on Mac.

The default settings in most AV software are good enough for situations like the
one the author wrote about, even if they're on the list that didn't successfully
scan within the archive. If your scanner is scanning on write, extracting the
archive will in fact cause it to trip regardless of whether the file has the
hidden attribute or not.

RAR is a notable exception as it does have the ability to execute code as it
is processed through a virtual machine, but at the same time a number of AV
engines are geared towards situations like this using things like suspicious
behaviour detection and whatnot. Those however are not necessarily enabled by
default.

I think that the author's beliefs are a bit overblown here. What really
matters is what happens after the RAR file is extracted, not while it's more
or less safely packed inside.

------
kris121
100% of antivirus programs miss viruses in password-protected RAR archives.

------
ZoFreX
The title is extremely misleading; the original - "Why questionable downloads
use rar archives" - is better and, more importantly, accurate.

60% of antivirus programs missed viruses hidden in an alternate data stream of
a file inside a rar archive, _not_ the simple case of a virus in a rar file.

------
blablabla123
I never really understood why virus scanners are so keen on scanning archives.
Most stuff that I have archived I never touch, and if I touch the contents, the
virus scanner will warn me anyway.

In fact the archive search is the single reason why I never do full disk scans
voluntarily. They take ages and need tons of resources... Most of the time
such a full disk scan is stuck on decompressing some archive.

~~~
pixl97
Like security, hacking is a process. Every step you can take to hide the
payload increases the chance of execution. For example, take a business that
scans files that come through the firewall and email: they think their firewall
does the job well enough, so they don't focus on keeping A/V on the computers
up to date.

~~~
blablabla123
Makes sense...

------
guan
RAR archives are hugely popular in China, for both legitimate and (presumably)
illegitimate reasons. All my Chinese friends constantly send me RAR files.
I’ve long wondered why that’s the case. All operating systems these days have
built in Zip tools, but you usually have to install extra software to create
and extract RAR files.

------
Osmium
I seem to remember reading about how the rar format supports executing
(arbitrary?) code when you unrar a file (presumably to support custom
decompression algos?) but I can't for the life of me find a reference for it
now. Anyone have any idea what this is and if that's a factor too?

~~~
qikon
Tavis Ormandy (a widely respected security researcher) made a "minimal RarVM
toolchain", so you can even try it out yourself:
<https://github.com/taviso/rarvmtools>

------
kalleboo
How would a virus in an ADS get executed?

------
Sami_Lehtinen
I prefer 7-zip over RAR anytime. Stronger crypto, better compression, great
parallelization and free.

