Why questionable downloads use rar archives (lenboyette.com)
29 points by kevlened on Apr 15, 2013 | 17 comments

The author suggests that rar is dangerous, because anti-virus software can detect some viruses until you put those viruses inside a rar archive.

But the author doesn't test to see what happens when the user tries to do anything with the rar. Presumably people have to extract content to be able to use it - wouldn't that be the point when the anti-virus spots the threat?

I thought it was well understood that users should scan content near the point of use rather than the point of download (later, rather than sooner) to allow time for definitions to be distributed and incorporated into av products.

No. Questionable downloads use rar archives because the compression was generally higher than zip and it allowed you to "split" files so it was easier to transport over usenet.

A virus isn't useful until it's extracted anyway.

This is true and I can confirm this. I sincerely urge everyone to check any executable for viruses before they double click on it, while running on Windows, especially!

Just because your antivirus scan doesn't tell you that it's a virus doesn't mean the file isn't infected. Always try uploading the file to a cloud-based solution like http://virustotal.com which will return scan results from several anti-virus engines. Even if the detection ratio is as low as 2-3, you should be extremely cautious.

Attackers on the internet generally store viruses inside a container like RAR or Zip and password-protect them. And they supply the password separately. This can be seen in forums, etc. where there is a lot of traffic. The logic behind this is that when you run a scan against a virus package hiding behind a password-protected container like RAR or Zip, the anti-virus engine will fail to determine that the file is infected and some engines will even tell you it's clean! Always extract these files, scan them, or upload to a cloud scanning solution and then run them in a sandbox environment to be safe.

I have been a victim of several such attacks in the past (several years back) wherein these files were sent to me as email attachments and the password was mentioned in the email body as something like "Hurry, open this, run this..etc". And even many popular email vendors like Gmail fail to detect such files (even to date). Just don't fall for it! Maybe that free smiley software isn't worth it, after all?

For my fellow Windows users, there is an excellent free anti-virus that comes with a Virtual Kiosk and Sandbox mode (meaning, if you run anything inside a sandbox, even a virus won't be able to affect your computer) provided by the popular security guys Comodo:



Here is a demo of a sandbox-escape for Comodo from July http://youtu.be/TopCisbEbWU Even full blown VMs like VMware (CVE-2008-0923) and VirtualBox (CVE-2011-2305) have known escapes.

The only thing worse than running untrusted code on your box is giving other people on the internet a false sense of security that it's somehow OK to do so if you install magical snake oil.

Y u mad bro? Advising people to install an Anti virus package isn't exactly the same as selling snake oil. I don't intend to promote any product, including Comodo, but I don't think if we go by your rule we'll be able to settle with any anti-virus s/w. All of them have some known loopholes or the other.

Advising people not to install an A/V package because of <insert youtube video here> is even more dangerous than selling snake oil, dude.

> and Sandbox mode (meaning, if you run anything inside a sandbox, even a virus won't be able to affect your computer)

That is a pretty bold, and demonstrably false statement. You should retract it.

Disclosure: I work for an AV vendor. Mine was one of them listed that does scan within RAR files regardless of a hidden attribute.

One of the things about scanning within archive files is that it's quite IO intensive and by default isn't enabled for most AV installs. I very much doubt the reason for why it's stressful from an IO perspective is lost on HN readers, but one thing that is overlooked in the comments and the article itself is that by default most operating systems do not support RAR compression and really what is mainstream is ZIP on Windows, and Tarballs and Stuffit files on Mac.

The default settings in most AV software are good enough for situations such as the one the author wrote about, even if they're on the list that didn't successfully scan within the archive. If your scanner is scanning on write, extracting the archive will in fact cause it to trip regardless of the file's hidden attribute or lack thereof.

RAR is a notable exception as it does have the ability to execute code as it is processed through a virtual machine, but at the same time a number of AV engines are geared towards situations like this using things like suspicious behaviour detection and whatnot. Those however are not necessarily enabled by default.

I think that the author's beliefs are a bit overblown here. What really matters is what happens after the RAR file is extracted, not while it's more or less safely packed inside.

100% antivirus miss viruses in password protected RAR archives

Title is extremely misleading, the original - "Why questionable downloads use rar archives" is better, and more importantly, accurate.

60% of antivirus programs missed viruses hidden in an alternate data stream of a file inside a rar archive, not the simple case of a virus in a rar file.

I never really understood why Virus scanners are so keen on scanning archives. Most stuff that I have archived I never touch and if I touch the contents, the Virus scanner will warn me anyway.

In fact the archive search is the single reason why I never do full disk scans voluntarily. They take ages and need tons of resources... Most of the time such a full disk scan is stuck on decompressing some archive.

Like security, hacking is a process. Every step you can take to hide the payload increases the chance of execution. For example, take a business that scans files that come thru the firewall and email, they think their firewall does the job well enough so they don't focus on keeping A/V on the computers up to date.

Makes sense...

RAR archives are hugely popular in China, for both legitimate and (presumably) illegitimate reasons. All my Chinese friends constantly send me RAR files. I’ve long wondered why that’s the case. All operating systems these days have built in Zip tools, but you usually have to install extra software to create and extract RAR files.

I seem to remember reading about how the rar format supports executing (arbitrary?) code when you unrar a file (presumably to support custom decompression algos?) but I can't for the life of me find a reference for it now. Anyone have any idea what this is and if that's a factor too?

Tavis Ormandy (a widely respected security researcher) made a "minimal RarVM toolchain", so you can even try it out yourself: https://github.com/taviso/rarvmtools

How would a virus in an ADS get executed?

I prefer 7-zip over RAR anytime. Stronger crypto, better compression, great parallelization and free.
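
The password-protected case raised in the thread (an engine reporting an archive it could not open as clean), as an added example that is not from the article or any commenter: a Python triage step that reports encrypted members as unscannable instead of clean. The function names and the sample ZIP are constructed for illustration; RAR is identified by its magic bytes only, since the standard library cannot parse it.

```python
import io
import struct
import zipfile

# Magic bytes for RAR 4.x and RAR 5.x archives.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")


def triage_archive(data: bytes) -> dict:
    """Classify an archive as scannable or not, without extracting it."""
    if data.startswith(RAR_MAGICS):
        # The stdlib cannot parse RAR: hand off to a real unpacker, never report "clean".
        return {"format": "rar", "verdict": "needs-external-unpacker", "encrypted": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"format": "unknown", "verdict": "not-an-archive", "encrypted": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Bit 0 of the ZIP general-purpose flags marks an encrypted member.
        encrypted = [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    verdict = "unscannable-encrypted" if encrypted else "scannable"
    return {"format": "zip", "verdict": verdict, "encrypted": encrypted}


def build_sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed sample: a one-member ZIP, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("setup.txt", "harmless placeholder content")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # Set flag bit 0 in the local header (offset 6) and central directory (offset 8).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            flags = struct.unpack_from("<H", raw, pos + off)[0]
            struct.pack_into("<H", raw, pos + off, flags | 0x1)
    return bytes(raw)


if __name__ == "__main__":
    for label, blob in (("plain zip", build_sample_zip(False)),
                        ("flagged zip", build_sample_zip(True)),
                        ("rar header", RAR_MAGICS[0] + b"\x00" * 16)):
        print(label, "->", triage_archive(blob))
```

A mail or download gateway can treat any verdict other than `scannable` as "hold for extraction and rescan" rather than passing the file through.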
