Risk: High
Virus writers have once again got one over anti-virus vendors and IT administrators with a new technique that's finding early and considerable success.
Towards the end of January 2005, administrators and service providers began seeing virus-infected messages with a new type of attachment hitting their mail servers: a .RAR archive. .RAR files are similar to .ZIP files in that they are containers used to hold one or more compressed files. The .RAR format is not as widely known as .ZIP, but it is used for a number of tasks, including compressing very large files, such as music and video.
The emergence of .RAR-packed viruses highlights the lengths to which virus writers are willing to go to evade anti-virus systems, as well as the limitations of those traditional signature-based defences.
Experts say .RAR files carrying viruses have been sailing past commercial anti-virus products and finding their way into the mailboxes of users, who are often unfamiliar with the file format. Administrators who have seen .RAR-packed malware say that none of the messages have been stopped by their anti-virus defences.
Many of the messages in .RAR virus email are slick invitations to view pornographic content, which is part of the reason for the viruses' success, experts say. .RAR's compression algorithm is 30 percent more efficient than .ZIP technology, so it is often used to compress such content. Email purporting to deliver images and video in a .RAR archive may well be taken as legitimate, experts say.
Once opened, the archive typically contains an executable file with a double extension, such as "foto.jpg.exe." The viruses themselves are new and are usually droppers that install a Trojan or back door on the user's PC.
"Most of these are appealing to lustful young men," said Bill Franklin, president of Zero Spam Network Corp., in Coral Gables, Fla., a managed services provider. "It's a game of percentages. This is just another way to get control of machines. It may hit fewer machines, but they're probably more technical users, so their machines would be of higher value. It's a good example of the fact that virus writers are probing every nook and cranny."
One recent .RAR virus, which also appeared in February, is disguised as a patch from Microsoft Corp. Although the text of the email is poorly written, users have often proved willing to fall for such pitches. Franklin said that he had seen about six or seven new .RAR viruses each week in February 2004 and that all of them were getting past the anti-virus products installed on his network.
Anti-virus vendors have acknowledged the presence of viruses delivered as .RAR files and are scrambling to develop tools to identify and eradicate the malware.
Officials at McAfee Inc., which has just developed signatures for a few of the new viruses, said virus writers probably have turned to using .RAR archives to get past gateway filtering rules. "Some large corporations have blocked [.ZIP files], so this is a way around that," commented McAfee.
The recommendation at the moment is to modify any content-filtering software on your commercial gateway so that it rejects .RAR files in the same manner as .ZIP files, until anti-virus companies have developed protection against these attacks.
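As an added illustration of that gateway rule (example code written for this article, not from any vendor or product it mentions): a small Python filter that rejects RAR and ZIP attachments by extension, recognises a RAR container by its file signature even when it has been renamed, and flags the double-extension names such as "foto.jpg.exe" described above. The sample message and its attachment contents are constructed; only the RAR and MZ header bytes are the real formats' magic values.

```python
import email
from email import policy
from email.message import EmailMessage

# File signatures of RAR 1.5-4.x and RAR 5.x archives.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Extensions the gateway policy rejects outright, RAR treated like ZIP.
ARCHIVE_EXTS = (".rar", ".zip")
# Executable extensions that a decoy extension may be hiding in front of.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

def is_rar(payload: bytes) -> bool:
    """True if the bytes start with a RAR signature, whatever the name says."""
    return payload.startswith(RAR_MAGICS)

def has_double_extension(name: str) -> bool:
    """Flag names such as 'foto.jpg.exe': an executable behind a decoy extension."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXEC_EXTS

def reject_reasons(raw_message: bytes) -> list:
    """Return one reason per attachment the gateway would reject (empty = accept)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(ARCHIVE_EXTS):
            reasons.append(f"{name}: archive attachment blocked by policy")
        elif is_rar(data):
            reasons.append(f"{name}: RAR content under a non-archive name")
        if has_double_extension(name):
            reasons.append(f"{name}: executable hidden behind a double extension")
    return reasons

def build_sample() -> bytes:
    """Constructed test message (hypothetical addresses, fake payloads)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "new videos for you"
    msg.set_content("see attached")
    octet = dict(maintype="application", subtype="octet-stream")
    msg.add_attachment(RAR_MAGICS[1] + b"\x00" * 16, filename="videos.rar", **octet)
    msg.add_attachment(RAR_MAGICS[0] + b"\x00" * 16, filename="movie.dat", **octet)
    msg.add_attachment(b"MZ" + b"\x00" * 16, filename="foto.jpg.exe", **octet)
    msg.add_attachment("nothing to see here\n", filename="readme.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for reason in reject_reasons(build_sample()):
        print(reason)
```

Running it reports the .RAR attachment, the renamed RAR and the double-extension executable, while the plain text attachment passes.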