New Virus Attack Technique Bypasses Filters

Virus writers have once again gotten the drop on anti-virus vendors and IT administrators with a new technique that's finding early and considerable success.

Late last month, administrators and service providers began seeing virus-infected messages with a new type of attachment hitting their mail servers: an .rar archive. .Rar files are similar to .zip files in that they are containers used to hold one or more compressed files. The .rar format is not as widely known as .zip, but it is used for a number of tasks, including compressing very large files, such as music and video.

The emergence of .rar-packed viruses highlights the lengths to which virus writers are willing to go to evade anti-virus systems, as well as the limitations of those traditional signature-based defenses.

Experts say .rar files carrying viruses have been sailing past commercial anti-virus products and finding their way into the mailboxes of users, who are often unfamiliar with the file format. Administrators who have seen .rar-packed malware say that none of the messages have been stopped by their anti-virus defenses.

Spammers' new tactics are wreaking havoc with DNS. Click here to read more.

Many of the messages in .rar virus e-mail are slick invitations to view pornographic content, which is part of the reason for the viruses' success, experts say. .Rar's compression algorithm is 30 percent more efficient than .zip technology, so it is often used to compress such content. E-mail purporting to deliver images and video in an .rar archive may well be taken as legitimate, experts say.

Once opened, the archive typically contains an executable file with a double extension, such as "foto.jpg.exe." The viruses themselves are new and are usually droppers that install a Trojan or back door on the user's PC.

"Most of these are appealing to lustful young men," said Bill Franklin, president of Zero Spam Network Corp., in Coral Gables, Fla., a managed services provider. "It's a game of percentages. This is just another way to get control of machines. It may hit fewer machines, but they're probably more technical users, so their machines would be of higher value. It's a good example of the fact that virus writers are probing every nook and cranny."

One recent .rar virus that appeared at the end of last week is disguised as a patch from Microsoft Corp. Although the text of the e-mail is poorly written, users have often proved willing to fall for such pitches. Franklin said that he has seen about six or seven new .rar viruses each week this month and that all of them are getting past the anti-virus products installed on his network.

Anti-virus vendors have acknowledged the presence of viruses delivered as .rar files in the past few weeks and are scrambling to develop tools to identify and eradicate the malware.

Officials at McAfee Inc., which by the end of last week had developed signatures for a few of the new viruses, said virus writers probably have turned to using .rar archives to get past gateway filtering rules. "Some large corporations have blocked [.zip files], so this is a way around that," said Jimmy Kuo, a McAfee Fellow at the Santa Clara, Calif., company.

Kuo said some early NetSky variants used .rar archives as well.

One administrator who has seen a number of these viruses recently on his network said that while the social engineering in the messages is nothing special, the novelty of the .rar format is enough to fool some users.

"Most users have finally gotten trained not to open .zips and executables, and now we have to worry about this," said the administrator, who asked not to be identified. "Our [anti-virus system] doesn't catch these yet, so we have to block it at the gateway in order to stop them."

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.