Security

WinRAR 0-Day That Uses Poisoned JPG and TXT Files Under Exploit Since April (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A newly discovered zero-day in the widely used WinRAR file-compression program has been under exploit for four months by unknown attackers who are using it to install malware when targets open booby-trapped JPGs and other innocuous files inside file archives. The vulnerability, residing in the way WinRAR processes the ZIP file format, has been under active exploit since April in securities trading forums, researchers from security firm Group-IB reported Wednesday. The attackers have been using the vulnerability to remotely execute code that installs malware from families including DarkMe, GuLoader, and Remcos RAT. From there, the criminals withdraw money from broker accounts. The total amount of financial losses and total number of victims infected is unknown, although Group-IB said it has tracked at least 130 individuals known to have been compromised. WinRAR developers fixed the vulnerability, tracked as CVE-2023-38831, earlier this month. "By exploiting a vulnerability within this program, threat actors were able to craft ZIP archives that serve as carriers for various malware families," Group-IB Malware Analyst Andrey Polovinkin wrote. "Weaponized ZIP archives were distributed on trading forums. Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023."

It's recommended that you update to version 6.23 before using WinRAR again.

  • WinRAR? Why? (Score:3, Insightful)

    by Anonymous Coward on Wednesday August 23, 2023 @04:25PM (#63791720)

    I don't understand why people still use RAR.

    7-zip is far superior in every possible way.

    But I guess people still use gzip and xz when zstd surpassed them in every possible way (better compression, faster, etc).

    • Re:WinRAR? Why? (Score:5, Informative)

      by Mascot ( 120795 ) on Wednesday August 23, 2023 @04:46PM (#63791782)

      I've found 7-Zip to sometimes produce slightly smaller files, but at a huge time penalty. Case in point, I just did a test where WinRAR produced a 349MB result in 21 seconds, while 7-Zip ended up at 347MB in 38 seconds. That's slightly superior on one point and far inferior on the other. For my use cases, the speed is much more relevant than that tiny storage win.

      Over the years I've found that result to be consistent. Whenever I spend a little time doing some tests I end up concluding the switch isn't worth it and stick with WinRAR. Would I have paid for WinRAR today if I was already using 7-Zip? Unlikely. But that train left the station some 15 years ago.

      • by functor0 ( 89014 )
        Did you ever try lowering the compression quality in 7zip to compare? It's natural that a smaller compressed size takes longer, but one is able to adjust this trade off.
      • I generally don't compress at all, so I haven't noticed.

        I tend to use compression to bundle files together, especially if I'm going to send SFTP or some such.

      • You'll have to be a lot more specific about your testing conditions, because both programs support multiple formats and tons of compression options.

        Also to consider is the number of different file types they can deal with and how they perform with each; WinRAR supports creation of more compression formats, but 7Zip can open and extract damn near anything.

        And of course 7zip is FOSS while WinRAR costs US$29 unless you're a) Buying in bulk, or b) a shitlord who abuses the trial period forever. *shrug*
        =Smidge=

        • by Mascot ( 120795 )

          You'll have to be a lot more specific about your testing conditions

          I really don't. I was sharing my anecdotal reasons for sticking with WinRAR – in response to someone offering not even an example of what made one better than the other – not pretending to have produced a research paper comparing the two. I'm sure someone's done that at some point, but I don't have that high on my list of things to spend time on in life. My very limited testing is plenty for such a trivial decision for me.

          I will add that I have previously spent some time tweaking the settings of

    • by Malc ( 1751 )

      zstandard doesn't surpass xz/lzma in terms of compression, although it can get within a few percentage points.

      • Even though that xz/lzma is the king of raw compression, what zstd has going for it is extremely fast decompression speed. For example, zstd works quite well on btrfs and ZFS, although most often, lzo/lz4 might be the best choice, as compression can actually speed up some I/O.

        For long term archives, I still use "xz -v9e", even though that is extremely CPU/RAM intensive, but I want every kilobyte out of stuff I'm throwing onto a cloud backup/archive site, as I'm paying for that.

        • Yes, although priorities depend on application (usage), as you implicitly state. For most archival activities or compressing things for transfer over the internet, I don't find the decompression speed of any of these algorithms much of an issue. Compression speed though is, which is why I often go back to bz2 or zip even though they don't come close to lzma/lzma2 for compression ratio.

    • As one of the few people who uses (registered) WinRAR copies, there are a few reasons that I use WinRAR. Of course, one can do the same with another utility, but it is easier to do it in one.

      Recovery records and recovery volumes come to mind. Yes, one can use PAR2, but compared to just using WinRAR, it is time consuming. WinRAR gives me the option to add recovery records into archives, as well as recovery volumes for multi-volume archives. For example, if I'm uploading an extremely large file to be stor

      • by Dwedit ( 232252 )

        TAR is sequential access only. Picking one file (or even just listing all the files) requires parsing the entire file.

        Good for non-seekable use cases (like Netcat), bad for files on your disk.

        • Yeah, tar kind-of sucks with tape as well, since LTO can seek faster than it takes to read the entire tape, but tar cannot use that.

    • by jythie ( 914043 )
      Eh, standard is better than the best solution. I do not know if 7-zip is technically superior or not, but I do know I almost never encounter it and if I distributed files via it, users would not know how to open them. So kind inferior in the ways that matter.
    • Exactly. 7z opens everything. Why bother with different archivers when 7z handles everything. PKZ204G.EXE, along with WinRAR, are relics.

    • I don't understand why people still use Windows.

      Linux is far superior in every possible way.

      But I guess people still use DOS when Linux surpassed them in every possible way.

      • Linux is not better in every possible way.

        Linux IS better than Windows, but only assuming that:
        1. All the software you want to use has Linux versions and is available in repositories or at least can run in Wine and someone can help you set it up.
        2. All hardware has drivers that are built into the Linux kernel

        And sometimes it is the little things that annoy me. For example, Linux detect the touchpad as a mouse and does not give me the option to disable the "tap" function. Or trying to disable the touchscreen

    • by Teun ( 17872 )
      In this particular case we are talking about decrypting a file with a nasty payload.
      That file was probably not made by yourself...
    • by Osgeld ( 1900440 )

      I don't understand why people use any 3rd party archiving software. whenever I see rar or 7z extensions I roll my eyes, like gee let me install some windows 98 era software so I can see your shitty ass java code that probably doesn't work so you can save a whole 3kb in file space

  • by Joz ( 100708 )

    So, basically, pirates have been getting PWND.

  • I find unar to be easier and more reliable for uncompressing archives.
  • ....I mean unpacking binaries in their own VM'd root directories? It looks far easier to exploit than say, speculative execution and nobody complains nearly as much....
  • It isn't 100% clear how this exploit works.
    Must the victim open the archive in WinRAR first, and then execute the spoofed payload from there?
    If you first extract the files, does it then become obvious that the "image" is really a BAT script, or will it be extracted as an invalid image file that is harmless when opened with an image viewer?

    • There is both an image and a script in the archive at the same time with the same name in the same directory. On your hard drive that's impossible, your OS doesn't allow it. But because two things have the same name in the archive, when you tell WinRAR to show the contents of the JPEG file, it executes the script of the same name instead.
  • by gnasher719 ( 869701 ) on Thursday August 24, 2023 @11:47AM (#63793566)
    The "trick" used is to have an archive that contains a harmless file, plus a directory with exactly the same name. There is zero danger if you unarchive everything: Your hard drive cannot hold a file and a directory with the same name, so trying to extract both will fail. Either silently, or with an error message, or with a crash, but on your hard drive there will be either nothing, or a harmless file, or a directory.

    The problem is that WinRAR can preview files that are still _inside_ the archive. So the user says "WinRAR, show me that JPEG file". Then WinRAR gets confused by the fact that there is a directory with the same name in its archive, opens it instead of the JPEG file, and executes the script inside. With exactly the same permissions that an unarchiver needs to have, like the ability to write files.

    So extracting the payload is not needed, and would not work. The problem is not that something malicious is installed on your computer, the problem is that WinRAR lets itself be tricked into opening a directory of the same name (which shouldn't be present in the archive, but that's why you write your code carefully) instead of a harmless JPEG file.
    • Thank you. I wasn't having much luck figuring out exactly what the mechanism and scope of the threat was.
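The two comments above describe the same condition: an archive that holds both a decoy file and a directory bearing that file's name. As an added example (not code from the thread, from WinRAR or from Group-IB), here is a Python check a defender could run on incoming ZIP files to flag exactly that name collision before the archive reaches a user. The sample archive is constructed in memory and the colliding directory holds only a harmless placeholder text file; the trailing-whitespace normalisation is an assumption that generalises the comments' "exactly the same name" to near-identical names.

```python
import io
import zipfile


def find_name_collisions(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return sorted (file_entry, dir_entry) pairs whose names collide.

    Directory entries end with '/'; a file stored under 'a/b' implicitly
    declares directory 'a'. Names are compared after stripping the trailing
    '/' and any trailing whitespace (assumption: near-identical names count).
    """
    files: dict[str, str] = {}
    dirs: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                dirs.setdefault(info.filename.rstrip("/").rstrip(), info.filename)
                continue
            parts = info.filename.split("/")
            # every path prefix of a file entry is an implicit directory
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                dirs.setdefault(prefix.rstrip(), prefix + "/")
            files.setdefault(info.filename.rstrip(), info.filename)
    return sorted((fname, dirs[key]) for key, fname in files.items() if key in dirs)


def build_sample_archive(collide: bool) -> bytes:
    """Constructed sample, not a real malicious archive: a decoy 'statement.jpg'
    and, when collide=True, a same-named directory holding a placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.jpg", b"\xff\xd8\xff\xe0 constructed decoy bytes")
        if collide:
            zf.writestr("statement.jpg/placeholder.txt", b"placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("benign", build_sample_archive(False)),
                        ("colliding", build_sample_archive(True))):
        hits = find_name_collisions(data)
        verdict = "QUARANTINE" if hits else "ok"
        print(f"{label}: {verdict} {hits}")
```

A mail gateway or download scanner can apply the same check to any ZIP and quarantine archives that return a non-empty list; a legitimate archive has no reason to contain both a file and a directory of the same name.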
