"100 unique exploits and counting": Hackers begin exploiting WinRAR critical vulnerability

onetheycallEric

Why it matters: If you have WinRAR installed, make sure you've updated to the most recent version, which patches a critical security vulnerability. Vulnerable versions can be compromised by booby-trapped archive files, and opportunistic hackers are now using this attack vector to hit users who don't yet know they're vulnerable, before they can patch.

Download shortcut: WinRAR 5.70

Back in February, cybersecurity firm Check Point disclosed a vulnerability that's existed in WinRAR for some 19 years. The potential attack vector was a result of WinRAR's support for the outdated ACE archive format, whereby those with malicious intent could give an ACE file a .rar extension, and then use it as a booby trap to execute malicious code from a machine's startup folder after a reboot.
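The attack path described above has two parts a defender can check for before anything is extracted: the container is really ACE even though the name says .rar, and an entry path that resolves outside the chosen destination folder. The following is an added example, not code from the article, Check Point or Rarlab; the RAR and ACE signatures are publicly documented magic values, while the function names, the `triage_archive` wrapper and the `SAMPLE_ACE_BYTES` header are constructed here for illustration (the sample bytes are a bare header, not an archive).

```python
import os

# Format signatures (well-known public magic values; not taken from the article).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_SIGNATURE = b"**ACE**"        # follows the 7-byte fixed prefix of the ACE main header
ACE_SIGNATURE_OFFSET = 7


def sniff_archive_format(data: bytes) -> str:
    """Identify the container by its bytes, ignoring whatever extension the file carries."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    end = ACE_SIGNATURE_OFFSET + len(ACE_SIGNATURE)
    if data[ACE_SIGNATURE_OFFSET:end] == ACE_SIGNATURE:
        return "ace"
    return "unknown"


def is_ace_disguised_as_rar(filename: str, data: bytes) -> bool:
    """True when a file named *.rar is actually an ACE archive (the mismatch the article describes)."""
    ext = os.path.splitext(filename)[1].lower()
    return ext == ".rar" and sniff_archive_format(data) == "ace"


def entry_escapes_destination(dest_dir: str, entry_name: str) -> bool:
    """True when extracting entry_name under dest_dir would write outside dest_dir.

    Windows extractors accept both separators, so both are normalized first;
    absolute paths and drive-letter prefixes are rejected outright.
    """
    normalized = entry_name.replace("\\", "/")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return True
    dest = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest, normalized))
    try:
        return os.path.commonpath([dest, target]) != dest
    except ValueError:  # different drives on Windows: certainly outside
        return True


def triage_archive(filename: str, data: bytes, entry_names: list, dest_dir: str) -> list:
    """Return the reasons an archive should be held back rather than extracted (hypothetical wrapper)."""
    findings = []
    if is_ace_disguised_as_rar(filename, data):
        findings.append("ACE container carrying a .rar extension")
    for name in entry_names:
        if entry_escapes_destination(dest_dir, name):
            findings.append(f"entry escapes destination: {name!r}")
    return findings


# Constructed sample: a minimal ACE main-header prefix (CRC, size, type, flags) followed by
# the signature and filler. This is not a real archive and carries no content.
SAMPLE_ACE_BYTES = b"\x00\x00\x31\x00\x00\x00\x00" + ACE_SIGNATURE + b"\x00" * 32

if __name__ == "__main__":
    names = ["docs/readme.txt", "../../escape.bin"]
    for finding in triage_archive("sample.rar", SAMPLE_ACE_BYTES, names, "extract"):
        print(finding)
```

The path check deliberately normalizes `a/../b.txt` to an allowed entry while rejecting anything whose resolved path leaves the destination; a scanner that only searches for the literal string `..` would miss drive-letter and absolute-path variants.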

Rarlab issued a patch and statement, but those who are not using the most recent version are still at risk.

Now, hackers are leveraging the exploit to reach vulnerable systems before users update. McAfee revealed they've identified "over 100 unique exploits and counting." One particular implementation targets Ariana Grande fans looking to bootleg the artist's popular album "Thank U, Next" by using a file named “Ariana_Grande-thank_u,_next(2019)_[320].rar” that is booby trapped with malicious code.

Other campaigns have been used to spread malware through the WinRAR exploit as well, as 360 Threat Intelligence Center has been documenting via Twitter.

WinRAR has an estimated 500 million users, most of whom probably don't know about this vulnerability, and that creates a desirable attack surface. This attack is bound to gain more traction, so please share this with friends and family you know have WinRAR installed, and grab the most recent version of the software.


 
Yet for all the lame over-hate, WinRAR still has the best security for non technically competent individuals (Options -> Settings -> Security -> tick "File types to exclude from extracting" = .exe, .com, .bat, etc). If you're the family geek who's the first person everyone calls every time their computer starts to go wonky after they just opened a "pdf" inside an e-mail attachment zip file called "Free money.pdf.exe", then you'll already know that WinRAR is still waiting for 7zip and every other archive manager that lacks this feature to catch up in terms of preventing 99% of real world infections... (7-zip still doesn't even have a security tab, let alone this feature).
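The exclusion-list setting described in the post above, modelled as an added example in Python; this is not WinRAR's code and the extension sets are assumptions, not WinRAR's actual default list. It also handles the double-extension lure the post mentions ("Free money.pdf.exe") and the Windows habit of dropping trailing dots and spaces from a name, so "setup.EXE." is still treated as an executable. `extraction_decision` and `filter_entries` are names chosen here.

```python
import posixpath

# Assumed exclusion list in the spirit of the WinRAR setting; not WinRAR's shipped default.
DEFAULT_EXCLUDED = frozenset({
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
    ".vbs", ".js", ".jse", ".wsf", ".msi", ".ps1",
})

# Extensions a lure commonly borrows so the name looks like a harmless document (assumed set).
DOCUMENT_LIKE = frozenset({".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".jpeg", ".png"})


def canonical_basename(entry_name: str) -> str:
    """Basename as Windows would store it: either separator accepted, trailing dots/spaces dropped, lowercased."""
    base = posixpath.basename(entry_name.replace("\\", "/"))
    return base.rstrip(". ").lower()


def extensions_of(entry_name: str) -> list:
    """All extensions in order, e.g. 'Free money.pdf.exe' -> ['.pdf', '.exe']."""
    parts = canonical_basename(entry_name).split(".")
    return ["." + p for p in parts[1:] if p]


def extraction_decision(entry_name: str, excluded=DEFAULT_EXCLUDED) -> tuple:
    """('allow', '') or ('block', reason) for a single archive entry."""
    exts = extensions_of(entry_name)
    if not exts or exts[-1] not in excluded:
        return ("allow", "")
    # Only the final extension decides what Windows runs; an earlier one is a disguise.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_LIKE:
        return ("block", f"double extension: looks like {exts[-2]} but runs as {exts[-1]}")
    return ("block", f"excluded type {exts[-1]}")


def filter_entries(entry_names, excluded=DEFAULT_EXCLUDED):
    """Split an archive listing into names that would be extracted and (name, reason) pairs held back."""
    allowed, blocked = [], []
    for name in entry_names:
        verdict, reason = extraction_decision(name, excluded)
        if verdict == "allow":
            allowed.append(name)
        else:
            blocked.append((name, reason))
    return allowed, blocked


if __name__ == "__main__":
    # Constructed listing, not from any real archive.
    listing = ["docs/readme.txt", "Free money.pdf.exe", "tools\\run.bat", "report.pdf"]
    ok, held = filter_entries(listing)
    print("extract:", ok)
    for name, why in held:
        print("hold:", name, "->", why)
```

Note that `invoice.exe.txt` is allowed: the last extension is what the shell uses to pick a handler, so a middle `.exe` is noise rather than a threat, which is also why the double-extension message reports the final extension as the one that actually runs.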
 
Yet for all the lame over-hate, WinRAR still has the best security for non technically competent individuals (Options -> Settings -> Security -> tick "File types to exclude from extracting" = .exe, .com, .bat, etc). If you're the family geek who's the first person everyone calls every time their computer starts to go wonky after they just opened a "pdf" inside an e-mail attachment zip file called "Free money.pdf.exe", then you'll already know that WinRAR is still waiting for 7zip and every other archive manager that lacks this feature to catch up in terms of preventing 99% of real world infections... (7-zip still doesn't even have a security tab, let alone this feature).

Given that most Anti-Virus programs can be set to scan archives if not done so automatically, it's not that uncommon of a thing. I personally see no reason why the compression software should be responsible for preventing viruses, that's the job of the AV. If you really are downloading that many dubious files a quality anti-virus would do you far more good than trying to prevent a single attack vector. And honestly blocking .exe files from being extracted sounds like it could cause other problems as many legitimate programs come in archives. What does the person do if you didn't tell them about the "security" measure you took and/or they don't know how to disable it to install software stored in an archive?

Heck, even Windows Defender scans in archives and there is an option in the right click menu to scan the selected file. How hard is it to tell people to scan downloaded files before opening? You know the old saying "Give a man a fish, feed him for a day. Teach a man to fish, feed him for a lifetime." This is basic stuff that takes 3 seconds to show people.
 
I personally see no reason why the compression software should be responsible for preventing viruses, that's the job of the AV. If you really are downloading that many dubious files a quality anti-virus would do you far more good than trying to prevent a single attack vector. And honestly blocking .exe files from being extracted sounds like it could cause other problems as many legitimate programs come in archives. What does the person do if you didn't tell them about the "security" measure you took and/or they don't know how to disable it to install software stored in an archive?
Because effective security is all about layers, not just relying on one barrier. If you can prevent people from running .exe's in the first place, that's a lot more effective than hoping they've got anti-virus installed, and real-time scanning enabled, and it's not a new virus, otherwise the anti-virus won't catch it. And I didn't say "downloading", I'm talking about spam e-mail attachments that appear in, say, Outlook / Thunderbird which AVs don't always catch (because they've learned to change / add just 1 byte for each different batch, which throws the CRC signatures out), which the user wasn't expecting or didn't initiate at all, and for which double extensions regularly confuse them. Hard blocking all .exe's received via e-mail in zip attachments may block some genuine use cases, but 1. For complete newbies I'd always e-mail them the link to the proper official site rather than e-mail them zipped .exe's, and 2. Worst case, I'd rather spend 5 minutes talking them through how to disable it in WinRAR than a whole day reinstalling Windows and hoping it wasn't a ransomware thing that encrypted their data, just because AVs aren't quite as infallible as people would like to believe.
 
I'm surprised that WinRAR still isn't using an auto update on their software; that way they could avoid this fiasco. All it takes is a bit of effort in coding and knowledge. But in their defence, they aren't the only lazy developers around. Sorry, but I'm not going to be nice when it comes to lazy devs. This is very important in my opinion, and if they had done the auto update coding first like some software does they could have avoided the situation a day later (or whatever the update triggers).
 
Technically, this is not a WinRAR vulnerability. As explained, the problem lies in a 3rd-party library: the UnACEv2.dll file. WinRAR itself is just fine and the title "WinRAR critical vulnerability" is quite wrong.

Could we blame WinRAR for supporting such an old format? Perhaps, but I wouldn't. Note that the offending file is also used by and contained in several other programs (usually old), and not just WinRAR. So search for it whether you use WinRAR or not.
 
Given that most Anti-Virus programs can be set to scan archives if not done so automatically, it's not that uncommon of a thing. I personally see no reason why the compression software should be responsible for preventing viruses, that's the job of the AV.

And honestly blocking .exe files from being extracted sounds like it could cause other problems as many legitimate programs come in archives.

I thought exactly the same way, and seem to agree with both of your points.

But I was curious to find out why the heck WinRAR has security options. It appears that WinRAR is not just compression software, it's a file and archive manager. Nowadays it may sound a bit odd, but there's Total Commander, for example. TC is a more comprehensive manager though.

For those who don't have or don't want to install an online AV scanner, WinRAR provides command line options to run an AV for an on-the-fly check after archive unpacking.

The 2nd point is about the security vs usability topic. For me, blocking .exe files from being extracted not only sounds weird, it is absolutely unusable. This case is uncommon, I guess, but it may have supporters. Some of them, if this feature is unique to WinRAR, could even pay for that.
 
What the journos never point out is that you can simply delete UnACEv2.dll.

Instead the advice is to upgrade to the latest WinRAR, along with moans about how few people will do that - which is true.

Tell people the most important thing, please. Then go off on how bad the situation is etc etc.