Malspam Exploits a WinRAR Security Hole

AlphaAtlas

[H]ard|Gawd
Staff member
Joined
Mar 3, 2018
Messages
1,713
Last week, researchers unveiled a 19-year-old bug in an ancient ACE archive decompressor that, up until recently, shipped with modern builds of WinRAR. WinRAR's own website suggests that the software has a user base of over 500 million, and while the latest beta versions of the software have removed the vulnerable .dll file, Bleeping Computer reports that researchers have already discovered a campaign to exploit the millions of unpatched software instances in the wild. The 360 Threat Intelligence Center says the "Malspam" campaign distributes malicious archives through email, but Bleeping Computer's own testing reveals that it only works if UAC is disabled, or if WinRAR is run as an administrator.

On the other hand, if UAC is disabled or WinRAR is run with administrator privileges it will install the malware to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe... Once launched, the malware will connect to http:// 138 . 204 . 171 . 108/ and download various files, including a Cobalt Strike Beacon DLL. Cobalt Strike Beacon is a penetration testing tool that is also used by criminals to gain remote access to a victim's computer... As we expect to see more malware attempt to exploit this vulnerability, whether it be through malspam or other methods, it is important that you upgrade to the latest version of WinRAR. If you are unable to upgrade for some reason, then you can use 0Patch's WinRAR micropatch to address this specific WinRAR bug. This micropatch will fix the vulnerability in all 32-bit and 64-bit WinRAR versions using UNACEV2.DLL since 2005.

Extracting the exploit to ProgramData presumably allows it to run as an administrator without any kind of UAC prompt, but Windows also has a startup folder at "%appdata%\microsoft\windows\start menu\programs\startup" that doesn't require admin rights to access. In addition to running an up-to-date version of WinRAR (or alternatives like 7-zip), occasionally checking either of those startup directories for files that shouldn't be there is probably a good idea.
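One way to do that check is the script below, an added example that is not part of the post or of any tool it mentions. It lists every entry in both Startup folders (the per-user one under %APPDATA% and the per-machine one under C:\ProgramData), resolves shortcuts to their launch target, and flags the entries a defender would look at first: the CMSTray.exe name from the Bleeping Computer write-up, executables without a valid Authenticode signature, and anything written recently. It assumes Windows PowerShell 5.1 or newer; the seven-day window and the extension list are the example's own choices.

```powershell
# Added example, not part of the forum post: audit both Windows Startup folders
# for entries that should not be there. Reading either folder needs no elevation.

$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),         # %APPDATA%\...\Startup, per-user, writable without admin rights
    [Environment]::GetFolderPath('CommonStartup')    # C:\ProgramData\...\Startup, per-machine, needs admin rights to write
)

# Dropper name reported in the Bleeping Computer write-up quoted in the post above.
$KnownBadNames = @('CMSTray.exe')

# Anything with these extensions runs at logon; shortcuts are resolved to their target below.
$ExecutableExt = @('.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.wsf', '.hta', '.ps1', '.lnk')

function Get-StartupAudit {
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }

        foreach ($file in (Get-ChildItem -LiteralPath $folder -File -Force)) {
            # desktop.ini is the only file Windows itself keeps in these folders.
            if ($file.Name -ieq 'desktop.ini') { continue }

            # Shortcuts are the usual way to launch from Startup; check what they point at.
            $target = $file.FullName
            if ($file.Extension -ieq '.lnk') {
                $shell  = New-Object -ComObject WScript.Shell
                $target = $shell.CreateShortcut($file.FullName).TargetPath
            }

            $targetExists = ($target -and (Test-Path -LiteralPath $target))
            $sig  = if ($targetExists) { Get-AuthenticodeSignature -LiteralPath $target } else { $null }
            $hash = if ($targetExists) { (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash } else { 'n/a' }

            $reasons = @()
            if ($KnownBadNames -contains $file.Name) { $reasons += 'name matches the reported dropper' }
            if ($ExecutableExt -contains $file.Extension.ToLower()) {
                if (-not $targetExists)           { $reasons += 'launch target missing' }
                elseif ($sig.Status -ne 'Valid')  { $reasons += "no valid Authenticode signature ($($sig.Status))" }
            }
            if ($file.LastWriteTime -gt (Get-Date).AddDays(-7)) { $reasons += 'written in the last 7 days' }

            [PSCustomObject]@{
                Folder     = $folder
                Name       = $file.Name
                Target     = $target
                Modified   = $file.LastWriteTime
                SHA256     = $hash
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Suspicious entries first. Review before deleting: a legitimate unsigned tool is flagged too.
Get-StartupAudit | Sort-Object Suspicious -Descending | Format-List
```

The signature check is what separates a real finding from noise: a launcher for a well-known application will carry a valid signer subject, while a freshly dropped executable in either folder usually has none.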
 

TheOne&OnlyZeke

100% Irish
Joined
Jul 21, 2000
Messages
10,890
This is only the first. At the moment this exploit needs the admin condition etc...give it time, something far worse will appear
 

delita

[H]ard|Gawd
Joined
Mar 10, 2014
Messages
1,728
Who uses Winrar today? Same people who use AOL instant messenger and Winamp?

Anyone who torrents stuff for sure. Most large files are broken down into smaller multiple RAR files for compression.
 

Darunion

Supreme [H]ardness
Joined
Oct 6, 2010
Messages
4,178
Who uses Winrar today? Same people who use AOL instant messenger and Winamp?

We use it at work when sending large files to our contract manufacturers overseas. Quick, easy, and gets past email filters.
 

PenGunn

Limp Gawd
Joined
May 30, 2013
Messages
349
It always amazed me that windose had no compression utility built in. It's kinda fundamental in an OS.
 

arnemetis

2[H]4U
Joined
Aug 2, 2004
Messages
3,618
Any reason not to just delete the unacev2.dll file and carry on? As I mentioned in the last news post's comments, I have one .ace file left over from 2002.
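Before deleting anything it helps to know whether the DLL is even there and which WinRAR build it belongs to. The script below is an added example, not from the post or from WinRAR, that locates WinRAR installs (default Program Files paths plus registry uninstall entries), reports the WinRAR.exe version and whether UNACEV2.DLL is present, and states the obvious verdict. It assumes Windows PowerShell 5.1 or newer and treats 5.70, the release another poster mentions later in the thread, as the first build that ships without the DLL; that threshold is an assumption of the example.

```powershell
# Added example, not from the post: report whether WinRAR on this machine still
# carries UNACEV2.DLL, so you can decide between deleting it and updating.

# Assumption: 5.70 is the first release that no longer ships the ACE DLL.
$FirstVersionWithoutDll = [version]'5.70'

function Get-WinRarInstallDirs {
    $dirs = @()
    foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($pf) { $dirs += (Join-Path $pf 'WinRAR') }
    }
    # Uninstall entries catch installs outside Program Files.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($entry in (Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue)) {
        if ($entry.DisplayName -like 'WinRAR*' -and $entry.InstallLocation) {
            $dirs += $entry.InstallLocation.TrimEnd('\')
        }
    }
    $dirs | Where-Object { Test-Path -LiteralPath $_ } | Sort-Object -Unique
}

function Test-WinRarAceExposure {
    foreach ($dir in Get-WinRarInstallDirs) {
        $exe = Join-Path $dir 'WinRAR.exe'
        $dll = Join-Path $dir 'UNACEV2.DLL'

        # Major.minor from the PE version resource, e.g. 5.61 or 5.70.
        $version = $null
        if (Test-Path -LiteralPath $exe) {
            $vi = (Get-Item -LiteralPath $exe).VersionInfo
            $version = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart)"
        }

        $dllPresent = Test-Path -LiteralPath $dll
        $dllHash = if ($dllPresent) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { 'n/a' }

        $verdict = if (-not $dllPresent) {
            'ACE support absent; nothing to do'
        } elseif ($version -and $version -ge $FirstVersionWithoutDll) {
            'DLL still present although the version should not ship it; delete it'
        } else {
            'vulnerable: update WinRAR, apply the micropatch, or delete UNACEV2.DLL'
        }

        [PSCustomObject]@{
            InstallDir    = $dir
            WinRarVersion = $version
            AceDllPresent = $dllPresent
            AceDllSha256  = $dllHash
            Verdict       = $verdict
        }
    }
}

Test-WinRarAceExposure | Format-List
```

Run it before and after the fix you choose; the second run should show AceDllPresent as False for every install directory, and the recorded hash tells you afterwards exactly which DLL build was removed.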
 

Darunion

Supreme [H]ardness
Joined
Oct 6, 2010
Messages
4,178
Looks like Windows XP is when being able to zip files in the contextual menu was created, I may be mistaken.
 

Darunion

Supreme [H]ardness
Joined
Oct 6, 2010
Messages
4,178
Really. I don't keep up but you used to have to get pkunzip to deal with zipped files. I figured winrar was just more of the same.

Of course it's 'unzip' in Lunix.

Completely understand, for me it is still habit after an install to put on rar or 7zip. Like being able to handle and compress more formats anyways.

God, I remember pkunzip lol.
 

AlphaAtlas

[H]ard|Gawd
Staff member
Joined
Mar 3, 2018
Messages
1,713
Really. I don't keep up but you used to have to get pkunzip to deal with zipped files. I figured winrar was just more of the same.

Of course it's 'unzip' in Lunix.

It only handles .zip files though, AFAIK. 7z and RAR archives and compressed tarballs are relatively common these days, and you do need an external utility to handle them.
 

PenGunn

Limp Gawd
Joined
May 30, 2013
Messages
349
It only handles .zip files though, AFAIK. 7z and RAR archives and compressed tarballs are relatively common these days, and you do need an external utility to handle them.
It's been rar and tar forever, and we have 7z these days. They do need switches. ;)
 

EODetroit

[H]ard|Gawd
Joined
Oct 20, 2004
Messages
1,485
Who uses Winrar today? Same people who use AOL instant messenger and Winamp?

Hey, I still use Winamp. An old version, but it's Winamp. And I still had Winrar installed, but rather than patch it, I uninstalled it. I use 7zip for that stuff now anyways.
 

Mike89

Gawd
Joined
Jan 27, 2003
Messages
702
I find not having to ignore an ad to buy the product every time a pretty damning reason to never use winrar ever again.

I don't even know what that means. I've been using Winrar like forever, can't even remember when I bought it years ago, it's been so long. Still use it and still like it. Don't see a reason to change now as it's what I'm used to. I have 7zip installed too and rarely use it. I just prefer the interface of Winrar better. It's like an old friend you're comfortable with and don't want to lose, I gave him an aspirin (5.70) and he's good to go.
 

Spidey329

[H]F Junkie
Joined
Dec 15, 2003
Messages
8,683
Doesn't surprise me, I'd imagine that malware developers just roll any newly discovered exploits into the payload toolkit so the program can check for a vulnerability when it scans the infected device.

It takes a long time (if they ever do) for some exploits to be patched or have their updates installed.
 

FelixAnon

n00b
Joined
Feb 9, 2019
Messages
3
What was the point of showing UAC settings? Does a program need admin privileges to move a file into a user's Startup folder? Can a program executed from there take control of the computer?
 

nightfly

2[H]4U
Joined
Jun 7, 2011
Messages
3,038
I don't understand what is so hard about 7zip's interface. It's very simple and easy. It's very similar to winrar's interface...
Everything is easy for someone who already knows how to use it. This is why we still get the occasional program that virtually no one can use other than the guy who wrote it, or a dozen other guys in the same company who understand how to write code. 'Look how easy it is!': Plink, click obscure icon, click word, drag folder, click obscure icon is a pretty common procedure which can be all but impossible for the average person to figure out without obvious instructions, and then, sometimes even with them. I had to go rescue someone who purchased an AIO CPU cooler because the instructions, even with pictures, sucked.
All product instructions aimed at the average consumer should be tested out with the office nincompoop, or at least, maybe a janitor; not the smartest engineer. And maybe the janitor's grandma, too. Many things can be made really, really easy to use. Garmin's GPS, for example. Not one person that I've given them to needed to read the instructions. Programs can be made just as well.
 

elite.mafia

[H]F Junkie
Joined
Aug 23, 2004
Messages
14,980
Everything is easy for someone who already knows how to use it. This is why we still get the occasional program that virtually no one can use other than the guy who wrote it, or a dozen other guys in the same company who understand how to write code. 'Look how easy it is!': Plink, click obscure icon, click word, drag folder, click obscure icon is a pretty common procedure which can be all but impossible for the average person to figure out without obvious instructions, and then, sometimes even with them. I had to go rescue someone who purchased an AIO CPU cooler because the instructions, even with pictures, sucked.
All product instructions aimed at the average consumer should be tested out with the office nincompoop, or at least, maybe a janitor; not the smartest engineer. And maybe the janitor's grandma, too. Many things can be made really, really easy to use. Garmin's GPS, for example. Not one person that I've given them to needed to read the instructions. Programs can be made just as well.

I'm pretty convinced if you can use winrar you can use 7zip. All the buttons are labeled the same in winrar... Just the icons are different. Want to create an archive? Same process as winrar. Extract an already created archive? Same process.
 

Deleted member 184142

Guest
Everything is easy for someone who already knows how to use it. This is why we still get the occasional program that virtually no one can use other than the guy who wrote it, or a dozen other guys in the same company who understand how to write code. 'Look how easy it is!': Plink, click obscure icon, click word, drag folder, click obscure icon is a pretty common procedure which can be all but impossible for the average person to figure out without obvious instructions, and then, sometimes even with them. I had to go rescue someone who purchased an AIO CPU cooler because the instructions, even with pictures, sucked.
All product instructions aimed at the average consumer should be tested out with the office nincompoop, or at least, maybe a janitor; not the smartest engineer. And maybe the janitor's grandma, too. Many things can be made really, really easy to use. Garmin's GPS, for example. Not one person that I've given them to needed to read the instructions. Programs can be made just as well.

Have you ever used 7zip? Because it integrates into the windows file menu, when you install it just leave file association for 7zip. All you have to do is click on the file, or right click and have the file menu with all the 7zip options if you don't want it to just extract in the same folder etc etc. It functions the same as WinRar, it's really just point and click.
 

nightfly

2[H]4U
Joined
Jun 7, 2011
Messages
3,038
I'm pretty convinced if you can use winrar you can use 7zip. All the buttons are labeled the same in winrar... Just the icons are different. Want to create an archive? Same process as winrar. Extract an already created archive? Same process.
&
Have you ever used 7zip? Because it integrates into the windows file menu, when you install it just leave file association for 7zip. All you have to do is click on the file, or right click and have the file menu with all the 7zip options if you don't want it to just extract in the same folder etc etc. It functions the same as WinRar, it's really just point and click.

Never said I can't, or didn't use it. Just that I've used winrar for a very long time, so it's second nature. We don't jettison stuff that still works.

I have a hard time remembering stuff that I couldn't figure out how to use, but there was a time.......
We all too often forget how hard it is for people to learn stuff they don't already have a past familiarity with. For example: While they've definitely seen it done on some TV show or old movie, kids can't figure out how to use an old landline rotary phone.
Maybe they'd be even more stumped by one of the old phones with not even a dial, but just a crank on the side.
 

Domingo

Fully [H]
Joined
Jul 30, 2004
Messages
20,074
At this point 7zip and WinRAR are like 95% the same interface-wise. They do roughly the same things at the same speed, too. I got a WinRAR license from a job I had like 10 years ago and it still works, so I'm still rocking it. Until something else comes out that's markedly better, I'll keep using it.
 

thebufenator

[H]ard|Gawd
Joined
Dec 8, 2004
Messages
1,367
This is why the Linux package manager model is perfect.

Every program on your computer is installed via the package manager.

Every time you check for updates, updates are not just installed for the OS, but also for every installed program.

:ROFLMAO::ROFLMAO:

Because no exploits have ever been found that involved apt or yum.

hahahahahahahaha
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
33,058
:ROFLMAO::ROFLMAO:

Because no exploits have ever been found that involved apt or yum.

hahahahahahahaha


You seem to miss the point entirely.

All software has exploits and needs regular patching as they are discovered, package managers as well. If you don't have a package manager that updates everything, you will have software with known security holes in it installed on your system.

Most Windows systems are not compromised due to Windows security problems. They are compromised due to holes in installed software.
 

BinarySynapse

[H]F Junkie
Joined
Feb 6, 2006
Messages
15,103
7zip. That is all.

At least until 7zip chokes on a .gz file created on HP-UX and Gzip for Windows mangles the line-endings and makes you work 80 hours in 5 days because business critical applications aren't getting data during month end close.
 

Burticus

Supreme [H]ardness
Joined
Nov 7, 2005
Messages
4,546
I have licensed versions of Winrar, but I cannot tell you the last time I saw an ACE file. Even going back 15+ years when piracy was still a thing in my world, it's always been RAR.
 

Deleted member 184142

Guest
Rar has superior compression to Zip. That’s why it’s better.

What are you talking about?

7zip is a .7z file, not a .zip. When talking about compression, all the reviews I have seen put 7zip far ahead of WinRar, not just in compression ratio, but compression time; 7zip also beat WinRar in extraction. It also depends on the file types being compressed. 7zip is a very capable (and free) program. WinRar is also a great program, but is not free, and at $30 a pop, it is pretty expensive for the kind of program it is when 7zip is free, as it's not the kind of program you just need on a main PC etc, it's the kind of program you need on all your devices; for me, that would be $150 to cover all my main computers.

From personal use, and having both on the same computer, compression time goes to 7zip, so does compression size, extracting over a network is also faster with 7zip for me, extraction local seems about the same for both.
 

faugusztin

2[H]4U
Joined
Mar 9, 2008
Messages
2,668
I find not having to ignore an ad to buy the product every time a pretty damning reason to never use winrar ever again.

Considering a single user personal license costs 30 euros and it is a lifetime license for unlimited computers you own (if I remember correctly), if that ad annoyed you enough, you could have just bought it a decade ago and wouldn't have had to see a single "buy this shareware" window. Obviously 7-zip is a free alternative now.

A single computer usage license. The user purchases one license to use the software on one computer.

Home users may use their single computer usage license on all computers and mobile devices (USB drive, external hard drive, etc.) which are property of the license owner.
 

criccio

Fully Equipped
Joined
Mar 26, 2008
Messages
13,954
This is a fun thread.

Anyway, I haven't done a Windows install in years where 7zip wasn't in the group of essential small apps installed immediately.

Only compression/decompression app you'll ever need. And it's free.
 