Malspam Exploits a WinRAR Security Hole

AlphaAtlas ([H]ard|Gawd, Staff member)
Last week, researchers unveiled a 19-year-old bug in an ancient ACE archive decompressor that, up until recently, shipped with modern builds of WinRAR. WinRAR's own website suggests that the software has a userbase of over 500 million, and while the latest beta versions of the software have removed the vulnerable .dll file, Bleeping Computer reports that researchers have already discovered a campaign to exploit the millions of unpatched software instances in the wild. The 360 Threat Intelligence Center says the "Malspam" campaign distributes malicious archives through email, but Bleeping Computer's own testing reveals that it only works if UAC is disabled, or if WinRAR is run as an administrator.

On the other hand, if UAC is disabled or WinRAR is run with administrator privileges it will install the malware to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe... Once launched, the malware will connect to http:// 138 . 204 . 171 . 108/ and download various files, including a Cobalt Strike Beacon DLL. Cobalt Strike Beacon is a penetration testing tool that is also used by criminals to gain remote access to a victim's computer... As we expect to see more malware attempt to exploit this vulnerability, whether it be through malspam or other methods, it is important that you upgrade to the latest version of WinRAR. If you are unable to upgrade for some reason, then you can use 0Patch's WinRAR micropatch to address this specific WinRAR bug. This micropatch will fix the vulnerability in all 32-bit and 64-bit WinRAR versions using the UNACEV2.DLL since 2005.

Extracting the exploit to ProgramData presumably allows it to run as an administrator without any kind of UAC prompt, but Windows also has a startup folder at "%appdata%\microsoft\windows\start menu\programs\startup" that doesn't require admin rights to access. In addition to running an up-to-date version of WinRAR (or alternatives like 7-zip), occasionally checking either of those startup directories for files that shouldn't be there is probably a good idea.
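A defender-side check for the two points raised in the post above (the two Startup folders and the bundled ACE decompressor), written here as an added example and not code from the article, Bleeping Computer or WinRAR; it assumes WinRAR's default install directories under Program Files.

```powershell
# Added example, not from the article or any commenter: inventory both Windows
# Startup folders named in the thread and report whether the vulnerable
# UNACEV2.DLL is still present next to WinRAR.exe. Default install paths are
# an assumption; reading the per-user Startup folder needs no admin rights.

$startupDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'),  # all users
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup')   # current user
)
$execExt = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.ps1'

foreach ($dir in $startupDirs) {
    "== $dir"
    if (-not (Test-Path -LiteralPath $dir)) { '   (folder not present)'; continue }
    $files = Get-ChildItem -LiteralPath $dir -File -Force |
             Where-Object { $_.Name -ne 'desktop.ini' }
    if (-not $files) { '   (empty)'; continue }
    foreach ($f in $files) {
        $flags = @()
        if ($f.Extension -in $execExt) {
            $flags += 'executable'
            # An unsigned binary in a Startup folder deserves a closer look
            if ((Get-AuthenticodeSignature -LiteralPath $f.FullName).Status -ne 'Valid') {
                $flags += 'unsigned'
            }
        }
        # Filename used by the campaign reported in the article
        if ($f.Name -ieq 'CMSTray.exe') { $flags += 'matches reported malspam drop' }
        '   {0,-30} {1,10:N0} B  {2:yyyy-MM-dd HH:mm}  {3}' -f $f.Name, $f.Length, $f.LastWriteTime, ($flags -join ', ')
    }
}

# WinRAR: the ACE decompressor lives in UNACEV2.DLL; if the file is gone,
# ACE support was removed (as in the current WinRAR builds mentioned above).
$rarDirs = foreach ($base in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
    if ($base) { Join-Path $base 'WinRAR' }
}
foreach ($d in ($rarDirs | Where-Object { Test-Path -LiteralPath $_ })) {
    $ver = (Get-Item -LiteralPath (Join-Path $d 'WinRAR.exe') -ErrorAction SilentlyContinue).VersionInfo.ProductVersion
    if (Test-Path -LiteralPath (Join-Path $d 'UNACEV2.DLL')) {
        "WinRAR $ver in $d still contains UNACEV2.DLL: update WinRAR or apply the 0patch micropatch"
    } else {
        "WinRAR $ver in $d has no UNACEV2.DLL: ACE support is gone"
    }
}
```

Shortcuts (.lnk) in a Startup folder are listed but not signature-checked; open each one's target if you do not recognise it.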
 
This is only the first. At the moment this exploit needs the admin condition etc...give it time, something far worse will appear
 
Who uses Winrar today? Same people who use AOL instant messenger and Winamp?

Anyone who torrents stuff for sure. Most large files are broken down into smaller multiple RAR files for compression.
 
Who uses Winrar today? Same people who use AOL instant messenger and Winamp?

We use it at work when sending large files to our contract manufacturers overseas. Quick easy and gets past email filters.
 
It always amazed me that windose had no compression utility built in. It's kinda fundamental in an OS.
 
Any reason not to just delete the unacev2.dll file and carry on? As I mentioned in the last news post's comments, I have one .ace file left over from 2002.
 
Looks like Windows XP is when being able to zip files in the contextual menu was created, I may be mistaken.
 
Really. I don't keep up but you used to have to get pkunzip to deal with zipped files. I figured winrar was just more of the same.

Of course it's 'unzip' in Lunix.

Completely understand, for me it is still habit after an install to put on rar or 7zip. Like being able to handle and compress more formats anyways.

god i remember pkunzip lol.
 
Really. I don't keep up but you used to have to get pkunzip to deal with zipped files. I figured winrar was just more of the same.

Of course it's 'unzip' in Lunix.

It only handles .zip files though, AFAIK. 7z and RAR archives and compressed tarballs are relatively common these days, and you do need an external utility to handle them.
 
It only handles .zip files though, AFAIK. 7z and RAR archives and compressed tarballs are relatively common these days, and you do need an external utility to handle them.
It's been rar and tar forever, and we have 7z these days. They do need switches. ;)
 
Sure, but the program interface is generally easier to use than 7zip.

I don't understand what is so hard about 7zip's interface. It's very simple and easy. It's very similar to winrar's interface...
 
Who uses Winrar today? Same people who use AOL instant messenger and Winamp?

Hey, I still use Winamp. An old version, but it's Winamp. And I still had Winrar installed, but rather than patch it, I uninstalled it. I use 7zip for that stuff now anyways.
 
I find not having to ignore an ad to buy the product every time a pretty damning reason to never use winrar ever again.

I don't even know what that means. I've been using Winrar like forever, can't even remember when I bought it years ago, it's been so long. Still use it and still like it. Don't see a reason to change now as it's what I'm used to. I have 7zip installed too and rarely use it. I just prefer the interface of Winrar better. It's like an old friend you're comfortable with and don't want to lose, I gave him an aspirin (5.70) and he's good to go.
 
Doesn't surprise me, I'd imagine that Malware developers just roll any newly discovered exploits into the payload toolkit so the program can check for a vulnerability when it scans the infected device.

It takes a long time (if they ever do) for some exploits to be patched or have their updates installed.
 
What was the point of showing UAC settings? Does a program need admin privileges to move a file into a user's Startup folder? Can a program executed from there take control of the computer?
 
I don't understand what is so hard about 7zip's interface. It's very simple and easy. It's very similar to winrar's interface...
Everything is easy for someone who already knows how to use it. This is why we still get the occasional program that virtually no one can use other than the guy who wrote it, or a dozen other guys in the same company who understand how to write code. 'Look how easy it is!': Plink, click obscure icon, click word, drag folder, click obscure icon is a pretty common procedure which can be all but impossible for the average person to figure out without obvious instructions, and then, sometimes even with them. I had to go rescue someone who purchased an AIO CPU cooler because the instructions, even with pictures, sucked.
All product instructions aimed at the average consumer should be tested out with the office nincompoop, or at least, maybe a janitor; not the smartest engineer. And maybe the janitor's grandma, too. Many things can be made really, really easy to use. Garmin's GPS, for example. Not one person that I've given them to needed to read the instructions. Programs can be made just as well.
 
Everything is easy for someone who already knows how to use it. This is why we still get the occasional program that virtually no one can use other than the guy who wrote it, or a dozen other guys in the same company who understand how to write code. 'Look how easy it is!': Plink, click obscure icon, click word, drag folder, click obscure icon is a pretty common procedure which can be all but impossible for the average person to figure out without obvious instructions, and then, sometimes even with them. I had to go rescue someone who purchased an AIO CPU cooler because the instructions, even with pictures, sucked.
All product instructions aimed at the average consumer should be tested out with the office nincompoop, or at least, maybe a janitor; not the smartest engineer. And maybe the janitor's grandma, too. Many things can be made really, really easy to use. Garmin's GPS, for example. Not one person that I've given them to needed to read the instructions. Programs can be made just as well.

I'm pretty convinced if you can use winrar you can use 7zip. All the buttons are labeled the same in winrar... Just the icons are different. Want to create an archive? Same process as winrar. Extract an already created archive? Same process.
 
Everything is easy for someone who already knows how to use it. This is why we still get the occasional program that virtually no one can use other than the guy who wrote it, or a dozen other guys in the same company who understand how to write code. 'Look how easy it is!': Plink, click obscure icon, click word, drag folder, click obscure icon is a pretty common procedure which can be all but impossible for the average person to figure out without obvious instructions, and then, sometimes even with them. I had to go rescue someone who purchased an AIO CPU cooler because the instructions, even with pictures, sucked.
All product instructions aimed at the average consumer should be tested out with the office nincompoop, or at least, maybe a janitor; not the smartest engineer. And maybe the janitor's grandma, too. Many things can be made really, really easy to use. Garmin's GPS, for example. Not one person that I've given them to needed to read the instructions. Programs can be made just as well.

Have you ever used 7zip? Because it integrates into the windows file menu, when you install it just leave file association for 7zip. All you have to do is click on the file, or right click and have the file menu with all the 7zip options if you don't want it to just extract in the same folder etc etc. It functions the same as WinRar, it's really just point and click.
 
I'm pretty convinced if you can use winrar you can use 7zip. All the buttons are labeled the same in winrar... Just the icons are different. Want to create an archive? Same process as winrar. Extract an already created archive? Same process.
&
Have you ever used 7zip? Because it integrates into the windows file menu, when you install it just leave file association for 7zip. All you have to do is click on the file, or right click and have the file menu with all the 7zip options if you don't want it to just extract in the same folder etc etc. It functions the same as WinRar, it's really just point and click.

Never said I can't, or didn't use it. Just that I've used winrar for a very long time, so it's second nature. We don't jettison stuff that still works.

I have a hard time remembering stuff that I couldn't figure out how to use, but there was a time.......
We all too often forget how hard it is for people to learn stuff they don't already have a past familiarity with. For example: While they've definitely seen it done on some TV show or old movie, kids can't figure out how to use an old landline rotary phone.
Maybe they'd be even more stumped by one of the old phones with not even a dial, but just a crank on the side.
 
At this point 7zip and WinRAR are like 95% the same interface-wise. They do roughly the same things at the same speed, too. I got a WinRAR license from a job I had like 10 years ago and it still works, so I'm still rocking it. Until something else comes out that's markedly better, I'll keep using it.
 
This is why the Linux package manager model is perfect.

Every program on your computer is installed via the package manager.

Every time you check for updates, updates are not just installed for the OS, but also for every installed program.

:ROFLMAO::ROFLMAO:

Because no exploits have ever been found that involved apt or yum.

hahahahahahahaha
 
:ROFLMAO::ROFLMAO:

Because no exploits have ever been found that involved apt or yum.

hahahahahahahaha


You seem to miss the point entirely.

All software has exploits and needs regular patching as they are discovered, package managers as well. If you don't have a package manager that updates everything, you will have software with known security holes in it installed on your system.

Most Windows systems are not compromised due to Windows security problems. They are compromised due to holes in installed software.
 
7zip. That is all.

At least until 7zip chokes on a .gz file created on HP-UX and Gzip for Windows mangles the line-endings and makes you work 80 hours in 5 days because business critical applications aren't getting data during month end close.
 
I have licensed versions of Winrar, but I cannot tell you the last time I saw an ACE file. Even going back 15+ years when piracy was still a thing in my world, it's always been RAR
 
Rar has superior compression to Zip. That’s why it’s better.

What are you talking about?

7zip is a .7z file, not a .zip. When talking about compression, all the reviews I have seen put 7zip far ahead of WinRar, not just in compression ratio but also in compression time; 7zip also beat WinRar in extraction. It also depends on the file types being compressed. 7zip is a very capable (and free) program. WinRar is also a great program, but it is not free, and at $30 a pop it is pretty expensive for the kind of program it is when 7zip is free, as it's not the kind of program you just need on a main PC; it's the kind of program you need on all your devices. For me, that would be $150 to cover all my main computers.

From personal use, and having both on the same computer, compression time goes to 7zip, so does compression size, extracting over a network is also faster with 7zip for me, extraction local seems about the same for both.
 
I find not having to ignore an ad to buy the product every time a pretty damning reason to never use winrar ever again.

Considering a single user personal license costs 30 euros and it is a lifetime license for unlimited computers you own (if I remember correctly), if that ad annoyed you enough, you could have just bought it a decade ago and didn't have to see a single "buy this shareware" window. Obviously 7-zip is a free alternative now.

A single computer usage license. The user purchases one license to use the software on one computer.

Home users may use their single computer usage license on all computers and mobile devices (USB drive, external hard drive, etc.) which are property of the license owner.
 
This is a fun thread.

Anyway, I haven't done a Windows install in years where 7zip wasn't in the group of essential small apps installed immediately.

Only compression/decompression app you'll ever need. And it's free.
 