
Hackers are using 19 yr old Win-RAR bug to install malware


By exploiting the bug, attackers are dropping persistent malware, in the form of a generic trojan, on systems that run old versions of WinRAR.
McAfee security researcher Craig Schmugar has reported that WinRAR, the world-famous and widely used compression tool, has carried a code-execution vulnerability for the past nineteen years. As a result, more than 100 exploits targeting the vulnerability have surfaced, with the majority of targets located in the USA.

The flaw in software used by 500 million people worldwide was identified only recently by Check Point Research, and it immediately made headlines because of how long it had gone unnoticed. Attackers can use it to plant persistent malware and malicious applications that most antivirus products do not detect.

Schmugar explained how the exploit works in a blog post, along with screenshots of how the attack takes place:

“One recent example piggybacks on a bootlegged copy of Ariana Grande’s hit album Thank U, Next with a file name of ‘Ariana_Grande-thank_u,_next(2019)_[320].rar’. When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Access Control (UAC) is bypassed, so no alert is displayed to the user. The next time the system restarts, the malware is run.”

Schmugar also noted that the 100 exploits do not all install the same malware.

The infection is triggered as soon as the user opens and extracts the compressed ZIP file on the PC, and it works with every version of WinRAR released in the past nineteen years. Through absolute path traversal, the archive's files are written to any folder the archive's creator chooses, such as the Windows Startup folder, and no warning is shown to the user.

That is where the malware comes into play: it runs the next time the victim reboots the device. After the reboot, a random, generic Trojan is installed that only 9 antivirus products identify, according to VirusTotal.
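The attack described above works because the extraction tool trusts the path stored inside the archive. The following script is an added example, not code from the article or from McAfee, showing how a defender can audit an archive's entry names before extraction: it flags absolute paths, drive letters, UNC prefixes and `..` components, and separately flags entries aimed at the Windows Startup folder. The sample archive, its file names and the `payload.exe` / `svchost.exe` entry names are constructed for the demonstration; the script uses Python's standard `zipfile` module because the article refers to a ZIP file, but the name checks apply to any archive format.

```python
import io
import re
import zipfile

# Assumption: any single drive letter followed by ":" marks a Windows absolute path.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")
# Path fragment of the per-user Windows Startup folder (compared case-insensitively).
_STARTUP_MARKER = "start menu/programs/startup"


def entry_risk(name: str):
    """Return a short reason if an entry name would escape the extraction
    directory (UNC path, drive letter, absolute path or '..'), else None.
    Backslashes are normalised so Windows-style names get the same checks."""
    norm = name.replace("\\", "/")
    if norm.startswith("//"):
        return "UNC path"
    if _DRIVE_RE.match(norm):
        return "drive-letter absolute path"
    if norm.startswith("/"):
        return "absolute path"
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if ".." in parts:
        return "parent-directory traversal"
    return None


def targets_startup(name: str) -> bool:
    """True if the entry would land in a Windows Startup folder (persistence)."""
    return _STARTUP_MARKER in name.replace("\\", "/").lower()


def audit_zip(data: bytes):
    """Inspect every entry of an in-memory ZIP and return (name, reason)
    pairs for entries that must not be extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = entry_risk(info.filename)
            if reason is None and targets_startup(info.filename):
                reason = "writes into Startup folder"
            if reason:
                findings.append((info.filename, reason))
    return findings


def safe_extract(data: bytes, dest: str) -> int:
    """Extract only when the audit is clean; return the number of entries written."""
    findings = audit_zip(data)
    if findings:
        raise ValueError(f"refusing to extract, unsafe entries: {findings}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return len(zf.infolist())


def build_sample() -> bytes:
    """Constructed sample archive: one benign entry plus two entries shaped like
    the traversal the article describes (all names are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/track01.mp3", b"not really audio")
        zf.writestr(r"..\..\Start Menu\Programs\Startup\payload.exe", b"MZ")
        zf.writestr(r"C:\Users\Public\Start Menu\Programs\Startup\svchost.exe", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_zip(build_sample()):
        print(f"BLOCKED {name!r}: {reason}")
```

Running the script prints the two constructed entries as blocked, one for parent-directory traversal and one for a drive-letter absolute path, and `safe_extract` raises instead of writing anything. The same audit can be applied to a quarantined download before a user is allowed to open it.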

Web searches show that an Ariana Grande RAR file with the same title McAfee identified is currently circulating on BitTorrent download services and is also being advertised on Twitter. People should be reflexively suspicious of any file offered for download online. WinRAR users should make sure at once that they are running version 5.70; any other version is vulnerable to these attacks. Another option is to switch to 7-Zip.

The Ariana Grande RAR file is circulating on numerous BitTorrent services and on Twitter under exactly the title Schmugar identified. If you see such a file offered for download, ignore it, and make sure you use WinRAR version 5.70 only, because that is the only version not vulnerable to the attacks. Alternatively, you can switch to 7-Zip.
