Organizations now blocking the popular .zip file extension to prevent virus and worm attacks within compressed files now have a new challenge -- .rar files. That extension and others like it made headlines last week by providing malware writers with a new avenue of attack.
".Rar is based on a more efficient compression algorithm and so can deliver more effective attacks," said Yoz Grahame, a technology analyst with Business Data Quality Ltd. in London. "And gzipped HTML is somewhat more dangerous. This is the common technique of modern Web servers compressing HTML pages using the gzip algorithm before serving them to save bandwidth.
"If there's an enterprise-wide Web proxy in place that scans incoming content -- a very common situation -- then a bomb delivered that way could knock out Web access for the entire network," Grahame added. "This isn't quite as threatening as an e-mail attack, as an html.gz file must be requested from within the network, but it's still very possible."
Two different threats have plagued organizations that permit the use of compressed files: first viruses and worms smuggled past perimeter security defenses; then antivirus programs that crashed when unpacking files to scan them.
Peter Bieringer, a security consultant at Germany-based network security company AERAsec, last April analyzed a threat he labeled "decompression bombs," which caused many popular antivirus engines to crash when they attempted to decompress gigabytes of data and scan hundreds and thousands of files for viruses. The result can be a denial-of-service attack against applications or systems because of the heavy processing load.
Then the most widely discussed threat was posed by popular .zip file formats, prompting many organizations to block .zip files but allowed other compressed formats to pass the gateway.
"Decompression bombs create a denial-of-service condition by consuming available resources (CPU, memory and/or disk space)," Randy Bartels, a consulting manager at Calence Inc. in Tempe, Ariz., said in an e-mail interview. "These attacks are targeted at SMTP and, to a lesser extent, HTTP. However, this risk is elevated given the ubiquitous nature of Internet connectivity, the anonymous nature of e-mail/HTTP sessions and the data flow process of gateway-based antivirus solutions. The latter ensures that all attachments are decompressed so that they can be examined for malicious content."
Recent examples of .rar used in malicious code include some early variants of the Netsky worm, as well as a recent virus that purported to be a Microsoft patch, according to recent news reports.
"Decompression bombs exploit bugs in network services rather than specific IT strategies, so switching between .zip and .rar as an enterprise's chosen archive format will have no effect," Grahame said. "It's malicious files rather than file formats that do the damage, and there's little an enterprise can do to defend against these attacks other than upgrading or replacing those services."
"Several of the major antivirus products can now specifically detect these attacks, and some others fail gracefully, but as of late last year most products were still considered vulnerable," Grahame said. His recommendation? "Enterprise customers of all sizes should ascertain if their antivirus systems are immune from such an attack, and if not, what the vendor is doing about it."