First used to smuggle viruses and worms past perimeter security defenses, then to crash antivirus programs, experts now warn that compressed file formats again are being used to attack networks -- this time as .rar files often masquerading as pornography.
Peter Bieringer, a security consultant at Germany-based network security company AERAsec, last April analyzed a threat he labeled "decompression bombs," which caused many popular antivirus engines to crash when they attempted to decompress gigabytes of data and scan hundreds and thousands of files for viruses. The result can be a denial-of-service attack against applications or systems because of the heavy processing load.
At that time the most widely discussed threat was posed by popular .zip file formats, but that's changed. Organizations that blocked .zip files but allowed other compressed formats to pass the gateway may now regret their leniency.
"Blocking certain formats and switching to others gives a false sense of security that's inviting trouble," said Yoz Grahame, a technology analyst with Business Data Quality Ltd. in London. "If you're choosing .rar files because your antivirus system won't scan them, then it's just giving actual viruses a much easier route into your network. The problem isn't in the .rar format -- it's in the antivirus system implementations."
Bieringer warned that issues can arise any time the decompressor works only in a dump mode. He recommends implementing limits during decompression -- maximum depth of recursive compressed files, the amount of disk/memory-space available and the number of files created -- and adding an anomaly checker with configurable limits.
Now, Grahame said, "several of the major antivirus products can specifically detect these attacks, and some others fail gracefully, but as of late last year most products were still considered vulnerable.
"The primary threat is against automated content scanners at network boundaries, antivirus systems being an obvious candidate," Grahame continued. "If an AV system is patched into your inbound mail server, and the AV system is vulnerable to decompression bombs, then it could be an easy way to knock out those systems and leave a company without working e-mail." And, he warned, .rar is based on a more efficient compression algorithm and so can deliver more effective attacks.
Recent examples of .rar used in malicious code include some early variants of the Netsky worm, as well as a virus last week that purported to be a Microsoft patch, according to an eWeek report.
Some say the fix is a simple one for vendors to implement, but it appears that some vendors remain vulnerable to a flaw widely publicized nearly a year ago.
"If a particular vendor's software doesn't currently block [.rar files], it is a simple software update to add that functionality -- most vendors can update their virus detection engines in a few hours," said Rob McCarthy, president of Lightspeed Systems in Bakersfield, Calif.
Grahame recommended that. "Enterprise customers of all sizes should ascertain if their antivirus systems are immune from such an attack, and if not, what the vendor is doing about it."