Symantec Confirms Serious AV Security Flaw

Software developer Symantec Corporation has confirmed a high-risk buffer-overflow security vulnerability in its AntiVirus Library when scanning RAR archives.

Symantec Corporation has publicly acknowledged a serious security vulnerability in its AntiVirus Library which could lead to execution of arbitrary code when scanning RAR archive files. The issue affects dozens of Symantec’s enterprise and consumer products for Windows, as well as recent antivirus products for Macintosh, Linux, Solaris, AIX and handheld devices.

Symantec rates the vulnerability as “high” risk, and says it is “currently working to create and distribute product updates for all affected products.”

Symantec’s statement comes a day after security researcher Alex Wheeler published a public advisory about the problem (PDF).

The issue involves multiple unchecked 16-bit fields in RAR archive sub-block header types. In theory, an attacker could craft a RAR archive that overwrites critical areas of memory with arbitrary data; if that data were then executed, it could grant the attacker system-wide privileges on the affected machine. Because Symantec’s antivirus products automatically scan files arriving via email and other routes, the user would not have to view an email message or open an attachment to trigger the attack: it would happen automatically.
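As an added illustration of the defensive check that keeps an unchecked 16-bit header-size field from turning into a memory overwrite (example code written for this page, not Symantec's scanner; the simplified header layout, the MAX_EXTRA_LEN scratch buffer and the function names are assumptions):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed, simplified little-endian block header used only for illustration, loosely
 * modelled on RAR 2.x: [0..1] CRC16, [2] type, [3..4] flags, [5..6] head_size (whole header). */
#define BASE_HEADER_LEN 7
#define MAX_EXTRA_LEN   256  /* fixed scratch buffer for fields that follow the base header */

typedef struct {
    uint8_t  type;
    uint16_t flags;
    uint8_t  extra[MAX_EXTRA_LEN];
    size_t   extra_len;
} block_header_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one header at buf. Returns bytes consumed, or 0 if malformed. The unsafe
 * pattern this guards against is trusting the 16-bit field directly, e.g.
 * memcpy(out->extra, buf + 7, head_size - 7): head_size < 7 underflows to a huge
 * length and head_size > 7 + sizeof(extra) writes past the fixed buffer. */
size_t read_block_header(const uint8_t *buf, size_t len, block_header_t *out)
{
    if (len < BASE_HEADER_LEN) return 0;              /* truncated base header */
    uint16_t head_size = le16(buf + 5);
    if (head_size < BASE_HEADER_LEN) return 0;        /* length would underflow */
    if (head_size > len) return 0;                    /* header runs past the input */
    size_t extra_len = (size_t)head_size - BASE_HEADER_LEN;
    if (extra_len > MAX_EXTRA_LEN) return 0;          /* would overflow scratch buffer */
    out->type  = buf[2];
    out->flags = le16(buf + 3);
    memcpy(out->extra, buf + BASE_HEADER_LEN, extra_len);
    out->extra_len = extra_len;
    return head_size;
}

/* Walk consecutive headers; returns count parsed, or -1 at the first malformed one. */
int count_block_headers(const uint8_t *buf, size_t len)
{
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        block_header_t h;
        size_t used = read_block_header(buf + off, len - off, &h);
        if (used == 0) return -1;
        off += used;
    }
    return n;
}
```

Rejecting the header outright is the safe scanner behaviour: a size field that cannot be satisfied by the bytes actually present, or by the fixed buffer it is copied into, is treated as a malformed archive rather than trusted.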

To date, there are no known exploits of this bug. As an interim measure, users could consider disabling scans of RAR compressed files and RAR self-extracting archives.

The RAR compression format is relatively popular, particularly among users compressing large audio or video files. As a result, virus creators have increasingly begun bundling malware into RAR archive files to sneak “under the radar” of antivirus products operating on mail servers and other network perimeters. Antivirus products can typically scan the contents of ZIP archives, but not all can yet scan inside RAR files. Symantec’s products can do so, and the security bug lies within that capability.

Showing 2 comments

  1. SUCKS to be you! at 9:10pm 18th February 2006 you should'a bought a MAC! Then at least you wouldn't have these issues!

    friends don't let friends use Windows.
  2. Stephen Neitzke at 5:26pm 25th December 2005 You write: "To date, there are no known exploits of this bug."

    If .rar can be used on photographs of scantily-clad actresses and models (in my defense, cheesecake, not porno), then I've probably got an "exploit" of this bug to talk about.

    On Tue 13 Dec 2005 -- late evening, end of my computer day -- I clicked on an Italian actress' photo in Google Images. Instantly, there were multiple blinks/resets of my browser window and a new toolbar appeared. I immediately took my cable modem offline and ran a full scan with the Norton AV. The toolbar disappeared. (It was "Adware.FastLook", sourced from two files, kthjt.dll and rdt.ini. The Norton AV scanner deleted those and eleven Registry keys.) The anti-spyware capabilities of NIS 2006 were why I'd upgraded last October. Satisfied, I shut down the computer for the night.

    On boot-up next morning, before taking the modem online, I had a hijacked browser (complete with DNS numbers for servers in the Amsterdam area, instead of my Tulsa ISP's numbers), a new spyware scanner (UnSpyPC -- complete with desktop shortcut icon), a stack of virus alerts for trojans and spyware, more new and hidden processes than I could keep track of, and Norton ripping out more Registry keys than I knew it was capable of.

    The search function and AV scanner was used continually. It was clear from the beginning that the toolbar was only the first of a long line of concealed files and registry keys that somehow got past Norton's "Auto Protect" scanning of code coming into my machine from the Internet. I was quickly angry that this package contained code for known, 2-5-year-old trojans. This should be simple stuff to spot.

    I was unstudied and unprepared for this onslaught. I didn't know the term, "rootkit", until about Day 7. I kept notes, but, in hindsight, frequently did not focus on important events.

    However, I did start a process of using my Norton logs to trap remote IP numbers and malware exe file names. Use of frequent reboots, short periods online, and Norton's "block/allow traffic" button all lit up the logs with malicious numbers and file names.

    I know the URL of the site that hit me with this rootkit payload. I know 4 ranges of IP's to which the trojans attempted to deliver info from my machine -- two in the Amsterdam area and two in California. (This hacker does not work alone.) And I will blab all to anyone who's interested.

    The hacker did not ever have complete control of my machine, but it was a close call. The margin, I think, was that I'd locked the AV options with a strong password last October -- after setting all of those options for maximum capabilities. It's clear that he did not breach the AV options password.

    The Norton AV software and I countered everything he vomited out of the rootkit for the first six days. On boot-up, Day 7, the machine went straight into Safe Mode. It took me seven hours of flailing to find and correct the altered bullet list at Run > "msconfig /P".

    Exhausted (I'm a 60-something disabled guy with many med problems), I napped and returned a few hours later. The machine had been offline and traffic-blocked while I slept. On return, there was a stack of ten virus alerts waiting for me -- all "access denied" -- detailing five different trojans and spyware packages. Took notes and ran the AV scanner. All ten rogue-code instances were snuffed.

    That was early evening, 19 Dec. And it was the end of episode one. There's been no further malware activity that I can detect. The rootkit seems spent.

    I'm sure the rootkit is still in there. The OS has displayed continual instabilities since that last burst of activity on 19 Dec. With WinXP Home, it's impossible for me to wipe the hard drive and reinstall. I'll have to buy the pricey XP Pro upgrade to get that capability.

    "Denial of service" law has been violated and I want a hide to nail to the proverbial barn door.

    Symantec's failure to stop known rogue code at the threshold rankles me.

    Microsoft's failure to give even a modicum of protection to rogue code writing to their NT kernel is jaw-jacking. Clearly, Microsoft is on the hacker's side, once the hacker is inside.

    Thanks to Microsoft's incompetence, I've had no life but this battle for 12 days. I figure it will be another two weeks of study and spyware tools deployment before I can feel somewhat comfortable with the defense -- and, even then, the jaundiced eye will be turned until one of the major AV producers gets off their butt and develops a multifaceted counterattack for rootkits.

    Whoever does it well gets my money. Symantec, having had brand loyalty from me for 4 years, is now out in the cold. Discovering that they have mommy-coddled rootkit hackers because Sony wanted to use rootkits as an anti-piracy gimmick is still a flaming wound on the back of my neck.

    I'm looking for somebody to sue for the price of the XP Pro upgrade that I figure to have to use many times over the coming year or so. I have a very modest disability income. It's a constant budget fight between meds and food. Giving Microsoft an incompetency reward of $200 will be a hardship deal in many ways.

    Wound-licking aside, I have a strong sense that this experience was just the hacker sounding out the defense -- just playing, just kidding around, just seeing what's possible. Other than the endemic instabilities caused by the rootkit's deep corruption of the OS, there was no machine damage done, no files harmed or exported.

    As the rootkit technology passes into meaner hands, I expect a lot of horror stories. WinXP users should start now to relearn the Win3.x ways of wipe disk and reinstall. The process takes planning, and it will be the only real removal tool that we'll have for a long while.

    The hacker learned a lot from me -- and I from him. I think we're all in for a long run of rootkit dominance.
