if you use winrar, uninstall it. Like NOW! - AVS Forum | Home Theater Discussions And Reviews
post #1 of 21 Old 12-15-2019, 05:16 AM - BassThatHz (Thread Starter)

Hackers are using an ad javascript/jpg exploit to infect computers running winrar with an admin-level remote backdoor and keyloggers for stealing usernames and passwords (banking, work, home etc.).

Our system runs Microsoft ATP (among others), which is Microsoft's Enterprise-level Windows kernel-level anti-virus system, and it detected this threat vector.

Put short: WinRAR can no longer be trusted. Uninstall it NOW.

If you had it installed, you should consider that your entire network is compromised.

It attaches itself to the boot loader process. It starts the moment Windows powers up.
Consider your system toast. You'll have to format it clean from a BIOS boot iso.

Evidence: [attached screenshot winRAR.png]
We are running other well-known Enterprise anti-virus software too and it didn't even detect this one...
post #2 of 21 Old 12-15-2019, 06:31 AM - markmon1
Quote:
Originally Posted by BassThatHz (post #1, quoted in full)
I dunno, this feels like a dramatic overreaction. Without more details, how exactly does an ad javascript/jpg exploit cause winrar to launch with admin privileges? The last winrar exploit was documented in Feb 2019 and it was around ACE files. It could do most of what you said above, but not via an ad / javascript. It required the user to open an email or downloaded file with winrar. If they did this, then some obsolete DLL could extract files to basically anywhere. This is a pretty good analysis of what that exploit was about:
https://www.microsoft.com/security/b...vulnerability/

The solution also was to update winrar, something almost no one ever does. Or simply not to open and extract unknown archives.

Your whole network is compromised etc is really an overreach and your files you posted were not proof of this. Further, the files you posted did not show any of the bootloader files compromised. It just showed some windows startup files compromised, something that could be cleaned via booting into safe mode and removing the entries.

Not seeing any other warnings on this threat anywhere else. Do you have links?

Video: JVC RS4500 135" screen in pure black room no light, htpc nvidia 1080ti.
Audio: Anthem mrx720 running 7.1.4, McIntosh MC-303, MC-152, B&W 802d3 LR, B&W HTM1D3 center, B&W 805d3 surround, B&W 702S2 rear, B&W 706s2 x 4 shelf mounted for atmos, 2 sub arrays both infinite baffle: 4x15 fi audio running on behringer ep4000 + 4x12 fi audio running on 2nd ep4000.
post #3 of 21 Old 12-15-2019, 01:19 PM - ccarrigan1
I'd love some source on this.
post #4 of 21 Old 12-15-2019, 04:48 PM - corradizo
My subwoofers were acting weird, sounded like a Star Wars character. I uninstalled winrar, problem solved! Going to reformat my inuke6000dsp just in case and replace my speaker wire with a more secure wire.
post #5 of 21 Old 12-15-2019, 05:50 PM - Trimlock
Hasn’t WinRar always attached itself to the boot loader? I remember this being a thing back in 98SE.
post #6 of 21 Old 12-15-2019, 08:00 PM - Augerhandle
I don't get good sound unless I unzip my subs. What am I gonna do now?

"The wise understand by themselves; fools follow the reports of others"-Tibetan Proverb
_____________________ http://www.scientificamerican.com/article/auger-handle/ ________________________
post #7 of 21 Old 12-16-2019, 01:17 AM - markmon1
Quote:
Originally Posted by Trimlock
Hasn’t WinRar always attached itself to the boot loader? I remember this being a thing back in 98SE.
I'm not sure if I should take this post seriously or as a joke like the rest of the posts in this thread. But just in case, no, winrar does not "attach itself to the boot loader". Winrar is just an app. It's harmless.

The problem in the link I pasted was explained because winrar extracts archives. The problem with the way ACE was handled meant the archive itself could extract malware to harmful locations, and then when you reboot, those things run. None of this is stuff in the bootloader. It's simply running in startup, or in startup services or such.

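The extraction behaviour markmon1 describes in posts #2 and #7 (an archive entry whose name escapes the destination directory, so its payload lands somewhere that runs at the next boot) is the point any archive handler has to defend. The Python below is an added example, not code from this thread, from WinRAR or from the Microsoft write-up; it uses a ZIP container because the standard library has no ACE reader, and every member name in it is constructed for the demonstration. It shows a per-member path check that rejects absolute paths, drive letters and any `..` component before anything is written, backed by a second check on the resolved target path, while the benign member is extracted normally.

```python
"""Path-traversal guard for archive extraction (added example, not the
thread's or WinRAR's code). ZIP is used as the container because
Python's standard library has no ACE reader; the checks are
format-independent. All member names below are constructed."""
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path


def is_safe_member(name: str) -> bool:
    """Accept only relative member names with no '..' component.

    Both separators are treated as separators, as a Windows extractor
    would. Leading '/' (also covers UNC '//server/share'), and a ':' in
    the first component (drive letter such as 'C:') are rejected outright."""
    unified = name.replace("\\", "/")
    first = unified.split("/", 1)[0]
    if unified.startswith("/") or ":" in first:
        return False
    return all(part != ".." for part in unified.split("/"))


def safe_extract(archive_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract members whose target stays under `dest`; return (extracted, rejected).

    The name check and the resolved-path check are both applied, so a
    member is written only when it passes both."""
    dest = dest.resolve()
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = (dest / info.filename.replace("\\", "/")).resolve()
            inside = target == dest or dest in target.parents
            if not is_safe_member(info.filename) or not inside:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                # Write the bytes ourselves rather than calling zf.extract(),
                # so the decision above is the only thing that gates the write.
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed archive: one benign member plus three traversal attempts
    of the kind the thread describes (dropping a file into a startup location)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("../../startup/run.bat", "@echo off")            # relative traversal
        zf.writestr("..\\..\\startup\\run.vbs", "WScript.Echo 1")    # backslash variant
        zf.writestr("C:/Windows/Temp/run.exe", "MZ")                # absolute drive path
    return buf.getvalue()


def run_demo() -> tuple[list[str], list[str], str]:
    """Extract the sample archive into a fresh temporary directory and
    return what was extracted, what was rejected, and the benign file's text."""
    dest = Path(tempfile.mkdtemp(prefix="safe_extract_"))
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    content = (dest / "docs" / "readme.txt").read_text()
    return extracted, rejected, content


if __name__ == "__main__":
    ex, rej, _ = run_demo()
    print("extracted:", ex)   # ['docs/readme.txt']
    print("rejected:", rej)   # the three traversal members
```

The resolved-path check alone would let `C:/...` through on a POSIX host (where it is just a subdirectory named `C:`), and the name check alone would not catch symlinked destinations; applying both keeps the decision independent of the platform the extractor happens to run on.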
post #8 of 21 Old 12-16-2019, 02:54 AM - SuperFist
Ever since I discovered 7-Zip many years ago, I've been like WinRAR who!?
post #9 of 21 Old 12-16-2019, 05:43 AM - m0j0
As far as I understand it, WinRAR had a vulnerability in how it handled ACE files, which could be exploited. Since Jan 28th, they have removed ACE file support to close up the vulnerability (version 5.7 Beta 1 and later). And to get malware on your system, you have to actually open an infected rar file with the old version of the program. I myself mostly use 7-Zip, though I do have WinRAR installed. Just because I have it installed doesn't make it a threat vector. However, I do appreciate someone calling it out and I will go uninstall the old version and install a more recent one, just in case I need it at some point.


Edit: Actually, it looks like I have version 5.70 installed on 3/24/2019, so I must have updated it earlier and didn't remember....
post #10 of 21 Old 12-16-2019, 06:24 AM - jevchance
Quote:
Originally Posted by corradizo
My subwoofers were acting weird, sounded like a Star Wars character. I uninstalled winrar, problem solved! Going to reformat my inuke6000dsp just in case and replace my speaker wire with a more secure wire.
Thank you for actually bringing this thread back on topic.

--
Epson 2030 - Denon X1300W - Eosone RSF 1000 - Eosone RSC 300 - Volt-10 - Micca M-8C for ATMOS
2 @ VBSS End Tables - 2 More VBSS complete!
DIY 110" AT Screen
post #11 of 21 Old 12-16-2019, 11:43 AM - drewp29
Quote:
Originally Posted by m0j0
As far as I understand it, WinRAR had a vulnerability in how it handled ACE files, which could be exploited. Since Jan 28th, they have removed ACE file support to close up the vulnerability (version 5.7 Beta 1 and later). And to get malware on your system, you have to actually open an infected rar file with the old version of the program.
In other words, don't download and open *.ace files with winrar. This being the first time I have even heard of ACE files, and I am decently adept at these things, this really feels like a huge "SKY IS FALLING" post. Though coming from the guy who runs eleventy billion super hardcore firewalls on his home network and recommends that all people should be using this kind of security (or else... what?), it does not strike me as surprising in the least. And yet - Windows Enterprise? Hahaha, talk about breach of security.

BTH - as much as I truly respect you, and think you are an extremely intelligent person (with exception to your entire belief structure on 'The End is Nigh, humans are killing everything! Oh, and Tesla...'), sometimes working for the super secret uber clandestine gubment will do screwy things to people. I get it, I have a family member that is in the tinfoil hat club due to having top level access to things that make you start to see Baba Yaga at every turn. Those of us who are in the private sector, and don't deal with new and inventive ways of killing things and weighing the dead carcasses, don't have knee jerk reactions to things that take a specifically rare circumstance to actually become an issue.

I will agree that most people need to be a little bit more paranoid about their online activities, having repaired many infected computers that could have been avoided altogether by just thinking before clicking the OK button.

For the rest of you - these are not the droids you are looking for, move along...
post #12 of 21 Old 12-16-2019, 05:16 PM - Augerhandle
Quote:
Originally Posted by drewp29
...I will agree that most people need to be a little bit more paranoid about their online activities, having repaired many infected computers that could have been avoided altogether by just thinking before clicking the OK button....
So, it's NOT OK to hit the OK button? But it says OK....
post #13 of 21 Old 12-16-2019, 07:59 PM - BassThatHz (Thread Starter)
Just ask the City of Pensacola how lax security practices are working out for them...
post #14 of 21 Old 12-17-2019, 10:03 AM - Trimlock
Dude....
post #15 of 21 Old 12-18-2019, 06:54 PM - drewp29
Quote:
Originally Posted by Augerhandle
So, it's NOT OK to hit the OK button? But it says OK....
One of the worst things Microsoft ever did with Windows was make it default to hide file extensions. I always change that for myself and any computer I work on. Anyone can change an icon to make it look like a PDF document instead of an executable, but if people could see that it says *.exe, then they could determine that it is not okay to open. The obvious popup that says 'Are you sure you want to run this?' should be enough, but people have gotten so used to just clicking ok, next, next, next, next, next, finish - in addition to having to tell Windows it is alright to perform ANY function due to the idiotic and overbearing UAC, they just instinctively click the button. I try to teach people these things, but I still end up repairing machines over and over and over. Many of them run obtrusive and asinine programs like McAfee or Symantec, and STILL get viruses and malware. Personally, I don't run anything for virus protection, and I turn off Windows Defender and Firewall. None of those are going to protect you from your own stupidity anyway, so other than slowing your computer down, there really is no point.


Quote:
Originally Posted by BassThatHz
Just ask the City of Pensacola how lax security practices are working out for them...
This is an ENTIRELY different situation than someone's home network. See above comment about stupidity, which I guarantee is exactly how that ransomware happened to infect their network. Some idiot employee just clicking 'Run' instead of thinking first - probably in accounting, after receiving an e-mail that looked like an invoice PDF. This is why network backups exist. Replace all data with the backup, and move on with life. Easier said than done with the large amount of data they likely have, but that's the best solution to ransomware.
post #16 of 21 Old 12-18-2019, 08:07 PM - noah katz
As an everyday not-so-savvy computer user, I've got to know - are you saying no anti-virus/malware product works, or just some like your examples?

I have Norton AntiVirus and Malwarebytes.

Noah
post #17 of 21 Old 12-18-2019, 11:05 PM - Augerhandle
I always try to use someone else's computer. That way my computer never gets infected.
post #18 of 21 Old 12-18-2019, 11:41 PM - markmon1
Quote:
Originally Posted by BassThatHz
Just ask the City of Pensacola how lax security practices are working out for them...
I doubt they were hit by "the great winrar exploit"
post #19 of 21 Old 12-19-2019, 12:29 AM - BassThatHz (Thread Starter)
The employee had taken the computer home, it was off-site and off-network during the attack.
Microsoft ATP logged every detail of it in real-time!

That's what I like about using Windows 10 Enterprise and Microsoft ATP: no matter where the computer is on the planet, if it has an internet connection (LTE, wifi, VPN, regular LAN etc.), ATP is monitoring it in real-time, calling home to Microsoft's cloud, and then alerting us from there.

The users like it because they don't have to learn linux (no l33t required).



I looked at the contents of the .bat and .vbs and command-line switches to the net.exe and cmd.exe and powershell that it was executing...

Whoever wrote this piece of software KNEW what they were doing.
It definitely hooked deep into the OS.

Definitely an experienced blackhat or state-actor.

They clearly had deep knowledge of the full list of archaic 32-bit sys32 executables.
(Either that or they were leveraging tools that other smarter people wrote.)

They had added firewall rule exceptions for inbound proxified custom remote RDP over SSL, process escalation, admin side accounts, all-drive all-partition lookups, user-lists, and sysinfo, keyloggers. (The list goes on...)

Your typical stage1 backdoor + intel gathering.

I didn't waste time wading too deep into it really, I just ATP-isolated the machine while they were still at home.
Re-imaged it from baremetal when the employee arrived in the morning.
Added WinRar to the blacklisted software.
Problem solved!

They phoned and said "my computer is broken"
and I said: "I already know, it was hacked, I isolated it, see you in the am."

Had I not been my security-paranoid self, and had we not been using Win10 Enterprise + ATP, this wouldn't have necessarily ended so happily.
Their next move probably would have been ransomware "all-the-things!"

Asking users to learn and use linux is generally unrealistic.
85% of home and corporate desktops are Windows. 99% of gaming rigs are Windows.

Ignoring phones/tablets and IoT, you generally only see linux used for servers, and tech-oriented people for their desktops.
For example: every top 500 supercomputer is linux-based.


We use both linux and windows here.
I've seen both having multi-year up-times (with ease.)
Server grade stuff is generally rock-solid (especially if you don't mess with it.)
Installing software, changing settings and applying updates is generally when things break...

Last edited by BassThatHz; 12-19-2019 at 12:35 AM.
post #20 of 21 Old 12-19-2019, 12:38 AM - markmon1
Quote:
Originally Posted by BassThatHz (post #19, quoted in full)
Again, just having winrar installed cannot cause all the above problems.
post #21 of 21 Old 12-19-2019, 12:58 AM - notnyt
Quote:
Originally Posted by markmon1
Again, just having winrar installed cannot cause all the above problems.
waste of keystrokes.