
Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection

From Paul <nospam@needed.invalid>
Newsgroups alt.comp.os.windows-10, alt.comp.os.windows-11, comp.os.linux.advocacy
Subject Re: Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection
Date 2025-08-28 07:54 -0400
Organization A noiseless patient Spider
Message-ID <108pg25$1ahah$1@dont-email.me>
References <f316bcee397ee302412a58851009d7e7@dizum.com> <108n81e$orq6$1@toylet.eternal-september.org> <108o3vk$vok4$10@dont-email.me> <108o7f8$10ph7$1@dont-email.me> <108pael$191t5$1@dont-email.me>

Cross-posted to 3 groups.



On Thu, 8/28/2025 6:19 AM, Daniel70 wrote:
> On 28/08/2025 10:21 am, Hank Rogers wrote:
>> Lawrence D’Oliveiro wrote on 8/27/2025 6:22 PM:
>>> On Wed, 27 Aug 2025 23:25:34 +0800, Mr. Man-wai Chang wrote:
>>>
>>>> I think I have seen many bug reports about WinRAR ....
>>>
>>> This isn’t one of them, but I still don’t understand how the vulnerability is supposed to work. The proofs of concept on the
>>> Trellix page all seem to rely on wantonly dangerous use of the
>>> “eval” command, which would be a dumb thing to do indeed.
>>
>> I thought Linux didn't have any bugs or malware.  Damn, things are getting bad.
>>
> Does ANYTHING ever get to "didn't have any bugs or malware" state??
> 
> "didn't have any *UNDISCOVERED* bugs or malware" today, sure, but who knows what the state will be tomorrow!!

A lot of mistakes are implementation mistakes, like not
using a hardened routine for this or that. And we can estimate
how many unclassified mistakes there are in a work. For some
version of Windows, the estimate was 50,000, just based on the KLOC count.
Microsoft would have automatic scans for the easy stuff -- even the
compiler can slap your fingers for some of those.

This is a different class of bug, in that it is an architecture bug.
It could be that the private RAR module is doing this, rather than
the Archive Manager applying this recipe to everything it does. There
is no mention of ZIP files having specially crafted filenames, for example.

The RAR decoder module is free. The only question I would have about
it is whether it is Open Source and all the code for RAR in the
Archive Manager can be read by anyone ("many eyes"). If Mr. Roshal
coded this up, and the activity is hidden in a binary blob, that would
make it easier to understand. It just doesn't seem like an activity you
would do at that level, and logically the place to be attempting
stuff like this is the Archive Manager.

And once the Linux people find where in the code this is happening,
this will lead to an examination of the ecosystem, to make sure there
are no more of these (obviously bad) things out there. I doubt anyone
signed off on this as being "particularly clever". This might well be
code that was never reviewed.

The RAR encoder module costs money. That's how its author keeps himself fed.
That only gets on a computer if you bought a copy.

7ZIP comes with an SDK, and the Archive Manager version could be based
on the SDK materials. (Even Windows uses libarchive, a recent addition.)
Whereas the Windows 7Z executable version (from its web site) is closed
source as far as I know, but still free. The Windows version was recently
modified to include a higher threads-of-execution count, so that it could
be used on machines with "processor groups" (you can finally compress with
your 96-core computer and use all 96 cores). The article describing this
was VERY strangely worded, and the reporter was obviously in a shit-disturbing
mood.

One of the acid tests for compressors is getting two different versions
of code to produce roughly the same file size. You can't expect an exact
match, due to time stamps, but if the byte counts are the same, that is
a positive sign. When I tried to get Linux and Windows to make the same
7Z, it didn't work out that well. Generally I do not hear comments about
"this version could not decode the output of that version"; that
seems to be handled pretty well. The two ecosystems could still read each other's output.

It may have started with an email, but only part of the attachment handling
would be done there, and handoff of any further layers of decoding needed
could end up with the Archive Manager. As a software dev, when you
"use someone else's services", you don't know how stupid they are. And
it may not be apparent that something as silly as the problem description
is happening when you call that service. But some Black Hat figured it out.

   Paul
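The failure mode the thread circles around is a filename that is only data inside the archive but becomes code once some downstream tool splices it into a shell command line or an `eval`. The following is an added example, not code from Paul's post, from the Trellix write-up, or from any archive manager; it shows a defender-side triage of archive member names and puts the dangerous interpolation pattern next to the argv-list pattern that is immune to it. The member names are constructed, and `file` stands in for whatever helper the archive tool would invoke.

```python
"""Triage archive member names before any of them can reach a shell.

Added example: models the problem discussed in the thread, where an archive
member name is harmless as data but is later handed to a shell or eval.
All sample names below are constructed for illustration.
"""
import re
import shlex
from typing import Dict, Iterable, List

# Characters a POSIX shell interprets. A name containing any of them must
# never be spliced into a command string; pass it as one argv element instead.
SHELL_META = re.compile(r"[;&|<>`$(){}\[\]\\\"'*?~!#]")

# Constructed sample entries, as an archive listing might report them.
SAMPLE_MEMBERS = [
    "report.pdf",                     # benign
    "photos/holiday 2025.jpg",        # a space is fine with argv, splits words under eval
    "notes.txt$(CMD_PLACEHOLDER)",    # command substitution if shell-expanded
    "../.bashrc",                     # escapes the extraction directory
    "/etc/cron.d/job",                # absolute path
    "two\nlines.txt",                 # a newline breaks any line-oriented pipeline
]


def risky_reasons(name: str) -> List[str]:
    """Return the reasons a member name is unsafe to hand to a shell; [] if none."""
    reasons: List[str] = []
    if name.startswith("/") or ".." in name.split("/"):
        reasons.append("path escapes extraction directory")
    if "\x00" in name:
        reasons.append("embedded NUL")
    if "\n" in name or "\r" in name:
        reasons.append("embedded line break")
    if " " in name or "\t" in name:
        reasons.append("whitespace (word splitting)")
    if SHELL_META.search(name):
        reasons.append("shell metacharacters")
    return reasons


def unsafe_command(name: str) -> str:
    """The pattern that creates the bug: the member name spliced into a shell string.

    Anything that looks like shell syntax in `name` is executed, not passed on.
    """
    return f"file {name}"


def safe_argv(name: str) -> List[str]:
    """The fix: one argv element per argument, executed without a shell.

    '--' ends option parsing so a name starting with '-' cannot become a flag.
    """
    return ["file", "--", name]


def triage(members: Iterable[str]) -> Dict[str, List[str]]:
    """Map each member name to its list of risk reasons."""
    return {m: risky_reasons(m) for m in members}


def main() -> None:
    for name, reasons in triage(SAMPLE_MEMBERS).items():
        print(("RISK " if reasons else "OK   ") + repr(name))
        for reason in reasons:
            print("       -", reason)
        # shlex.join shows how the argv form would have to be quoted for a shell;
        # with subprocess.run(safe_argv(name)) no shell is involved at all.
        print("       shell string:", repr(unsafe_command(name)))
        print("       argv        :", shlex.join(safe_argv(name)))


if __name__ == "__main__":
    main()
```

The point is not the specific character list but the shape of the fix: a name that fails `risky_reasons` is worth refusing or renaming at extraction time, and a name that passes it is still only safe if it travels as an argv element, never as part of a string the shell re-parses.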
