With over 500 million users, WinRAR is the most popular compression tool. It is the best way to compress files for efficient and secure file transfer; it also speeds up email transmission and lets users organize their data appropriately. It has been in use since the mid 90s and was especially appreciated when Windows itself could not handle zip archives, but as Windows developed, software like WinRAR kept updating too, adding more archive types and features such as RAR, ZIP, 7z, ACE and more. But who would have thought that this user-friendly software could be used to take over your computer?
However, a 19-year-old bug was recently found in WinRAR. The company did its best to fix the issue, which required users to update the software to keep their information safe, but many still haven't.
In a recent report, researchers at Check Point Software highlighted that the vulnerability was actually in the UNACEV2.DLL library, which older versions of WinRAR used to decompress ACE archives, a format that is very rare nowadays.
Moreover, McAfee, one of the leading antivirus and software protection companies, stated that more than 100 exploits could have occurred because of the bug.
The potential of a Trojan horse
A Trojan horse is malicious software that disguises itself as a useful and helpful program but is used by hackers to take over your computer or to download harmful files onto it.
Because of this bug, WinRAR could have been used as a Trojan horse: hackers could have planted a disguised malicious file on your computer, and whenever you rebooted, it would have become active automatically.
The method of hack
Furthermore, as discussed earlier, the hack relies on an ACE archive, which goes undetected by antivirus software. The hacker could then rename the ACE file to a .RAR archive, which, when opened, can be used to extract the malware to any specified arbitrary path.
The bootlegged copy of “Thank U, Next” in WinRAR
As reported by McAfee researcher Craig Schmugar, in one of the recent attacks they discovered that hackers were taking advantage of victims with the help of a bootlegged copy of Ariana Grande's album "Thank U, Next".
The bootlegged copy was packed into an archive file named "Ariana_Grande-thank_u,_next(2019)_.rar". As discussed previously, the file used vulnerable WinRAR software to add a malicious payload to the Windows Startup folder.
According to the researchers, the initial victims were mostly residents of the United States. They further discovered more than 100 exploits in the first week following disclosure, with the numbers still increasing.
Schmugar further explains that User Account Control was bypassed, so no alerts were displayed to users, and the next time the system restarted the malicious program ran automatically.
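The two ingredients above, an ACE archive renamed to .rar and a member name that escapes the extraction folder, can both be checked for on the defender's side. The following is an added example written for this page, not code from the article, McAfee or Check Point; the ACE header layout (7-byte signature "**ACE**" at byte offset 7) and the RAR magic bytes come from the public format descriptions, and the function names are my own.

```python
import os
from typing import Optional

# Constructed example, not code from the article or the vendors it cites.
# ACE main header: CRC (2 bytes), size (2), type (1), flags (2), then the
# 7-byte signature "**ACE**" at offset 7. The format is recognised from the
# content, which is why an ACE file renamed to .rar still opened as ACE.
ACE_SIGNATURE = b"**ACE**"
ACE_SIGNATURE_OFFSET = 7
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR4, RAR5


def sniff_archive(data: bytes) -> str:
    """Classify an archive by its leading bytes: 'rar', 'ace' or 'unknown'."""
    if data.startswith(RAR_SIGNATURES):
        return "rar"
    end = ACE_SIGNATURE_OFFSET + len(ACE_SIGNATURE)
    if len(data) >= end and data[ACE_SIGNATURE_OFFSET:end] == ACE_SIGNATURE:
        return "ace"
    return "unknown"


def is_disguised_ace(filename: str, data: bytes) -> bool:
    """True when the name says .rar but the content is an ACE archive."""
    return filename.lower().endswith(".rar") and sniff_archive(data) == "ace"


def find_disguised_ace(directory: str) -> list:
    """Walk a directory and return paths of .rar files that are really ACE."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(32)  # enough bytes for both signature checks
            if is_disguised_ace(name, head):
                hits.append(path)
    return hits


def safe_destination(extract_dir: str, member_name: str) -> Optional[str]:
    """Resolve an archive member name inside extract_dir, or None if it would
    escape. Rejects absolute paths, drive letters and '..' components, the
    kind of member names that let the vulnerable DLL write into Startup."""
    name = member_name.replace("\\", "/")
    if name.startswith("/") or ":" in name:
        return None
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    return "/".join([extract_dir.rstrip("/")] + parts)
```

`find_disguised_ace` is what you would point at a downloads share; `safe_destination` is the containment check an extractor should apply to every member name before writing.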
Steps to remedy the situation
As soon as the WinRAR company was informed by the researchers, it fixed the vulnerability in a new patched version, released as an update in the form of version 5.70.
A WinRAR spokesperson also told ThreatPost that support for the ACE archive format has been removed in the latest update, WinRAR 5.70.
Moreover, as WinRAR doesn't have an automatic update feature, users have to download the updated version manually. Users who don't want to upgrade, or who are unable to find a localized version of WinRAR 5.70, can instead delete the UNACEV2.DLL file from the version of WinRAR currently installed on their computers. For version 5.10 and newer, UNACEV2.DLL is likely to be found in the WinRAR program folder. For versions older than 5.10, it is in the Formats subfolder of the WinRAR program folder.