Trojan.Radropper Exploits WinRAR Vulnerability
Recently, we have seen a trend in Trojan horse programs exploiting popular desktop applications. The applications that have been exploited have included Microsoft Word, Excel, PowerPoint, and JustSystem's Ichitaro. Now, we have uncovered a Trojan horse exploiting a vulnerability in WinRAR, software which may not be quite as well known as the examples I have just mentioned.
Symantec Security Response has confirmed that Trojan.Radropper exploits the RARLAB WinRAR LHA Filename Handling Buffer Overflow Vulnerability. This vulnerability was first made public in July of this year and has subsequently been fixed. The current version of WinRAR (version 3.61) does not contain this vulnerability.
The attack was email based and was executed when an email with a RAR archive attachment was sent to a user. Once the archive was opened, the RAR file would drop a file, which is detected as Backdoor.Trojan, onto the user's computer.
This threat is considered a very low risk at this time, due to the fact that it was used in a targeted attack. Additionally, the vulnerability exploited here is not new and a patch is already available. However, if you are using WinRAR, I strongly advise you to patch the software as soon as possible.
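The two practical takeaways from this post are that an archive attachment should be triaged on its actual content rather than its file extension (WinRAR opens several formats, LHA/LZH among them, and the vulnerability is in the LHA filename handling), and that installed WinRAR copies should be at version 3.61 or later. The following Python is an added example written for this page, not Symantec's or RARLAB's code: a small mail-gateway triage routine that identifies the container format from its leading bytes, walks level-0/1 LHA entry headers and flags overlong filename fields, and a version comparison against the fixed release. The RAR signature and the LHA level-0/1 header layout are the published formats; the 128-byte filename threshold, the quarantine decision and the sample archives built by `build_lha_level0` are assumptions constructed for the example.

```python
"""Added example (not from the original post): defender-side triage of
archive attachments and a WinRAR version check.

Assumptions made for this example:
  - MAX_SANE_NAME_LEN is an arbitrary conservative threshold;
  - any finding leads to quarantine (policy choice for the example);
  - sample archives are constructed in memory by build_lha_level0().
"""
import struct

RAR_SIGNATURE = b"Rar!\x1a\x07\x00"   # marker block of RAR 1.5 - 4.x archives
MAX_SANE_NAME_LEN = 128               # assumption: longer names are suspicious
FIXED_WINRAR_VERSION = "3.61"         # version the post names as not vulnerable


def identify_archive(data: bytes) -> str:
    """Return 'rar', 'lha' or 'unknown' from the leading bytes only."""
    if data.startswith(RAR_SIGNATURE):
        return "rar"
    # LHA has no magic number; each entry header carries a method id such as
    # b"-lh5-" at offset 2, so the first entry identifies the format.
    if (len(data) > 7 and data[2:3] == b"-"
            and data[3:5] in (b"lh", b"lz", b"pm") and data[6:7] == b"-"):
        return "lha"
    return "unknown"


def lha_entry_names(data: bytes):
    """Yield (level, name_len, name) for each level-0/1 LHA entry header.

    Level-0/1 layout: [0] header size (bytes after the first two), [1] header
    checksum, [2:7] method id, [7:11] packed size LE, [11:15] original size,
    [15:19] DOS timestamp, [19] attribute, [20] header level, [21] filename
    length, [22:22+len] filename, then a CRC16 of the file data.
    """
    pos = 0
    while pos < len(data):
        header_size = data[pos]
        if header_size == 0:                 # end-of-archive marker
            break
        if pos + 22 > len(data):
            raise ValueError("truncated entry header")
        level = data[pos + 20]
        if level not in (0, 1):
            raise ValueError(f"unsupported LHA header level {level}")
        name_len = data[pos + 21]
        name = data[pos + 22: pos + 22 + name_len]
        if len(name) != name_len:
            raise ValueError("filename field runs past end of data")
        yield level, name_len, name
        packed_size = struct.unpack_from("<I", data, pos + 7)[0]
        # Advance over size/checksum bytes, the header body and the file data
        # (for level 1, packed size already includes the extended headers).
        pos += 2 + header_size + packed_size


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment and collect findings worth quarantining on."""
    fmt = identify_archive(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if ext == "rar" and fmt != "rar":
        findings.append(f"extension .rar but content is {fmt}")
    if fmt == "lha":
        try:
            for level, name_len, _name in lha_entry_names(data):
                if name_len > MAX_SANE_NAME_LEN:
                    findings.append(f"LHA level-{level} entry name length "
                                    f"{name_len} exceeds {MAX_SANE_NAME_LEN}")
        except ValueError as exc:
            findings.append(f"malformed LHA header: {exc}")
    return {"format": fmt, "findings": findings, "quarantine": bool(findings)}


def winrar_is_patched(version: str, fixed: str = FIXED_WINRAR_VERSION) -> bool:
    """True if a dotted version string is at or above the fixed release."""
    def parse(v: str):
        return tuple(int(part) for part in v.split("."))
    return parse(version) >= parse(fixed)


def build_lha_level0(name: bytes, payload: bytes = b"") -> bytes:
    """Construct a minimal stored ('-lh0-') level-0 LHA archive for testing."""
    body = (b"-lh0-" + struct.pack("<II", len(payload), len(payload))
            + b"\x00" * 4 + b"\x20" + b"\x00" + bytes([len(name)]) + name
            + b"\x00\x00")                   # CRC16 left zero: not verified here
    checksum = sum(body) & 0xFF
    return bytes([len(body), checksum]) + body + payload + b"\x00"


if __name__ == "__main__":
    # Constructed samples: a RAR marker, a benign LHA, and an LHA with a
    # 200-byte entry name, all delivered under a ".rar" extension.
    samples = {
        "notes.rar": RAR_SIGNATURE + b"\x00" * 16,
        "invoice.rar": build_lha_level0(b"report.txt", b"hello"),
        "photos.rar": build_lha_level0(b"A" * 200),
    }
    for fname, blob in samples.items():
        print(fname, triage_attachment(fname, blob))
    print("WinRAR 3.60 patched:", winrar_is_patched("3.60"))
```

Both checks are intentionally cheap: the format test reads a handful of bytes, and the header walk stops at the first malformed entry and reports it rather than guessing, which is the right behaviour at a gateway that will never decompress the content itself.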