Malware discovered exploiting 19-year-old vulnerability in WinRAR


Researchers have discovered e-mailed malware packaged in a malicious ACE archive. It may be the first in-the-wild abuse of a 19-year-old ACE vulnerability that affects, among other programs, WinRAR.

The discovery was made by the research department of security company 360 Enterprise Security Group, which announced it in a public tweet. The company found an e-mail distributing an ACE file that, when the user extracts it, infects the computer with a backdoor. Staff of the tech site BleepingComputer examined the suspicious ACE archive in a hex editor and determined that the malware is designed to drop a file into the computer's Startup folder.

Check Point researchers reported on February 20 that they had discovered a vulnerability that had gone unnoticed for 19 years. It resides in unacev2.dll, a library for the old ACE compression format used by WinRAR, among others. The vulnerability allows a specially crafted ACE archive, when extracted, to place a file in the Startup folder. When the user restarts the computer, that file is loaded automatically, after which attackers can take complete control of the machine.
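The article only says that a crafted archive can write a file into the Startup folder on extraction. The defensive counterpart is an extractor that refuses any entry name which would resolve outside the directory the user chose. The following is an added example, not code from the article, from Check Point or from WinRAR; the function names and the sample entry names are constructed for illustration, and the check uses Windows path rules (`ntpath`) so it behaves the same on any host.

```python
import ntpath

# Constructed sample entry names (not taken from any real archive). The first and
# last are benign; the others have the shapes a path-escaping entry can take:
# upward traversal, an absolute path aimed at the Startup folder, and traversal
# hidden behind a benign-looking subdirectory.
SAMPLE_ENTRIES = [
    "report.docx",
    "..\\..\\..\\Users\\Public\\evil.exe",
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\evil.exe",
    "docs/../../startup.lnk",
    "sub/dir/notes.txt",
]


def safe_extraction_target(dest_dir: str, entry_name: str):
    """Return the full path an archive entry may be written to, or None when the
    entry would land outside dest_dir. ntpath is used deliberately so the check
    models Windows semantics regardless of the operating system it runs on."""
    # Archive formats store either separator; normalise to backslashes first.
    name = entry_name.replace("/", "\\")
    # Reject drive-letter, drive-relative, UNC and root-relative names outright;
    # the startswith check keeps behaviour consistent across Python versions.
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0] or name.startswith("\\"):
        return None
    # Collapse '.' and '..' components. A '..' that still remains after
    # normalisation means the entry climbs above the destination directory.
    norm = ntpath.normpath(name)
    if norm in ("", ".") or ".." in norm.split("\\"):
        return None
    return ntpath.join(dest_dir, norm)


def triage_entries(dest_dir: str, entries):
    """Map each entry name to its permitted target path, or 'BLOCKED'."""
    return {e: (safe_extraction_target(dest_dir, e) or "BLOCKED") for e in entries}


if __name__ == "__main__":
    for entry, verdict in triage_entries("C:\\extract", SAMPLE_ENTRIES).items():
        print(f"{verdict:<45} {entry}")
```

The check is intentionally strict: it blocks anything absolute or upward-pointing rather than trying to whitelist the Startup folder specifically, because the same flaw lets an entry target any writable directory. It does not cover Windows-specific name oddities such as alternate data streams or trailing dots and spaces; a production extractor would reject those too.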

The developer of WinRAR has since dropped support for the ACE format because of the vulnerability: the ACE library was written by a third party, and its source code is no longer available. The latest version of the program, WinRAR 5.70, should therefore be safe to use. According to Check Point, however, that does not solve the problem; WinRAR is said to have more than 500 million users worldwide, and the majority of them still run a version that is susceptible to this malware.
