Trying to determine if some RAR files contain malware

Hi Everyone. I downloaded some RAR files that pertained to the recent Ledger crypto wallet hack to see if my information was included. When I attempted to unRAR the RAR files, I received the following fatal error. “an error occurred while loading the archive.” No other information was included and the RAR file did not open using the standard Archive Manager application.

Eventually I was able to open the RAR using a web based unarchiver, but now I’m worried that I inadvertently unleashed some kind of malware on my Librem running the most up to date PureOS.

Can anyone help me determine if these files contained malware and possibly in relation also help me understand why the Archive Manager did not unarchive the RAR files?

I am happy to supply the files if anyone has tools that they can use to analyze them. I ran them through VirusTotal but they came back clean. Some people on Twitter said the RARs contained some malware that affected their iOS devices, but not much other info.

Thanks in advance.

Hi

Be reassured:

  • Uncompressing an archive like rar or zip, or tar.gz, only puts files on your disk; it doesn’t execute them, so if you didn’t try to open any uncompressed file nothing can happen to your computer
  • Malware for iOS won’t work on Windows or Linux (and vice versa); the executables are not cross-platform (unless Java)
  • You can have malware or a virus on your computer; it doesn’t mean it’s activated.
    You only copied the files, not executed them, so nothing will happen

You can safely run the following commands in the folder you have the uncompressed files :

ls -l *
file *

ls will list the files present in the folder showing the executable flag (or not)
file will analyse what kind of file it is (an image ? an executable ? a text file ? a script ? …)

It will give you a first overview of what you have here

2 Likes

You can try uploading the RAR file to https://virustotal.com/ and check the results (try to be critical - especially the lesser-known Anti-Virus solutions).

As for the Ledger leaks, you could look into https://www.argent.xyz/ledgerhack/ - someone made this page to help you discover whether or not you’ve been affected. Then again I don’t know this person so use it at your own risk.

2 Likes

What were the exact names of the files that you saved the downloaded files to?

How did you attempt to do that?

As @fralb5 says, using the file command would be your first option to see whether it looks like a valid RAR file. Here’s example output for file on what I believe to be a valid .rar file:

foo.rar: RAR archive data, v4, os: Win32, flags: ArchiveVolume NewVolumeNaming FirstVolume

Yes and no. History contains any number of cleverly and intentionally malformed files that are designed to exploit coding errors in the program that manipulates a certain type of file, with the hoped-for result being a Remote Code Execution (RCE) exploit.

However before we get to that explanation, let’s eliminate simpler less malicious explanations.

1 Like
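The file one-liner above only reads the first few bytes, and the "intentionally malformed file" point is exactly why one might want to look a little deeper without handing the archive to an extractor at all. As an added example (not code from anyone in this thread, nor from file, unrar or PureOS), here is a small Python 3 script that reads just the RAR marker block and the main archive header, reports the version and header flags the way file does, and verifies the header CRC, so a truncated or tampered header is reported instead of being silently accepted. Field layouts and flag bits follow the published RAR 4.x technote and the RAR 5 format description; the two sample archives it builds are constructed stubs (marker plus main header only), not the Ledger files.

```python
"""Inspect a RAR marker block and main archive header without extracting anything."""
import struct
import sys
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"

# RAR 4 MAIN_HEAD HEAD_FLAGS bits (names chosen to match what libmagic prints).
RAR4_MAIN_FLAGS = {0x0001: "ArchiveVolume", 0x0002: "Comment", 0x0004: "Lock",
                   0x0008: "Solid", 0x0010: "NewVolumeNaming", 0x0020: "Authenticity",
                   0x0040: "RecoveryRecord", 0x0080: "EncryptedHeaders", 0x0100: "FirstVolume"}
# RAR 5 main archive header "archive flags" bits.
RAR5_ARCHIVE_FLAGS = {0x0001: "Volume", 0x0002: "VolumeNumber", 0x0004: "Solid",
                      0x0008: "RecoveryRecord", 0x0010: "Locked"}


def read_vint(data, pos):
    """Decode a RAR5 variable-length integer: 7 bits per byte, MSB set = more bytes follow."""
    value, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated vint")
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def _flag_names(flags, table):
    return [name for bit, name in table.items() if flags & bit]


def inspect_rar(data):
    """Return {'version', 'flags', 'encrypted_headers'} or raise ValueError."""
    if data.startswith(RAR5_MARKER):
        return _inspect_rar5(data[len(RAR5_MARKER):])
    if data.startswith(RAR4_MARKER):
        return _inspect_rar4(data[len(RAR4_MARKER):])
    raise ValueError("not a RAR archive (no marker block)")


def _inspect_rar4(body):
    # MAIN_HEAD: HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) HighPosAV(2) PosAV(4)
    if len(body) < 7:
        raise ValueError("truncated RAR4 main header")
    head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", body, 0)
    if head_type != 0x73:
        raise ValueError(f"expected MAIN_HEAD type 0x73, got 0x{head_type:02x}")
    if head_size < 7 or len(body) < head_size:
        raise ValueError("RAR4 main header size exceeds data")
    # HEAD_CRC is the low 16 bits of CRC32 over HEAD_TYPE .. end of header.
    if zlib.crc32(body[2:head_size]) & 0xFFFF != head_crc:
        raise ValueError("RAR4 main header CRC mismatch (corrupt or tampered)")
    return {"version": 4, "flags": _flag_names(head_flags, RAR4_MAIN_FLAGS),
            "encrypted_headers": bool(head_flags & 0x0080)}


def _inspect_rar5(body):
    # Header: CRC32(4) size(vint) type(vint) flags(vint) [extra size] [data size] ...
    if len(body) < 5:
        raise ValueError("truncated RAR5 header")
    (crc,) = struct.unpack_from("<I", body, 0)
    header_size, pos = read_vint(body, 4)
    header_end = pos + header_size
    if header_end > len(body):
        raise ValueError("RAR5 header size exceeds data")
    # The CRC32 covers everything from the size field to the end of the header.
    if zlib.crc32(body[4:header_end]) & 0xFFFFFFFF != crc:
        raise ValueError("RAR5 header CRC mismatch (corrupt or tampered)")
    header_type, pos = read_vint(body, pos)
    header_flags, pos = read_vint(body, pos)
    if header_flags & 0x0001:          # extra area present
        _, pos = read_vint(body, pos)
    if header_flags & 0x0002:          # data area present
        _, pos = read_vint(body, pos)
    if header_type == 4:               # archive encryption header: the rest is ciphertext
        return {"version": 5, "flags": ["EncryptedHeaders"], "encrypted_headers": True}
    if header_type != 1:
        raise ValueError(f"expected main archive header (type 1), got {header_type}")
    archive_flags, _ = read_vint(body, pos)
    return {"version": 5, "flags": _flag_names(archive_flags, RAR5_ARCHIVE_FLAGS),
            "encrypted_headers": False}


def header_is_valid(data):
    """Convenience wrapper: True if the marker and main header parse and the CRC matches."""
    try:
        inspect_rar(data)
        return True
    except ValueError:
        return False


# Constructed stub archives (marker + main header only) for demonstration; not real RARs.
def _vint(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def make_rar4_sample(head_flags):
    rest = struct.pack("<BHHHI", 0x73, head_flags, 13, 0, 0)   # type, flags, size=13, AV fields
    return RAR4_MARKER + struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest


def make_rar5_sample(archive_flags):
    payload = _vint(1) + _vint(0) + _vint(archive_flags)    # type=1, header flags=0, archive flags
    sized = _vint(len(payload)) + payload
    return RAR5_MARKER + struct.pack("<I", zlib.crc32(sized) & 0xFFFFFFFF) + sized


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:            # e.g. python3 rarhead.py Ledger.rar
        print(inspect_rar(fh.read(4096)))
```

Run it as python3 rarhead.py Ledger.rar: it reads at most 4 KiB and never decompresses anything. A ValueError from the CRC check means the header itself is damaged, which would point at a bad download; a clean header followed by an extraction failure points at the extractor instead. Note that a RAR 5 archive with encrypted headers shows only the encryption header, so there is nothing further to inspect without the password.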

I appreciate your help, All.

Ledger.rar
Ledger(1).rar (duplicate download because the first time it didn’t unzip)
files.zip (this one was one of the Ledger.rar files that was unRARed via a website and not locally, it created this zip file which I downloaded to access the text files inside)

I attempted to unRAR via the desktop GUI using the built-in Archive Manager application. I right clicked and selected the ‘extract here’ option. It only results in the error message “An error occurred while loading the archive. Fatal error.”

Here is the output of fralb5’s commands:

frank@librem:~/Downloads$ ls -l *
-rw-r--r-- 1 frank frank 23880631 Dec 20 22:05  files.zip
-rw-r--r-- 1 frank frank 19229175 Dec 20 21:48 'Ledger(1).rar'
-rw-r--r-- 1 frank frank 19229175 Dec 20 21:22  Ledger.rar

frank@librem:~/Downloads$ file *
files.zip:     Zip archive data, at least v2.0 to extract
Ledger(1).rar: RAR archive data, v5
Ledger.rar:    RAR archive data, v5

I believe that the problem is that the extract process fills the disk. That’s what the “fatal error” is. Would I be right in thinking that the error comes up after some time?

Whether that’s because the archive is ‘corrupt’ in some way or because the software that Archive Manager is using to extract from a RAR file is buggy I don’t know.

RAR is a proprietary format and support for proprietary formats is often less than perfect in the non-proprietary world. Really someone should be distributing this file in a non-proprietary (compressed) format e.g. gzip (of a tar file, for example)

2 Likes
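If filling the disk is the worry, the zip that came back from the online unarchiver can be sized up before anything is extracted. As an added example (not code from anyone in this thread, nor from Archive Manager), here is a Python 3 script that reads only the central directory of a ZIP through the standard library, totals the declared compressed and uncompressed sizes, flags a suspicious inflation ratio (a decompression bomb) and entry names that would escape the extraction directory, and refuses to extract encrypted entries blindly. The ratio and size limits are arbitrary assumptions, and the sample archive it builds is constructed, not the files.zip from the thread.

```python
"""Size up a ZIP before extracting it: totals, inflation ratio, unsafe entry names."""
import io
import posixpath
import sys
import zipfile

MAX_RATIO = 100.0        # assumption: anything that inflates more than 100x is treated as a bomb
MAX_TOTAL = 1 << 30      # assumption: refuse archives that would unpack to more than 1 GiB


def unsafe_name(name):
    """True if an entry would land outside the extraction directory."""
    clean = posixpath.normpath(name.replace("\\", "/"))
    return clean.startswith("/") or clean == ".." or clean.startswith("../")


def inspect_zip(data):
    """Read only the central directory; nothing is decompressed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    if compressed:
        ratio = uncompressed / compressed
    else:
        ratio = float("inf") if uncompressed else 0.0
    return {
        "entries": len(infos),
        "compressed": compressed,
        "uncompressed": uncompressed,
        "ratio": ratio,
        "unsafe_names": [i.filename for i in infos if unsafe_name(i.filename)],
        "encrypted": [i.filename for i in infos if i.flag_bits & 0x1],
    }


def verdict(report):
    """Decide whether to extract, based only on what the central directory declares."""
    if report["ratio"] > MAX_RATIO or report["uncompressed"] > MAX_TOTAL:
        return "refuse: decompression bomb"
    if report["unsafe_names"]:
        return "refuse: path traversal"
    if report["encrypted"]:
        return "inspect: encrypted entries"
    return "ok"


def make_sample_zip(hostile=False):
    """Constructed sample archive, not the files.zip from the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("emails.txt", "alice@example.com\nbob@example.com\n")
        if hostile:
            zf.writestr("padding.bin", b"\0" * (4 << 20))   # 4 MiB of zeros deflates to a few KiB
            zf.writestr("../../.bashrc", "echo pwned\n")    # would escape the target directory
    return buf.getvalue()


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:            # e.g. python3 zipcheck.py files.zip
        report = inspect_zip(fh.read())
    print(report)
    print(verdict(report))
```

The sizes come from what the central directory declares, and a hostile archive can lie about them, so this is a pre-check rather than a guarantee; the extractor itself should still cap bytes written while inflating. It is also worth knowing that recent versions of Python's zipfile sanitize traversal names on extraction, but other tools may not, which is why the script flags them rather than trusting the extractor.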

The error appears pretty quickly. Is it possible that the RAR is corrupt because it’s malicious and it’s not able to execute on PureOS? I wish I could submit the file for some kind of analysis. VirusTotal says it’s clean but I’m guessing there is something malicious about it based on the comments about popups from iOS users.

The fact that it works using a web-based unarchiver makes me lean towards … it’s not corrupt, the code used by Archive Manager is just buggy.

Maybe the RAR file uses some newer features that are misimplemented in the Linux code base.

Depends on how fast your disk is and how full your disk is though, doesn’t it?

1 Like

What CPU? I suppose it also depends on how fast your CPU is.

1 Like

Which web-based unarchiver did you use?

1 Like

One more comment: There are two packages for the unrar command - one is unrar-free and one is unrar

The former (unrar-free) is, I suspect, very old and would not support more recent RAR versions, and would not be usable here.

From the naming, the latter is, I suspect, non-free and perhaps is deliberately excluded from PureOS.

So at the shell prompt what do you get for

which unrar
ls -l on the file given by the previous command (which you can achieve with: ls -l `!!` )
?

1 Like

I would like to partially retract / modify this.

I think that Archive Manager fails horribly in extracting from a RAR file if neither rar nor unrar exists as a command.

1 Like

Of course, the RAR would have to be an attack specific to a flaw in a specific piece of software (here unrar-free or unrar), which is very low-reward to do on GNU/Linux.
In frankbeans’ case it is possible, but very, very unlikely, especially if it’s targeting iOS.
My goal here was first to reassure, then to take a look.

@frankbeans :
The following would also show what is installed, and in which version:

dpkg -l | grep unrar
2 Likes

I used something called Unrar Online (unrar.online)

Ah-ha! When I type in which unrar as you suggested, I get nothing! When I checked to see if unrar was installed on my computer before, it appeared to be installed as part of the unarchiving app - I really could have sworn I checked to see if unrar was installed in the initial hubbub of trying to extract the file. Using apt-cache policy unrar shows:

unrar:
Installed: (none)
Candidate: (none)
Version table:

And sudo apt install unrar:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package unrar is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or is only available from another source

Both which rar and which unrar return nothing. I’m pulling my hair out wondering how I mistakenly verified that unrar was installed.

Also returns nothing.

I must have been very panicky to have misread unrar not installed as installed. Or possibly so panicky that I thought I verified something I didn’t. I feel so stupid right now. Thanks for all your help, Everyone.

1 Like

Just an observation, if neither rar nor unrar is installed then that should be pretty safe against even a malicious RAR file - because you have no way of doing anything with the RAR file. Archive Manager itself is (reportedly) just a front end for the appropriate specific command(s) needed to manipulate the specific type of archive.

So for the problem as originally raised, I think this is solved. Very likely you have not triggered malware or extracted malware - because you can’t successfully do anything with a RAR file.

However that leaves open the question of what options for manipulating RAR files are available with PureOS.

3 Likes

Needless to say, you should never use an online unarchiver unless you trust that web site regarding both the confidentiality of the results and the integrity of the results.

At least in this case the confidentiality is not an issue because anyone can download that RAR file from around the internet.

1 Like

This will work:
$ sudo apt update && sudo apt upgrade
$ sudo apt install unrar-free

However (if the above doesn’t help), perhaps @frankbeans would like to try this:
$ sudo apt install unar (it is included in the PureOS repo)
cd to where the Ledger.rar file is
$ mkdir LedgerFolder
$ file-roller -e LedgerFolder Ledger.rar

1 Like

I don’t think it will. It looks to be years out of date and will work with maybe RAR version 2 or earlier but not RAR version 5 - which the specific RAR file in question is.

3 Likes

7zip is LGPL and has support for rar archives. There’s a chance it defers to unrar or unrar-free in its backend (I’ve never tried it on a machine without unrar-free), but I think it handles unraring directly. It should be available in PureOS.

Edit: Just checked the 7z page. They used code from the unrar package, which is GPL compatible except for the restriction that it cannot be used to reverse-engineer the rar protocol for the purpose of creating a program to create rar archives. Not quite up to Purism’s standard of free software, but not that encumbering.

3 Likes

I have no clue, yet I think that if the unar package comes originally from The Unarchiver, and this particular .rar file was originally compressed for iOS users, it might (perhaps) extract under PureOS. Please feel free to take a look at this .deb package.

1 Like