Why questionable downloads use rar archives

Rar archives are the only compression type that preserve certain hidden files and most antiviruses don't scan for these hidden files.

Quick history

Alternate data streams were introduced in Microsoft's NTFS to match Apple's HFS concept of [forking](http://en.wikipedia.org/wiki/Fork(filesystem) to maintain some degree of compatibility. It allows a single file to have multiple files of different file types closely associated with the file. Windows uses ADS to store author, title, thumbnail, and other metadata of a file. However, ADS allows any file to be attached to any other file. It's actually trivial to attach files larger than the main data stream.

The Problem

Windows doesn't expose these data streams to the user. Windows Explorer doesn't show these streams; the file size isn't even affected. If a process is running from one of these data streams, Task Manager doesn't show it. The only Windows-shipped method to identify these files is to use "dir /r" on Windows Vista or greater. This makes ADS a perfect way to hide malware.

Or does it?

When a file with additional streams is moved outside of the NTFS filesystem, only the main data stream is sent. All major file compression formats also strip the alternate streams, except rar. WinRar offers the option to preserve hidden data streams in the rar archive.

Using WinRar, we can hide harmful executables in seemingly innocuous files. Any antivirus software worth its salt should pick this up, so I tested that theory.

The Setup

Create a file and add the standard, unmalicious test virus EICAR as an alternate data stream named deadly.txt.

:: Create the harmless file
C:\> echo Nothing here > harmless.txt

:: Create the test virus
C:\> echo|set /p="X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" > testvirus.exe

:: Add the test virus as an ADS
C:\> more testvirus.exe > harmless.txt:deadly.txt

:: Make sure it was added
C:\> notepad harmless.txt:deadly.txt

Compress harmless.txt using WinRar. Select "Save file streams".


The Test

I needed to ensure all the antivirus software tested saw testvirus.exe as a virus, so I used VirusTotal. Not all antivirus software is compliant, as the results show. ByteHero, MicroWorld-eScan and MalwareBytes did not recognize the test virus, so I was unable to determine if they handle rar archives.


When I tested harmless.rar only 17/43 identified the virus. Major antivirus software like AVG, Panda, SUPERAntiSpyware, PCTools, VIPRE, and Symantec were among the 60% that did not recognize the virus.



The rar format can be dangerous for Windows users and it's highly plausible those distributing questionable files know it. It would explain why there hasn't been a greater move to the open and higher compression 7z format.

Until antivirus companies can shape up their support for rar archives: use an antivirus that currently supports rar well, stop downloading rar archives, or use a different OS.


This post was inspired by Bartosz Inglot's 2011 article http://passionateaboutis.blogspot.com/2011/11/compressed-and-encrypted-alternate-data_22.html

A good explanation of ADS https://windowssecrets.com/top-story/hide-sensitive-files-with-alternate-data-streams/

This has been discussed on Hacker News.