this post was submitted on 23 Aug 2025

Linux

[–] pedz@lemmy.ca 22 points 3 weeks ago (12 children)

It's a good explanation and analysis of what it is and what it does.

There's just one thing that I didn't see mentioned, and it's about the prevalence of having software installed to extract rar files in the first place.

AFAIK there's nothing installed by default on Debian to open rar files. You kind of have to go out of your way to extract one. Unless this changed with the latest release.

I'm not much of a distro hopper, so I'd be curious to know: are there distributions where opening and extracting a rar file only requires clicking it?

[–] skaffi 6 points 3 weeks ago (3 children)

Isn't that irrelevant? According to the article, the archive itself doesn't contain any malicious code. Rather, it's encoded in the file name, and can start executing itself when being parsed by the shell - no extraction needed.

It seems to me that avoiding rar files, or limiting your ability to extract them will provide a false sense of security at best. Seems to me that this could be done using any file type at all.

[–] pedz@lemmy.ca 3 points 3 weeks ago (2 children)

The starting point of the attack is an email message containing a RAR archive, which includes a file with a maliciously crafted file name: "ziliao2.pdf{echo,<Base64-encoded command>}|{base64,-d}|bash"

Doesn't it mean that a rar archive contains the malicious file?

It's worth noting that simply extracting the file from the archive does not trigger execution. Rather, it occurs only when a shell script or command attempts to parse the file name.
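The point made in this reply (extraction is harmless, shell parsing of the name is not) is something a defender can check for mechanically. The following is an added example, not code from the thread or from the article it discusses: it scans a constructed list of archive entry names for shell metacharacters and for the specific `{cmd,arg}|...|bash` shape quoted above, and shows the hardening side, which is quoting a name with `shlex.quote` before it is ever spliced into a shell command string. The sample names and the `PAYLOAD_B64` placeholder are constructed for the example.

```python
import re
import shlex

# Constructed sample of archive entry names, as one might get from listing an
# archive before extracting it. The crafted entry mirrors the pattern quoted in
# the thread; PAYLOAD_B64 is a placeholder, not a real encoded command.
SAMPLE_ENTRIES = [
    "report.pdf",
    "photos/holiday 2025.jpg",
    "ziliao2.pdf{echo,PAYLOAD_B64}|{base64,-d}|bash",
    "notes$(id).txt",
    "data`whoami`.csv",
]

# Characters a POSIX/bash shell treats specially when a name is interpolated
# unquoted into a command string (eval, sh -c "... $name", and the like).
SHELL_META = re.compile(r"[{}|;&$`<>()\\\"'\n\r]")


def suspicious_reasons(name: str) -> list[str]:
    """Return human-readable reasons a file name looks shell-hostile (empty if none)."""
    reasons = []
    metas = sorted(set(SHELL_META.findall(name)))
    if metas:
        reasons.append("shell metacharacters: " + "".join(metas))
    # Brace expansion of the form {word,word} is how the quoted name builds
    # commands without spaces.
    if re.search(r"\{[^}]*,[^}]*\}", name):
        reasons.append("brace-expansion command pattern {cmd,arg}")
    # A pipe that ends in an interpreter is the tell-tale final stage.
    if re.search(r"\|\s*(bash|sh|zsh)\b", name):
        reasons.append("pipe into a shell interpreter")
    return reasons


def scan(entries):
    """Map each flagged entry name to the list of reasons it was flagged."""
    return {n: suspicious_reasons(n) for n in entries if suspicious_reasons(n)}


def safe_command(name: str) -> str:
    """Build a shell command line that treats the name as data, never as syntax."""
    # shlex.quote wraps the name in single quotes (and escapes embedded ones),
    # so braces, pipes and $(...) inside it are inert when the string is run.
    return "ls -l -- " + shlex.quote(name)


if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE_ENTRIES).items():
        print(f"FLAGGED {entry!r}: {'; '.join(reasons)}")
    print(safe_command(SAMPLE_ENTRIES[2]))
```

The scanner is deliberately noisy: a legitimate name with a lone `&` or `$` will be flagged too, which is the right trade-off for a pre-extraction triage step. The real fix is on the consuming side, shown in `safe_command`: scripts that build command strings from file names should quote them, or better, pass names as argv elements (`subprocess.run([...])`) so no shell parses them at all.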

[–] skaffi 2 points 3 weeks ago (1 children)

Right you are! I'm not sure how that went over my head. Eh, too much morning, too little coffee. Thanks for correcting me.

[–] pedz@lemmy.ca 1 points 3 weeks ago

It's also worth saying that as much as I don't have an antivirus on Linux, and that I'm generally not too worried about malware and viruses, I have backups, follow the 3-2-1 rules, and my OS can be sacrificed if there is ever a problem.

But I must admit that being infected is not always detectable and taking extra care probably wouldn't hurt.
