Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Off Topic: Unicode Right-to-Left Override character used by malware

Here's an interesting thing for you security types to be aware of. Many of you are probably careful to screen attachment types so that you don't unintentionally execute code that might be malicious.

Malware authors have discovered that by embedding a Unicode control character, the Right-to-Left Override (U+202E), in a file name, they can cause the part of the name after it to display right-to-left (instead of the normal English left-to-right) and thereby obfuscate the file extension. Windows still uses the real extension when deciding how to open the file; only the rendering changes.

For example, "innocuous_cod.exe" could have the RLO character inserted after the underscore, and it would then display as "innocuous_exe.doc" (everything after the "_" is drawn right-to-left). The file is still a .exe and runs as one when it is double-clicked.

Here's a write-up with links to detected variants: http://blog.commtouch.com/cafe/malware/exe-read-backwards-spells-malware/
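The check a mail gateway or file scanner should make is not "does the name end in .doc?" but "does the name contain a bidirectional override, and what is the extension Windows will actually use?". The following Python script is an added example, not code from the original post or from the Windows auditing team: it flags bidi control characters in a file name, reports the true extension, and approximates what a left-to-right display shows so the two can be compared. The sample file names are constructed for this example (they are not real malware samples), the "apparent rendering" only models RLO and ignores the full Unicode bidi algorithm (an assumption stated in the code), and the list of dangerous extensions is an illustrative starting point rather than a complete one.

```python
# -*- coding: utf-8 -*-
"""Detect Unicode bidi override characters in file names and compare the
extension Windows really uses with the extension a user sees."""
import os

# Explicit bidi embedding/override controls (U+202A..U+202E) and the
# newer isolate controls (U+2066..U+2069). None of them is an extension
# separator, so any of them can be used to hide the real extension.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Illustrative set of extensions Windows will execute on double-click
# (assumption for this example; extend it for your environment).
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                        ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}


def true_extension(name):
    """The extension the shell uses: whatever follows the last '.' in the
    raw string, independent of how the string is rendered."""
    return os.path.splitext(name)[1].lower()


def apparent_rendering(name):
    """Approximate what a left-to-right UI displays.

    Assumption: text after an RLO (U+202E) is shown reversed until the
    next PDF (U+202C) or the end of the string; other control characters
    are invisible and simply dropped. This models the trick in the post,
    not the complete Unicode bidi algorithm."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
            continue
        if ch in BIDI_CONTROLS:
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def inspect_filename(name):
    """Report bidi controls, the true extension and the displayed name."""
    controls = [(i, "U+%04X" % ord(c), BIDI_CONTROLS[c])
                for i, c in enumerate(name) if c in BIDI_CONTROLS]
    displayed = apparent_rendering(name)
    return {
        "suspicious": bool(controls),
        "controls": controls,
        "true_ext": true_extension(name),
        "displayed_as": displayed,
        "displayed_ext": true_extension(displayed),
    }


def looks_disguised_executable(name):
    """True when the real extension is executable and the rendered name
    would lead a user to believe it is something else."""
    r = inspect_filename(name)
    return (r["suspicious"]
            and r["true_ext"] in DANGEROUS_EXTENSIONS
            and r["displayed_ext"] != r["true_ext"])


# Constructed sample names for this example (not real malware samples).
SAMPLES = [
    "innocuous_\u202ecod.exe",   # the post's example, shows as innocuous_exe.doc
    "This is my \u202ecod.exe",  # the commenter's example
    "report.docx",               # benign, no controls
    "quarterly\u202d.pdf",       # LRO with nothing to hide, still worth flagging
]


def scan(names):
    return {n: inspect_filename(n) for n in names}


if __name__ == "__main__":
    for name, r in scan(SAMPLES).items():
        verdict = "DISGUISED" if looks_disguised_executable(name) else (
            "suspicious" if r["suspicious"] else "ok")
        print("%-10s displayed=%-24r true_ext=%-6s controls=%s"
              % (verdict, r["displayed_as"], r["true_ext"], r["controls"]))
```

Note that `os.path.splitext` is evaluated on the raw string, so the override character itself never moves the dot; that is exactly why comparing `true_ext` with `displayed_ext` is a reliable signal, whereas looking at the rendered name alone is not.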

Comments
  • It took me a while to get this to work. Any good e-mail filter should catch them still, but this would be useful for hosted files, and possibly files inside archived directories.

    Here are some (Win) methods for inserting Unicode characters into text: www.fileformat.info/.../enter_unicode.htm, to input

    The codes for RLO are 202E (hex) and 8238 (dec) and for LRO they are 202D (hex) and 8237 (dec).

    I've made a copy of cmd.exe on my Win 7 (64 bit) desktop, renamed it as "This is my cod.exe" and pasted the override character just before the "c" in "cod" so that it is rendered as "This is my exe.doc" (a working string is below for you to copy/paste). The icon still showed as a command-line executable on my desktop, so if I were compiling my own exe, I'd be sure to make it appear as a Word 2003 doc.

    Here is the working string; the RLO character seems to be just after the 'c', i.e. at the end of the line, but is actually just before the 'c' in the middle of the string:

    This is my ‮cod.exe
