The Latest in IT Security

edocinU edirrevO tfeL ot thgiR gnisU erawlaM (Malware Using Right to Left Override Unicode)

19 Aug 2011

According to our friends at Commtouch, malware using the Right to Left Override (RLO) Unicode trick has “resurfaced extensively in the past week”. The Unicode character U+202E (RIGHT-TO-LEFT OVERRIDE) forces the text that follows it to be displayed right to left. It exists for languages that are traditionally read in that direction, but it is also a feature that can be abused to obfuscate file names: the character itself is invisible, and everything after it appears reversed.

We examined a sample a few days ago.

Here’s the archive file viewed in Windows:

log_08.12.2011_P61602.zip

The Windows Compressed Folder view shows us that the extension is “.exe” and that the file type is an Application:

Compressed Folder

But once extracted, the file appears to have an extension of “.doc”.

Windows Explorer recognizes the file as an application, but the malware is using a Word icon as part of its social engineering trickery.

Changelog_08.12.2011_Prophylexe.doc
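As an added illustration of how the disguise works and how to spot it before extraction, the following Python script (example code written for this page, not something from the original post or from Commtouch) builds a small in-memory ZIP archive whose entry name contains U+202E, approximates how a bidi-aware file manager would render that name, and reports the real extension. The stored name `Changelog_08.12.2011_Prophyl<U+202E>cod.exe` is a constructed sample modelled on the screenshots above (displayed as `...Prophylexe.doc`, real type `.exe`); the archive contents are placeholder bytes, not a real executable.

```python
import io
import unicodedata
import zipfile

# Unicode bidirectional control characters that can alter how a file name is
# displayed. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in the RLO trick;
# the embeddings and isolates are flagged too, since none of them belong in a
# legitimate file name.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)

# Constructed sample, modelled on the post's screenshots: the stored name ends in
# ".exe" but an RLO placed before "cod.exe" makes it read "...Prophylexe.doc".
SAMPLE_NAME = "Changelog_08.12.2011_Prophyl\u202ecod.exe"


def contains_bidi_control(name: str) -> bool:
    """True if the name carries any bidi override/embedding/isolate character."""
    return any(ch in BIDI_CONTROLS for ch in name)


def strip_bidi_controls(name: str) -> str:
    """Remove the invisible control characters, leaving the real stored name."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """Extension of the name as the OS sees it, ignoring how it is displayed."""
    clean = strip_bidi_controls(name)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows for a name containing an RLO.

    Everything after the last U+202E (up to a U+202C pop, if present) is shown
    reversed and the control character itself is invisible. This is a deliberate
    simplification of the Unicode bidi algorithm, sufficient for ASCII names.
    """
    if "\u202e" not in name:
        return strip_bidi_controls(name)
    head, _, tail = name.rpartition("\u202e")
    overridden, _, rest = tail.partition("\u202c")
    return strip_bidi_controls(head) + overridden[::-1] + strip_bidi_controls(rest)


def inspect_zip(data: bytes) -> list[dict]:
    """Scan every entry name in a ZIP archive and report the ones using bidi tricks."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not contains_bidi_control(name):
                continue
            findings.append({
                "stored_name": name,
                "rendered_as": rendered_name(name),
                "real_extension": real_extension(name),
                "controls": [unicodedata.name(c) for c in name if c in BIDI_CONTROLS],
            })
    return findings


def build_sample_zip() -> bytes:
    """Create a constructed archive containing the disguised entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder content only; this is not an executable.
        zf.writestr(SAMPLE_NAME, b"placeholder bytes, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(f"displayed as : {finding['rendered_as']}")
        print(f"real ext     : .{finding['real_extension']}")
        print(f"controls     : {', '.join(finding['controls'])}")
```

Running the script shows the name the user would see (`Changelog_08.12.2011_Prophylexe.doc`), the extension the operating system will actually execute (`.exe`), and the control character responsible. The same `inspect_zip` check can be run on attachments at a mail gateway or on a workstation before anything is extracted.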

Being curious, we decided to test some third-party archive managers.

Here’s the malware as viewed in WinZip:

WinZip

Here’s WinRAR:

WinRAR

And here’s 7-Zip:

7-Zip

Surprisingly to us, 7-Zip doesn’t display the file type even though it sorts by type.

In any case, be aware of this RLO trick, and carefully examine any archived attachments before extracting and/or opening them.
