The Latest in IT Security

“exe” read backwards spells “malware”

18
Aug
2011

RIGHT TO LEFT OVERRIDE (RLO) is a unicode control character (U+202E) that reverses the character reading order from the traditional left-to-right, to right-to-left. This is mainly used for right-to-left languages (such as Arabic or Hebrew). We reported this trick last year but it has resurfaced extensively in the past week to trick users into opening malware executables. Malware uses RLO to reverse the direction of text in a filename. This can make an “exe” file appear to be a harmless “doc” file.

These new variants of the Bredolab virus are distributed via emails that have a subject line similar to “inter-company invoice”. A sample:

The attached zip file contains an executable which has a filename that appears to be:

“CORP_INVOICE_08.14.2011_Pr.phylexe.doc”

Seems harmless enough right? You can see how the filename is displayed in Winzip and in Windows Explorer below.

The RLO control character is not displayed. It is placed just before the part of the filename “exe.doc”. Therefore the actual filename is:

“CORP_INVOICE_08.14.2011_Pr.phylcod.exe”

This will definitely mislead recipients who will then execute the malicious file.

Command antivirus detects this malware as W32/Bredolab.IF. Keeping your antivirus definitions up to date and avoiding suspicious attachments, even if they are from someone you trust, will protect you from malware such as this.

Leave a reply


Categories

SUNDAY, NOVEMBER 01, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments