Archive

Archive for the ‘Unicode’ Category

Off Topic: Unicode Right-to-Left Override character used by malware

August 22nd, 2011 No comments

Here’s an interesting thing for you security types to be aware of.  Many of you probably are careful to screen attachment types to make sure that you don’t unintentionally execute code that might be malicious.

Malware authors have discovered that by embedding a unicode control character in file names, they can cause the file name to read right-to-left (instead of the normal English left-to-right) and therefore obfuscate file extensions.

For example, “innocuous_cod.exe” could have the RLO character inserted after the underscore, and then it would read as “innocuous_exe.doc” (everything after the “_” is read right-to-left).

Here’s a write-up with links to detected variants: http://blog.commtouch.com/cafe/malware/exe-read-backwards-spells-malware/

 

 

Categories: malware, Unicode Tags:

Off Topic: Unicode Right-to-Left Override character used by malware

August 22nd, 2011 No comments

Here’s an interesting thing for you security types to be aware of.  Many of you probably are careful to screen attachment types to make sure that you don’t unintentionally execute code that might be malicious.

Malware authors have discovered that by embedding a unicode control character in file names, they can cause the file name to read right-to-left (instead of the normal English left-to-right) and therefore obfuscate file extensions.

For example, “innocuous_cod.exe” could have the RLO character inserted after the underscore, and then it would read as “innocuous_exe.doc” (everything after the “_” is read right-to-left).

Here’s a write-up with links to detected variants: http://blog.commtouch.com/cafe/malware/exe-read-backwards-spells-malware/

 

 

Categories: malware, Unicode Tags:

Off Topic: Unicode Right-to-Left Override character used by malware

August 22nd, 2011 No comments

Here’s an interesting thing for you security types to be aware of.  Many of you probably are careful to screen attachment types to make sure that you don’t unintentionally execute code that might be malicious.

Malware authors have discovered that by embedding a unicode control character in file names, they can cause the file name to read right-to-left (instead of the normal English left-to-right) and therefore obfuscate file extensions.

For example, “innocuous_cod.exe” could have the RLO character inserted after the underscore, and then it would read as “innocuous_exe.doc” (everything after the “_” is read right-to-left).

Here’s a write-up with links to detected variants: http://blog.commtouch.com/cafe/malware/exe-read-backwards-spells-malware/

 

 

Categories: malware, Unicode Tags:

Can we believe our eyes?

August 11th, 2011 No comments

Several days ago, one of our customers submitted a sample (SHA1: fbe71968d4c5399c2906b56d9feadf19a35beb97, detected as TrojanDropper:Win32/Vundo.L). This trojan hijacks  the hosts “vk.com” and “vkontakte.ru” (both social networking sites in Russia)and redirects them to 92.38.209.252, but achieves this in an unusual way.

A common  method used to hijack a website and redirect it to a site of the attacker’s choice is to add an entry in the Windows hosts file located in the %SystemRoot%\system32\drivers\etc directory. However, when we open this file on an affected computer, it doesn’t contain any entries related to “vk.com” and “vkontakte.ru”, as you can see in the following example:

 

But when we show hidden files, we can see another “hosts” file. It is hidden, as in the following example:

 

There are two files with exactly the same name, “hosts”, in the etc directory! How can this happen?

As we know, it is not possible for a directory to contain two files with the same name. When we copy the file names to notepad, save them as a Unicode text file and open them with a hex editor we see the following (the upper is for the first “hosts” file, the lower is for the second “hosts” file):

For Unicode (UTF-16), the 0x006F is the same as 0x6F in ASCII, which is the character “o”. But what’s the 0x043E in Unicode? We can find it in Unicode chart table (Range: 0400-04FF). The following is part of this table.

 

We can see that Unicode 0x043E is a Cyrillic character, and it looks very much like the English character “o”.
So the hidden “hosts” file is the real hosts file in fact. When we open this file, we can see that two entries have been added to the end of the file:

 

Mystery solved!

This is not the first time we’ve seen a hacker using Unicode characters to mislead people. In Aug 2010, a Chinese hacker disclosed a trick with a Unicode control character used to mislead people into running an executable file. Hackers use Unicode control characters 0x202E (RLO) to reverse parts of a special file name, which changes the look of the file name in Windows Explorer.

For example, there is a file named as “picgpj.exe”, as the following:

The “gpj.exe” part of this name is specially crafted. When inserting an RLO character before “gpj.exe” in this name, the whole name appears as the following:

Hackers also usually use a picture as the file icon. Unwary people treat this file as a picture, and blindly double-click to open it, thus running the executable. Obviously, this type of trick is useless for Unicode aware programs, but it is not easy for the eyes of people to identify the problem.

Can we believe our eyes? The answer is… not always.

Zhitao Zhou

Categories: Cyrillic, hacking, Unicode, Vundo Tags: