“exe” read backwards spells “malware”

filed under Antivirus, malware.

RIGHT TO LEFT OVERRIDE (RLO) is a Unicode control character (U+202E) that reverses the reading order of the characters that follow it, from the usual left-to-right to right-to-left. It exists mainly for right-to-left scripts such as Arabic and Hebrew. We reported this trick last year, but it has resurfaced extensively in the past week as a way to trick users into opening malware executables. The malware uses RLO to reverse the direction of part of a filename, which can make an “exe” file appear to be a harmless “doc” file.

These new variants of the Bredolab virus are distributed via emails with a subject line similar to “inter-company invoice”. A sample:

The attached zip file contains an executable which has a filename that appears to be:

“CORP_INVOICE_08.14.2011_Pr.phylexe.doc”

Seems harmless enough, right? You can see how the filename is displayed in WinZip and in Windows Explorer below.

The RLO control character itself is not displayed. It is placed just before the part of the filename that appears as “exe.doc”, so everything after it is drawn in reverse. Therefore the actual filename is:

“CORP_INVOICE_08.14.2011_Pr.phylcod.exe”

This will definitely mislead recipients, who will then execute the malicious file.
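As an added example (not code from the original post), the check below takes the attachment name described above with the RLO restored where the text says it sits, shows how a naive viewer renders it, strips the bidi control characters to recover the name the OS will actually open, and flags the mismatch between the displayed and real extension. The rendering is a simplified approximation of the Unicode bidi algorithm that is accurate for ASCII-only names like this sample; `display_name`, `true_name` and `is_disguised` are names chosen here, not from any library.

```python
"""Spot filenames that use bidi control characters (e.g. RLO, U+202E) to hide
the real extension, as in the fake "invoice" attachment discussed above."""
import os
import unicodedata

# Explicit bidi formatting characters: embeddings, overrides, isolates, and pops.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING ends an override


def display_name(name: str) -> str:
    """Approximate what a file manager shows: text after an RLO is reversed
    until a PDF or the end of the string (simplification of the bidi algorithm)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])  # reversed run
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; ignored in this approximation
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def true_name(name: str) -> str:
    """The filename with all bidi controls removed: what the OS will execute."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def control_positions(name: str) -> list:
    """Offsets and Unicode names of any bidi controls, for a detection log line."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def is_disguised(name: str) -> bool:
    """True when a bidi control is present and the shown extension differs
    from the one the OS will use."""
    if not control_positions(name):
        return False
    shown = os.path.splitext(display_name(name))[1].lower()
    real = os.path.splitext(true_name(name))[1].lower()
    return shown != real


# Constructed sample: the post's attachment name with the RLO placed before "cod.exe".
SAMPLE = "CORP_INVOICE_08.14.2011_Pr.phyl" + RLO + "cod.exe"

if __name__ == "__main__":
    print("displayed:", display_name(SAMPLE))
    print("actual   :", true_name(SAMPLE), control_positions(SAMPLE))
    print("disguised:", is_disguised(SAMPLE))
```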

Command antivirus detects this malware as W32/Bredolab.IF. Keeping your antivirus definitions up to date and avoiding suspicious attachments, even if they are from someone you trust, will protect you from malware such as this.
