[Updated to include a reference to commentary by Thomas Reed on The Safe Mac]
Right to Left Override (RLO) is a special character used in Unicode to indicate the use of text intended to be displayed and read from right to left. This is used for displaying languages like Hebrew and Arabic. However, it also has its uses in malware, as Brian Krebs reported a couple of years ago (and it wasn’t actually new or unique then). Here’s the example he used: a malicious file used by Bredolab called CORP_INVOICE_08.14.2011_Pr.phyldoc.exe.
Except that the insertion of the RLO character into the name – CORP_INVOICE_08.14.2011_Pr.phyl[RLO character]doc.exe – resulted in the filename being displayed as CORP_INVOICE_08.14.2011_Pr.phylexe.doc. (The RLO character itself isn’t displayed.) So people who’ve been educated into thinking that .EXE files are suspicious and potentially dangerous, but that a Word .DOC file isn’t*, may happily click on a ‘document’ that is actually a malicious executable.
(Of course, danger in this case is relative. While the era of the Word macro virus may be long gone, the use of document formats (MS Office documents, PDFs etc.) booby-trapped with various exploits has not. Such exploits are particularly commonly used by targeted threats.)
However, F-Secure have spotted a novel variation: a Mac app that uses the same trick. In this case, the idea is to pass RecentNews.[RLO character]fdp.app off as a PDF rather than an app. Frankly, I can’t see many people being suckered by the attack in this form (see the F-Secure blog and comment by The Safe Mac). But it’s interesting, and I can think of variations that might work better.
*Yes, I did use that title for a paper I wrote with Jeff Debrosse back in 2009. Recycling is good for the environment.
David Harley CITP FBCS CISSP
Small Blue-Green World