Posted by: David Harley | July 15, 2013

Malice through the looking glass*: back to front malware

[Updated to include a reference to commentary by Thomas Reed on The Safe Mac]

Right to Left Override (RLO, Unicode U+202E) is a formatting character that forces the text following it to be displayed right to left, whatever the natural direction of those characters. It exists to handle mixed-direction text in scripts such as Hebrew and Arabic, but it has its uses in malware too, as Brian Krebs reported a couple of years ago (and the trick wasn’t actually new or unique then). Here’s the example he used: a malicious file distributed by Bredolab whose real name was CORP_INVOICE_08.14.2011_Pr.phylcod.exe.

Except that the insertion of the RLO character into the name – CORP_INVOICE_08.14.2011_Pr.phyl[RLO character]cod.exe – reverses the display of everything after it, so “cod.exe” is drawn as “exe.doc” and the filename appears as CORP_INVOICE_08.14.2011_Pr.phylexe.doc. (The RLO character itself isn’t displayed, and the operating system still treats the file as an .exe, because the stored name hasn’t changed.) So people who’ve been educated into thinking that .EXE files are suspicious and potentially dangerous, but that a Word .DOC file isn’t, may happily click on a ‘document’ that is actually a malicious executable.

(Of course, danger in this case is relative. While the era of the Word macro virus may be long gone, the use of document formats (MS Office documents, PDFs etc.) booby-trapped with exploits has not, and such exploits are particularly common in targeted attacks.)

However, F-Secure have spotted a novel variation: a Mac app that uses the same trick. In this case, the idea is to pass RecentNews.[RLO character] off as a PDF rather than an app. Frankly, I can’t see many people being suckered by the attack in this form (see the F-Secure blog and the comment by The Safe Mac). But it’s interesting, and I can think of variations that might work better.
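To make the mechanism behind both the Bredolab and the Mac examples concrete, here is an added Python example (it is not code from the original post, from Krebs or from F-Secure). It simulates how a bidi-aware file browser renders a name containing RLO, then checks a filename the way a mail gateway or endpoint scanner might: flag any Unicode bidirectional control characters, and compare the extension the OS will actually use against the one the user sees. The Windows sample is Krebs’s Bredolab name; the Mac-style sample name is constructed here to show the same trick on an .app bundle and is not the F-Secure sample.

```python
"""Render and detect the Right-to-Left Override (RLO) filename trick.

Added example, not code from the original post. The rendering is a deliberate
simplification of the Unicode Bidirectional Algorithm: it handles the one case
the malware relies on, a single RLO with nothing terminating it.
"""
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE

# Unicode bidirectional formatting characters that have no business in a filename
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
    "\u200e\u200f\u061c"              # LRM, RLM, ALM
)

# Extensions the OS will execute; a name whose true extension is here but whose
# apparent extension is something else is the classic RLO lure
EXECUTABLE_EXTENSIONS = frozenset(
    {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "app"}
)


def rendered_name(name: str) -> str:
    """Approximate how a bidi-aware file browser draws NAME.

    The RLO itself is invisible, and every character after it is forced to
    right-to-left direction, so that run is drawn reversed.
    """
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def true_extension(name: str) -> str:
    """Extension the OS actually uses: after the last '.' of the stored name,
    with invisible bidi controls removed so they cannot hide inside it."""
    stored = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stored.rsplit(".", 1)[-1].lower() if "." in stored else ""


def apparent_extension(name: str) -> str:
    """Extension the user sees in the rendered name."""
    shown = rendered_name(name)
    return shown.rsplit(".", 1)[-1].lower() if "." in shown else ""


def check_filename(name: str) -> dict:
    """Scanner-style verdict for one filename."""
    controls = [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]
    real, shown = true_extension(name), apparent_extension(name)
    return {
        "rendered": rendered_name(name),
        "bidi_controls": controls,
        "true_extension": real,
        "apparent_extension": shown,
        # any bidi control in a filename is suspicious; an executable dressed
        # up as a document is the high-confidence case
        "suspicious": bool(controls),
        "disguised_executable": real in EXECUTABLE_EXTENSIONS and shown != real,
    }


# Krebs's Bredolab sample: stored name with the RLO inserted before "cod.exe"
KREBS_SAMPLE = f"CORP_INVOICE_08.14.2011_Pr.phyl{RLO}cod.exe"
# Constructed Mac-style name (not the F-Secure sample): an .app bundle shown as .pdf
MAC_SAMPLE = f"RecentNews.{RLO}fdp.app"
# Constructed benign name for comparison
CLEAN_SAMPLE = "quarterly_report.docx"

if __name__ == "__main__":
    for sample in (KREBS_SAMPLE, MAC_SAMPLE, CLEAN_SAMPLE):
        verdict = check_filename(sample)
        print(
            f"{verdict['rendered']!r}: true .{verdict['true_extension']}, "
            f"shown .{verdict['apparent_extension']}, "
            f"controls={verdict['bidi_controls']}, "
            f"disguised_executable={verdict['disguised_executable']}"
        )
```

Stripping the bidi controls before extracting the true extension matters: a name ending in `.exe[RLO]` would otherwise report an extension of `exe` plus an invisible character, and a naive comparison against a blocklist of executable extensions would miss it. Flagging any bidirectional control at all is the safer rule, since legitimate filenames almost never contain them.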

*Yes, I did use that title for a paper I wrote with Jeff Debrosse back in 2009. Recycling is good for the environment.
