Off Topic: Unicode Right-to-Left Override character used by malware

Here's an interesting thing for you security types to be aware of.  Many of you probably are careful to screen attachment types to make sure that you don't unintentionally execute code that might be malicious.

Malware authors have discovered that by embedding a Unicode control character in file names, they can cause part of the file name to be displayed right-to-left (instead of the normal English left-to-right) and thereby obfuscate file extensions.

For example, "innocuous_cod.exe" could have the RLO character inserted after the underscore, and then it would read as "innocuous_exe.doc" (everything after the "_" is read right-to-left).

Here's a write-up with links to detected variants: https://blog.commtouch.com/cafe/malware/exe-read-backwards-spells-malware/
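
A defensive check for the trick described above, as an added example that is not part of the original post: it flags bidirectional control characters in a file name and compares the extension as stored with the one a user would see. The function names are hypothetical, and the display logic is a simplification that only models RLO (U+202E) reversing text up to a PDF (U+202C) or the end of the name.

```python
# Bidirectional formatting characters that change display order of surrounding text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}
RLO, PDF = "\u202e", "\u202c"


def extension(name):
    """Text after the last dot, lower-cased; empty string if there is no dot."""
    _, dot, tail = name.rpartition(".")
    return tail.lower() if dot else ""


def displayed_name(name):
    """Simplified rendering (assumption): text after RLO is reversed up to PDF or end."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(name[i])
            i += 1
    # Remaining control characters are invisible, so drop them from the result.
    return "".join(c for c in "".join(out) if c not in BIDI_CONTROLS)


def inspect_filename(name):
    """Report bidi controls and whether the visible extension differs from the real one."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    return {
        "controls": controls,
        "displayed": shown,
        "real_ext": extension(name),
        "shown_ext": extension(shown),
        "mismatch": extension(name) != extension(shown),
    }


if __name__ == "__main__":
    # Constructed sample: the post's example name with RLO inserted after the underscore.
    sample = "innocuous_" + RLO + "cod.exe"
    print(inspect_filename(sample))
    print(inspect_filename("report.doc"))
```

A mail or file gateway would typically reject or quarantine any attachment name where `controls` is non-empty, since legitimate file names rarely need these characters.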
