Computer crooks and spammers are abusing a little-known encoding method that makes it easy to disguise malicious executable files (.exe) as relatively harmless documents, such as text or Microsoft Word files.
The “right to left override” (RLO) character is a special character within unicode, an encoding system that allows computers to exchange information regardless of the language used. Unicode covers all the characters for all writing systems of the world, modern and ancient. It also includes technical symbols, punctuation, and many other characters used in writing text. For example, a blank space between two letters, numbers or symbols is expressed in unicode as “U+0020”.
The RLO character (U+202e in unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew. The problem is that this override character also can be used to make a malicious file look innocuous.
This threat is not new and has been known for some time. But an increasing number of email-based attacks are taking advantage of the RLO character to trick users who have been trained to be wary of clicking on random .exe files, according to Internet security firm Commtouch.
Take the following file, for example, which is encoded with the RLO character:
Looks like a Microsoft Word document, right? This was the lure used in a recent attack that downloaded Bredolab malware. The malicious file, CORP_INVOICE_08.14.2011_Pr.phyldoc.exe, was made to display as CORP_INVOICE_08.14.2011_Pr.phylexe.doc by placing the unicode command for right to left override just before the “d” in “doc”.
I wanted to see this work on my Windows 7 system, but found that I had to enable a registry tweak to allow the insertion of unicode into file names. After a reboot, I was able to rename any executable by holding the ALT key, then pressing the “+” sign on the keypad and typing “202e” in front of the targeted area while renaming a file.
According to Commtouch, this technique is being used to conceal malicious files in an unusually aggressive series of spam blasts that have been ongoing since mid-August.
“The average outbreak during 2010 occurred every 10-14 days and consisted of 5-10 billion messages sent by botnets,” Commtouch co-founder Amir Lev said. “The outbreak distribution kept enough bots alive to manage [a] certain level of malicious activity.”
In contrast, Lev said, recent malware spam outbreaks have been far more frequent – sometimes three per day. The malware variants embedded in the spam include many password-stealing bots used in high-profile cyber heists, such as SpyEye and Zbot/ZeuS, in addition to Sasfis and fake antivirus. The lures used include UPS package notifications, credit card errors, inter-company invoices, and supposed notifications from NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.
Some email applications and services that block executable files from being included in messages also block .exe programs that are obfuscated with this technique, albeit occasionally with interesting results. I copied the program that powers the Windows command prompt (cmd.exe) and successfully renamed it so that it appears as “evilexe.doc” in Windows. When I tried to attach the file to an outgoing Gmail message, Google sent me the usual warning that it doesn’t allow executable files, but the warning message itself was backwards:
Unfortunately, many mail applications don’t or can’t reliably scan archived and zipped documents, and according to Commtouch and others, the malicious files manipulated in this way are indeed being spammed out within zip archives.
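The disguise described above can be caught before a user ever sees the file name. The following Python script is an added example (not code from the article or from Commtouch): it flags bidirectional control characters in file names, approximates how an RLO-bearing name will be displayed, and scans the member names of a zip archive, since that is how these files are being spammed out. The archive and its member names are constructed here for illustration; the RLO is placed before the run “cod.exe” so that it renders as “…exe.doc” while the real extension stays .exe.

```python
import io
import zipfile

# Unicode bidirectional override/embedding/isolate controls. U+202E (RLO) is the one
# used in the attack described above; its siblings can play the same trick.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def displayed_name(name: str) -> str:
    """Approximate rendering: text after an RLO (up to a PDF or the end) appears reversed.
    This simplifies the Unicode bidi algorithm but is adequate for Latin-script file names."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif name[i] in BIDI_CONTROLS:
            i += 1                      # other controls: drop them, keep the text
        else:
            out.append(name[i])
            i += 1
    return "".join(out)

def check_name(name: str) -> dict:
    """Report the controls present, the rendered name, and real vs. displayed extension."""
    controls = [f"U+{ord(c):04X} ({BIDI_CONTROLS[c]})" for c in name if c in BIDI_CONTROLS]
    raw = "".join(c for c in name if c not in BIDI_CONTROLS)   # what the OS actually opens
    shown = displayed_name(name)
    ext = lambda s: s.rsplit(".", 1)[-1].lower() if "." in s else ""
    return {"name": name, "controls": controls, "displayed": shown,
            "real_ext": ext(raw), "displayed_ext": ext(shown), "suspicious": bool(controls)}

def scan_zip(data: bytes) -> list:
    """Return a finding for every member of a zip archive whose name carries bidi controls."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [r for r in (check_name(n) for n in zf.namelist()) if r["suspicious"]]

def sample_zip() -> bytes:
    """Constructed archive: one benign member, one RLO-disguised executable (dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign")
        zf.writestr("CORP_INVOICE_08.14.2011_Pr.phyl\u202ecod.exe", b"MZ-placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan_zip(sample_zip()):
        print(f"{hit['displayed']!r} really ends in .{hit['real_ext']} ({', '.join(hit['controls'])})")
```

A mail gateway or endpoint script can apply `check_name` to attachment names directly and `scan_zip` to archived attachments; any hit with a mismatch between `displayed_ext` and `real_ext` deserves quarantine.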
This class of attack is a good reminder that there is no substitute for being careful with unbidden documents and attachments sent to you via email. If you receive a message with an attachment you weren’t expecting — even if it appears to come from someone you know — the safest option is to take a second and reply back to the person to verify the contents of the message and that they meant to send it.
I have not had an opportunity to test this on other operating systems or email clients (although my Mac happily displayed the cmd.exe file as evilexe.doc). I’d be interested in comments from readers who have broader experience with this approach in manipulating file types.