Filename extension illusion


  1. Posts : 2
    Windows 7 Home premium 64 bit
       #1

    Filename extension illusion


    The filename below was received in a malicious email. It appears to have a .jpg extension but Windows will run it as an application. The trick appears to be using left to right then right to left characters so the last 7 characters are "jpg.exe" backwards. I suspect this will dupe a lot of Windows users.



    Actual name: photo_W71765413082011_Coll*gpj.exe

    Appears as:

    photo_W71765413082011_Collexe.jpg


  2. Posts : 742
    MS Windows 7 Ultimate 64-bit SP1
       #2

    To simulate your example, I have tried to rename one of my files to your file's first name
    "photo_W71765413082011_Coll*gpj.exe"

    But Windows has given the error

    A file name can not contain any of the following characters:
    \ /:*?"<>|

    The special character * is present in the file name and as such it is not possible to create or rename a file with this name.

    So how is that name given to a file?


  3. Posts : 2
    Windows 7 Home premium 64 bit
    Thread Starter
       #3

    I don't know how it's done. Probably using a special Unicode character. The forum replaces special characters with a *


  4. Posts : 1,814
    XP / Win7 x64 Pro
       #4

    Windows stores file names in Unicode on disk, therefore it allows Unicode characters in file names. Unicode allows for what's called a "Right to Left Override" (RTLO), and vice versa, by putting a special set of Unicode characters in the string. In this case, the * is representing those Unicode characters because Windows Explorer doesn't display Unicode. The file name on disk is photo_W71765413082011_Coll[RTLO]gpj.exe (where the RTLO code is actually 0x202E in hex), which would cause it to display as photo_W71765413082011_Collexe.jpg in Windows Explorer. If the malware author is good, they will also associate the shell extension JPG icon with it so it will even look like a non-thumbnailed jpeg in Explorer rather than the default icon Windows puts with exe's that it doesn't have a shell icon for.
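Added example, not part of the original thread: a Python check a mail filter or triage script could run on attachment names to expose the U+202E trick described in post #4. The function names and the extension list are hypothetical, and `approx_display` is a simplification of real bidirectional rendering that handles only the override case discussed here.

```python
import os
import unicodedata

# Unicode bidirectional formatting characters (embeddings, overrides, isolates, marks).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f",
}
# Constructed list of extensions Windows will run; extend it for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}


def make_visible(name):
    """Replace each bidi control with a visible <U+XXXX> tag for logs and alerts."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in name)


def approx_display(name):
    """Simplified rendering: text after U+202E is shown reversed until U+202C or end."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i)
            end = len(name) if end == -1 else end
            out.append("".join(c for c in name[i + 1:end] if c not in BIDI_CONTROLS)[::-1])
            i = end + 1
        else:
            if name[i] not in BIDI_CONTROLS:
                out.append(name[i])
            i += 1
    return "".join(out)


def inspect_filename(name):
    """Compare the extension stored on disk with the one a user would see."""
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in name if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(approx_display(name))[1].lower()
    return {"visible": make_visible(name), "controls": controls,
            "real_ext": real_ext, "shown_ext": shown_ext,
            "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS}


if __name__ == "__main__":
    # File name from the thread, with U+202E where the forum shows "*" (per post #4).
    sample = "photo_W71765413082011_Coll\u202egpj.exe"
    for key, value in inspect_filename(sample).items():
        print(f"{key}: {value}")
```
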


  5. Posts : 2,528
    Windows 7 x64 Ultimate
       #5

    Given that Windows STILL installs with extensions hidden by default and 99.9999% of people never bother to change it, does it even matter? You can actually name a file Puppy.jpg.exe and NO ONE would even know; given Windows default settings it would appear as "Puppy.jpg" in any folder...

    (Yes, I am a bit bitter about it. For all the hoopla over security, this is still by far the biggest "hole" in Windows.)


  6. Posts : 1,814
    XP / Win7 x64 Pro
       #6

    This is a trick to address those who don't hide filename extensions.


  7. Posts : 2,528
    Windows 7 x64 Ultimate
       #7

    Actually I won't want to downplay the severity of this particular hack as much as I'd love to ELEVATE the severity of the entire "hide extensions for known file types" "feature". It's completely a pie in the face to Windows security that that even still exists, let alone is the default setting for Windows. :/


  8. Posts : 742
    MS Windows 7 Ultimate 64-bit SP1
       #8

    This is something new I came to know about Unicode characters in file names..... Well! Learning never ends......

    The RTLO unicode hole - sequence manipulation as an attack vector
    Last edited by rraod; 15 Sep 2011 at 10:00.


 
