Filename extension illusion

iamdd

The filename below was received in a malicious email. It appears to have a .jpg extension but Windows will run it as an application. The trick appears to be using left to right then right to left characters so the last 7 characters are "jpg.exe" backwards. I suspect this will dupe a lot of Windows users.



Actual name: photo_W71765413082011_Coll*gpj.exe

Appears as:

photo_W71765413082011_Collexe.jpg
 

To simulate your example, I have tried to rename one of my files to your file's first name
"photo_W71765413082011_Coll*gpj.exe"

But Windows has given the error

A file name can not contain any of the following characters:
\ /:*?"<>|

The special character * is present in the file name and as such it is not possible to create or rename a file with this name.

So how is that name given to a file?
 

I don't know how it's done. Probably using a special Unicode character. The forum replaces special characters with a *
 

Windows stores file names in Unicode on disk, therefore it allows Unicode characters in file names. Unicode allows for what's called a "Right to Left Override" (RTLO), and vice versa, by putting a special set of Unicode characters in the string. In this case, the * is representing those Unicode characters because Windows Explorer doesn't display Unicode. The file name on disk is photo_W71765413082011_Coll[RTLO]gpj.exe (where the RTLO code is actually 0x202E in hex) which would cause it to display as photo_W71765413082011_Collexe.jpg in Windows Explorer. If the malware author is good, they will also associate the shell extension JPG icon with it so it will even look like a non-thumbnailed jpeg in Explorer rather than the default icon Windows puts with exe's that it doesn't have a shell icon for.
 

Given that Windows STILL installs with extensions hidden by default and 99.9999% of people never bother to change it, does it even matter? You can actually name a file Puppy.jpg.exe and NO ONE would even know given Windows default settings it would appear as "Puppy.jpg" in any folder...

(Yes, I am a bit bitter about it. For all the hoopla over security, this is still by far the biggest "hole" in Windows.)
 

This is a trick to address those who don't hide filename extensions.
 

Actually I wouldn't want to downplay the severity of this particular hack as much as I'd love to ELEVATE the severity of the entire "hide extensions for known file types" "feature". It's completely a pie in the face to Windows security that that even still exists let alone is the default setting for Windows. :/
 
