mzreveal shows disguised executables

Discussion in 'other anti-malware software' started by flatfly, Nov 4, 2014.

  1. Rmus

    Rmus Exploit Analyst

    I have never seen this exploit in the wild -- just read articles about it, such as the ones I cited. You might email the author to see if he has an example.

    With proper protection in place, I can't see that RTLO is any more dangerous than the old double-extension trick, where the true (last) extension does not show if Windows is configured to hide certain file extensions.

    To test, I renamed a trojan.exe to financials.pdf.exe. With file extensions hidden, I pretended to be tricked into opening it:

    extension_exe.jpg

    -rich
     
  2. MrBrian

    MrBrian Registered Member

    Method #2 at Insert Unicode characters via the keyboard? worked for me on Win 7. The character code to use is 202E.

    AppLocker stopped the exe with RTLO from executing. Also, Avast Free didn't allow this character in a filename.
     
    Last edited: Nov 9, 2014
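The two tricks discussed above (a right-to-left override in the filename and the older double-extension trick, both hiding a real .exe behind a harmless-looking name) are cheap to detect with a content check rather than a name check, which is the idea behind a tool like mzreveal. The following scanner is an added example, not mzreveal's code or anything posted in this thread: it looks at what the file actually starts with (the "MZ" DOS header), flags bidi control characters in names, flags double extensions, and reports when an MZ file carries a non-executable extension. The sample files it builds in a temporary directory are constructed for the demonstration, and the heuristics and labels are this example's own assumptions.

```python
import os
import tempfile

# Unicode bidi override/embedding/isolate controls that can visually reorder a name.
# U+202E (RLO) is the one discussed in the thread; the others are related controls.
BIDI_CONTROL_CHARS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

# Extensions Windows treats as directly executable (assumed set for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".dll"}


def rendered_name(filename):
    """Approximate how a name with a single U+202E is displayed: everything after the
    override is drawn right-to-left, so 'invoice\\u202efdp.exe' shows as 'invoiceexe.pdf'."""
    idx = filename.find("\u202e")
    if idx < 0:
        return filename
    return filename[:idx] + filename[idx + 1:][::-1]


def name_findings(filename):
    """Reasons a filename alone looks disguised (heuristics assumed for this example)."""
    reasons = []
    if any(ch in BIDI_CONTROL_CHARS for ch in filename):
        reasons.append("bidi-override-in-name")
    parts = filename.lower().split(".")
    # e.g. financials.pdf.exe: a decoy extension before a real executable one
    if len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("double-extension")
    return reasons


def has_mz_header(path):
    """True if the file begins with the 'MZ' DOS header signature used by PE executables."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_dir(root):
    """Walk root and map each suspicious filename to a sorted list of reasons."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = name_findings(name)
            if has_mz_header(path):
                reasons.append("mz-header")
                # An executable image whose visible extension says otherwise.
                if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTENSIONS:
                    reasons.append("extension-mismatch")
            if reasons:
                results[name] = sorted(reasons)
    return results


def build_sample_dir():
    """Create constructed sample files (not real malware) and return the directory."""
    root = tempfile.mkdtemp(prefix="mzscan-")
    mz_stub = b"MZ" + b"\x00" * 62          # minimal DOS header start, nothing runnable
    samples = {
        "financials.pdf.exe": mz_stub,        # double-extension trick
        "invoice\u202efdp.exe": mz_stub,      # RLO trick, displays as invoiceexe.pdf
        "setup.pdf": mz_stub,                 # MZ content with a document extension
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",  # genuine-looking PDF header
        "notes.txt": b"nothing to see here\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for name, reasons in scan_dir(sample_root).items():
        print(f"{rendered_name(name)!r} (real name {name!r}): {', '.join(reasons)}")
```

Run it and the RLO file is reported under its displayed name "invoiceexe.pdf" next to its real name, which is the view a user never gets from Explorer with extensions hidden. The content check is the one that matters: whatever the name says, a file starting with "MZ" is a PE image, which is also why SRP and AppLocker, as noted above, block it regardless of the trick used on the name.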
  3. WildByDesign

    WildByDesign Registered Member

    Just wanted to mention that, with regards to RLO, Software Restriction Policies work effectively as well. I just tested this thoroughly. SRP determines that the underlying file/code is executable and thus blocks it.
     
  4. treehouse786

    treehouse786 Registered Member

    thanks for clarifying Rmus
     
  5. J_L

    J_L Registered Member

    Thanks for the explanation Rmus and MrBrian.
     
  6. Rmus

    Rmus Exploit Analyst

    That is good to know. Thanks for testing. Did you make a screen shot of the Applocker message? I would like to see what it looks like.

    -rich
     
  7. Rmus

    Rmus Exploit Analyst

    You both are welcome!

    ----
    rich
     
  8. MrBrian

    MrBrian Registered Member

    I didn't but it was the standard "This program is blocked by group policy" message.

    @Rmus and J_L: you're welcome :).
     
  9. Rmus

    Rmus Exploit Analyst

    OK, thanks!

    -rich
     
  10. Rmus

    Rmus Exploit Analyst

    That is good to know. Good old reliable SRP!

    ----
    rich
     
  11. MerleOne

    MerleOne Registered Member

    Hi,
    The download link for MZReveal seems off? Any mirror?
    Thanks.
     
  12. flatfly

    flatfly Registered Member

    A new version should be released shortly. (I was testing it last night.)

    Edit: apparently you can get an early download link by following the developer's Twitter account @HexAtomium and requesting the new version by DM (private message)
     
    Last edited: Nov 11, 2014
  13. MerleOne

    MerleOne Registered Member

    Thanks!
     
  14. flatfly

    flatfly Registered Member

    The link is now up again.
    The updated version can now show full file paths, and automatically saves results in a "MZreveal.log" file.
     
  15. MerleOne

    MerleOne Registered Member

    Thanks. Now Avast reports it as malware and refuses to save it.
     
  16. Tarnak

    Tarnak Registered Member

    Confirmed. :)

    ScreenShot_MzReveal_latest_01.gif ScreenShot_MzReveal_latest_02.gif ScreenShot_MzReveal_latest_03.gif
     
  17. flatfly

    flatfly Registered Member

    Looks like a false positive to me. I will inform the developer about it. Perhaps it should be reported to Avast as well. What is the detection name you are getting?
     
  18. MerleOne

    MerleOne Registered Member

    Will try again and let you know.
     
  19. CloneRanger

    CloneRanger Registered Member

    @ flatfly

    Thanx for helping with getting the LOG file included, & the updates.
     
  20. flatfly

    flatfly Registered Member

    Version 1.11 is available! List of changes (got this info from @hexatomium):

    - a bug causing some files to go undetected has been fixed
    - performance enhancements in the scanning routine
    - fewer AV false positives (hopefully)
    - first build with ASLR and DEP memory protection
     