Spoofed filenames in Windows using the RLO (Right-to-Left Override) Unicode Character

Discussion in 'malware problems & news' started by freakish, Feb 5, 2012.

Thread Status:
Not open for further replies.
  1. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    I've been looking for ways to prevent files that are masquerading or spoofing their filenames using the Right-to-Left Override Unicode character from being run or written to my computer (OS is Windows 7). More info on the RLO Unicode character here: http://www.fileformat.info/info/unicode/char/202e/index.htm

    Some malware uses the RLO Unicode character to spoof or hide its real filename or file extension. (It will still be hidden even if 'Hide extensions for known filetypes' is unchecked.)

    The only info I can find that offers info on how to do this is from the Information Technology Promotion Agency, Japan website: http://www.ipa.jp/security/english/virus/press/201110/E_PR201110.html It advises using the Local Security Policy settings manager to block files with the RLO character in their names from being run.

    Can anyone recommend any other good solutions to prevent files with the RLO character in their names from being run or written to the computer, or a way to alert the user if a file with the RLO character is detected (OS: Windows 7)?
     
    Last edited: Feb 5, 2012
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I would think that this would be a red flag to most AV heuristics.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ freakish

    Hi & Thanks for posting :thumb:

    I checked which fonts I had that were applicable, but it didn't seem to work for me :D Even with Scripting enabled!

    char.gif

    Not sure why ? but :)
     
  4. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    That's weird. It happens to all browsers I try too (Opera, Firefox, IE).

    In Windows 7's Explorer or Internet Explorer, you can paste the RLO character by 'Right click > Insert Unicode Control Character > RLO (start of right-to-left override)'. Try testing it in filenames, for weird results. :)

    The character is also already pasted in the 'Input Test' field in: http://www.fileformat.info/info/unicode/char/202e/browsertest.htm Try typing there and notice that the characters you're typing are coming out in a weird order.
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,051
    Location:
    USA
    Thanks for posting this. I didn't realize you could insert the RLO character into SRP. :thumb:
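
A detection sketch for the alerting question raised in this thread, added here as an example and not code from any poster: it walks a folder and flags names containing U+202E or related bidirectional controls, reporting the extension the system acts on next to an approximation of what is drawn. The function names, the control list beyond U+202E, and the sample names are assumptions constructed for illustration.

```python
import os
import unicodedata

# U+202E (RLO) is the character discussed in the thread; the other entries are
# assumed additions from the same family of Unicode bidirectional controls.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f",
}

def inspect_name(name):
    """Return None for a clean name, else a dict describing the finding."""
    hits = [(i, ch) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    if not hits:
        return None
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return {
        "escaped": name.encode("unicode_escape").decode("ascii"),
        "controls": [(i, "U+%04X" % ord(ch), unicodedata.name(ch)) for i, ch in hits],
        # The extension the system acts on follows the stored character order,
        # which does not change with how the name is drawn on screen.
        "real_extension": os.path.splitext(stripped)[1].lower(),
        "shown_as": approx_display(name),
    }

def approx_display(name):
    """Simplified rendering: text after the first U+202E is drawn reversed."""
    head, _, tail = name.partition("\u202e")
    strip = lambda s: "".join(ch for ch in s if ch not in BIDI_CONTROLS)
    return strip(head) + strip(tail)[::-1]

def scan_tree(root):
    """Walk root; return (path, finding) for each flagged file or folder name."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            finding = inspect_name(name)
            if finding:
                findings.append((os.path.join(dirpath, name), finding))
    return findings

# Constructed sample names (not taken from the thread).
SAMPLES = ["report.txt", "invoice\u202efdp.exe", "notes\u200e.docx"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", inspect_name(sample))
```

Running `scan_tree` on a downloads or temp folder gives the list to alert on; the `escaped` field makes the hidden character visible in logs.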
     