Spoofed filenames in Windows using the RLO (Right-to-Left Override) Unicode Character

I've been looking for ways to avoid files that are masquerading or spoofing their filenames using the Right-to-Left Override Unicode Character from being run or written into my computer (OS is Windows 7). More info on the RLO unicode character here: http://www.fileformat.info/info/unicode/char/202e/index.htm

Some malware use the RLO unicode character to spoof or hide their real filenames or file extensions. (Will still be hidden even if 'Hide extensions for known filetypes' is unchecked.)

The only info I can find that offers info on how to do this is from the Information Technology Promotion Agency, Japan website: http://www.ipa.jp/security/english/virus/press/201110/E_PR201110.html It advices to use the Local Security Policy settings manager to block files with the RLO character in its name from being run.

Can anyone recommend any other good solutions to prevent files with the RLO character in their names from being run or be written in the computer, or a way to alert the user if a file with the RLO character is detected (OS: Windows 7)?

 

I would think that this would be a red flag to most AV heuristics.

 

@ freakish

Hi & Thanks for posting

I checked which fonts i had that were applicable, but it didn't seem to work for me Even with Scripting enabled !



Not sure why ? but

 

That's weird. It happens to all browsers I try too (Opera, Firefox, IE).

In Windows 7's Explorer or Internet Explorer, you can paste the RLO character by 'Right click > Insert Unicode Control Character > RLO (start of right-to-left override)'. Try testing it in filenames, for weird results.

The character is also already pasted in the 'Input Test' field in: http://www.fileformat.info/info/unicode/char/202e/browsertest.htm Try typing there and notice that the characters you're typing are coming out in a weird order.

 

Thanks for posting this. I didn't realize you could insert the RLO character into SRP.