NEWS FROM THE LAB - Friday, August 19, 2011

edocinU edirrevO tfeL ot thgiR gnisU erawlaM Posted by Sean @ 15:06 GMT

According to our friends at Commtouch, malware using Right to Left Override (RLO) Unicode tricks has "resurfaced extensively in the past week". The Unicode character U+202E (RIGHT-TO-LEFT OVERRIDE) forces the characters that follow it to be displayed from right to left. It exists to support languages that are traditionally read in that direction, but the same feature can be used to obfuscate file names: the bytes of the name, and therefore the real extension, do not change, only the order in which a bidi-aware display draws them.

We examined a sample a few days ago.

Here's the archive file viewed in Windows:

log_08.12.2011_P61602.zip

The Windows Compressed Folder view shows us that the extension is ".exe" and that the file type is an Application:

[Screenshot: Windows Compressed Folder view]

But once extracted, the file appears to have an extension of ".doc".

Windows Explorer still recognizes the file as an application, because the real extension is ".exe" and only the displayed name has been reordered, but the malware is using a Word icon as part of its social engineering trickery.

Changelog_08.12.2011_Prophylexe.doc
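To make the trick concrete, here is an added example (not code from the original post or from F-Secure) that rebuilds the name above and shows how an archive scanner can expose it. The sample ZIP and its member names are constructed for the example: the member name uses U+202E so that it renders as "Changelog_08.12.2011_Prophylexe.doc" while its real extension is ".exe", and the member bytes are placeholders, not malware. The rendering function is an assumption about how a bidi-aware UI draws a single RLO (everything after it reversed), which is enough to reproduce what the screenshots show.

```python
import io
import zipfile

# Unicode explicit bidi formatting characters. U+202E (RLO) is the one the post
# discusses; the others produce related reordering tricks and are flagged too.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def rendered_name(name):
    """Approximate what a bidi-aware UI shows for a name with a single RLO:
    the text after U+202E is drawn reversed (assumption: one RLO, no other
    bidi controls, which is exactly the post's case)."""
    if "\u202E" not in name:
        return name
    head, _, tail = name.partition("\u202E")
    return head + tail[::-1]


def true_extension(name):
    """Extension the OS actually uses: text after the last '.' in the raw,
    unrendered name, with bidi control characters stripped out."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    _, dot, ext = clean.rpartition(".")
    return ext.lower() if dot else ""


def suspicious_members(zip_bytes):
    """Scan every member of a ZIP held in memory and return, for each name that
    carries a bidi control character, a tuple of
    (raw_name, name_as_displayed, real_extension, control_names_found)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            found = [BIDI_CONTROLS[ch] for ch in info.filename if ch in BIDI_CONTROLS]
            if found:
                findings.append((info.filename,
                                 rendered_name(info.filename),
                                 true_extension(info.filename),
                                 found))
    return findings


def build_sample_zip():
    """Constructed sample archive: one benign member plus one whose name is
    'Changelog_08.12.2011_Prophyl' + U+202E + 'cod.exe'. A bidi-aware viewer
    shows the tail reversed, i.e. 'Changelog_08.12.2011_Prophylexe.doc'.
    The content is a placeholder, not a real executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        zf.writestr("Changelog_08.12.2011_Prophyl\u202Ecod.exe", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for raw, shown, ext, controls in suspicious_members(build_sample_zip()):
        print(f"displayed as  : {shown}")
        print(f"real name     : {raw!r}")
        print(f"real extension: .{ext}")
        print(f"bidi controls : {', '.join(controls)}")
```

Run on the constructed archive, the scanner reports only the RLO member, shows the name the way Explorer would draw it, and prints the real extension "exe". The same `suspicious_members` function works on any ZIP read from disk; for mail gateways and sandboxes the useful rule is simply that a bidi control character has no legitimate business in an attachment file name.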

Being curious, we decided to test some third-party archive managers.

Here's the malware as viewed in WinZip:

[Screenshot: WinZip]

Here's WinRAR:

[Screenshot: WinRAR]

And here's 7-Zip:

[Screenshot: 7-Zip]

Surprisingly to us, 7-Zip doesn't display the file type in its listing, even though it offers sorting by type, so the reordered name is all a user sees there.

In any case, be aware of this RLO trick, and carefully examine any archived attachments before extracting or opening them: trust the file type your archive manager or Explorer reports over the extension you think you see in the name, since the override changes only how the name is drawn, not what it is.