NEWS FROM THE LAB - Friday, August 19, 2011

edocinU edirrevO tfeL ot thgiR gnisU erawlaM Posted by Sean @ 15:06 GMT

According to our friends at Commtouch, malware using Right to Left Override (RLO) Unicode tricks has "resurfaced extensively in the past week". The Unicode character U+202E (RIGHT-TO-LEFT OVERRIDE) reverses the display order of the text that follows it, a feature intended for languages that are traditionally read from right to left, and it can be abused to obfuscate file names: the bytes of the name are unchanged, only the rendering is.

We examined a sample a few days ago.

Here's the archive file viewed in Windows:

The Windows Compressed Folder view shows us that the extension is ".exe" and that the file type is an Application:

Compressed Folder

But once extracted, the file appears to have an extension of ".doc".

Windows Explorer recognizes the file as an application, but the malware is using a Word icon as part of its social engineering trickery.

Being curious, we decided to test some third-party archive managers.

Here's the malware as viewed in WinZip:

Here's WinRAR:

And here's 7-Zip:

Surprisingly to us, 7-Zip doesn't display the file type even though it sorts by type.

In any case, be aware of this RLO trick, and carefully examine any archived attachments before extracting and/or opening them.
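As an added example (not code from the original post), here is a small Python check that lists the names inside a zip archive, flags any that contain U+202E or related bidirectional control characters, and shows the real extension next to the name Explorer would render. The archive and the file name inside it are constructed for this example, modelled on the post's ".doc"/".exe" case rather than copied from the sample.

```python
import io
import zipfile
from typing import List, NamedTuple

# Unicode bidirectional controls that can reorder displayed text. U+202E is the
# Right-to-Left Override from the post; the others (LRE, RLE, LRO, PDF and the
# isolate controls) are worth flagging in a file name for the same reason.
BIDI_CONTROLS = {"\u202A", "\u202B", "\u202C", "\u202D", "\u202E",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202E"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202C"   # POP DIRECTIONAL FORMATTING, ends the override


class NameCheck(NamedTuple):
    raw: str                  # name as stored in the archive (controls included)
    displayed: str            # approximation of what a file manager renders
    real_extension: str       # extension the OS actually uses to open the file
    displayed_extension: str  # extension the user sees
    suspicious: bool          # any bidi control present in the name


def render_rlo(name: str) -> str:
    """Approximate rendering: text after an RLO is shown reversed until a PDF
    control or the end of the string. Other controls are simply dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def _ext(s: str) -> str:
    return s[s.rfind("."):].lower() if "." in s else ""


def check_name(name: str) -> NameCheck:
    stem = name.rsplit("/", 1)[-1]          # ignore directory components
    displayed = render_rlo(stem)
    has_bidi = any(ch in BIDI_CONTROLS for ch in stem)
    return NameCheck(stem, displayed, _ext(stem), _ext(displayed), has_bidi)


def scan_zip(data: bytes) -> List[NameCheck]:
    """Check every entry name in an in-memory zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [check_name(info.filename) for info in zf.infolist()]


def build_sample_zip() -> bytes:
    """Constructed sample archive: one RLO-disguised name, one benign name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report\u202Ecod.exe", b"MZ placeholder, not a real binary")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()
```

The disguised entry is stored as `report<RLO>cod.exe`, so the OS treats it as an .exe while the rendered name reads `reportexe.doc`; the check reports both extensions so the mismatch is visible before anything is extracted.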