Spreading malware via email has always been so effective that bad guys still use it widely. As you may know, there were times when email worms such as MyDoom and Brontok infected millions of computers worldwide. Nevertheless, thanks to the efforts of security agencies and antivirus vendors to warn users, attaching a virus to an email is becoming less effective than it used to be. Users are now more watchful of emails with attachments from unknown origins, and pay more attention to files' extensions however similar their icons may be. This has forced bad guys to change their methods.
One of the notable new methods is to exploit RLO (Right-to-Left Override) to hide a file's real extension, so that users think it is a safe file.
What is the nature of this issue? To support right-to-left languages such as Arabic or Hebrew, Microsoft Windows reverses the displayed order of a character sequence when the Unicode control code U+202E (Right-to-Left Override) is inserted at the beginning of that sequence. Take the example of a file named XXXcod.exe. After U+202E is inserted before the character "c", the file name is displayed as XXXexe.doc. In this case, if the bad guy also gives his file a .doc icon, would you have a fleeting doubt, or would you open the file immediately?
This is in fact the virus's executable file.
It can be seen that this is quite a sophisticated technique; even experts might be fooled if they do not pay proper attention. To protect your computer, examine a file's attributes before running it. If a file's type is an executable (.exe, .scr, .pif, etc.) but its name is displayed with another extension, it is a virus.
More simply, you can run the file in a sandbox to keep your computer safe. Best of all, use a licensed antivirus program for comprehensive protection against viruses.
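The check described above can be automated on the mail gateway or on attachment names before they reach a file manager. The following is an added example, not Bkav's code: it approximates how a file manager displays a name containing U+202E, recovers the extension the operating system actually uses, and flags the mismatch. The set of executable extensions is a constructed subset for illustration.

```python
from pathlib import PureWindowsPath

# Unicode bidirectional control characters that can reorder displayed text.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"  # Right-to-Left Override

# Extensions Windows runs as programs (constructed subset for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def displayed_name(name):
    """Approximate what a file manager shows: everything after the first
    RLO is rendered right to left (i.e. reversed); the invisible control
    characters themselves are dropped from the rendering."""
    if RLO in name:
        head, tail = name.split(RLO, 1)
        tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)[::-1]
        return head + tail
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name):
    """Extension the OS actually uses: the raw name with the invisible
    control characters removed, so 'XXX<RLO>cod.exe' still ends in .exe."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return PureWindowsPath(clean).suffix.lower()


def check_filename(name):
    """Describe the RLO risk for one attachment name."""
    shown = displayed_name(name)
    real = real_extension(name)
    shown_ext = PureWindowsPath(shown).suffix.lower()
    controls = [f"U+{ord(ch):04X}" for ch in name if ch in BIDI_CONTROLS]
    return {
        "displayed": shown,
        "real_extension": real,
        "has_bidi_controls": bool(controls),
        "controls": controls,
        # Suspicious when a bidi control hides an executable extension or
        # makes the displayed extension differ from the real one.
        "suspicious": bool(controls) and (real in EXECUTABLE_EXTENSIONS
                                          or real != shown_ext),
    }


if __name__ == "__main__":
    # Constructed samples: the page's XXXcod.exe trick and a benign name.
    for sample in ("XXX\u202ecod.exe", "report.doc"):
        print(check_filename(sample))
```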
Phạm Tuấn Vũ – Bkav R&D