Reverse direction file names & hidden extensions hide malware installers
Most computer users know that a file name has the form of a prefix (the name), a period, and a suffix (the extension), and that a particular extension opens the file in the program associated with that file type. Double click on a .doc file and it will open in either Microsoft Word or Oracle's OpenOffice, if either is installed and set as the default program for the .doc file type. Double click on a .jpg file and the graphics program associated with .jpg files will launch and display that image.
The majority of computer users are using computers that operate on various Microsoft operating systems. All operating systems published by Microsoft recognize .exe and .scr (screensaver) files as executables and will launch the program compiled inside those files, when they are double clicked. That .exe program may be a self-contained, stand-alone application, or the file might be a "setup" container for a program that needs to be "installed" into your computer before it can run.
Microsoft operating systems ship with a default folder view setting that hides the extensions of known file types, including .exe and .scr. If you haven't changed your Windows computer's default folder view settings, when you download a setup or installer file, all you see is the prefix, or file name, without the .exe extension. Thus, "Setup.exe" will usually appear on your PC as just "Setup". Similarly, a downloaded screensaver will appear without the .scr extension.
Windows is designed to extract information buried within most files to display an "icon" that represents the type of file it claims to be. This allows Windows users with default view settings that turn off file extensions to get an idea of what type of file they are looking at before they open it. So, an .exe file might have an icon of an open floppy disk box in front of a stacked PC and monitor, or an icon representing the program or its brand. That is what you would normally see for an executable file, unless the writers have embedded a custom display icon.
If a setup program has a manufacturer's custom icon, it is there because the writers inserted that icon into the program when it was "compiled." The people compiling that program can cause it to display any icon they choose to embed, including those representing a graphics image, or common text document, or a brand logo, or program name or initials. There is nothing stopping a malware distributor from having his installer compiled so it displays a .jpg image icon.
Now that you have these basic facts in mind, I am going to educate you (Windows users) about how these facts can be used against you, to trick you into manually installing malware.
If you allow a malicious program installer or hostile coded screensaver to Run As Administrator, or click through the User Account Control (UAC) prompt on Windows Vista or newer that asks whether you really want to continue, you could turn your PC into a remote controlled spam zombie, or install a key logging Trojan that steals your bank accounts and other important login credentials.
If you are fooled into downloading a rogue program, or Trojan Horse installer, thinking it is something else that is useful or desirable (remember the fall of Troy!), you will probably also be shown an innocent icon to set your mind at ease. The writers and distributors are going to assume that most victims will have not changed their default view settings, which turn off displaying extensions for known file types. You might think you are going to open a photo, or video, or sound track, or a document, when in reality you are giving away the keys to your digital kingdom.
But wait, there's more!
Back in 2007, H-Security published an article describing in theory how a Windows Vista computer could be tricked into displaying a file name and extension backwards! Using special "Unicode" characters in the file name, authors can cause it to be read from right to left, and displayed as such. Thus, a file named "jpg.zeustrojan.exe" can be crafted to actually be displayed on your Windows Vista or Windows 7 PC as "exe.najortsuez.jpg". But, if your default display settings hide known extensions, all you would see is "najortsuez.jpg" - or even just "najortsuez" - if .jpg extensions are also hidden on your PC.
This right-left text trick is no longer theoretical. There is now Chinese malware in the wild that uses this tactic to hide its real file type, in order to fool people into manually installing the Trojan Horse into their computers. Soon, other cyber-criminals will have their code writers apply the same right to left tricks and this exploit will come to a Windows Vista or Windows 7 computer near you (XP computers don't have native support for this Unicode RTLO text display, unless you install a special package to allow it).
How to protect against right to left text attacks
This is a no-brainer: unhide known file types! Here's one easy way to proceed:
Open your "Folder Options" by clicking the Start button/orb, click on Control Panel, then click on Appearance and Personalization, and then on "Folder Options."
Click the "View" tab, then under "Advanced settings", clear the "Hide extensions for known file types" check box, and then click OK to display file extensions.
This should make it easier for you to know if a downloaded file that claims to be a video or audio, or image, is in fact an executable. Then, if you don't have the best anti-virus and malware protection money can buy, don't open that program! If you accidentally open it and UAC pops up, don't allow the installer to continue. If it requests Administrator privileges, don't grant them.
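The file name trick described above, and the "is this download really an executable?" check that un-hiding extensions is meant to support, as an added Python example that is not from the original article: it flags Unicode bidirectional control characters in a file name, works out the extension Windows will actually dispatch on, and approximates what Explorer shows both with and without "Hide extensions for known file types". The sample names are constructed (not real malware), the executable extensions beyond the .exe and .scr named in the article are an assumption, and the rendering is a simplification of the full Unicode bidi algorithm.

```python
import os

# Unicode bidirectional control characters. Windows keeps them in the file name
# bytes but draws the name according to the bidi algorithm, so they change what
# the user sees without changing which program the real extension launches.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"

# Extensions Windows launches directly. The article names .exe and .scr; the
# others are an assumption added here for a slightly broader check.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".msi"}


def find_bidi_controls(name):
    """List (index, codepoint, short name) for every bidi control in the name."""
    return [(i, "U+%04X" % ord(ch), BIDI_CONTROLS[ch])
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def strip_bidi(name):
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name):
    """The extension Windows actually dispatches on: text after the last dot."""
    return os.path.splitext(strip_bidi(name))[1].lower()


def rendered_name(name):
    """Approximate on-screen rendering: characters after an RLO are drawn
    reversed until a PDF or the end of the name. Other controls are invisible.
    (Simplification: the real bidi algorithm has extra rules for digits and
    punctuation, but this is enough to show the trick.)"""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j, run = i + 1, []
            while j < len(name) and name[j] != PDF:
                if name[j] not in BIDI_CONTROLS:
                    run.append(name[j])
                j += 1
            out.append("".join(reversed(run)))
            i = j + 1          # skip the terminating PDF too, if present
        elif ch in BIDI_CONTROLS:
            i += 1             # other controls: not drawn
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def display_with_hidden_extension(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the real (last) extension is removed first, then the rest is rendered."""
    ext = true_extension(name)
    raw = name[:-len(ext)] if ext and name.lower().endswith(ext) else name
    return rendered_name(raw)


def assess(name):
    """Defender-side summary for one file name: what is shown vs. what runs."""
    controls = find_bidi_controls(name)
    ext = true_extension(name)
    executable = ext in EXECUTABLE_EXTENSIONS
    if controls and executable:
        verdict = "bidi-override hiding an executable"
    elif controls:
        verdict = "bidi-override present"
    elif executable:
        verdict = "executable"
    else:
        verdict = "ok"
    return {
        "raw": name,
        "displayed": rendered_name(name),
        "displayed_if_ext_hidden": display_with_hidden_extension(name),
        "true_extension": ext,
        "bidi_controls": controls,
        "executable": executable,
        "verdict": verdict,
    }


# Constructed sample names (not real files). The first mimics the trick the
# article describes: the bytes end in .exe, the screen says .jpg.
SAMPLE_NAMES = ["holiday_photo\u202egpj.exe", "holiday_photo.jpg", "Setup.exe"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = assess(n)
        print("%-32r shown: %-22s ext hidden: %-16s real: %-5s %s"
              % (n, r["displayed"], r["displayed_if_ext_hidden"],
                 r["true_extension"], r["verdict"]))
```

Run it on the names in a Downloads folder (os.listdir) and any entry whose verdict mentions a bidi override deserves a second look regardless of the icon it carries; the "ext hidden" column shows why the article's advice to un-hide known extensions matters, since "Setup.exe" and the override sample both lose their real extension from the display.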
Next, make sure you have set Windows Updates to Automatically download and install, at a time when your PC is normally powered on. Microsoft usually releases their monthly and sometimes bi-monthly Windows Updates at about 2 PM, in the Eastern Time Zone.
Unless Microsoft issues a patch to halt this right to left encoding trick, or forces the unhiding of known file types, you need to protect your computer by your own actions. So follow my advice in this article and un-hide known file extensions!
Additionally, do not think that you can operate without any up-to-date anti-virus and anti-malware protection which monitors your system in real time (not an after-the-fact, on-demand scanner). If you want a recommendation for a top-notch anti-malware solution, I recommend that you try out Trend Micro Internet Security (Titanium). It is industrial strength, with all manner of protection systems, but with very little impact on your PC's performance.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.