The Inquirer-Home

Windows 7 malware is camouflaged using Unicode filename trickery

Also affects Windows Vista
Fri May 13 2011, 12:27

LONG-SUFFERING Windows PC users have been warned about malware Trojans that camouflage malicious executable files using a fancy Unicode trick.

Unicode is a computing industry standard that provides a unique number for every character you use, no matter what system you are using. With malicious trickery, criminals have worked out how to fiddle with Unicode so that some characters in a Windows filename can be reversed.

Security firm Norman found malicious email attachments that appeared on the surface to have filenames with standard alphabetical characters, with Unicode-capable viewers seeing nothing out of the ordinary.

However, if you look at the file from a command prompt, it shows that the last bit of the filename has actually been reversed, and that this seemingly innocuous emailed file is actually an executable.

Norman tested other filenames, and found that the same Unicode trick allowed files to hide the fact that they were executable in the email client Lotus Notes. The firm said that any filename could hide extensions like PDF and EXE using the trick.

The firm said that the issue only affects Windows Vista and Windows 7 users, as Windows XP users have to install support for right-to-left languages in order to be vulnerable.

Email clients other than Lotus Notes could also treat the issue differently, as some don't support Unicode, while others are programmed to block executables even if the file's name doesn't display it as being executable.

Norman warned simply, "Do not rely on any file attachment or file on any device to be safe based on its file name." µ
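A filter of the kind mentioned above, one that judges an attachment by the characters actually stored in its name rather than by how the name is drawn, can be sketched as follows. This is an added example, not code from Norman or from any email client; it assumes the reversal comes from Unicode bidirectional formatting characters such as the right-to-left override, which the article does not name, and the extension blocklist and sample names are constructed for illustration.

```python
import unicodedata

# Unicode bidi classes of the embedding, override and isolate formatting
# characters, which change the order in which following text is drawn.
# Assumption: the trick in the article relies on characters of this kind.
BIDI_FORMAT_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

# Assumed policy list for this example; use your own gateway's blocklist.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def bidi_controls(name):
    """Return (index, character name) for each bidi formatting character."""
    return [(i, unicodedata.name(ch, "UNNAMED")) for i, ch in enumerate(name)
            if unicodedata.bidirectional(ch) in BIDI_FORMAT_CLASSES]


def stored_extension(name):
    """Extension taken from the stored (logical) order, controls removed."""
    logical = "".join(ch for ch in name
                      if unicodedata.bidirectional(ch) not in BIDI_FORMAT_CLASSES)
    logical = logical.rstrip(". ")  # Windows ignores trailing dots and spaces
    return logical.rsplit(".", 1)[1].lower() if "." in logical else ""


def inspect_filename(name):
    """Classify an attachment name by what is stored, not by how it renders."""
    controls = bidi_controls(name)
    ext = stored_extension(name)
    if ext in EXECUTABLE_EXTS:
        verdict = "block"
    elif controls:
        verdict = "flag"  # reordering characters have no place in a filename
    else:
        verdict = "allow"
    return {"verdict": verdict, "extension": ext, "controls": controls,
            # ASCII-escaped form for logs: the control shows up as \uXXXX.
            "escaped": name.encode("unicode_escape").decode("ascii")}


if __name__ == "__main__":
    # Constructed sample names, not taken from Norman's report.
    for sample in ["report.pdf", "setup.exe",
                   "invoice\u202efdp.exe", "photo\u202egpj.txt"]:
        print(inspect_filename(sample))
```

Logging the escaped form matters as much as the verdict: it shows an analyst the same thing the command prompt showed Norman, the name in stored order with the control character visible.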

 
