Hackers flip characters to disguise malware

Infected Windows PCs outsourced to other cyber criminals, who install more attack code

Hackers are using a new trick to cloak malicious files by disguising their Windows file extensions to make them appear safe to download, a Czech security company warned today.

The exploit, dubbed "Unitrix" by Avast Software, abuses Unicode for right-to-left languages -- such as Arabic or Hebrew -- to mask Windows executable files (.exe) as innocuous graphic images (.jpg) or Word documents (.doc).

Unicode is the computer industry standard for representing text with alpha-numeric codes.

The Unitrix exploit uses a hidden code (U+202E) that overrides right-to-left characters to display an executable file as something entirely different. Using that ploy, hackers can disguise a malicious file that ends with gpj.exe as a supposedly-safer photo_D18727_Coll exe.jpg by reversing the last six characters of the former.

"The typical user just looks at the extension at the very end of the file name; for example, .jpg for a photo. And that is where the danger is," said Jindrich Kubec, head of Avast's lab, in an email today. "The only way a user can know this is an executable file is if they have some additional details displayed elsewhere on their computer or if a warning pops up when they try and execute the file."

Microsoft's Internet Explorer 9 (IE9) uses a technology called "Application Reputation" to warn users of potentially-dangerous files downloaded from the Web.

Avast said that malware using the Unitrix tactic -- primarily a Trojan downloader that acts as door-opener and a rootkit that hides the malicious code -- increased in volume last month, hitting a peak of 25,000 detections daily.

The pattern of detections -- high on workdays, dropping by 75% or more on weekends -- shows that the attackers are targeting business users, Kubec argued.

Additional analysis done by Avast said that Windows PCs infected with the disguised Trojan were part of a "pay-per-installation" network rented to other criminals, who plant their own malware on the machines.

"[They] provide outsourced infection and malware distribution services for other cyber gangs...apparently based in Russia and the Ukraine," said Avast researcher Lyle Frink in a post to the Avast blog Wednesday.

Frink identified three command-and-control (C&C) servers that issue instructions to the infected PCs: The servers were located in China, Russia and the U.S.

Combating Unitrix is difficult, said Kubec; he suggested that users open any suspect files in a sandboxed environment. Office 2010, for example, opens downloaded .doc files in a sandbox to isolate any malware from Windows.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityWindowssoftwareoperating systems

More about AppleAvastetworkGoogleMicrosoftTopicUnicode

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

More videos

Blog Posts

Market Place