Hackers flip characters to disguise malware

Infected Windows PCs outsourced to other cyber criminals, who install more attack code

Hackers are using a new trick to cloak malicious files by disguising their Windows file extensions to make them appear safe to download, a Czech security company warned today.

The exploit, dubbed "Unitrix" by Avast Software, abuses Unicode for right-to-left languages -- such as Arabic or Hebrew -- to mask Windows executable files (.exe) as innocuous graphic images (.jpg) or Word documents (.doc).

Unicode is the computer industry standard for representing text with alpha-numeric codes.

The Unitrix exploit uses a hidden code (U+202E) that overrides right-to-left characters to display an executable file as something entirely different. Using that ploy, hackers can disguise a malicious file that ends with gpj.exe as a supposedly-safer photo_D18727_Coll exe.jpg by reversing the last six characters of the former.

"The typical user just looks at the extension at the very end of the file name; for example, .jpg for a photo. And that is where the danger is," said Jindrich Kubec, head of Avast's lab, in an email today. "The only way a user can know this is an executable file is if they have some additional details displayed elsewhere on their computer or if a warning pops up when they try and execute the file."

Microsoft's Internet Explorer 9 (IE9) uses a technology called "Application Reputation" to warn users of potentially-dangerous files downloaded from the Web.

Avast said that malware using the Unitrix tactic -- primarily a Trojan downloader that acts as door-opener and a rootkit that hides the malicious code -- increased in volume last month, hitting a peak of 25,000 detections daily.

The pattern of detections -- high on workdays, dropping by 75% or more on weekends -- shows that the attackers are targeting business users, Kubec argued.

Additional analysis done by Avast said that Windows PCs infected with the disguised Trojan were part of a "pay-per-installation" network rented to other criminals, who plant their own malware on the machines.

"[They] provide outsourced infection and malware distribution services for other cyber gangs...apparently based in Russia and the Ukraine," said Avast researcher Lyle Frink in a post to the Avast blog Wednesday.

Frink identified three command-and-control (C&C) servers that issue instructions to the infected PCs: The servers were located in China, Russia and the U.S.

Combating Unitrix is difficult, said Kubec; he suggested that users open any suspect files in a sandboxed environment. Office 2010, for example, opens downloaded .doc files in a sandbox to isolate any malware from Windows.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityWindowssoftwareoperating systems

More about AppleAvastetworkGoogleMicrosoftTopicUnicode

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts