I've just watched a ThioJoe file (good site, for those not familiar, BTW) outlining a VERY crafty method for getting you to run malicious files.
It's based on "RTLO" (Right-To-Left-Override) characters, designed, I think, for right-to-left languages but, combined with another common trick or two (like just changing a file icon), it can make an executable file look like something innocuous, like .... oh, ParyInvite.docx, complete with the relevant file icon.
Now sure, the common advice of not running ANY file you're not confident of stands good, if you receive a file from family/friend (hacked email, perhaps) which LOOKS like a bland file (.txt, .png, whatever) with an innocent-looking name, it would only take a moment's lack of concentration to click it and .... BAM. Executable executed.
I think everyone on this site is savvy enough to catch most of this stuff on the basis I mentioned above (if in ANY doubt, bin it), but I still recommend watching this video, because the technique used is VERY sneaky. Interesting, pretty simple IF you're aware of RTLOs, but very sneaky indeed.
Like ThioJoe said, and I'm not as technical as he is, this one could have caught me out.
https://www.youtube.com/watch?v=nIcRK4V_Zvc
BTW .... one method that MIGHT help catch this out is a structured approach to categorising your email accounts and aliases. There is one email account I have, fairly recently set up, that I don't give to ANYBODY except close family and very close friends. It's a pretty short list.
Any mail at all on that account from ANYBODY else is automatically binned. Period.
Similarly, if I get mail from that shortlist on any other account, I'm pretty suspicious about it. It MIGHT just be legit, and they forgot which account to use, or .....
A similar but different approach could be used for banking, tax, medical etc. i.e. ONLY strictly necessary but sensitive stuff.
It is not a complete email setup by any means, but it is the start of an approach to reduce risk.
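
A defender-side check for the RTLO trick described in the post above, as an added example that is not part of the original post or the video: it flags Unicode bidirectional control characters in a filename and reports the extension the operating system will actually act on. The function name, the extension list and the sample filenames are assumptions constructed for illustration.

```python
import os
import unicodedata

# Unicode bidirectional control characters that can reorder how text is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f", "\u061c",                      # LRM, RLM, ALM
}

# Assumed, non-exhaustive list of extensions that run code when opened on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".js", ".vbs", ".lnk", ".msi"}


def inspect_filename(name):
    """Check one filename (hypothetical helper) for bidi-control spoofing.

    This only looks for the RTLO-style trick; a plain .exe with no control
    characters is reported as "ok" because nothing about its name is hidden.
    """
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    # The real extension is whatever follows the last dot in the stored name,
    # regardless of the order in which the characters are rendered on screen.
    real_ext = os.path.splitext(name)[1].lower()
    if controls and real_ext in EXECUTABLE_EXTS:
        verdict = "block"    # hidden reordering plus an executable type
    elif controls:
        verdict = "review"   # reordering present, file type not executable
    else:
        verdict = "ok"
    return {
        "controls": controls,
        "real_ext": real_ext,
        # Escaped form is safe to log: the control character becomes visible.
        "escaped": name.encode("unicode_escape").decode("ascii"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample names; the first renders with ".docx" at the end.
    for sample in ["Invite\u202excod.exe", "report\u200f.pdf", "notes.txt"]:
        print(inspect_filename(sample))
```

The same check can be run over attachment names at a mail gateway or over a downloads folder, quarantining anything that comes back as "block".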