New Malware Changes Order of Reading Filenames Otherwise Unsafe

According to a warning by a security investigator, one fresh malicious program is spreading across the Web which reverses the order of reading of a filename and thereby hides the 'exe' within it so that such a file looks from RLO, meaning "right to left override," Infosecurity published on August 19, 2011.

The investigator named Lordian Mosuela attached with Israel-based Commtouch a security company explains that RLO represents one unicode control letter (U+202E), which makes a user read the characters from right-to-left instead of the usual left-to-right. Naturally, the mechanism is useful for languages which are based on right-to-left reading like Hebrew and Arabic. However, cyber-criminals are now abusing it in a manner that end-users will double-click seemingly harmless files, Mosuela warns. Infosecurity published this.

Moreover according to Mosuela, the Commtouch security team reported the technique during 2010, however, over the 3rd-week of August 2011, it has reappeared widely for deceiving end-users into clicking and viewing malware executables. Commtouch's blog posted Mosuela's observations on August 18, 2011.

Reportedly, as per Windows Explorer, the file is another software program, nevertheless the malware, playing a social engineering tactic, utilizes the icon of Microsoft Word.

Furthermore, the malware employs RLO for changing the text's direction to the opposite within a filename. Consequently, an executable or .exe file can look an innocuous .doc file. Citing one e.g., Mosuela shows how the original executable filename 'CORP_INVOICE_08.14.2011_Pr.phylcod.exe' is made to read 'CORP_INVOICE_08.14.2011_Pr.phylexe.doc.'

Apparently, the objective behind using RLO is to make recipients inadvertently click on a file, which maybe unsafe, states the investigator according to whom, the file in the e.g., contains Trojan Bredolab.

Further Mosuela says that the new technique is indicative of cyber-criminals who've become extremely innovative and sophisticated with respect to their attacks while they're attempting all possible tricks for duping unwary end-users.

The specialist therefore advises that users must know about the latest RLO trick while minutely look at file attachments prior to opening them. Moreover, they shouldn't go for suspicious attachments no matter whether a trusted source has sent them as also must ensure that their anti-virus solutions are up-to-date to ward off malware.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 9/3/2011