Attackers Change Filenames’ Directions Making .exe Files Look Harmless .doc Files
A Czechoslovakia-based security firm has warned that attackers are spreading malware by camouflaging the extensions of Windows filenames so that the files look genuine and safe, ComputerWorld reported on 7th September 2011.
According to the firm's analysts, the attack is new in that it uses Unicode features to display executable files as seemingly innocuous ones; the exploit is named "Unitrix."
According to the researchers, Unitrix relies on the Unicode support for languages that are read from right to left in order to conceal the real nature of .exe files. With Unicode, it becomes possible to make an installation file's .exe suffix look like an image file's .jpg or a Word file's .doc extension.
According to Jindrich Kubec, chief of the AVAST Virus Laboratory, a standard user looks only at the file name's extension, i.e. the characters displayed at the end of the name, such as .jpg, which indicates a photo file. That is where the risk arises: an end-user will learn that a file is an executable only if additional information is displayed elsewhere on the PC, or when an alert message appears at the time the file is run, Kubec explained, as published by ComputerWorld.
Researchers at the AVAST Virus Laboratory traced an uninterrupted rise in the total detections of such files in August 2011, with peak detections of around 25,000 per day. Moreover, the attacks occurred almost solely on working days; detections fell below 5,000 per day on Saturdays and Sundays.
Reportedly, the most common Unitrix file is apparently a malware installer linked to many URLs, which instruct the installer on what it should download and run on the infected system.
Meanwhile, attacks involving 'file-extension masquerading' aren't new. During August 2011, Commtouch, another security firm, warned about malware of the same kind, which flips and conceals a filename's '.exe' characters by means of RLO, i.e. right-to-left override. By using RLO, malware can reverse the direction of the text in a filename, which can make an .exe file look like an innocuous .doc file.
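As an added illustration (not from AVAST, Commtouch or the original article), the Python sketch below flags filenames that carry Unicode bidirectional control characters such as RLO (U+202E) and compares the real extension with the one a user would roughly see. The sample filenames, the executable-extension watch list and the simplified display logic are assumptions made for the example.

```python
import os
import unicodedata

# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}
# Assumed watch list of extensions Windows treats as runnable.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def strip_controls(text):
    return "".join(c for c in text if c not in BIDI_CONTROLS)

def approx_display(name):
    """Rough rendering: text after the first RLO is shown reversed.
    A simplification of the Unicode bidi algorithm, good enough for triage."""
    head, rlo, tail = name.partition("\u202e")
    if not rlo:
        return strip_controls(name)
    return strip_controls(head) + strip_controls(tail)[::-1]

def inspect_filename(name):
    """Report bidi controls and the gap between the real and displayed extension."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()   # what the OS acts on
    shown = approx_display(name)                   # what the user roughly sees
    shown_ext = os.path.splitext(shown)[1].lower()
    suspicious = bool(controls) and (
        real_ext != shown_ext or real_ext in EXECUTABLE_EXTS)
    return {"controls": controls, "real_ext": real_ext,
            "shown_as": shown, "shown_ext": shown_ext, "suspicious": suspicious}

def scan(names):
    """Return (raw name, report) pairs for names that should be quarantined."""
    reports = ((n, inspect_filename(n)) for n in names)
    return [(n, r) for n, r in reports if r["suspicious"]]

# Constructed sample names; escapes keep the control characters visible here.
SAMPLES = ["holiday.jpg", "report.doc", "invoice_\u202ecod.exe",
           "photo_\u202egpj.scr"]

if __name__ == "__main__":
    for raw, rep in scan(SAMPLES):
        print(f"{raw!r}: shown as {rep['shown_as']!r}, "
              f"real extension {rep['real_ext']}, controls {rep['controls']}")
```

A mail gateway or file-upload filter can apply the same check to attachment names and reject or rename anything it flags, since legitimate filenames rarely need these control characters.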
» SPAMfighter News - 20-09-2011