One Flip Means Victims for Hackers

Friday, September 9, 2011 @ 02:09 PM gHale


Hackers are all about deception. A juke here, a jive there, and all of a sudden they have a cache of unsuspecting victims. Now these cyber bad guys are using a new trick to cloak malicious files: disguising Windows file extensions so the files appear safe to download.

The exploit, called “Unitrix,” abuses Unicode support for right-to-left languages — such as Arabic or Hebrew — to mask Windows executable files (.exe) as innocuous graphic images (.jpg) or Word documents (.doc), said Czech security company Avast Software.


Unicode is the computer industry standard for representing text, assigning every character a numeric code.

The Unitrix exploit uses an invisible control character (U+202E, the right-to-left override) that forces the characters following it to be displayed right to left, so an executable file appears to be something entirely different. Using that ploy, hackers can disguise a malicious file whose name ends in gpj.exe as a supposedly safer photo_D18727_Collexe.jpg, because the override reverses the display of the last six characters.
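One defensive check this trick suggests, as an added example rather than anything from Avast or the article: a small Python scanner that flags file names carrying Unicode bidirectional control characters and compares the extension Windows will actually use with the one a user sees. The sample file names are constructed.

```python
# Added example: detect right-to-left override (RLO) file-name spoofing of the
# kind Unitrix uses. Illustrative detection logic, not Avast's own code.
import unicodedata
from pathlib import PurePath

# Unicode bidirectional controls that can change how a name is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

def displayed_name(name: str) -> str:
    """Approximate how a file browser renders a name with one U+202E:
    the part after the override is shown reversed (simplified bidi model)."""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]

def analyze(name: str) -> dict:
    """Return what the user sees, the real vs. apparent extension, and flags."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext = PurePath(name).suffix.lower()    # extension the OS will act on
    shown_ext = PurePath(shown).suffix.lower()  # extension the user reads
    return {
        "shown": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "controls": controls,
        "has_bidi_controls": bool(controls),
        "spoofed": bool(controls) and real_ext != shown_ext,
    }

def scan(names: list) -> list:
    """Return the analysis records for every name whose extension is spoofed."""
    return [r for r in (analyze(n) for n in names) if r["spoofed"]]

# Constructed sample names: two Unitrix-style spoofs and two benign names.
SAMPLES = [
    "photo_D18727_Coll\u202egpj.exe",   # displays as photo_D18727_Collexe.jpg
    "quarterly_report\u202ecod.exe",    # displays as quarterly_reportexe.doc
    "holiday.jpg",
    "setup.exe",                        # real executable, no disguise
]

if __name__ == "__main__":
    for rec in scan(SAMPLES):
        print(f"SPOOFED: shown as {rec['shown']!r}, really {rec['real_ext']}")
```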

“The typical user just looks at the extension at the very end of the file name; for example, .jpg for a photo. And that is where the danger is,” said Jindrich Kubec, head of Avast’s lab. “The only way a user can know this is an executable file is if they have some additional details displayed elsewhere on their computer or if a warning pops up when they try and execute the file.”

Microsoft’s Internet Explorer 9 (IE9) uses a technology called “Application Reputation” to warn users of potentially-dangerous files downloaded from the Web.

Avast said malware using the Unitrix tactic — primarily a Trojan downloader that acts as a door-opener and a rootkit that hides the malicious code — increased in volume last month, hitting a peak of 25,000 detections daily.

The pattern of detections — high on workdays, dropping by 75% or more on weekends — shows the attackers are targeting business users, Kubec said.

In addition, Windows PCs infected with the disguised Trojan were part of a “pay-per-installation” network rented to other criminals, who plant their own malware on the machines, Avast said.

“[They] provide outsourced infection and malware distribution services for other cyber gangs … apparently based in Russia and the Ukraine,” said Avast researcher Lyle Frink in a post to the Avast blog.

Frink identified three command-and-control (C&C) servers that issue instructions to the infected PCs; the servers were in China, Russia and the U.S.

Combating Unitrix is difficult, said Kubec, adding users should open any suspect files in a sandboxed environment. Office 2010, for example, opens downloaded .doc files in a sandbox to isolate any malware from Windows.


