Hackers are using a new trick to cloak malicious files by disguising their Windows file extensions to make them appear safe to download, a Czech security company warned today.
The exploit, dubbed “Unitrix” by Avast Software, abuses Unicode for right-to-left languages — such as Arabic or Hebrew — to mask Windows executable files (.exe) as innocuous graphic images (.jpg) or Word documents (.doc).
Unicode is the computer industry standard for representing text, assigning a numeric code to each character.
The Unitrix exploit uses a hidden control character (U+202E, the Unicode right-to-left override) that forces the characters following it to be displayed in reverse order, so an executable file is shown as something entirely different. Using that ploy, hackers can disguise a malicious file whose name ends in gpj.exe as a supposedly-safer photo_D18727_Coll exe.jpg, because the override reverses the last six characters of the former when the name is displayed.
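The following Python script is an added illustration, not code from the article or from Avast; it shows, from a defender's side, how a right-to-left override in a file name makes the displayed extension differ from the one Windows actually uses, and how a simple check can flag such names. The file names are constructed for the example (the `photo_D18727_Coll` stem is the one quoted above with an assumed U+202E placed before `gpj.exe`), and `rendered_name` only simulates the U+202E/U+202C pair rather than the full Unicode bidirectional algorithm.

```python
import os
import unicodedata

# Unicode bidirectional control characters that can reorder or hide text.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one the article describes; the rest
# are included because a name containing any of them deserves a second look.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # embeddings, overrides, pop
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates
    "\u200e", "\u200f", "\u061c",                      # LRM, RLM, ALM
}


def rendered_name(name: str) -> str:
    """Approximate what a left-to-right file listing shows for `name`.

    Simplification (assumption of this example): everything after a U+202E up
    to a U+202C pop or the end of the string is drawn right-to-left, i.e.
    reversed. That is enough to reproduce the trick described in the article.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = name.find("\u202c", i + 1)
            if j == -1:
                j = len(name)
            out.append(name[i + 1:j][::-1])  # reversed run of characters
            i = j + 1                        # skip the pop character, if any
        elif ch == "\u202c":
            i += 1                           # stray pop: not displayed
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def true_extension(name: str) -> str:
    """Extension the OS actually uses: text after the last '.' in the raw name,
    with invisible bidi controls removed."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def displayed_extension(name: str) -> str:
    """Extension a user sees at the end of the rendered name."""
    return os.path.splitext(rendered_name(name))[1].lower()


def check_filename(name: str) -> dict:
    """Report bidi controls present and whether the real and shown extensions disagree."""
    controls = sorted(
        f"U+{ord(c):04X} {unicodedata.name(c)}" for c in set(name) if c in BIDI_CONTROLS
    )
    real = true_extension(name)
    shown = displayed_extension(name)
    return {
        "raw": name,
        "rendered": rendered_name(name),
        "bidi_controls": controls,
        "true_extension": real,
        "displayed_extension": shown,
        "suspicious": bool(controls) and real != shown,
    }


def scan_names(names):
    """Return the check results for every name that looks disguised."""
    return [r for r in (check_filename(n) for n in names) if r["suspicious"]]


# Constructed sample listing: one disguised executable, one ordinary photo.
SAMPLE_NAMES = [
    "photo_D18727_Coll\u202egpj.exe",  # displays as ...Collexe.jpg, runs as .exe
    "holiday.jpg",
]

if __name__ == "__main__":
    for result in scan_names(SAMPLE_NAMES):
        print(f"{result['rendered']!r} is really {result['true_extension']} "
              f"(controls: {', '.join(result['bidi_controls'])})")
```

In practice the same check belongs wherever file names enter a system a user will trust: a mail gateway, a download scanner, or a listing tool; the decisive signal is the presence of a bidi control at all, since ordinary file names have no reason to contain one.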
“The typical user just looks at the extension at the very end of the file name; for example, .jpg for a photo. And that is where the danger is,” said Jindrich Kubec, head of Avast’s lab, in an email today. “The only way a user can know this is an executable file is if they have some additional details displayed elsewhere on their computer or if a warning pops up when they try and execute the file.”
Microsoft’s Internet Explorer 9 (IE9) uses a technology called “Application Reputation” to warn users of potentially-dangerous files downloaded from the Web.
Avast said that malware using the Unitrix tactic — primarily a Trojan downloader that acts as door-opener and a rootkit that hides the malicious code — increased in volume last month, hitting a peak of 25,000 detections daily.
The pattern of detections — high on workdays, dropping by 75% or more on weekends — shows that the attackers are targeting business users, Kubec argued.
Additional analysis done by Avast said that Windows PCs infected with the disguised Trojan were part of a “pay-per-installation” network rented to other criminals, who plant their own malware on the machines.
“[They] provide outsourced infection and malware distribution services for other cyber gangs…apparently based in Russia and the Ukraine,” said Avast researcher Lyle Frink in a post to the Avast blog Wednesday.
Frink identified three command-and-control (C&C) servers that issue instructions to the infected PCs; the servers were located in China, Russia and the U.S.
Combating Unitrix is difficult, said Kubec; he suggested that users open any suspect files in a sandboxed environment. Office 2010, for example, opens downloaded .doc files in a sandbox to isolate any malware from Windows.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.