The use of the right-to-left override (RLO) character in Unicode, a tactic that enables malware authors to hide the real name of a malicious executable or a registry key, is seeing a rebirth.
Malware writers have been using the RLO technique for years, as it’s a simple and effective method for disguising the names of malicious files. Typically, attackers will try to make their malware appear to be something benign, such as a music player or setup file for a popular application. The RLO technique helps them accomplish this goal.
Malware authors give a malicious file a name that is somewhat close to a legitimate file name, and append an extension such as .exe. But hidden in the file name will be a Unicode character that reverses the display order of the characters that follow it. So, for example, a file actually named “malwaregpj.exe” will appear as “malwareexe.jpg” when the RLO character is inserted after the word “malware.”
Security researchers and malware analysts have known about this technique for quite a while, but it is beginning to surface once again.
Researchers at Microsoft have seen new malware samples attempting to impersonate the Google service that keeps software updated on users’ machines, and the malware is using the RLO technique in order to look like a legitimate registry key.
The malware is Sirefef, which is about a year old. It uses the RLO method to trick users into thinking the entries it puts into the infected machine’s registry are legitimate ones.
“The variants use the right-to-left-override character in the registry in order to hide its presence by mimicking a setting instantiated by a Google Chrome installation,” said Raymond Roberts of Microsoft.
When the Sirefef malware infects a new machine, it creates a registry entry that looks identical to the legitimate Google Update service. Even clicking on the entry to view its properties will show what appears to be a legitimate entry, aside from some odd-looking characters in the path of the executable. However, looking at the registry entry without Unicode support will reveal the problem. The Sirefef registry entry will show up as “etadpug” and the key will contain a slew of random characters rather than the description of the legitimate Google Update service.
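The file-name trick described above and the “etadpug” registry entry can both be caught by the same check: looking for bidirectional control characters in a name and comparing what a Unicode-aware UI would display with what the operating system actually stores. The following is an added example written for this article, not code from Microsoft or any analysis tool; the sample names are constructed to match the article’s description and are not real Sirefef artefacts, and the rendering model is a simplified approximation of the Unicode bidi algorithm.

```python
import os

# Unicode bidirectional controls: invisible characters that change how a
# name is displayed without changing the bytes the OS actually uses.
BIDI_CONTROLS = {"\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
                 "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
                 "\u2069": "PDI"}

def find_bidi_controls(name):
    """(index, abbreviation) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def rendered_form(name):
    """Approximate what a bidi-aware UI shows: the text after an RLO is
    reversed up to a matching PDF or the end of the string.
    Simplified model, not a full Unicode bidi implementation."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif name[i] in BIDI_CONTROLS:
            i += 1  # other controls are simply invisible in this model
        else:
            out.append(name[i])
            i += 1
    return "".join(out)

def stripped_form(name):
    """What a tool without Unicode rendering sees: storage order, controls removed."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)

def analyze_name(name):
    """Report bidi controls in a file or registry value name and whether the
    displayed extension differs from the one the OS will actually honour."""
    controls = find_bidi_controls(name)
    displayed = rendered_form(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(displayed)[1].lower()
    return {"controls": controls, "displayed": displayed,
            "stripped": stripped_form(name), "real_ext": real_ext,
            "shown_ext": shown_ext, "ext_mismatch": real_ext != shown_ext,
            "suspicious": bool(controls)}  # controls never belong in a name

if __name__ == "__main__":
    # Constructed samples modelled on the article: not real Sirefef artefacts.
    for sample in ("malware\u202egpj.exe", "\u202eetadpug", "gupdate"):
        print(analyze_name(sample))
```

The second sample shows why a non-Unicode view reveals the trick: stored as “etadpug”, it renders as “gupdate”, the name of the legitimate Google Update service it imitates.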
“This demonstrates yet another concerted attempt by malware to hide itself in plain sight by pretending to be something it is not,” Roberts said. “It may make it difficult for someone doing a cursory check to determine if they are infected.”