Hackers are all about deception. A juke here; a jive there and all of a sudden he has a cache of unsuspecting victims. Now these cyber bad guys are using a new trick to cloak malicious files by disguising Windows file extensions to make them appear safe to download.
The exploit, called “Unitrix” abuses Unicode for right-to-left languages — such as Arabic or Hebrew — to mask Windows executable files (.exe) as innocuous graphic images (.jpg) or Word documents (.doc), said Czech security company Avast Software.
Unicode is the computer industry standard for representing text with alpha-numeric codes.
The Unitrix exploit uses a hidden code (U+202E) that overrides right-to-left characters to display an executable file as something entirely different. Using that ploy, hackers can disguise a malicious file that ends with gpj.exe as a supposedly-safer photo_D18727_Collexe.jpg by reversing the last six characters of the former.
“The typical user just looks at the extension at the very end of the file name; for example, .jpg for a photo. And that is where the danger is,” said Jindrich Kubec, head of Avast’s lab. “The only way a user can know this is an executable file is if they have some additional details displayed elsewhere on their computer or if a warning pops up when they try and execute the file.”
Microsoft’s Internet Explorer 9 (IE9) uses a technology called “Application Reputation” to warn users of potentially-dangerous files downloaded from the Web.
Avast said malware using the Unitrix tactic — primarily a Trojan downloader that acts as door-opener and a rootkit that hides the malicious code — increased in volume last month, hitting a peak of 25,000 detections daily.
The pattern of detections — high on workdays, dropping by 75% or more on weekends — shows the attackers are targeting business users, Kubec said.
In addition, Windows PCs infected with the disguised Trojan were part of a “pay-per-installation” network rented to other criminals, who plant their own malware on the machines, Avast said.
“[They] provide outsourced infection and malware distribution services for other cyber gangs … apparently based in Russia and the Ukraine,” said Avast researcher Lyle Frink in a post to the Avast blog.
Frink identified three command-and-control (C&C) servers that issue instructions to the infected PCs: The servers were in China, Russia and the U.S.
Combating Unitrix is difficult, said Kubec, adding users should open any suspect files in a sandboxed environment. Office 2010, for example, opens downloaded .doc files in a sandbox to isolate any malware from Windows.