Social engineering tactics are vast and varied, and we see all sorts of methods being used on a daily basis by malware authors, in their attempts to compromise your machine. One such method that we see often is malware being distributed as an alluring or enticing link or file, and we know that some users (that are perhaps not as cautious as they should be) might click on such links, open such file, or accept file transfers from unknown sources…

As has been noted previously, the use of Unicode characters such as the Right to Left Override (U+202E) to alter the appearance of a file name, in an attempt to trick the user into clicking on that file, is not new. But that doesn't mean that this method is not used much; actually, we see this happening regularly.

Most users are aware of the dangers of clicking on unknown executables, so the attackers use the RLO characters to disguise the file name. Thus, <file name>gpj.exe with the Unicode character inserted after <file name> becomes <file name>exe.jpg, for example:


 
In a console the effect is not visible, for the same two file names, for example:


 
Because of where the real extension (in this case .exe) appears, a lot of file names will appear to end with the string 'exe'. In order to cover this up, the attackers attempt to make the name 'fit' better. What follows are some examples of file names used.

The most obvious attempt to get clicks has to go to the following file name:

sexe.jpg

Then there are attempts to come up with plausible sounding file names that end in exe:

  • Aelexe.jpg
  • Changelog_08.12.2011_Prophylexe.doc
  • coole-sexy-coole_sexy_hexe.pdf
  • DSC034239_by_Mexe.jpg
  • IMG_Leexe.jpg
  • Invoice_08.15.2011_Stropolexe.doc
  • UPS_DELIVERY_NOTICE_Manalexe.doc


You get the gist.

Or perhaps a file name that just appears as though an extra character has been 'erroneously' appended, such as:

  • 10 On my Blackberry At the house of my exe.jpg
  • mewithmyexe.jpg


Or maybe something that sounds similar but is not spelt quite the same:

The Theory of Poker by David Sklanexe.pdf

As always, one must be vigilant when dealing with unknown email attachments, and files may be transferred through an unknown or questionable source.

Raymond Roberts
MMPC