I have mentioned in a previous blog that the use of the right-to-left-override (U+202E) Unicode character is nothing new. That blog also went on to show the various file name tricks used by malware.
But now we see something different: the use of this trick by variants of the Sirefef family of malware. The variants use the right-to-left-override character in the registry in order to hide their presence by mimicking a setting instantiated by a Google Chrome installation.
When a user installs an enterprise version of Google Chrome, the application sets the following entries in the registry for the Google update service.
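The trick described above works because a registry viewer renders the name according to the Unicode bidirectional rules, so the code points a defender sees on screen are not the code points actually stored. The following is an added example, not code from this blog or from Microsoft, that scans a list of registry key and value names for bidirectional control characters and shows each hit both escaped (true code-point order) and as it would naively render. The sample entries and the value name `Service\u202EemaN` are constructed for illustration and are not real Sirefef or Chrome data; on a live system the `entries` list would be built from a registry export or `winreg`.

```python
import unicodedata

# Unicode bidirectional formatting characters. U+202E is the right-to-left
# override used by the trick; the others can be abused the same way.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                       # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}


def find_bidi_controls(name):
    """Return (index, 'U+XXXX', Unicode name) for every bidi control in name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]


def escape_controls(name):
    """Render name with each bidi control written out as <U+XXXX>, so the
    stored order of characters is visible instead of the displayed one."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in name)


def naive_rendering(name):
    """Approximate how a viewer shows a name containing a single U+202E:
    everything after the override is displayed reversed. This is a
    simplification of the full bidi algorithm, enough to explain the mimicry."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name


def scan_registry_names(entries):
    """entries: iterable of (key_path, value_name) pairs, e.g. from a .reg export.
    Returns one finding per key path or value name containing a bidi control."""
    findings = []
    for key_path, value_name in entries:
        for field, text in (("key", key_path), ("value", value_name)):
            hits = find_bidi_controls(text)
            if hits:
                findings.append({
                    "field": field,
                    "key": key_path,
                    "value": value_name,
                    "escaped": escape_controls(text),
                    "displayed_as": naive_rendering(text),
                    "controls": hits,
                })
    return findings


# Constructed sample data (hypothetical names, not real registry content).
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Example\Update", "ServiceName"),
    (r"HKLM\SOFTWARE\Example\Update", "Service\u202EemaN"),
]

if __name__ == "__main__":
    for f in scan_registry_names(SAMPLE_ENTRIES):
        print(f"{f['key']} [{f['field']}] stored={f['escaped']!r} "
              f"displayed={f['displayed_as']!r} controls={f['controls']}")
```

The second sample entry is stored as `Service<U+202E>emaN` but is displayed as `ServiceName`, which is exactly why a legitimate-looking name next to a real Chrome update entry can pass a visual inspection; matching on the raw code points, as `find_bidi_controls` does, is what catches it.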