What are ways to prevent files with the Right-to-Left Override Unicode character in their name (a malware spoofing method) from being written or read?
Posted
by
galacticninja
on Super User
See other posts from Super User
or by galacticninja
Published on 2012-04-05T07:46:16Z
Indexed on
2012/04/06
5:33 UTC
Read the original article
Hit count: 229
What are ways to avoid or prevent files with the RLO (Right-to-Left Override) Unicode character in their name (a malware method to spoof filenames) from being written or read in a Windows PC?
More info on the RLO unicode character here:
- http://www.fileformat.info/info/unicode/char/202e/index.htm
- http://en.wikipedia.org/wiki/Bi-directional_text
Info on the RLO unicode character when used by malware:
http://www.ipa.jp/security/english/virus/press/201110/E_PR201110.html
Mirror link: http://webcache.googleusercontent.com/search?q=cache:KasmfOvbVJ8J:www.ipa.jp/security/english/virus/press/201110/E_PR201110.html+&cd=1&hl=en&ct=clnk
You can try this RLO character test webpage: http://www.fileformat.info/info/unicode/char/202e/browsertest.htm
The RLO character is also already pasted in the 'Input Test' field in that webpage. Try typing there and notice that the characters you're typing are coming out in their reverse orders (right-to-left, instead of left-to-right).
In filenames, the RLO character can be specifically positioned in the filename to spoof or masquerade as having a filename or file extension that is different than what it actually has. (Will still be hidden even if 'Hide extensions for known filetypes' is unchecked.)
The only info I can find that has info on how to prevent files with the RLO character from being run is from the Information Technology Promotion Agency, Japan website:
http://www.ipa.jp/security/english/virus/press/201110/E_PR201110.html (Mirror link).
They adviced to use the Local Security Policy settings manager to block files with the RLO character in its name from being run.
Can anyone recommend any other good solutions to prevent files with the RLO character in their names from being written or being read in the computer, or a way to alert the user if a file with the RLO character is detected?
My OS is Windows 7, but I'll be looking for solutions for Windows XP, Vista and 7, or a solution that will work for all those OSes, to help people using those OSes too.
© Super User or respective owner