lowmanio.co.uk title image

Unicode making malware easier

Sun, 16 Oct 2011 04:09PM

Category: Digital Forensics & Malware

Written by Sarah | No comments

I recently discovered a wonderful unicode character that makes the following text reverse called right-to-left-override. For example: print "Hello[U+202E]World", produces the output: Hello dlroW. I'm not sure of what legitimate reason you would use the unicode character, but several blogs have warned that it can be used by malware writers to get people to click on files. Most people are wary that .exe files might be harmful, but extensions like JPG and other images are generally not. You can 'trick' a user into thinking a file is a JPG by using this special unicode character. If you named your malware executable ClickHer[U+202E]gpj.exe for example, you'd end up with a file called ClickHerexe.jpg.

I had a go at making a simple executable (don't worry, it's just some ASCII art). In true malwaresque style, I have named it something enticing (see screenshot below). You can download the Python code to make the 'malware' here. Essentially I made a batch file, and then used Bat To Exe Convertor to change this into an exe file. I then opened this up into a hex editor, copied out the hex and then used Python to recreate the file with the dodgy name. I didn't have any luck just renaming the file, Windows was being awkward when I tried to paste in the unicode character. I know this is a very roundabout way of doing it, but I leant a bit about exe files and Python's hex capabilities. Python has a very easy way to convert pure hex into a file:

import binascii
hex = '4D5A90' # shrunk massively to be an example. 
# Note that the first two characters are 4D5A, which is MZ: the standard .exe header.

hb = binascii.a2b_hex(hex)
filename = u'EmmaWatsonS\u202Egpj.exe'	# unicode characters in Python start with \u

with open(filename, 'wb') as malware:

Note that Windows still thinks it is an application and not an image, so the tuned-in user should spot something is awry when the default icon is not of a JPG (and of course no mini preview of the image is available) but of an application.

Screenshot of my example executable disguised as a JPG.

Further reading:

Tagged with: Python, Malware, unicode


No comments.

Add a comment