Unicode making malware easier

I recently discovered a wonderful unicode character that makes the following text reverse called right-to-left-override. For example: print “Hello[U+202E]World”, produces the output: Hello dlroW. I’m not sure of what legitimate reason you would use the unicode character, but several blogs have warned that it can be used by malware writers to get people to click on files. Most people are wary that .exe files might be harmful, but extensions like JPG and other images are generally not. You can ‘trick’ a user into thinking a file is a JPG by using this special unicode character. If you named your malware executable ClickHer[U+202E]gpj.exe for example, you’d end up with a file called ClickHerexe.jpg.

I had a go at making a simple executable (don’t worry, it’s just some ASCII art). In true malwaresque style, I have named it something enticing (see screenshot below). You can download the Python code to make the ‘malware’ here. Essentially I made a batch file, and then used Bat To Exe Convertor to change this into an exe file. I then opened this up into a hex editor, copied out the hex and then used Python to recreate the file with the dodgy name. I didn’t have any luck just renaming the file, Windows was being awkward when I tried to paste in the unicode character. I know this is a very roundabout way of doing it, but I leant a bit about exe files and Python’s hex capabilities. Python has a very easy way to convert pure hex into a file:

import binascii
hex = '4D5A90' # shrunk massively to be an example. 
# Note that the first two characters are 4D5A, which is MZ: the standard .exe header.

hb = binascii.a2b_hex(hex)
filename = u'EmmaWatsonS\u202Egpj.exe'	# unicode characters in Python start with \u

with open(filename, 'wb') as malware:
    malware.write(hb) 

Note that Windows still thinks it is an application and not an image, so the tuned-in user should spot something is awry when the default icon is not of a JPG (and of course no mini preview of the image is available) but of an application.

Screenshot of my example executable disguised as a JPG.

Further reading:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s