File Extension Trick Using RTLO

Always wanted people to open your malicious msfpayload executable, but they never did because they could see it was an executable? Here is a neat (albeit trivial) file “extension” trick for fooling unsuspecting users into opening executables. The Unicode right-to-left override character, U+202E (RLO), makes any bidi-aware text renderer, Windows Explorer included, display the characters that follow it in reverse order. Its legitimate use is for right-to-left scripts such as Hebrew and Arabic; its abuse here is to push the real extension into the middle of the displayed name and put a fake one at the end. Suppose you have a malicious executable disguised as the SysInternals tool “Procmon.exe”:

[screenshot: procmon_icon]

1. Open the Character Map (Start -> Accessories -> System Tools -> Character Map) and compose the file name in the “Characters to copy” box in the following format, inserting U+202E from the character grid at the marked position:

Format:
[file name][U+202E][fake extension spelled backwards, e.g. piz for .zip][.real extension]

For example, Procmon + U+202E + piz + .exe is stored on disk as “Procmon[U+202E]piz.exe”, but Explorer renders everything after the override reversed, so the name reads “Procmonexe.zip”. Note that the letters of the real extension still appear, just reversed and glued to the name, so pick a name where that goes unnoticed.

[screenshot: charmap]

2. Click the “Copy” button, then rename the file by pasting the copied text as its new name:

[screenshot: testRTLO]

3. That is all! Explorer now shows a “zip” file. 🙂 Keep in mind that only the displayed name has changed: the file still ends in .exe, the Type column and the Properties dialog still say Application, double-clicking still runs it, and the U+202E code point sits in the file name for any scanner or mail gateway that looks for it.

[screenshot: fakezip]

A good variant is to make it a “png” file and give it an enticing name, the kind usually attached to *HOT* pictures. If the file is an executable, set its icon to a PNG thumbnail before compilation so the icon matches the fake extension.
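The whole procedure scripted, together with the check a defender would run against it, as an added Python example that is not part of the original post: `build_rtlo_name` assembles the on-disk name from the format above, `displayed_name` approximates what a bidi-aware renderer shows (the run after U+202E reversed, up to a U+202C pop), and `audit_names` flags any file name carrying a bidi control character and reports the extension the OS will actually use. The sample file names are constructed for the demo.

```python
import os
import tempfile

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: reverses the display of what follows
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING: ends the override

# Unicode bidi control characters that can change how a name is rendered;
# none of them has any business inside a file name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def build_rtlo_name(stem, fake_ext, real_ext):
    """Assemble the on-disk name: [stem][RLO][fake ext reversed][.real ext].

    build_rtlo_name("Procmon", "zip", "exe") -> "Procmon\u202epiz.exe"
    """
    return f"{stem}{RLO}{fake_ext[::-1]}.{real_ext}"


def displayed_name(name):
    """Approximate what Explorer renders: the run after an RLO is shown
    reversed until a PDF (or the end of the string). Accurate for ASCII tails."""
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    overridden, _, rest = tail.partition(PDF)
    return head + overridden[::-1] + displayed_name(rest)


def real_extension(name):
    """The extension the OS actually dispatches on, taken from the raw name."""
    return os.path.splitext(name)[1].lower()


def find_bidi_controls(name):
    """Return (index, short name) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def audit_names(names):
    """Defender side: flag names whose displayed form lies about the extension."""
    findings = []
    for name in names:
        controls = find_bidi_controls(name)
        if not controls:
            continue
        findings.append({
            "raw": name,
            "displayed": displayed_name(name),
            "real_ext": real_extension(name),
            "controls": controls,
        })
    return findings


# Constructed sample directory listing: two RTLO names and one benign one.
SAMPLE_NAMES = [
    build_rtlo_name("Procmon", "zip", "exe"),   # shows as Procmonexe.zip
    "holiday_photo" + RLO + "gnp.scr",          # shows as holiday_photorcs.png
    "report.pdf",
]

if __name__ == "__main__":
    # Round trip through a real filesystem: the control character survives
    # the rename, so it is what os.listdir() hands back to any scanner.
    with tempfile.TemporaryDirectory() as d:
        for name in SAMPLE_NAMES:
            open(os.path.join(d, name), "wb").close()
        for f in audit_names(os.listdir(d)):
            print(f"displayed as {f['displayed']!r}, really {f['real_ext']}, "
                  f"controls at {f['controls']}")
```

The audit keys on the raw code points rather than on the rendered name, which is the only reliable signal: whatever the tail looks like on screen, a file name containing U+202E (or any of the other controls in the table) deserves a block or at least a warning, and the real extension is always whatever `os.path.splitext` returns on the untouched string.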
