Tuesday, October 29, 2019

How to fix PDFs ending in .EXE

Update: Metadata Consulting [dot] ca: How to fix right-to-left files - bulk command line tool

Malware writers can trick you in two ways into thinking a file is a "PDF-looking" file.


Firstly, a maliciously constructed ".exe" can be built to display a PDF icon, so it looks as if the default PDF reader will open the file. If the filename is really long, you can't see the extension (see image below).

Secondly, and perhaps less obviously, a malicious filename can be constructed with a right-to-left override character in such a way that the name appears to end in a ".pdf" extension, but the file really is an ".exe".


So in the example below, the 2nd file looks like a ".txt" file, but is really a ".docx" file (the same as the 1st file). The 1st file has been cleansed of the RTL Unicode character, and ends in ".docx".

The "PDF" file is actually an ".exe" file, but looks as if it will open with the default PDF reader.


Download RTLExample.7z (it includes the above files, with the PDF ".exe" example. The files contain no viruses or malware; the "PDF" is a harmless ".exe" that just opens this page in Chrome). Your anti-virus software may flag these as malicious files because the filenames contain the right-to-left override character. You can create these files yourself as well.

Here are the same files as viewed from the command line (cmd.exe). The box character represents the RTL character.


Note: Detection of a malicious file is never done by filename alone, so a good antivirus will scan the contents of the file for known signatures. BUT you can remove the annoying RTL character with the free tool below!

How is RTLO being abused by malware writers?

In apps that support Unicode, like Windows Explorer, the right-to-left override malware method uses an RTL Unicode character that reverses the display order of the characters that follow it. The character exists for Middle Eastern/Asian languages that are read right-to-left.

RTLO can be used to spoof fake extensions; the trick relies on a hidden RTL Unicode character in the file name.

What is “Right-to-Left Override” (RTLO)?
The RTLO method is used to hide the true type of a file, so it might trick you into opening a text file (.txt) which really is a Word file (.docx) carrying malware. More recently this file could hide a .wav file; audio files such as .wav are being embedded with malware, which is at the forefront of malware maliciousness. Read about that in my post here.
The method exploits a feature built into Windows Explorer. Microsoft Windows does a great job of supporting different languages from around the world, and some of those languages are written from right-to-left (RTL).
Let’s say you want to use a right-to-left written language, like Hebrew or Arabic, on a site combined with a left-to-right written language like English or French. In this case, you would want bidirectional script support.
Bidirectional script support is the capability of a computer system to correctly display bidirectional text. In HTML we can use Unicode right-to-left marks and left-to-right marks to override the HTML bidirectional algorithm when it produces undesirable results:
left-to-right mark: ‎ (U+200E) Unicode character
right-to-left mark: ‏ (U+200F) Unicode character
How do you fix files that have the RTLO or other bad characters?

Here's a tool I built to clean up the Right-to-Left Mark (and many others) and Unicode control characters from your file names. It's super fast, small and written in native C++.

Download touchRTL.7z (you need https://www.7-zip.org/ to unpack it). Free for personal use, but it will open this page.

To get touchPRO.7z, use the contact form. Pro has flags to remove Unicode spaces and punctuation (math symbols, currency symbols, opening and closing braces, and accent marks).

Just run this command and it will recursively rename files under the specified directory to remove those characters. If the directory name contains spaces, you need quotes.


touchRTL -v -l -R "directory name"

where


Usage: touchRTL [-acdhlmprRtuvx] [-r REFFILE | -t TIME | -d DATETIME] FILE...

A FILE argument that does not exist is created empty, unless -c or --no-create
is supplied.

  -a, --access-time        change only the file access time
  -c, --no-create          do not create any new files - If the file exists, touch will update the access time, else will do nothing.
  -l, --RTL                remove Unicode control & format characters (esp. infamous right-to-left) from filename (ditto -u)
  -m, --modif-time         change only the file modification time
  -p, --pause-exit         pause on exit (non-GNU extra)
  -R, --recursive          recursively touch files in specified directory and all subdirectories (non-GNU extra)
  -u, --uni-cntrl-chars    remove Unicode control & format characters (esp. infamous right-to-left) from filename (ditto -l)
  -v, --verbose            output the result of every file processed (non-GNU extra)
  -x, --creation-time      change only the file creation time (non-GNU extra)
  -r, --reference REFFILE  use this file's times instead of current time

  -t, --time TIMESTAMP     use [[CC]YY]MMDDhhmm[.ss] instead of current time
                           Where
                            CC: First two digit of the year
                            YY: Last two digits of the year
                            MM: Month (two-digit numeric month)
                            DD: Day (two-digit numeric day i.e. day of month)
                            hh: Hour
                            mm: Minutes
                            ss: Seconds
                           [] indicates that field is optional

  -d, --date DATETIME      use YYYY-MM-DDThh:mm:ss[.ms] instead of current time (non-GNU, does not parse string)
                           accepted "2033-04-01T07:07:07", "2033-04-01 07:07:07", "2033-04-01 07:07:07.1200"

  -h, --help               Display this help and exit.
  --version                Display version information and exit.

Note: -d and -t options accept different time-date formats.

Copyright © 2019 Metadata Consulting <metadataconsult@gmail.com> - https://metadataconsulting.ca/
Open source by Stephane Duguay <s@binarez.com> - https://www.binarez.com/touch_dot_exe/

Friday, October 25, 2019

Amazon Phishing Email - Fraud Activity Payment - Purchase of "AMAZON PRIME" on Amazon Market Place

For the record, this is an Amazon phishing email attempt that has recently been going around and made it through spam filters. What to do? Report it; go to the bottom of the page.


From: billing-problem@amazon.com

Subject: RE: [Payment Update] Case ID: #07777777 - Fraud Activity Payment - Purchase of "AMAZON PRIME" on Amazon Market Place on 22 October 2019 / Pago de actividad fraudulenta: compra de "AMAZON PRIME" en Amazon Market Place

Reply-To: billing-problem@amazon.com


Dear Customer,

We believe that an unauthorized party may have accessed your account. To protect your information, we have:

Disabled the password to your account.

Reversed any modifications made by this party.

Canceled any pending orders. You can ignore any confirmation emails that you received for these orders.

If appropriate, refunded purchases to your payment instrument.

Restored any gift card balance that may have been used. It may take 2 to 3 days for the gift card balance to be available in your account.

Just log in https://amazon.com and follow the instructions in your account notifications to see what information you need to provide. Please send the missing information by 24 October 2019.

Sincerely,

Amazon.com
=========================

SPAM/PHISHING LINKS:

1. https://t.umblr.com/redirect?z=https%3A%2F%2Famazon-customer-service.accountunderreview.com%2F%3Famalsoleh&t=OsdfsfasdfasdfasfH:DSFDKJFHQ%3D%3D&b=t%)*(&)(DFDFDF-SDFDFD&p=https%3A%2F%2Frakaap182713.tumblr.com%2Fpost%2sdfdf9090892%2Fhttpsamazon-customer-serviceaccountunderreview&m=1

How to tell this is a phishing email?

  1. Check the email address in full; if it's not from the originating company, it's phishing.
  2. Hover over all links in the email; if they don't point to the amazon.com site, forget it.
  3. The best way is to look at the message source, see below.

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow at top right)->Show original.
Check for suspicious links, anything that does not originate from amazon.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at top)->Phishing Scam
  2. Gmail.com->More (down arrow at top right)->Report Phishing

Report Phishing URLs at Google now

If you have received this email, take further action now by clicking these links:

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Report phishing emails to Amazon

Send the e-mail to stop-spoofing@amazon.com
Note: Sending the suspicious e-mail as an attachment is the best way for Amazon to track it.

Tuesday, October 22, 2019

Alternative to CCleaner, after Chinese attempt to insert malware into CCleaner





CCleaner is again in the news; last time millions of users were successfully affected.

Security researchers increasingly believe that an elite Chinese hacking group broke into Czech antivirus company Avast (which bought Piriform, the maker of CCleaner) to booby-trap the popular file cleaning program CCleaner, according to research and private analysis provided to CyberScoop.

The attempt was thwarted, but who knows whether others went undetected. Why take the risk?


Full details from https://www.cyberscoop.com/ccleaner-attack-china-intezer-labs-piriform-apt17/




CCleaner Alternative

A great and free alternative is BleachBit, a new open-source privacy cleaner tool.

Download open source BleachBit at
https://www.bleachbit.org/download/windows - choose the portable version, unzip and run.


Use 

I wrote a blog post on how to clean re-spawning Adobe cookies using BleachBit.
How to Delete Google Chrome Adobe Flash Cookies (.sol files) - Respawning Cookies


Monday, October 21, 2019

How to fix files that disguise malware with Right-to-Left characters and Control Characters

In apps that support Unicode, like Windows Explorer, the right-to-left override malware method uses an RTL Unicode character that reverses the display order of the characters that follow it. The character exists for Middle Eastern/Asian languages that are read right-to-left.

RTLO can be used to spoof fake extensions; the trick relies on a hidden RTL Unicode character in the file name.

So in the example below, the 2nd file looks like a ".txt" file, but is really a ".docx" file (the same as the 1st file). The 1st file has been cleansed of the RTL Unicode character, and ends in ".docx".

The "PDF" file is actually an ".exe" file, but looks as if it will open with the default PDF reader.

Download RTLExamples.7z (it includes the above files and the .exe disguised as a ".PDF" example. The files contain no viruses or malware; the "PDF" is a harmless ".exe" that just opens this page in Chrome. GDrive marks these examples "Sorry, this file is infected with a virus", which is good because it is detecting the RTL character and the .exe, but it is a false positive, since there is no virus in the files. You can create your own examples by inserting the RTL character into the filename; see this video https://youtu.be/n2kV3Q2eTCY).

Download touchRTL.7z (you need https://www.7-zip.org/ to unpack it); this is a command line executable.
No malware or viruses of any kind, like the rest of my tools.



Here are the same files as viewed from the command line (cmd.exe). The box character represents the RTL character.


Note: Detection of a malicious file is never done by filename alone, so a good antivirus will scan the contents of the file for known signatures. BUT you can remove the annoying RTL character with the free tool below!

What is “Right-to-Left Override” (RTLO)?
The RTLO method is used to hide the true type of a file, so it might trick you into opening a text file (.txt) which really is a Word file (.docx) carrying malware. More recently this file could hide a .wav file; audio files such as .wav are being embedded with malware, which is at the forefront of malware maliciousness. Read about that in my post here.
The method exploits a feature built into Windows Explorer. Microsoft Windows does a great job of supporting different languages from around the world, and some of those languages are written from right-to-left (RTL).
Let’s say you want to use a right-to-left written language, like Hebrew or Arabic, on a site combined with a left-to-right written language like English or French. In this case, you would want bidirectional script support.
Bidirectional script support is the capability of a computer system to correctly display bidirectional text. In HTML we can use Unicode right-to-left marks and left-to-right marks to override the HTML bidirectional algorithm when it produces undesirable results:
left-to-right mark: ‎ (U+200E) Unicode character
right-to-left mark: ‏ (U+200F) Unicode character
How do you fix files that have the RTLO or other bad characters?

Here's a tool I built to clean up the Right-to-Left Mark (and many others) and Unicode control characters from your file names. It's super fast, small and written in native C++. 100% no malware or spyware of any kind.

Download touchRTL.7z (you need https://www.7-zip.org/ to unpack it). Your browser may say this is unsafe, since any EXE that is downloaded raw or in a zip file is considered unsafe. Again, as with all of my tools, there is 100% no malware. This is just one of many tools I provide on this blog.

Free for personal use, but it will open this page.

To get touchPRO.7z, use the contact form. Pro has flags to remove Unicode spaces and punctuation (math symbols, currency symbols, opening and closing braces, and accent marks).

Just run this command and it will recursively rename files under the specified directory to remove those characters. If the directory name contains spaces, you need quotes.


touchRTL -v -l -R "directory name"

where


Usage: touchRTL [-acdhlmprRtuvx] [-r REFFILE | -t TIME | -d DATETIME] FILE...

A FILE argument that does not exist is created empty, unless -c or --no-create
is supplied.

  -a, --access-time        change only the file access time
  -c, --no-create          do not create any new files - If the file exists, touch will update the access time, else will do nothing.
  -l, --RTL                remove Unicode control & format characters (esp. infamous right-to-left) from filename (ditto -u)
  -m, --modif-time         change only the file modification time
  -p, --pause-exit         pause on exit (non-GNU extra)
  -R, --recursive          recursively touch files in specified directory and all subdirectories (non-GNU extra)
  -u, --uni-cntrl-chars    remove Unicode control & format characters (esp. infamous right-to-left) from filename (ditto -l)
  -v, --verbose            output the result of every file processed (non-GNU extra)
  -x, --creation-time      change only the file creation time (non-GNU extra)
  -r, --reference REFFILE  use this file's times instead of current time

  -t, --time TIMESTAMP     use [[CC]YY]MMDDhhmm[.ss] instead of current time
                           Where
                            CC: First two digit of the year
                            YY: Last two digits of the year
                            MM: Month (two-digit numeric month)
                            DD: Day (two-digit numeric day i.e. day of month)
                            hh: Hour
                            mm: Minutes
                            ss: Seconds
                           [] indicates that field is optional

  -d, --date DATETIME      use YYYY-MM-DDThh:mm:ss[.ms] instead of current time (non-GNU, does not parse string)
                           accepted "2033-04-01T07:07:07", "2033-04-01 07:07:07", "2033-04-01 07:07:07.1200"

  -h, --help               Display this help and exit.
  --version                Display version information and exit.

Note: -d and -t options accept different time-date formats.

Copyright © 2019 Metadata Consulting <metadataconsult@gmail.com> - https://metadataconsulting.ca/
Open source by Stephane Duguay <s@binarez.com> - https://www.binarez.com/touch_dot_exe/
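The check touchRTL performs on each file name (in this post and the October 29 post above) can be reproduced in a few lines of Python. This is an added example, not touchRTL's source: it strips the Unicode control (Cc) and format (Cf) categories, which contain the U+200E/U+200F marks listed above as well as U+202E RIGHT-TO-LEFT OVERRIDE, shows the real versus the displayed extension of a constructed sample name, and walks a directory the way -R does. The apparent_name rendering is a deliberate simplification (everything after U+202E drawn reversed), not the full Unicode bidi algorithm.

```python
import os
import unicodedata

# Unicode general categories that touchRTL's -l/-u switches strip: Cc (control)
# and Cf (format). Cf covers U+200E LEFT-TO-RIGHT MARK, U+200F RIGHT-TO-LEFT
# MARK and U+202E RIGHT-TO-LEFT OVERRIDE, the character behind the RTLO trick.
STRIP_CATEGORIES = {"Cc", "Cf"}

def hidden_chars(name):
    """List (index, 'U+XXXX', Unicode name) for every control/format char."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
            for i, c in enumerate(name)
            if unicodedata.category(c) in STRIP_CATEGORIES]

def clean_name(name):
    """Drop control/format chars, which is the rename touchRTL -l performs."""
    return "".join(c for c in name
                   if unicodedata.category(c) not in STRIP_CATEGORIES)

def apparent_name(name):
    """Simplified rendering (assumption, not the full bidi algorithm):
    the text after U+202E is drawn reversed, so 'x<U+202E>fdp.exe' shows
    as 'xexe.pdf'."""
    i = name.find("\u202e")
    return name if i < 0 else name[:i] + name[i + 1:][::-1]

def real_extension(name):
    return os.path.splitext(clean_name(name))[1].lower()

def apparent_extension(name):
    return os.path.splitext(apparent_name(name))[1].lower()

def is_extension_spoofed(name):
    """True when what the viewer shows differs from what the OS will run."""
    return bool(hidden_chars(name)) and real_extension(name) != apparent_extension(name)

def clean_directory(root, dry_run=True):
    """Walk root recursively (like touchRTL -R) and rename affected files.
    Returns one (old_path, new_path, status) tuple per affected file."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for old in filenames:
            new = clean_name(old)
            if new == old:
                continue
            src, dst = os.path.join(dirpath, old), os.path.join(dirpath, new)
            if not new or os.path.exists(dst):
                results.append((src, dst, "skipped: empty name or target exists"))
                continue
            if not dry_run:
                os.rename(src, dst)
            results.append((src, dst, "would rename" if dry_run else "renamed"))
    return results

if __name__ == "__main__":
    sample = "Invoice_\u202efdp.exe"  # constructed: an .exe dressed up as a .pdf
    print("displayed as:", apparent_name(sample), "| real ext:", real_extension(sample))
    print("hidden:", hidden_chars(sample), "| cleaned:", clean_name(sample))
```

Run with dry_run=True first; the cleaned name keeps the reversed characters (Invoice_fdp.exe), exactly as the cleansed ".docx" example above does.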

Friday, October 18, 2019

Phishing emails harder to detect, now come with proper return email addresses

Spoofed e-mail messages just got harder to spot in your inbox.

Normally you can spot a phishing email by the return address, which is usually fake. The dead giveaway is that it is not the same as the company they are trying to spoof.

But a new technique just made this harder to spot.



So if you reply to this email, it will appear to be going to dhlexpress@shipping.com as well.

Solution

You now have to check the individual links in the email or document (opened online) to see whether they are rogue URLs.
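The link check this post calls for, together with the sender-address and message-source checks from the Amazon phishing post above, can be automated over a saved message source. This is an added example, not from either post: it parses a constructed message modelled on that post's headers and its t.umblr.com-wrapped link, unwraps the redirect wrapper (the z= parameter is the one in the post's link; the other parameter names are assumptions), and reports every link whose final host lies outside the expected domain, plus any Reply-To or Return-Path domain that differs from the From domain.

```python
import email
import html
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed message source modelled on the post's headers and its
# t.umblr.com-wrapped link (not the real message; Return-Path is invented).
SAMPLE_EML = """\
From: billing-problem@amazon.com
Reply-To: billing-problem@amazon.com
Return-Path: <bounce@mail.example-bulk-sender.net>
Content-Type: text/html; charset=utf-8

<a href="https://t.umblr.com/redirect?z=https%3A%2F%2Famazon-customer-service.accountunderreview.com%2F%3Fx&amp;t=abc">Just log in https://amazon.com</a>
<a href="https://www.amazon.com/gp/help">Help</a>
"""

# Parameters in which redirect/tracking wrappers carry the real target: "z" is
# the one in the post's link, the rest are assumptions for other wrappers.
REDIRECT_PARAMS = ("z", "url", "u", "redirect", "target")

def extract_links(html_text):
    # What "hover over all links" reveals; a regex is enough for an email body.
    return [html.unescape(h) for h in re.findall(r'href\s*=\s*["\']([^"\']+)', html_text, re.I)]

def final_url(url):
    """Follow wrapper parameters until the URL no longer embeds another one."""
    qs = parse_qs(urlparse(url).query)
    for p in REDIRECT_PARAMS:
        if p in qs and qs[p][0].lower().startswith(("http://", "https://")):
            return final_url(qs[p][0])
    return url

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def in_domain(host, domain):
    # Exact match or a subdomain; "amazon.com.evil.example" must not pass.
    return host == domain or host.endswith("." + domain)

def address_domain(addr):
    return str(addr).rpartition("@")[2].strip("<> \t").lower()

def analyze(raw, expected_domain="amazon.com"):
    """Return the warning signs a reader should notice in the message source."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = address_domain(msg.get("From", ""))
    findings = []
    for hdr in ("Reply-To", "Return-Path"):  # sender checks from the post
        if msg.get(hdr) and address_domain(msg[hdr]) != from_dom:
            findings.append(f"{hdr} domain {address_domain(msg[hdr])} != From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    links = extract_links(body.get_content() if body else "")
    for href in links:  # link check: where does each link really go?
        target = final_url(href)
        if not in_domain(host_of(target), expected_domain):
            findings.append(f"link really goes to {host_of(target)} (wrapped by {host_of(href)})")
    return findings
```

On the sample, analyze() reports the Return-Path mismatch and the login link that really goes to amazon-customer-service.accountunderreview.com behind the t.umblr.com redirect, while the genuine www.amazon.com link passes.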


Source: https://isc.sans.edu/diary/rss/25426



Thursday, October 17, 2019

.WAV audio files can have embedded malware - here's a workaround

Well there goes another format down the drain, don't ever play .wav files again.




BlackBerry Cylance Threat Researchers recently discovered obfuscated malicious code embedded within WAV audio files.

"Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file’s audio data," says the report. "When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise)."

Full details
https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html


Solution

Use an online converter for best safety
https://www.onlinevideoconverter.com/convert-wav-to-mp3

What Happened to OnlineVideoConverter.com - VideoProc

Or you can do it on your own; download the following

Convert your WAV files to AC3
https://github.com/wieslawsoltes/wavtoac3encoder

Wednesday, October 16, 2019

On iPhones with iOS 13, the Safari browser now sends data to Chinese company Tencent; use Microsoft Edge instead

Another blow in trust with Apple. 


Most may not be aware of it, but Apple's web browser has been sending data to Google Safe Browsing for years. This is done to protect users against phishing scams, by using an interstitial screen that prevents you from visiting a known fraudulent website from Google's list.

Now it appears that for everyone running the latest version of iOS, Apple is sending some of your web browsing history to Chinese Internet giant Tencent. This has sent critics up in flames about the potential privacy implications, especially since the feature is enabled by default and requires some digging to find it.

Apple says that it may send some user IP addresses to Tencent in the “About Safari & Privacy” section of its Safari settings which can be accessed on an iOS device by opening the Settings app and then selecting “Safari > About Privacy & Security.” Under the title “Fraudulent Website Warning,” Apple says:

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.”

Tencent works closely with the Chinese Communist Party. It facilitates government censorship in China through its multi-functional utility app WeChat. The company also released a pro-Chinese Communist Party game called Clap for Xi Jinping: An Awesome Speech in 2017 which, as the title suggests, encourages users to virtually clap for the Chinese president Xi Jinping. In addition to this, Tencent is reportedly collaborating with the Chinese Communist Party to develop “patriotic” video games.


Solution



Use Microsoft Edge as your browser on your iPhone
https://apps.apple.com/us/app/microsoft-edge/id1288723196


Of course you cannot set it as the default browser on iOS, unlike Microsoft, which settled a $731 million EU lawsuit over the identical issue. Why the double standard?




Source: https://reclaimthenet.org/apple-safari-ip-addresses-tencent/