Update : Metadata Consulting [dot] ca: How to fix right-to-left files - bulk command line tool
How is RTLO being abused by malware writers?
In apps that support Unicode, like Windows Explorer, the right-to-left override (RTLO) malware method uses an RTL Unicode character that reverses the display order of the characters following it. The character exists mainly for Middle Eastern/Asian languages that are read right-to-left.
RTLO can be used to spoof a fake extension. To do this, a hidden RTL Unicode character is placed in the file name.
So in the example below, the 2nd file looks like a ".txt" file, but it is really a ".docx" file (the same file as the 1st). The 1st file has been cleansed of the RTL Unicode character and ends in ".docx".
The PDF file is actually an ".exe" file, but it looks like it will open with the default PDF reader.
Download RTLExamples.7z (it includes the above files, among them an .exe disguised as ".PDF". The files contain no viruses or malware; the "PDF" is a safe ".exe" that just opens this page in Chrome. Google Drive marks these examples "Sorry, this file is infected with a virus", which is good, because it is detecting the RTL character and the exe, but it is a false positive, since there is no virus in the files. You can create your own examples by inserting the RTL character into the filename; see this video https://youtu.be/n2kV3Q2eTCY).
Download touchRTL.7z (you need https://www.7-zip.org/ to unpack); this is a command line executable. No malware or viruses of any kind, like the rest of my tools.
Here are the same files as viewed from the command line (cmd.exe). The box character represents the RTL character.
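To see the same trick from the defender's side, here is an added Python example (written for this page; it is not part of the original post or the touchRTL tool) that audits a list of filenames: it flags any Unicode control or format character, reports the extension the OS will actually use, and approximates how a bidi-aware viewer draws a name that carries U+202E. The displayed_form reversal is a deliberate simplification of the Unicode Bidirectional Algorithm, and the names in SAMPLE_NAMES are constructed for the example.

```python
import os
import unicodedata

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: reverses what follows it on screen
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING: ends the override


def hidden_chars(name):
    """Return (index, codepoint, name) for every control (Cc) or format (Cf)
    character in a filename. None of these belong in a filename, so any hit
    is worth a look, even when no extension trick is involved."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for i, c in enumerate(name)
            if unicodedata.category(c) in ("Cc", "Cf")]


def true_extension(name):
    """The extension the OS uses: Explorer and the shell act on the raw string,
    whose last '.' decides the handler regardless of how the name is drawn."""
    return os.path.splitext(name)[1].lower()


def displayed_form(name):
    """Approximate what a bidi-aware viewer draws. Simplification (assumption,
    not the full bidi algorithm): text after an RLO is reversed up to the
    matching PDF or the end of the string; other format characters are
    invisible and are dropped."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == RLO:
            j = name.find(PDF, i + 1)
            j = len(name) if j == -1 else j
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif unicodedata.category(c) == "Cf":
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def audit(names):
    """Report each filename that carries a hidden character or whose displayed
    extension differs from the one the OS will use."""
    findings = []
    for n in names:
        shown = displayed_form(n)
        hidden = hidden_chars(n)
        if hidden or true_extension(shown) != true_extension(n):
            findings.append({
                "raw": n,
                "looks_like": shown,
                "real_extension": true_extension(n),
                "hidden": hidden,
            })
    return findings


# Constructed sample listing (not real files): two RLO disguises, one
# zero-width space with no extension trick, and one clean name.
SAMPLE_NAMES = [
    "invoice_\u202efdp.exe",   # drawn as invoice_exe.pdf, runs as .exe
    "readme\u202etxt.docx",    # drawn as readmexcod.txt, opens as .docx
    "budget\u200b.xlsx",       # zero-width space: hidden, extension honest
    "clean.pdf",               # nothing to report
]

if __name__ == "__main__":
    for f in audit(SAMPLE_NAMES):
        print(f"{f['looks_like']!r} is really {f['real_extension']}; hidden: {f['hidden']}")
```

The audit deliberately reports on two independent signals: a mismatch between the drawn and the real extension catches the RTLO disguise itself, while the presence of any Cc/Cf character catches zero-width and other invisible characters that a renaming rule like touchRTL's would also strip.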
What is “Right-to-Left Override” (RTLO)?
The RTLO method is used to hide the true type of a file, so it might trick you into opening a text file (.txt) which is really a Word file (.docx) carrying malicious malware. More recently this file could hide a .wav file. Audio files such as .wav files are being embedded with malware, which is on the forefront of malware maliciousness. Read about that on my post here.
The method exploits a feature built into Windows Explorer. Since Microsoft Windows does a great job of supporting different languages from around the world, it also supports languages that are written from right-to-left (RTL).
Let’s say you want to use a right-to-left written language, like Hebrew or Arabic, on a site combined with a left-to-right written language like English or French. In this case, you would want bidirectional script support.
Bidirectional script support is the capability of a computer system to correctly display bi-directional text. In HTML we can use Unicode right-to-left marks and left-to-right marks to override the HTML bidirectional algorithm when it produces undesirable results:
How do you fix files that have the RTLO or other bad characters?
Here's a tool I built to clean up Right-to-Left Marks (and many others) and Unicode control characters from your files. It's super fast, small and written in native C++. 100% no malware or spyware of any kind.
Download touchRTL.7z (you need https://www.7-zip.org/ to unpack). Your browser may say this is unsafe, since any EXE that is downloaded raw or in a zip file is considered unsafe. Again, as with all of my tools, there is 100% no malware. This is just one of many tools I provide on this blog.
Free for personal use, but it will open this page.
To get touchPRO.7z, use the contact form. Pro has flags to remove Unicode spaces and punctuation (math symbols, currency, opening and closing braces, and accent marks).
Just run this command and it will recursively rename files under the specified directory to remove those characters. If the directory name contains spaces, you need quotes.
touchRTL -v -l -R "directory name"
where
Usage: touchRTL [-acdhlmprRtuvx] [-r REFFILE | -t TIME | -d DATETIME] FILE...
A FILE argument that does not exist is created empty, unless -c or --no-create is supplied.
  -a, --access-time        change only the file access time
  -c, --no-create          do not create any new files - If the file exists, touch will update the access time, else will do nothing.
  -l, --RTL                remove Unicode control & format characters (esp. infamous right-to-left) from filename (ditto -u)
  -m, --modif-time         change only the file modification time
  -p, --pause-exit         pause on exit (non-GNU extra)
  -R, --recursive          recursively touch files in specified directory and all subdirectories (non-GNU extra)
  -u, --uni-cntrl-chars    remove Unicode control & format characters (esp. infamous right-to-left) from filename (ditto -l)
  -v, --verbose            output the result of every file processed (non-GNU extra)
  -x, --creation-time      change only the file creation time (non-GNU extra)
  -r, --reference REFFILE  use this file's times instead of current time
  -t, --time TIMESTAMP     use [[CC]YY]MMDDhhmm[.ss] instead of current time
                           Where CC: First two digit of the year
                                 YY: Last two digits of the year
                                 MM: Month (two-digit numeric month)
                                 DD: Day (two-digit numeric day i.e. day of month)
                                 hh: Hour
                                 mm: Minutes
                                 ss: Seconds
                                 [] indicates that field is optional
  -d, --date DATETIME      use YYYY-MM-DDThh:mm:ss[.ms] instead of current time (non-GNU, does not parse string)
                           accepted "2033-04-01T07:07:07", "2033-04-01 07:07:07", "2033-04-01 07:07:07.1200"
  -h, --help               Display this help and exit.
      --version            Display version information and exit.
Note: -d and -t options accept different time-date formats.
Copyright © 2019 Metadata Consulting <metadataconsult@gmail.com> - https://metadataconsulting.ca/
Open source by Stephane Duguay <s@binarez.com> - https://www.binarez.com/touch_dot_exe/
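For readers who want the same cleanup without the binary, here is an added Python equivalent of touchRTL -v -l -R (example code written for this page, not the tool's source): it strips Unicode control (Cc) and format (Cf) characters from every file and directory name under a root, renames bottom-up so paths stay valid during the walk, and avoids overwriting an existing name. The demo() tree and its disguised names are constructed for the example.

```python
import os
import shutil
import sys
import tempfile
import unicodedata


def clean_filename(name):
    """Drop every Unicode control (Cc) and format (Cf) character from a name.
    Cf covers the bidi overrides (U+202E and friends), zero-width characters
    and the BOM; Cc covers ASCII/C1 controls. Accented letters are untouched."""
    return "".join(c for c in name if unicodedata.category(c) not in ("Cc", "Cf"))


def clean_tree(root, dry_run=False):
    """Recursively rename files and directories under root whose names carry
    such characters. Returns (old_path, new_path) pairs, so a verbose report
    can be printed. topdown=False renames a directory only after its contents."""
    changes = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for entry in filenames + dirnames:
            cleaned = clean_filename(entry)
            if cleaned == entry:
                continue
            if not cleaned:
                cleaned = "unnamed"        # the name consisted only of hidden chars
            old = os.path.join(dirpath, entry)
            new = os.path.join(dirpath, cleaned)
            base, ext = os.path.splitext(cleaned)
            n = 1
            while os.path.exists(new):     # never clobber a file already there
                new = os.path.join(dirpath, f"{base}({n}){ext}")
                n += 1
            if not dry_run:
                os.rename(old, new)
            changes.append((old, new))
    return changes


def demo():
    """Build a constructed temp tree with disguised names, clean it, and return
    the sorted (parent directory, filename) pairs that remain."""
    root = tempfile.mkdtemp(prefix="rtl_demo_")
    try:
        sub = os.path.join(root, "sub\u200b")          # zero-width space in a dir name
        os.mkdir(sub)
        for n in ("invoice_\u202efdp.exe", "readme\u202etxt.docx", "clean.pdf"):
            open(os.path.join(sub, n), "w").close()
        clean_tree(root)
        remaining = []
        for dirpath, _, filenames in os.walk(root):
            for f in filenames:
                remaining.append((os.path.basename(dirpath), f))
        return sorted(remaining)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Behaves like "touchRTL -v -l -R <directory>": report every rename.
        for old, new in clean_tree(sys.argv[1]):
            print(f"{old!r} -> {new!r}")
    else:
        print(demo())
```

Pass dry_run=True to clean_tree to get the list of proposed renames without touching the disk, which is a sensible first run on a large share.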
The drive link is blocked because Google detects it as a virus.
Hi trojkilla, I guess Google has amped up its check, but this is a false hit.
The file you downloaded is the examples file, not the executable. The executable does not have this warning.
I would never try to sell or provide software with a virus; this would be shooting myself in the foot.
I recommend you upload to https://www.virustotal.com/gui/ to get definitive answer to quell your healthy suspicion.