
Right-to-Left Override unicode exploit


Amaroq_Starwind


I believe I wrote about this file naming trick years ago.

EDIT: RE: Post #11 (2014), Post #20 (2017)

12 hours ago, Amaroq_Starwind said:

Welp. Looks like Right-to-Left support can be a bad thing at times. Maybe Malwarebytes should be updated to detect these sorts of things during filesystem scans.

I have also replied to your posts, Amaroq_Starwind, with specific information.

Please stop suggesting what MBAM should do.  Write your own anti-malware application.

MBAM specifically targets binaries that start with the first two characters being: MZ
They can be: EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything, such as TXT, JPG, CMD and BAT, and they will still be targeted just as long as the binary starts with 'MZ'.  This includes file names that use Right-to-Left Override to obfuscate an executable file extension.

MZ-binary.jpg

Reference:
https://en.wikipedia.org/wiki/Bi-directional_text
https://en.wikipedia.org/wiki/Right-to-left

 

EDIT:

Here's a file I submitted years ago.

https://www.virustotal.com/en/file/3ac80eecd863e0f33fa124d5ae13bbbf070672d03628415823cbd0397aa100fc/analysis/

First submission 2013-08-07 18:58:40 UTC ( 5 years, 8 months ago )

 

Edited by David H. Lipman
Edited for content, clarity, spelling and grammar

Just to quote the article linked above by David H. Lipman as it's relevant to this issue:

Does this have any effect on the detection of these files?

No. Detection of a malicious file is never done by filename alone. So your AV and Malwarebytes Anti-Malware will still recognize these files if they were added to their detection, no matter what they are called or how they are written.
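
The content-first check described in the posts above, as an added example that is not part of the original thread and is not Malwarebytes code: it classifies a file by its leading 'MZ' bytes and separately reports bidirectional control characters in the name. The function names and the sample names and contents are constructed for illustration.

```python
import os
import unicodedata

# Extensions the post lists for MZ binaries.
PE_EXTENSIONS = {"exe", "cpl", "sys", "dll", "scr", "ocx"}

# Unicode bidirectional control characters; U+202E is Right-to-Left Override.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def bidi_controls_in(name):
    """Return the Unicode names of any bidi control characters in a file name."""
    return [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]


def stored_extension(name):
    """Extension in stored (logical) order, with bidi controls removed."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lstrip(".").lower()


def has_mz_header(data):
    """True when the content starts with the two bytes 'MZ'."""
    return data[:2] == b"MZ"


def triage(name, data):
    """Classify one file by content first, then report name anomalies."""
    ext = stored_extension(name)
    mz = has_mz_header(data)
    return {
        "mz_binary": mz,
        "stored_extension": ext,
        "bidi_controls": bidi_controls_in(name),
        "renamed_binary": mz and ext not in PE_EXTENSIONS,
    }


# Constructed samples: names and contents are made up for this example.
SAMPLES = [
    ("MZ-binary.jpg", b"MZ\x90\x00" + b"\x00" * 60),
    ("report\u202egpj.scr", b"MZ\x90\x00" + b"\x00" * 60),
    ("notes.txt", b"plain text, not a binary"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(repr(name), triage(name, data))
```

The content check gives the same answer for the renamed and the override-named samples; the name check only adds context for an analyst reviewing the result.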
