This Insane Virus Trick Would Have Fooled Me - Watch Out!
Vložit
- čas přidán 5. 07. 2024
- I can't believe I didn't know about this until now 🤔
⇒ Become a channel member for special emojis, early videos, and more! Check it out here: czcams.com/users/ThioJoejoin
▼ Time Stamps: ▼
0:00 - Intro
0:54 - The RTLO Character
3:19 - Explaining the First Example
4:44 - Explaining the File Icon
5:18 - Ways to Spot It
This video explains how a special invisible Unicode character called a right-to-left override (RTLO) can be used to trick users into running malicious files, and how to protect yourself from it. The RTLO reverses any text that comes after it, which can be used to make a file appear to be a spoof or hide the true filetype, even if viewing file extensions is enabled. For example, I show a file which appears to be a Word document, but it is actually an executable file.
The Unicode code for the RTLO character is 202E and is normally used for languages that are read from right to left, however there are other similar Unicode characters besides that one. Even though the text appears reversed, it is still interpreted by the computer from left to right, meaning a malicious file could display any characters at the end of a filename and pretending that is the file extension, but the computer sees the true extension as if the text is not reversed.
This trick is not limited to .exe files and has been used in several real malware campaigns with other file types, such as .scr files and VBS scripts. Also importantly, the file icon can be changed to match the spoofed file type. As always, the best way to protect against this type of trick is to know about it. Never open or run any suspicious files, no matter how benign they may appear. And also verify the actual filetype before opening anything.
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Merch ⇨ teespring.com/stores/thiojoe
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
My Gear & Equipment ⇨ kit.co/ThioJoe
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬ - Věda a technologie
Big bruh moment
>>> I'll also emphasize the point I make at 3:49 in case people comment before watching that long - There doesn't have to be 2 periods in the filename, so "Test.exe.docx" could very well just be "Testexe.docx" - I put the other period there to make it easier to show the real file extension. So it might not be very obvious at all that this trick is used, depending on the real file extension and how they name it. For example, "arcs.docx" could really be a .scr file and the filename might not be suspicious, especially depending on the context, like naming it "character_arcs.docx" or something. There are tons of potentially malicious / exploitable filetypes out there that could be used.
Bruh.exe
Bruhgpj.exe
Why?
not a bruh.not a exe
Bruh
I worked professionally on computers since Win 3.1, read everything religiously and never heard of anything close to this. Stunning.
if you wanted some real fun , you should’ve tried the latest and greatest version of DOS and Dbase v. anything to create some major havoc … lol
Try reading it secularly then
@@CXLVII Like the lived reads the elbib.
couldn't use question marks in filenames in older windows
based shit-in-street pajeetsoft fucking everything up
@@CXLVII apt reply
I still don't understand why Microsoft had ever chosen to hide file extensions as a default. It's the first thing I fix when I install Windows. In this case it's not the same cause, but having file extensions enabled helps.
To prevent novices from unintentionally changing the filetype and thus making the file seem corrupted.
@@ZipplyZane while that's true, since at least 7 maybe even vista, when you rename a file it only selects/highlights the name, not the extension. So unless you go out of your way to delete the extension, it won't be touched. Plus (again, idk when this started) windows *warns* you everytime you change an extension.
It should really be on by default again.
In general, we desperately need an "i am an adult" button in Windows' settings.
@@andreewert6576 In a sense we already have an "I am an adult" setting. It's accessed through the Edge browser, just type in the bar "best linux distros 2023". Seriously though, MS has been actively hiding basic computer knowledge to make things seem "simpler" or "cleaner", but I suspect if they did more to just teach users what a file extension was (maybe through a help icon that did something other than inserting some vaguely relevant words into Bing) by now the general populous would be much more tech savvy on average.
Because it's noise?
What they should really do is change "show file extensions" to "allow editing file extensions"
As a security professional and having been in IT over 40 years I am also surprised that I hadn't come across this before too. Very informative, thank you.
@@ts757arse Sounds fun. I would do that
Unicode support - and in particular support for these text-direction-reversing characters in Unicode - hasn't been around for 40 years. It's not a thing in DOS and probably also not thing in the earlier versions of Windows (though I haven't actually checked, nor researched the exact dates when MS implemented Unicode support). My guess is that this MS Windows vulnerability started in the 2000s or maybe even 2010s (but I'm too lazy to research it.).
I've seen this character used online before but I never thought Windows would allow it in filenames.
Maks you think what we don't know.
I fully agree with you.
Fun fact: At the old days of youtube, you can put RTLO in your username. So when somebody attempting to mention you, they probably confused and accuse you of being a witch
Hilarious 😂
Fun fact: youtube's mobile app is _still_ confused by RTL text in usernames. K Klein just made a video about this.
@@lassipulkkinen273 Does Google Chat also suffer from this RTL problem?
youtube history :3
I have a RTLO In my username
AV software COULD scan for these "control" type characters within file names. Seems like an obvious thing to scan for.
They do actually, as long as the file has mark of the web (Zone Identifier).
There are legitimate foreign language scenarios, which is why this feature exists
@@davidbangsdemocracy5455 They should just make it so if your language is not set to one that uses these these characters, that it would just show the text normally without reversing it.
@@davidbangsdemocracy5455 Extensions in filenames should have been always out of this consideration. This should be an operating system thing and not a language direction reading thing (only in the case of extensions I mean). Or even if the filename reads backwards (for the ones we don't use right to left languages), even then extensions should be "the last after the last dot". No matter what. IMHO.
@@davidbangsdemocracy5455 why would a filename need one though? And I'm pretty sure most text renders do what the control character does anyway so it's pretty redundant now
Here's the crazy part: you can nest the overrides. You can move the extension to the beginning and mask it as a file that has a . to appear at the top... [RTL]txt.sevituc[LTR].exe will appear as .executives.txt
you're a sorcerer.
damnnn
1:20
There's a faster way if you already know the character's Unicode number.
Type in 202E into notepad (or anywhere else) and press Alt + X. This will convert it to the unicode character. If you hit Alt + X again it will revert it back.
Although the "reverting to number" part doesn't work for letters from A to F because they can already be considered to be hexdecimal numbers.
Very cool tip, I had no idea that was possible
doesnt work for me.
@@Elementening probably a Windows 11-only feature
@@QuantumScratcher As far as I know this feature has been around for a long time, maybe since Win XP. But I also know that Notepad can be a bit buggy when it comes to "Alt magic". Try it in Word, hopefully it will work there.
@@QuantumScratcher good call - works on my Win11, but not Win10 computer.
I think the simplest trick is to just rightclick and check properties, as it tells it's an executable. Or hovering over it.
hmm.. well if it's a zero day exploit, just merely right-clicking on it would still have you doomed.
Or use the details view and see it label it as an executable
A better trick would be for the OS NOT to use the extension to identify executables. Seriously, it's not the 1980s anymore.
@@justsomeguywithoutamustang6436 if you are targeted with 0-days you have bigger problems to worry about
@@theguyfromsaturn That doesn't fix anything. It is still going to execute. Anyway opening a file to read the magic number and then figure out the file type is crazy inefficient so that's why file exts are the norm; just imagine this happening on a folder with many files...
10/10 The IT department footage is the most accurate depiction of what we do that I've ever seen in my entire life.
Exatcly, I was like "Has this guy been spying on me at work?"
another simple way to spot it is to use detail view. it shows the extension correctly there.
What version of Windows are you talking about? Maybe Windows 11 File Explorer has broken Unicode filenames. 🤔 (Also, it doesn't show it if extensions are hidden.)
@@I.____.....__...__ it works for Win 11 as well. What he means is instead of “small icons/ large icons” etc under the view setting, change it to “Detail”. The default columns are “Name, Date Modified, Type” etc. “Type” would show what the file is. So it would show “Windows Batch File” for example, irrespective of file extension being hidden.
@@honeypeadigital あっぷ
I already use detail view because I like to be able to quickly sort files by date/type/size, so knowing that the file extension may be lying, but the "Type" field is not will make me rely on that column even more.
@@Bayonet1809 the only time where I would use another view other than detail is when browsing folders with pictures
Windows should really really implement a special icon that indicate a file is a executable. Like how shortcut have a arrow pointing at it on the bottom right.
The "EXE" extension should be sufficient if they stop allowing "hide extensions" and disable things like the override described in this video.
@@sexygeek8996 I'm taking about people who aren't computer literate enough to recognize it. Most of my friends don't know how to enable extensions and those that do would click on the exe anyway because they saw a Word icon.
@@theAcum Hide extensions should be disabled by default and there shouldn't even be an option to enable it. Those oddball features to manipulate the display of filenames should be disabled by default unless the computer is configured for a language that requires the feature. If the extension is EXE then there shouldn't be any way to display a different icon.
@@sexygeek8996 That is just not inclusive enough.
@@Korbus_Corax Why is that? I said the feature should only be enabled if the system is configured for a language that needs it.
There are way too many features nowadays and they cause a lot of security problems.
Just make sure your download folder's view style is set to Details mode. That way, you can see what type of file it is from the Type section. People should do this by default for a couple of reasons, anyway. First, some file names are too long to see the extension by default, so this is actually even easier. Second, the download folders is usually way too disorganised to to have large chunky icons like a Desktop. Third, the "Details" view has way more useful information like the Date Modified time stamp and size for easy location of files and deleting large files. I'm pretty sure Windows already sets the Downloads folder this way by default, anyway.
A useful suggestion, but details view shouldn't be "just" your only checkpoint before opening a file.
And have files ORDERED by type (extension). All the .exe files will be grouped together.
Fair point about the downloads folder, however I never use it. I always use save as and either save to desktop or save it directly to where it will live the rest of the time I own the computer. I only dislike using the downloads folder cause it turns into an out of sight out of mind sorting system, and I cant deal with that
@@legionofanonI often redirect downloaded files as you suggest. But sometimes a duplicate copy exists also in the downloaded folder...
insane this is allowed to happen man
keeping folder view on detail & showing "file type" off to the right as a column might help, i usually glance at that to be sure of what im clicking on
Yeah my file explorer defaults to details view, but you might have a usb drive full with pictures and documents, in which case the large icons view is more convenient for image previews, so the trick could work. Realistically anyone who might be affected by this should have all Windows Defender features on, so SmartScreen will alert them about executing an unknown file, even if not detected as a virus you'd immediately know it's an executable.
What's insane about it? These are the sorts of problems that come up when trying to accommodate things like other languages, which of course, can't be just ignored. What's insane is that it took as long as it did for the Unicode Consortium to be established (1991) to standardize this sort of stuff, causing all the other countries in the world to have to hack bespoke and incompatible systems back in the day. That's why things are a hodgepodge mess now.
youd imagine that its possible for windows to just print "&rlm" by default if youre using a system locale that doesn't use these types of characters or formats
hasnt been a problem in web browsers for a while right?
I’ve been working with pcs since the stone ages of DOS and I suspected something like this was behind some of the weird attachments I’ve seen, but didn’t get it until your vid. Thx.
I’ve been raging at Microsoft for years for hiding file extensions and not just forcing users to understand what they are and how they work. It’s a simple concept and there’s no reason any pc user couldn’t learn it, but when you try to make things idiot proof, all you do is turn your users into idiots because they never learn the basics. Today I see so many users that don’t know the difference between a shortcut, and a folder, and a zip archive because they have all been confusingly glossed over and never taught to users.
Good vid! I recommend!
Couldn't have said it better! That's why I hated Windows when it first came out. Because it hid everything going on behind a colorful GUI. I think it still lacks a 'programming mode' to this day.
Mac OS is no better in this regard. Finder is so information sparse by default.
Idk the difference betwen them 💀
All I know is Dat zip is compacted and shortcuts are, well, shortcuts
"when you try to make things idiot proof, all you do is turn your users into idiots" is a quote to be remembered
@@November The way I heard it. If you make something idiot proof, they will just invent a better idiot next year.
I will say, Windows Defender/Security does detect this if you try and spoof another extension. That can be gotten around with spaces in the file name, Cyrillic characters/other look-alike characters, etc; but... it does at least try to stop this from harming you most of the time.
yea i just tried making one to test and couldnt run the file i just created.
@@SamsterBirdies You can get around it by naming the file using Cyrillic or other lookalike characters for the fake extension, just to re-affirm that.
@@Terraphice how do you get around it
@@cjcoleman8525 Look up lookalike Unicode alphabet characters and replace one of the letters in an extension with a lookalike.
@@SamsterBirdies I also couldnt run the program. I think windows prevents to run all .exe files where this right to left unicode is used
This is one of the reasons why you should always disable the "Hide extentions for known file types" in Folder Options.
An option which is phrased in the negative, itself a very poor design choice.
@@clickrick This obsolete feature goes back all the way to Windows 95. It's hard to imagine that it has remained in Windows for over 2 decades.
You could also just use a real operating system instead of using Windows.
@@networkedpersonYou could also get some maidens and stop being a geek
@@chrisdawson1776 lol, hating on new technology with your 1776 moniker and your Ben Garrison picture. Let me guess, you also hate desegregation and anti-monopoly anti-wealth-hoarding laws...
Wow, that's rad. I work in the IT industry and actually have a good knowledge. But this was completely new to me that there are Unicode characters with this effect. Thanks for the education! So many won't know that, let alone non-IT people out there.
as an IT Admin, I always use the windows sandbox to open files that I don't trust or generally download from the internet from an untrusted source! : )
You can create a hidden character rtl:rctrl+rshift and ltr:lctrl+lshift it’s commonly used with bilingual users who type rtl languages. This isnt override character tho, the normal rtl switch flips the orientation of the text box you’re typing into, usually causes issues when adding ltr numbers(or brackets)into an rtl text.
bookmark comment later
what is the rtl i know rctrl is right ctrl but i havw no ide what the rtl key is my oly guess could be tab lock but i dont think that key would ever have a major purpose so no sense in makeing it
I knew of that Unicode character but I didn't realize it could be used in this manner! Feels like an oversight for Windows Explorer to support that behavior in these cases, but I know it's difficult to determine if it's being used legitimately or not.
To note: legitimate use cases would be files that includes both Latin characters (A-Z) and characters from a language that is written right to left. Whether there'd ever be an executable like that, I'm not sure.
Still, the file extension should be special, ignore that character and stay at the end NO MATTER WHAT
@@guiorgy I would definitely agree with that. Unfortunately, Windows is based on very old technology and a filesystem that doesn't consider extensions "special" and just considers them part of the filename (I'm assuming, based on how it handles this).
A fix might be to take whatever code Windows uses to determine what to hide via "hide file extensions" and just always display that set of characters at the end. Not sure if that would break other things though.
@@gFamWeb yup, you are correct. In ntfs, file extensions are just considered part of the file name, and file type is derived from the filename. Most modern file systems work differently.
@@guiorgy EXACTLY!!!!!!!!! Finally someone!!!!!!!!!!
@@gFamWeb Well, if there is a way to update this without breaking compatibility, extensions should be an operating system thing. So should be the last after the last dot, as said: NO MATTER WHAT!!!!!!!!! 😅
Yeah this is a very old trick. Most people are not aware is this. I have used this trick for saving certain things and then renaming it when I needed it. Yes virus can hide in there but a there are ways that you can find them too. Or even prevent this from happening. Great video.
Fun fact: the maddening invisible character in the view certificate window (until it was finally fixed a couple of years ago) that is bound to have caught out anyone who ever tried to copy a certificate thumbprint was a LTR character.
explain
@@fss1704 if you ever needed to copy some details of a cryptographic certificate, you could view the certificate from Windows, then look at properties like its thumbprint, but the text box that showed those details had a unicode left to right character at the start of it, so when you try to e.g. copy that thumbprint to a configuration file, you would accidentally copy the LTR character and whatever software you were configuring would not accept it, but because it's a zero width character it's hard to track down the problem, because it's invisible.
What? That’s insane, lol. My trust in Windows’ ability to manage my certificates has decreased.
Thank you for explaining things as simple as possible. I always learn something new from your YT videos. Simple, short, and informative 👌
And it's actually one of a few channels I have notifications turned on.
Wow, I didn't know about this. I don't know why Microsoft chose to make file extensions turned off by default. I agree that it should be turned on, but people who are not very computer savvy wouldn't know to turn it on. This setting has been like this for a very long time
Indeed, probably the single worst decision in terms of making users more vulnerable to attack.
I think file extensions should have a neutralizing unicode character when displayed in Windows Explorer / force to be put at the back / front depending on Windows localization settings. Not sure why it wasn't implemented.
It's because normal users don't know about them at all and ignore it. It both wouldn't help those users anyway, and also lead to them renaming files and screwing up the file extension when they do it.
Dude! Never heard of that one until now, and that seems like a serious security issue to me. Thanks for keeping us informed!
I knew that one (because I work in IT security, and we've specifically dealt with malware campaigns using that trick). Good to see you're bringing attention to it.
It's good to see your channel still doing well, I haven't seen anything since the days of charging phones in the microwave and reading hate comments, I didn't even think your channel existed anymore, but I'm glad it does
Even as an engineer, I wasn't knowing this. Thanks a lot for the knowledge you share
Wow. This brings up some memories.
Using this trick, I made three batch files.
Any of the three would open, execute its program, which was to open the other two upon close.
Obviously, when you closed it, it would open the two other files, close one of them, another two.
A fun little Hydra, makes you restart your computer, pretty harmless.
At this point though, we had been tricking each other (I was in a class of folks learning all sorts of network related things) with .bat files for a bit, and I had discovered this to hide my files in plain sight.
It was perfect for my little Hydra.
Thanks for bringing up some memories, and making me feel old, this was back in '04. (I'm 36).
I have been building and using computers since my C-64 and this is absolutely astonishing. No matter how much you think you know, you can never know it all. Thaks very much Thio for this valuable information!
This brings back memories of using ASCII control codes on character-based ANSI terminals like the Digital Equipment Corp. (DEC) VT-100, VT-220 and later models. You could embed backspace or cursor movement characters within text so regular characters would be sent, but then the cursor could be repositioned, and new characters would overwrite the old so you wouldn't see them. Or special escape codes to control terminal functions, like putting the terminal into its self-test loop that required power cycling to get out of it. 🙂
( 0:58 ) to my knowledge this character can be use to put your CZcams verification tick (Thing) in to middle of the username
Pretty cool stuff
Very interesting
@@ThioJoe you have a verification mark you cloud try it
Yes, I have already heard of this a few years ago, but back then I didn't thought about how that could also be applied to filetypes other than .exe, and this Video probably helped me to be even more careful with suspicious looking files in the future.
I love how you show what you searched to get the stock footage, that's really interesting to me!
You got me; I'd NEVER heard about this. Amazing!! I'm sharing this far and wide as a warning. Thank you!
I do one more thing, I use list view/details view and categories/display file types, this helps to push suspicious files in categories like application or vb script etc thus preventing accidentally mistaking it for a harmless document or any other file.
I didn’t even know that there is a character that can reverse text like that on a file name. I’ll definitely be more careful when viewing files on my computer. Thanks for the info!
This is why files shouldn't be automatically executable based on file extension. On Linux you first need to explicitly mark a file as executable
It doesn't just run on Windows, it brings up the do you want to run the executable dialogue.
That's would break one thing that windows has over Linux, ease of use
@@jordanwardle11 so, how often do you need to execute randomly downloaded executable files that aren't installers? On linux we don't execute installers, but instead feed them to the central system installer, where it can be centrally tracked (and also uninstalled). So the amount of cases where this would add two more clicks, is almost none. (I'd even argue that for installers Linux's approach is more user friendly). I think that's a fair price to pay for anyone to prevent a huge swath of dumb viruses
@@jordanwardle11 true. But almost all the Microsoft created security holes in our computers were put there to make things easier to use.
It's easier to not bother locking the door when you leave the house, and makes it easier when you come home as well. But anyone spot the drawback?
Clever trick. You did a great job explaining this. Glad I use the Details view.
I tested this on a file on my pc and i think i may have found something that could help here:
If youre not sure whether or not a file is legit or not, try renaming the file and go through the characters with the arrow keys. Not only will the cursor start at funky locations, but it will also jump through the name, as it works through the chars. Also, in my case the blue marker for selected text didnt select the extension, which in this case was right in the middle of the displayed text.
Also, you can copy the filename and paste it into notepad, limit the charset to ansii and then see some broken mess if a unicode symbol was used. Although this only tells you THAT a unicode char was in there, not which one. But i think there are online sites that do that for you, usually for detecting email adresses that look legit but are using characters that look similar to normal characters, but arent.
Not a very good fix. Still wastes time having to use rename and slowly step through the name and prone to being forgotten.
Well I'm a trilingual person (I speak Arabic, English, Turkish)
Arabic script and Old Turkish script is RTL
while the New Turkish script and English is obviously LTL
Blocking RTL would limit my uses of the laptop as I use all the languages on my laptop.
We need a way for Microsoft to to warn users
I think a good way is showing a prompt to the user the first time he opens an executable even if it does not have admin rights
Honestly, Windows should add something similar to the Linux/Unix executable file permission thing, so like by default files you download from the internet can't be executed unless you edit their permissions, this would prevent this and all the other filename tricks. Or, they could add a thing to the file explorer that prompts you if you want to execute the file when double clicking on it if it is an executable, similar to what KDE's file manager does
It already does that for files downloaded from the Internet
The second option is better, as I would hate having to take the extra step of editing permissions for an executable.
@@lumer2b yeah the problem moreso there is that people tend to automatically click through those prompts. While the first suggestion prevents that, it's a hassle to users in the cases where it's unnecessary. It's difficult to balance the two.
It already does
I think the "File type" column should help a lot in this case. You will see something wrong right away if the extension doesn't match the filetype.
Really interesting to learn, thanks ThioJoe!
Idk Windows still have that disabled by default lol, by experience they already shoulve lmao. The weird RTLO character should'nt be shown and the file extension should ALWAYS be placed at the end of the file, disregarding any text thingy which pushes it forward
This is why we should sanitize our filenames. I don't know if rename can handle invisible Unicode characters, but if not then this might be a place where someone could fill a gap with a nifty utility.
What a great app to use as a Trojan to achieve two things: allow your own hacks through but deny any others, to gain an advantage over other state actors....
I think that this may have been the most important video I have watched for a while. Thanks for the heads up.
I can see how this would've fooled me too, so useful thank you!
You truly brought your channel the other way around since free wifi upgrades haha
Very dangerous. Microsoft should patch this straight away. But that will never happen. Cheers for sharing!
As of jan2024 it wont work for me so seems fixed
When it could even fool the Guru himself, you know it's real shiz
i learnt about cyber security from you more than my IT department ever did. and that is coming from the company with big emphasise on cyber security, with weekly elearning/module/compulsory assessment on cyber security
Fascinating. While I mainly just use Windows for playing games, I can see this tricking a lot of users, even the more sophisticated ones.
I've used this character so much that when you revealed file extensions i knew exactly what it was, never thought of using it this way though unless you directly share it from a usb stick or something, most CDNs will just change the name formatting or just completely deny uploading (i believe Discord denies the upload)
Discord renames it
If it is not zipped. If it is zipped which it is mostly zipped. Then it will be dangerous.
@@emmanuelmgbemena yes, I already know this. But if someone opens the folder with a program like winrar or 7zip (more common than you think), the zip is rendered completely useless, as rtlo is not rendered "properly" there
Another good strategy to avoid this is to open downloaded documents in the right program directly (eg open up Word and find the file from its file picker). That way it doesn't show any incompatible files. Obviously beware of things like macros regardless.
Loved ‘extremely realistic depiction of an IT department’-🤘🏻🤘🏻🤘🏻🤣🤣🤣
Great info, thanks as always!
Everybody is gangster until ThioJoe logs in
OS should show all executable types with additional sign on icon just like with the shortcut. That way, no matter the icon or name, it would be obvious from the start.
I saw a german video about this exact thing by SemperVideo like 10 years ago. How could microsoft not have fixes this in that long time? Seems like a pretty serious issue to me.
This is an advanced version of a prank I played on nocives in the old days of ASCII terminals on Unix, DEC RSX orVMS, or HP-RTE systems. Neat.
This is a pretty neat trick, I knew this existed, but never thought about using it to try to obfuscate a file extension this way.
This is NUTS! Windows should be updated to always show the extension last! I assume that Windows uses simple concatenation to display the filename but it should always resolve the filename first and then add the file extension. Like brackets in math. (I assume that for right to left user, they display the extension first but the same point applies.)
I'm going to guess the culprit is that the administrators failed to disable the GPO which hides known file extensions.
It's a very dangerous setting and should be disabled by default in my opinion.
EDIT:
Wow, I was completely wrong. I would never have guessed that in a million years. And I hate to admit it, but I would have opened that word document without hesitation.
From now on, I'll certainly be more cautious.
I wonder if there's some way I can implement a GPO setting from the domain controller to prohibit these characters being used as file names. Or perhaps I can create some software that would scan for files containing this character in their name, make a record of the original file name, and move the file to a different directory. A placeholder file could the be put in its place. When you run the placeholder file, the software runs and warns you about the file, and still gives you the option to restore it. Though it's only a passive process... If the file was opened before the scanner had a chance to find it, it would have no effect.
I was actually familiar with this trick as I've used it a few times for some fun and pranks. Great way to code a jump scare and hide it as an image.
Same! I used it once to get access to a scammers computer!
@@kaiduwu that's what I'm talking about. Some Gigachad stuff over here.
@@jmsether may I have your discord? I'd love to show you a similar trick that's a lot easier to share the files of over the web, though it is a bit easier to tell the file extension is faked if you know what to look for
Well thanks…. looks in part on how Paul Hibbard may have got hit. I can remember the days when .scr files were rampant with malware before AV became the must have
I've known about the character, but never knew it could be used like this! Thanks for saving us 😅
This is really interesting to see because I remember that I saw videos in 2015 of malware exploiting this. I thought that Microsoft would have worked on the issue since then but seems to not be the case! It would be interesting to see if you could bypass certain file checks using this method
I read about it on a German computer news site (heise online, article „Täuschende Dateinamen unter Vista“) in 2007 (!) a couple months after Windows Vista was released. Because Vista was the first Windows version vulnerable to this trick; XP doesn’t interpret the RTL characters.
@@HuskyNET I remember the video from Sempervideo - In the video they had the example "sexy-hexe.pdf" :D - seems like they took it down but you can find a mirror if you search for "Demo-RTLO-Angriff-auf-Windows-fuehrt-auch-aufmerksame-Nutzer-hinters-Licht" - the winfuture site actually has the removed youtube video :D
I wasn't aware of this trick, but at the same time I don't think I would have fallen for it, because I always make sure "Show File Extensions" is enabled (no idea why MS disables that by default), and seeing "Test.exe.docx" would still set off alarm bells in my head, even if the "exe" wasn't at the very end.
True but what if the name of the file was "annexe.docx", then you wouldn't find the "exe" part weird as an experienced user, and for standard users, they would still click on "ann.docx" out of curiosity.
Edit : I realized it'd say "anndocx" if we disable showing extensions, so the attack would only work if they know you have showing extensions enabled.
@@moncefbkb9353 I still think that sort of thing would be weird, but I suppose it also depends on what type of files you expect to encounter.
Regardless, I could easily see this tricking a lot of people. I just tend to be very suspicious of any attached files unless it's from someone I know and I'm explicitly expecting them to send something.
What about “n1c DOT executivesummary DOT doc”? This is an example from a German news outlet which published an article about that in 2011. I used “ DOT ” instead of an actual dot to avoid CZcams deleting the comment. The actual text would be “[RTLO]cod DOT yrammusevituc[LTRO]n1c[LTRO] DOT exe”.
Wow. I knew about the unicode RTL character, but didn't know windows supports it in filenames. Thanks for the heads up. The type field in the details view is a bit harder to fool, so I'm going to start using that more, in addition to checking the extension.
Your new channel is pretty good! I remember viewing your channel back when it was mostly pranks and parody, but I like this more informative channel a lot more, nice change!
new? lol. Yes I too remember the pranks and stuff he did way back. But this type of content he's doing now isn't exactly new either. :D
@@ttkftykyfts well, I didn't expect him to be that knowledgeable. His parodies I think cheapened his more serious content, it's good that he got rid of them.
This is still the same channel. He just switched to actual helpful IT tips rather than joke videos.
It would be interesting to see which antivirus software looks for that in the names of files or their extenstions. Also Windows should treat that like a special character and not allow it to be used in file names. It could also automatically change that to something that renders the exe extension harmless if that character is anywhere in the file name. Also in the future Windows could alert us to suspicious file names. One more thing they can do is force extensions to be revealed for a file that has any of those characters in the name whether you wanted to see extensions or not and refuse to run it, warning you about the file every time.
as soon as he said "i guarantee you're wrong" at the start, i was like "that's gotta be the unicode reverse thing, right?" and as soon as he said it was using an invisible character i was like " C A L L E D I T "
I feel like I just want to show off, but I paused the video before he gave the answer and thought about it and that was the only thing that I could come up with on how to do it, because Windows shows this file as an executable. However, I would have assumed that Microsoft had prevented this security flaw long ago, because this was already in the news during Windows Vista times.
i thought its too obvious that it's just a hidden file extension so I put my bet on weird unicode magic and I was right lol
funky stuff, I would never had any idea, thanks!
Those unicode characters are pretty well known in the IT security industry, but a great reminder, I'll try and find a way to get these on our systems.
A simple way to avoid this when opening an unknown file to always right click and choose "open with" and the relevant program. So if it is a fake DOCX file and you choose "Open with Microsoft Word" , it would try to open the EXE file in Word, which might fail, but it doesn't matter, it just won't launch the file.
Or just open the file from the Open command in the program itself, not by running it on the Desktop.
The whole concept of "opening" a file by double-clicking it was a bad idea from the start. Some naive users might have liked it but it was never worth all the problems it caused.
@@ZipplyZaneYeah but that and all other workarounds that is not "explorer view" costs some time. Safety has a price. Not much but still. Some programs might have bad file selectors.
I think Tiles view is a workaround that doesn't sacrifices too much. Guess one needs to use that or simply toggle between views.
On Windows, if you use the "tiles" view in file explorer, it will tell you what type of file it really is off to the right
quite ingenious! unicode did open the door for many security concerns, such as character that look like standard roman characters in URLs and stuff like that.
There are also alternate data streams. These are not usually directly executable, but they can be used to hide executables and scripts, and at least back on the days of Windows 2000, you could call the visual basic interpreter and pass it an alternative data stream and it would execute it. The only thing that keeps it from being weaponized is that so far no email client or web browser understands alternative data streams. I did try putting the love bug in an alternative data stream (in an air-gapped lab setting), and if you called it with the visual basic interpreter it would run and spread, but since outlook does not understand alternative data streams the version that was spread in my experiment was not able to spread by people just opening the email attachment. The worrying thing was that none of the antivirus or anti-malware scanners detected it in an alternative data stream.
There was also a time back in the days when a lot of people here (without technical background) used special Unicode characters on Facebook to cause all kinds of strange effects. I think I have also seen something similar on Twitter once. Not sure if this is still a thing.^^
The Twitter thing was recently covered by David Bombal and TheXSSRat I think?
He used a script in a tweet and I forget what it caused. But it made it retweet itself through people who saw it it think? Or something silly.
But stuff like that is always interesting to see!
@@TheJoshShephard That was in 2014, but it was more due to a bug in Tweetdeck that for some inexplicable reason, they used the heart emoji to indicate preceding text was to be rendered as HTML.
@@Joooooooooooosh noted! My memory is a little fuzzy. So I forgot some specifics. So thanks for the clarification!
Usually when you hit F2 to rename a file, it doesn't include the extension. Could this be a quick and easy way to check a new file before opening it?
Wow, thanks for sharing this information; this is a major security flaw! I hope Antivirus companies will do something to protect users against files with UTF characters.
I knew about the unicode character but I didn't know it can be used for something like file extensions, that is just wicked. This was taught to us, as well as some other unicode characters, as a side note by our professor in university and he just said that it was something cool but doesn't really have any real-life use.
File names can include right to left script from other languages, but I don't know if that needs the rtl character.
The biggest issue is that operating systems like to hide extension information and love to make it easy for software to auto-run. Every time I get a new computer I need to spend time fixing those issues to improve safety.
Right-to-left text doesn't need the right-to-left override character in a proper text rendering engine, but right-to-left text in the middle of left-to-right text might need the right-to-left embed character before it and the pop directional formatting character after it if there are directionally ambiguous characters (like ASCII numbers and punctuation) around the right-to-left text that need to display right-to-left. For instance if there is English text, Arabic text beginning with a quotation mark and followed by a period and quotation mark, and more English text, it is probably a quotation containing a period and you would want a RLE character after the opening quotation mark and a PDF character before the closing quotation mark. That makes the period behave like a right-to-left character and display to the left of the Arabic text rather than to the right. In HTML, it's best to omit the invisible characters and use CSS (unicode-bidi: embed; direction: rtl;) equivalent to the RLE and PDF characters.
I remember learning this when I was learning ethical hacking.
And mark my words most of the CZcamsres who got hacked was due to this.
Always informative, thanks.
Thank you ThioJoe. Very interesting, informative, and educational
Great video!! Possibilities are endless!!!🤣
It's not the first evil trick that people do with Unicode characters. There exists also some messing with what sites show in google search results by looking like official websites but actually exchanging characters for very simular other Unicode characters.
Learning new things everyday!!!🙃🙃
Could this same trick be used on URLs in the browser? If it is possible to swap characters in the domain name, you can be redirected to a malignant site even after checking the URL for easy to miss variations such as "m" being replaced by "rn".
2:04 In Linux (Ubuntu Unity 22.04) the text cursor is where you type after the RTL character, in Windows 11 the cursor is on the right so you can't even reliably see where the next typed character will show up... Only after a space character does it jump to the right, but after a printed character it is where the next letter will show up.
How ty type in reverse in Linux: Ctrl+Shift+u, let go then type 202e followed by Enter.
That's how easy it is. And to type the right way around again, just use the U+200E character.
With an executable, it's easy to change the icon as you can just embed it as a resource and Windows Explorer will use that icon to display the file, but with stuff like VBS scripts or images, you can't embed icons in them, so they should be easy to spot via their icon.
There is also a now patched exploit in Microsoft Office where a document can launch any executable and I thought this video was going to be about that.
Ya but in this the exe is running. Which can me made to make a docx open in word and keep doing its work in background.
I could've guessed there were RTL shenanigans the moment you showed extensions and .exe appeared in the middle of the filename. But I'm somewhat used to unicode shenanigans because I spend time thinking about how to render the text "as intended". That's nasty and gonna bite a lot of people! Might've bitten me if I hadn't just dealt with RTL stuff just a few weeks ago! 😬
What if it was written as
ReadmeXE.docx?
Actually learnt something new - I could have fallen for this too. Thanks for making the awareness vid.
Retired Unix/Linux user here now using a Mac. I'm just starting to explore Unicode and I had never heard of this/these class of characters (Right to Left ... ).
Would love to see similar videos re Mac exploits.
Very interesting, I knew about the unicode character, but didn't think it would be allowed in filenames. Wtf? Windows prevents you from having : or / in the filename, but allows non-printable characters?
You can't have \ or / in a file name because they are used for path names. C:\windows\system32 for example.
Thank you Thio Joe! I'm a programmer since 1975 and this is a new thing for me. If Microsoft doesn't fix Windows to prevent Unicode characters in filenames then this bug is on them. I'm sure the Linux geeks are working on it now (prolly thanks to you!).
And props to the hackers for being so inventive, damn their eyes.
Wdym "prevent Unicode characters in filenames"? All letters would be blocked if they did that
Plus, the character is used in loads of languages -- not every language is left-to-right
@@aMySour hence the LTRO. Yeah I know even English wasn't originally left to right only but alternated from one line to the next. MSDos doesn't have the LTRO but Windows does - but it's not an option. I'm sure you know that I mean non-ASCII characters when I mentioned blocking Unicode. It made for a shorter comment that was already too long.
Wow! Well this was very interesting! I remember the web site where you go and type something and it will appear as upside down - and it just work anywhere. I didn`t know that Unicode characters have ability to type upside-down... Who knows what is possible...
Good Video as always.
I have few custom file icon (for txt and video files) so at least i would see a difference immediately.
That is really really smart. I can see myself falling for this too.
Yes, this is somewhat dangerous, but the file would mostly come to you as an email attachment.
Your antivirus would warn you in the same way that it does for any other EXE.
Unfortunately not always the case. If something is configured correctly, it's possible to bypass virus detection software in various ways.
If it's not an email attachment, it's via a link. And may bypass detection because of file size or something else.
Paul Hibbert had this happen via a fake sponsor and a fake pdf file.
Then with most CZcamsrs. The malware is being packed in zip folder and auto downloading after being directed to a pdf with a script.
The browser and virus detectors miss it. And if the person finds it and unpacks it, they usually run Redline Stealer and get their accounts and many other things hacked.
Usually it's in the form of a WMG, UMG, Copyright claim or Strike.
But unfortunately for Paul, it came in the form of a fake sponsor campaign
it'd be in a .zip, .rar, .ace, .tgz ... most AVs *should* handle them fine, but I can imagine other scenarios that would be trickier. Like passworded zips - the con would be in convincing the victim that there was a legitimate need for the file to be password protected. and I can see my folks falling for this. Can't you?
@@TheJoshShephard can i get some videos of this?
This is why you should use an OS that doesn't allow random files to become executable just by including four characters in it's name.
This is basically a variation on an unfixable security blunder that was inherited from CP/M -> MS-DOS -> Windows
Super interesting! It's always fun playing around with obscure Unicode characters.
Specifically, there's this zalgo-like Arabic character I found that breaks everything!