Hackers are using a new trick to cloak malicious files by disguising their Windows file extensions to make them appear safe to download, a Czech security company warned today.
The exploit, dubbed "Unitrix" by Avast Software, abuses Unicode for right-to-left languages, such as Arabic or Hebrew, to mask Windows executable files (.exe) as innocuous graphic images (.jpg) or Word documents (.doc).
Unicode is the computer industry standard for representing text with alphanumeric codes.
The Unitrix exploit uses a hidden code (U+202E) that overrides right-to-left characters to display an executable file as something entirely different. Using that ploy, hackers can disguise a malicious file that ends with gpj.exe as a supposedly safer photo_D18727_Coll exe.jpg by reversing the last six characters of the former.
"The typical user just looks at the extension at the very end of the file name, for example, .jpg for a photo. And that is where the danger is," said Jindrich Kubec, head of Avast's lab. "The only way a user can know this is an executable file is if they have some additional details displayed elsewhere on their computer or if a warning pops up when they try and execute the file."
Microsoft's Internet Explorer 9 (IE9) uses a technology called "Application Reputation" to warn users of potentially dangerous files downloaded from the web.
Avast said that malware using the Unitrix tactic, primarily a Trojan downloader that acts as door-opener and a rootkit that hides the malicious code, increased in volume last month, hitting a peak of 25,000 detections daily. The pattern of detections, high on workdays and dropping by 75% or more on weekends, shows that the attackers are targeting business users, Kubec argued.
Additional analysis done by Avast said that Windows PCs infected with the disguised Trojan were part of a "pay-per-installation" network rented to other criminals, who plant their own malware on the machines.
"[They] provide outsourced infection and malware distribution services for other cyber gangs... apparently based in Russia and the Ukraine," said Avast researcher Lyle Frink.
Frink identified three command-and-control servers that issue instructions to the infected PCs. The servers were located in China, Russia and the US.
Combating Unitrix is difficult, said Kubec. He suggested that users open any suspect files in a sandboxed environment. Office 2010, for example, opens downloaded .doc files in a sandbox to isolate any malware from Windows.