Before You Read

Warning: If you are Resistant to Logic, please stay away from this page. Because we will be Persistent with Logic to wear down your Resistance.

Monday, September 22, 2014

File Extension Appearing to Viewer Can be Faked

Verdict :

Possible time of origin : September 2011
Circulation platforms : All
Circulation geography : Global

Original Threat Description (compiled) Under Analysis: 
Recently cyber criminals included in their arsenal a way to pass off malicious file as legitimate files by disguising Windows file extensions, and making them appear safe to download. Avast, the major digital security firm dubs this operation by malware operators as “Unitrix”. The “Unitrix” exploit takes several Unicode features designed for right-to-left languages and uses them to mask malicious executables as safe text, image, audio or video files. Combating Unitrix is difficult. The typical user looks only at the file extension, and allows a file to stay, or download a new file based primarily on the file extension. Unless the user is an expert with a thorough knowledge of the files that a system or application requires, the only way users can detect such malware-in-disguise is when the system displays additional details or the anti-virus or browser shoots up a warning message.
 Analysis by Merofact Awareness Team:   

Most avid internet users have been naturally trained not to launch untrusted *.exe files download from the Internet as they may be malicious. Though there are many other file extensions that can cause damage to your digital security, most users are not aware of them (Click here for a extensive yet incomplete list of executable file extensions). Most users have rather better knowledge about what types of files are safe (eg. *.doc, *.jpg, *.png, *.avi, *.mp3). Security concerned users apply a positive selection while choosing to download and open a file, i.e. they will allow the download to take place and will open the file only if the file extension shown are familiar and the user regard that as safe. 

But there’s one problem; by default Windows operating system hides file extensions in the file explorer. So the image.jpg present in your download folder file may actually be image.jpg.exe, and when you double-click it'll launch the potentially unwanted variety of *.exe file. So if you are a person who frequently downloads from internet, we expect you have checked the "Show file extensions" menu in your Windows settings, if not do that NOW. Once you were aware of the safe file extensions you could have opened them without any risk of security breach, but sadly only until around 2011. 

Net security scenarios have changed since Avast reported the Unitrix exploit. Simple yet factual description of the Unitrix exploit is under the head "Original threat ..." in this post. Hackers are using this new trick to cloak malicious files by disguising their file extensions to make them appear to user as safe to download and open i.e. run inside your computer with all the permissions available to the logged in user. A regular user just looks at the extension at the very end of the file name; for example, .doc for a Word document, and that is where the danger is, as .doc seen in user's file explorer window does not ensure that the file will open with default Word document viewer (usually MS Word) set in user's computer. Because Unitrix exploit can make the Windows operating system read the file name including the extension differently than what user sees on the screen. 

For a live example download a compressed file ( by clicking on this line then unzip the downloaded file in a preferable location in your computer. You should get a file named like egUnitrixGNP.doc with a supposed .doc extension. So if you double click on this file it should open with document viewer right? But it won't, if you try to open this file by double clicking you'll see the file is using the default *.png image viewer set in your computer to open the exactly same image you are seeing on this page above. 

Understandably if this example trick can work, it is also possible that any other seemingly safe file extension can be engineered to load a malicious infection in the users' computer. We found a simple way to check whether a suspected file is hiding its true file extension using Unitrix exploit. Just try to rename the file and it will tell Windows operating system to select the name and not the extension and magically you'll see a discontinuous selection, the part beyond the selection is having the real extension information, what will not fall in the safe category of file extensions. Other than this, the only other way a user may know something is a malicious executable file is if they scan the file with detecting security software. (You might say for the example provided, you can tell that is a image file from the associated icon. But that can be engineered too, we didn't indulged into that because that will take little more effort and might cross the line between an innocuous example and potentially unwanted.)

So start taking measures and restrict yourself to downloading files from trusted sources only. If you show interest in this post through comments we'll also write on whether a file with legitimate safe file extension can  carry potentially unwanted piece of code.


  1. is that file harmful?

    1. not at all, the link provided here will get you a zipped file, unzipping that will give .png image file. its just an example of the unitrix tactics.

  2. nice post. didn't know about unitrix

  3. Merofact Awareness Team,

    How do you actually add unicode symbols in the file name?

    Thanks in advance