Before You Read

Warning: If you are Resistant to Logic, please stay away from this page. Because we will be Persistent with Logic to wear down your Resistance.

Monday, September 22, 2014

File Extension Appearing to Viewer Can be Faked

Verdict :

Possible time of origin : September 2011
Circulation platforms : All
Circulation geography : Global

Original Threat Description (compiled) Under Analysis: 
Recently cyber criminals included in their arsenal a way to pass off malicious file as legitimate files by disguising Windows file extensions, and making them appear safe to download. Avast, the major digital security firm dubs this operation by malware operators as “Unitrix”. The “Unitrix” exploit takes several Unicode features designed for right-to-left languages and uses them to mask malicious executables as safe text, image, audio or video files. Combating Unitrix is difficult. The typical user looks only at the file extension, and allows a file to stay, or download a new file based primarily on the file extension. Unless the user is an expert with a thorough knowledge of the files that a system or application requires, the only way users can detect such malware-in-disguise is when the system displays additional details or the anti-virus or browser shoots up a warning message.
 Analysis by Merofact Awareness Team:   

Most avid internet users have been naturally trained not to launch untrusted *.exe files download from the Internet as they may be malicious. Though there are many other file extensions that can cause damage to your digital security, most users are not aware of them (Click here for a extensive yet incomplete list of executable file extensions). Most users have rather better knowledge about what types of files are safe (eg. *.doc, *.jpg, *.png, *.avi, *.mp3). Security concerned users apply a positive selection while choosing to download and open a file, i.e. they will allow the download to take place and will open the file only if the file extension shown are familiar and the user regard that as safe. 

But there’s one problem; by default Windows operating system hides file extensions in the file explorer. So the image.jpg present in your download folder file may actually be image.jpg.exe, and when you double-click it'll launch the potentially unwanted variety of *.exe file. So if you are a person who frequently downloads from internet, we expect you have checked the "Show file extensions" menu in your Windows settings, if not do that NOW. Once you were aware of the safe file extensions you could have opened them without any risk of security breach, but sadly only until around 2011. 

Net security scenarios have changed since Avast reported the Unitrix exploit. Simple yet factual description of the Unitrix exploit is under the head "Original threat ..." in this post. Hackers are using this new trick to cloak malicious files by disguising their file extensions to make them appear to user as safe to download and open i.e. run inside your computer with all the permissions available to the logged in user. A regular user just looks at the extension at the very end of the file name; for example, .doc for a Word document, and that is where the danger is, as .doc seen in user's file explorer window does not ensure that the file will open with default Word document viewer (usually MS Word) set in user's computer. Because Unitrix exploit can make the Windows operating system read the file name including the extension differently than what user sees on the screen. 

For a live example download a compressed file (egUnitrix.doc.zip) by clicking on this line then unzip the downloaded file in a preferable location in your computer. You should get a file named like egUnitrixGNP.doc with a supposed .doc extension. So if you double click on this file it should open with document viewer right? But it won't, if you try to open this file by double clicking you'll see the file is using the default *.png image viewer set in your computer to open the exactly same image you are seeing on this page above. 

Understandably if this example trick can work, it is also possible that any other seemingly safe file extension can be engineered to load a malicious infection in the users' computer. We found a simple way to check whether a suspected file is hiding its true file extension using Unitrix exploit. Just try to rename the file and it will tell Windows operating system to select the name and not the extension and magically you'll see a discontinuous selection, the part beyond the selection is having the real extension information, what will not fall in the safe category of file extensions. Other than this, the only other way a user may know something is a malicious executable file is if they scan the file with detecting security software. (You might say for the example provided, you can tell that is a image file from the associated icon. But that can be engineered too, we didn't indulged into that because that will take little more effort and might cross the line between an innocuous example and potentially unwanted.)

So start taking measures and restrict yourself to downloading files from trusted sources only. If you show interest in this post through comments we'll also write on whether a file with legitimate safe file extension can  carry potentially unwanted piece of code.

15 comments:

  1. is that file harmful?

    ReplyDelete
    Replies
    1. not at all, the link provided here will get you a zipped file, unzipping that will give .png image file. its just an example of the unitrix tactics.

      Delete
  2. nice post. didn't know about unitrix

    ReplyDelete
  3. These are really fantastic ideas in concerning blogging.
    You have touched some nice factors here. Any way keep up wrinting.


    Feel free to surf to my blog post: Free music downloads
    (Twitter.com)

    ReplyDelete
  4. El inconveniente es que son más caros, haciendo que los
    fabricantes reserven estas mejoras para sus gamas altas.


    M� homepage : homepage ()

    ReplyDelete
  5. Tenemos los mejores vídeos x en castellano y muchos en inglés,
    además de que asimismo tenemos muchos vídeos
    porno en HD (alta definición).

    Mi webpage descargar peliculas xxx en hd; http://www.Silverdoctors.com/members/debbrakhull87/activity/218277/,

    ReplyDelete
  6. Desmoldar en una charola y decorar con higos orgánicos frescos,
    lista para gozar.

    M� homepage - mejores blog de moda argentina nigeria ()

    ReplyDelete
  7. Se trata de desarrollar la velocidad de ejecución de los ademanes técnicos deportivos de cara
    a prosperar el desempeño y eficiencia en ese deporte.), los relieves de la calzada de la pirámide de Sahura (cara el año 2500 De C.) el sepulcro de Ptahhotep en Saqqara (hacia el dos mil trescientos cincuenta Las grasas
    monoinsaturadas que se encuentran en el aceite de oliva podrían potencialmente encender genes relacionados
    con quemar grasa y almacenaje. de México 1968 y en los En el siglo XVII empezaron a abundar las
    competiciones y se empezaron a organizar de manera que las pudiera continuar la gente.


    Revisar la salida my blog post - site

    ReplyDelete
  8. Very energetic article, I enjoyed that bit. Will there be a
    part 2?

    Feel free to visit my page ... CT limousine prices per hour

    ReplyDelete
  9. Su médico asimismo puede sugerirle otros tratamientos sin medicamentos que puedan ayudarle a sobrellevar su enfermedad y los síntomas.


    Tambi�n puede visitar website - webpage

    ReplyDelete
  10. Hi there i am kavin, its my first occasion to commenting anywhere, when i read
    this article i thought i could also make comment due to this brilliant post.


    Take a look at my web-site; Air Conditioning Simi valley

    ReplyDelete
  11. I love reading a post that can make men and women think.
    Also, thanks for permitting me to comment!

    Look at my website smog check - certified auto repair oxnard

    ReplyDelete
  12. Hey this is kind of of off topic but I was wondering if blogs use WYSIWYG editors or if you have to manually
    code with HTML. I'm starting a blog soon but have no coding knowledge so I wanted
    to get guidance from someone with experience.
    Any help would be greatly appreciated!

    Also visit my homepage ... Paramotor how much are hang gliders - Paramotoring Expert

    ReplyDelete
  13. Amazing! Its really remarkable paragraph, I have got much
    clear idea about from this paragraph.

    Here is my blog :: Oxnard No Air

    ReplyDelete
  14. Merofact Awareness Team,

    How do you actually add unicode symbols in the file name?

    Thanks in advance

    ReplyDelete