How-To Geek

How Hackers Can Disguise Malicious Programs With Fake File Extensions

File extensions can be faked – that file with an .mp3 extension may actually be an executable program. Hackers can fake file extensions by abusing a special Unicode character, forcing text to be displayed in reverse order.

Windows also hides file extensions by default, which is another way novice users can be deceived – a file with a name like picture.jpg.exe will appear as a harmless JPEG image file.

Disguising File Extensions With The “Unitrix” Exploit

If you always tell Windows to show file extensions (see below) and pay attention to them, you may think that you’re safe from file-extension-related shenanigans. However, there are other ways people can disguise the file extension.

Dubbed the “Unitrix” exploit by Avast after it was used by the Unitrix malware, this method takes advantage of a special character in Unicode to reverse the order of characters in a file name, hiding the dangerous file extension in the middle of the file name and placing a harmless-looking fake file extension near the end of the file name.

The Unicode character is U+202E: Right-to-Left Override, and it forces programs to display text in reverse order. While it’s obviously useful for some purposes, it probably shouldn’t be supported in file names.

Essentially, the file’s actual name can be something like “Awesome Song uploaded by [U+202e]3pm.SCR”. The special character forces Windows to display the end of the file’s name in reverse, so the file’s name will appear as “Awesome Song uploaded by RCS.mp3”. However, it’s not an MP3 file – it’s an SCR file and it will be executed if you double-click it. (See below for more types of dangerous file extensions.)

This example is taken from a cracking site, as I thought it was particularly deceptive – keep an eye on the files you download!

Windows Hides File Extensions By Default

Most users have been trained not to launch untrusted .exe files downloaded from the Internet, as they may be malicious. Most users also know that some types of files are safe – for example, if you have a JPEG image named image.jpg, you can double-click it and it will open in your image-viewing program without any risk of getting infected.

There’s just one problem – Windows hides file extensions by default. The image.jpg file may actually be image.jpg.exe, and when you double-click it you’ll launch the malicious .exe file. This is one of the situations where User Account Control can help – malware can still do damage without administrator permissions, but won’t be able to compromise your entire system.

Worse yet, malicious individuals can set any icon they want for the .exe file. A file named image.jpg.exe using the standard image icon will look like a harmless image with Windows’ default settings. While Windows will tell you that this file is an application if you look closely, many users won’t notice this.

Viewing File Extensions

To help protect against this, you can enable file extensions in Windows Explorer’s Folder Settings window. Click the Organize button in Windows Explorer and select Folder and search options to open it.

Uncheck the Hide extensions for known file types checkbox on the View tab and click OK.

All file extensions will now be visible, so you’ll see the hidden .exe file extension.

.exe Isn’t the Only Dangerous File Extension

The .exe file extension isn’t the only dangerous file extension to look out for. Files ending with these file extensions can also run code on your system, making them dangerous, too:

.bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh

This list isn’t exhaustive. For example, if you have Oracle’s Java installed, the .jar file extension can also be dangerous, as it will launch Java programs.
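As an added example (not code from the article or from How-To Geek), the following Python checker applies the two disguises described above and the extension list just given: it strips Unicode bidirectional control characters to recover the extension Windows actually uses, simulates what a file listing would show (with or without the default "hide extensions for known file types" setting), and reports whether a file is a plain executable, a disguised executable, or clean. The rendering model is a deliberate simplification I assume (everything after U+202E is drawn reversed), and the sample names are constructed; the dictionary of control characters and the extension sets are the assumptions the verdicts rest on.

```python
"""Flag file names that hide an executable extension behind a Unicode
right-to-left override (U+202E) or a benign-looking double extension."""

# Unicode bidirectional controls that can reorder or hide displayed text.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}

# Extensions the article names as able to run code (plus .exe and .jar).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".com", ".lnk", ".pif", ".scr",
    ".vb", ".vbe", ".vbs", ".wsh", ".jar",
}

# Data-file extensions a user would normally treat as safe (assumed set).
BENIGN_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".txt", ".pdf"}


def strip_bidi(name):
    """Drop every bidi control: what remains is the name the file system
    stores and the name Windows uses to choose the program that opens it."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def extension_of(clean_name):
    """Lowercased real extension of an already-cleaned name, or ''."""
    _, dot, ext = clean_name.rpartition(".")
    return ("." + ext.lower()) if dot else ""


def displayed_name(name, hide_known_extensions=False):
    """Approximate what a user sees in a file listing.

    Simplified rendering model (assumption): text after U+202E is drawn
    reversed. With hide_known_extensions=True the final extension is also
    dropped, mimicking Explorer's default "Hide extensions for known
    file types" behaviour.
    """
    clean = strip_bidi(name)
    if hide_known_extensions and extension_of(clean):
        clean = clean[: clean.rfind(".")]
    idx = name.find("\u202e")
    if idx == -1:
        return clean
    head = strip_bidi(name[:idx])      # part before the override, unchanged
    tail = clean[len(head):]           # part after it, shown reversed
    return head + tail[::-1]


def analyze_filename(name):
    """Return the real extension, both displayed forms, a verdict and the
    reasons behind it. Verdicts: clean, suspicious, executable,
    disguised-executable."""
    clean = strip_bidi(name)
    real_ext = extension_of(clean)
    controls = sorted({BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS})
    shown = displayed_name(name)
    shown_hidden = displayed_name(name, hide_known_extensions=True)
    apparent_ext = extension_of(shown)
    parts = clean.split(".")
    double_ext = len(parts) >= 3 and ("." + parts[-2].lower()) in BENIGN_EXTENSIONS

    reasons = []
    if controls:
        reasons.append("bidi control(s) in name: " + ", ".join(controls))
    if apparent_ext != real_ext:
        reasons.append(f"looks like {apparent_ext or 'no extension'} "
                       f"but is really {real_ext or 'no extension'}")
    if double_ext:
        reasons.append(f"benign-looking .{parts[-2].lower()} placed before {real_ext}")

    if real_ext in EXECUTABLE_EXTENSIONS:
        verdict = "disguised-executable" if reasons else "executable"
    else:
        verdict = "suspicious" if reasons else "clean"
    return {
        "name": name,
        "real_extension": real_ext,
        "displayed": shown,
        "displayed_with_hidden_extensions": shown_hidden,
        "verdict": verdict,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample names, including the article's Unitrix example.
    samples = [
        "Awesome Song uploaded by \u202e3pm.SCR",
        "image.jpg.exe",
        "holiday.jpg",
        "setup.exe",
    ]
    for sample in samples:
        report = analyze_filename(sample)
        print(f"{report['displayed']!r:45} -> {report['verdict']}")
        for reason in report["reasons"]:
            print("    " + reason)
```

Running the script prints the Unitrix name as the user would see it (ending in RCS.mp3) while reporting the real .scr extension, and shows image.jpg.exe collapsing to image.jpg once known extensions are hidden. The same check is easy to run over a download folder with os.scandir, which is where a defender would actually apply it.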

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 10/22/12

Comments (33)

  1. john

    ‬‮redro esrever ni siht etirw I

  2. rKiller

    I know all this like 99.99% of the “Geeks”!!

  3. D. G.

    There is NO ” Hide File Extensions” in my advanced tab ….
    What are talking about ???

  4. runningbear

    I used this great utility. Hifito version 1.1 after installing adds a right-click option on your taskbar to hide files or extensions.

  5. spike

    @D. G.: What OS are you on? Are you local admin?

  6. cnels

    Hey D.G.: …”my advanced tab…” What are YOU talking about? This can be found on the VIEW tab of FOLDER OPTIONS, unless of course it isn’t done that way in Windows on your planet. On Earth, it is done via the VIEW tab.

  7. Lisa Wang

    @rKiller:There are less than advanced users in HtG too, as well as beginners, so you shouldn’t make such comment. You would be surprised by the amount of people ignoring the simple advice to uncheck ‘hide known file extensions’, causing their PCs to be infected by virus, adwares, roguewares, etc, then passing the headache to someone else they forced to ‘help’ clean their machines.

    @D.G :I’m running Windows 7 and I can find it under Organize>Folder and Search Options>view
    There would be some list there. Uncheck the ‘hide known file extensions’. On many occasions, choosing to show hidden files and folders while you’re at it proves to be useful too, especially when you’re recovering files hidden by a virus.

  8. Nathan

    If you aren’t sure about a file you have downloaded, you can often use your antivirus to open it in a sandbox environment; it will keep it isolated from your computer.

  9. Paul O' Sullivan

    you forgot .PDF. since they can contain .exe files which are run upon opening.

  10. Kevin

    out of 100% of the population only .09% of them are Geeks, so count yourself as one of the few rKiller.

    D. G. – Go into the control panel and under the folder Options click the View tab and you will find it there.

  11. Chad

    If the hacker used encoding, or attached the virus to a legitimate file . . . the extension wouldn’t necessarily matter, because it would match the host file. Am I right? (This is not exactly my forte)

  12. imanoldgoat

    Methinks the majority of HTG subscribers are not aware of all the “tricks” employed in Basic Computer Survival (myself included). That’s why HTG is so important- either for new knowledge, or refresher courses. Hey- how many of us could repair our cars when malfunctioning? Yet we depend upon them for basic mobility.That’s why we all need each other, to protect ourselves from Bill Gates and his demons.

  13. Greg

    Why would Microsoft ever have created the “Right-to-Left Override” in the first place??? And why would they now not fix that problem?!?

    It seems not just foolish, but outrageously so!

    Of what PRACTICAL USE is such a feature?

  14. Tom

    OK, yup, that is an interesting and bad exploit. Um, after we set Windows to show us the file extensions (that is one of the very first things I do when installing Windows), how do we protect ourselves from this?

  15. Dan Flak

    Well, for one thing, be wary of potentially malicious file extensions spelled backwards immediately before the plain extension. If in doubt, download and scan before opening.

  16. WhytteDragun

    One trick for finding fake picture files is to make sure the “Always show icons, never thumbnails” checkbox is UNchecked (like it is in the pic above) and set your folder view to medium or larger icons. If it’s a legit picture file, a smaller version of it will show in place of an icon. If it still shows an icon, it’s either a corrupted image or not an image at all.

  17. a.oryema

    It’s very easy to find it. I’m using Windows 7: click the Start button, click Pictures, click Organize and then View, and you are there.

  18. OnTheFly

    Thanks for a great article. Now that I know how to fiddle with the file extensions, can you help me locate a few malware programs so I can send them to people I don’t like?
    Really, give us all the cautions and show us how to un-hide the file extensions, but keep this Unicode trick and others to yourselves.
    PS: Any hints on how to make an atomic bomb? I’m sure you’d post that too if you knew how to.

  19. Joe P

    Don’t all geeks have all the scripting extensions associated with Notepad and the scripting hosts nuked anyway?

  20. bedlamb

    @D.G
    Another path….. Might be easier…..

    control panel
    folder options
    view
    [ ] hide extensions for known file types (uncheck this)

  21. Keith

    One of the fastest ways I know of to Folder Options is:

    control folders

    ^^ type that at a Run dialog or at a cmd prompt and press enter

  22. Keith

    But at HTG, some like it geeky. So if you wanted Folder Options to open with the View tab already selected, try this:

    On a blank area of the Desktop, right-click and create a New Shortcut. Give it this line for a target:

    RunDll32.exe shell32.dll,Options_RunDLL 7

    Then name it whatever you like.

  23. TheFu

    Just so the GUI-Linux users don’t feel left out …

    over the last 5+ (maybe 15?) yrs, Linux GUI desktops have become similar to Windows in hiding some extensions AND allowing end-users to be tricked into running programs. The “.desktop” extension is like the old “.PIF” files in Windows. Execute file permissions are not required for the .desktop file to run the program/script referenced inside. Very dangerous.

    With Linux scripting, imagine all the damage that could be done on a system if someone uninformed ran a program, even a script? There is pretty much nothing that couldn’t be done. Hooks back into the system would almost always be possible. Heck, I think it is a 30 minute problem (how long to create a fairly bulletproof script) to setup something that would gain root access the next time this user needed root authority.

    Heck, the first thing the script would do is download a newer version of itself, then setup to restart every time that userid logs in, then modify the PATH to insert some other location where a clone of gksudo sits waiting to capture root access … of course, after the credentials are entered, this simple script pwons the box completely. To keep the end-user from knowing any better, just pass through the desired action to sudo + cmd. If the programmer were smart, she’d ensure the new root processes all have common names and run at very low priority to avoid issues.

    This attack method will probably work on most Linux desktops that are unmanaged, over 90% aren’t, but properly managed servers would see the changes, notify someone and might even put the correct settings back thanks to chef or puppet. How often do you check the root crontab on your Linux boxes?

    Of course, the .desktop extension isn’t anything magical. It is just a text file, so looking inside to see where it points is easy. Very few people bother looking.

    Anyone with a tiny bit of Linux scripting knowledge probably wouldn’t be fooled by this attack method, but as more and more people try Linux out, more and more “stupid user tricks” will become effective against larger Linux user populations.

    OS-X is probably just as susceptible to this sort of attack, but I can’t recall the details based on 1 week of use earlier this year. The extension is almost certainly different, but the scripting capabilities are just as potent.

  24. Conrad

    Thank you very much HTG, for the reminder. Especially the Unitrix Exploit. It actually made me think of how great it is that the extension of files on my Linux partition is always visible, since I move files across to my Windows partition from time to time. What would we do without the HTG Team?!!

    Even advanced superusers FORGET from time to time, even forgetting to apply these same protection mechanisms to other person’s system for their own awareness and protection… Thank you.

  25. Lambada

    How do you insert [U+202e] in a file name anyway????

  26. Ushindi

    “Uncheck the Hide extensions for known file types checkbox”. Thanks very much – I just did that very thing. Hadn’t even thought about it before.

  27. SugarFluff

    @imanoldgoat
    What does Bill Gates have to do with this?

  28. Erik

    Wow… that’s slick!
    Not good though. Microsoft needs to disallow such Unicode control characters in filenames ASAP!

  29. ubutnut

    this is why i’m always a true believer in identifying files using their header instead of extension just like unix/linux – the benefit of using said approach is that we can save lotsa space and confusion over naming convention becuz many of the crap living in the HKCR registry hive would be wiped out! imagine: just becuz they can, weird file extensions pop up elsewhere, every program seems to be having their own: pptx, oex, xpi, safariextz, crx and so on, which if you simply rename them to zip you can open using windows’ in-built compression software!

  30. indianacarnie

    Nice informative article, exactly the kind of thing that drew me here long long ago. Just because “Geek” is in the name doesn’t mean that everyone here is one. Yes , this “trick” is one of the first things I do when reinstalling, and HAS been, but this is important and I thank HTG and Chris for posting this article.

  31. Keith

    @WhytteDragun: Good comment. One of the better ones.

  32. udayatom

    i likes your post always… and also with the correct taste of the each information always……………….

    Please be give the security and exploit related information………………….

    ALWAYS AM FAN OF YOU…..www.howtogeek.com

    Thanks…. Keep me on this post

  33. Al

    This was very useful to me as I had problems recently. I know about computers but I am not a programmer.. thanks for the info.
