How Hackers Can Disguise Malicious Programs With Fake File Extensions

By Chris Hoffman on October 22nd, 2012


File extensions can be faked – that file with an .mp3 extension may actually be an executable program. Hackers can fake file extensions by abusing a special Unicode character, forcing text to be displayed in reverse order.

Windows also hides file extensions by default, which is another way novice users can be deceived – a file with a name like picture.jpg.exe will appear as a harmless JPEG image file.

Disguising File Extensions With The “Unitrix” Exploit

If you always tell Windows to show file extensions (see below) and pay attention to them, you may think that you’re safe from file-extension-related shenanigans. However, there are other ways people can disguise the file extension.

Dubbed the “Unitrix” exploit by Avast after it was used by the Unitrix malware, this method takes advantage of a special character in Unicode to reverse the order of characters in a file name, hiding the dangerous file extension in the middle of the file name and placing a harmless-looking fake file extension near the end of the file name.

The Unicode character is U+202E: Right-to-Left Override, and it forces programs to display text in reverse order. While it’s obviously useful for some purposes, it probably shouldn’t be supported in file names.


Essentially, the file’s actual name can be something like “Awesome Song uploaded by [U+202e]3pm.SCR”. The special character forces Windows to display the end of the file’s name in reverse, so the file’s name will appear as “Awesome Song uploaded by RCS.mp3”. However, it’s not an MP3 file – it’s an SCR file and it will be executed if you double-click it. (See below for more types of dangerous file extensions.)


This example is taken from a cracking site, as I thought it was particularly deceptive – keep an eye on the files you download!

Windows Hides File Extensions By Default

Most users have been trained not to launch untrusted .exe files downloaded from the Internet, as they may be malicious. Most users also know that some types of files are safe – for example, if you have a JPEG image named image.jpg, you can double-click it and it will open in your image-viewing program without any risk of getting infected.

There’s just one problem – Windows hides file extensions by default. The image.jpg file may actually be image.jpg.exe, and when you double-click it you’ll launch the malicious .exe file. This is one of the situations where User Account Control can help – malware can still do damage without administrator permissions, but won’t be able to compromise your entire system.

Worse yet, malicious individuals can set any icon they want for the .exe file. A file named image.jpg.exe using the standard image icon will look like a harmless image with Windows’ default settings. While Windows will tell you that this file is an application if you look closely, many users won’t notice this.


Viewing File Extensions

To help protect against this, you can enable file extensions in Windows Explorer’s Folder Settings window. Click the Organize button in Windows Explorer and select Folder and search options to open it.


Uncheck the Hide extensions for known file types checkbox on the View tab and click OK.


All file extensions will now be visible, so you’ll see the hidden .exe file extension.


.exe Isn’t the Only Dangerous File Extension

The .exe file extension isn’t the only dangerous file extension to look out for. Files ending with these file extensions can also run code on your system, making them dangerous, too:

.bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh

This list isn’t exhaustive. For example, if you have Oracle’s Java installed, the .jar file extension can also be dangerous, as it will launch Java programs.
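Both tricks described in this article (the U+202E override in the “Unitrix” section and the hidden double extension) come down to the same gap: the extension a user sees is not the extension Windows acts on. The following script is an added example, not code from the article or from Avast. It models how a file name would be displayed (optionally with extensions hidden, as Explorer does by default), compares that with the real trailing extension, and flags names that carry bidirectional control characters, a double extension, or a displayed extension that differs from an executable real one. The extension list comes from this article; the set of “benign-looking” extensions, the sibling bidi control characters beyond U+202E, and the simplified rendering model are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Unicode bidirectional control characters that can reorder displayed text.
# U+202E (Right-to-Left Override) is the one abused by the "Unitrix" trick;
# the others are its siblings, included as a defensive assumption.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # embeddings / overrides
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates
}

# Extensions the article lists as able to run code, plus .exe and .jar.
EXECUTABLE_EXTS = {
    ".exe", ".bat", ".cmd", ".com", ".lnk", ".pif", ".scr",
    ".vb", ".vbe", ".vbs", ".wsh", ".jar",
}

# Extensions a user would normally treat as harmless data (constructed sample set).
BENIGN_LOOKING_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".pdf", ".txt", ".doc"}


def rendered_name(name: str) -> str:
    """Approximate how a renderer shows a name containing U+202E: every
    character after the first override is displayed in reverse order.
    The logical name on disk is unchanged; only presentation differs.
    This is a deliberate simplification of real bidi layout (assumption)."""
    idx = name.find("\u202e")
    if idx == -1:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def displayed_name(name: str, hide_known_ext: bool = False) -> str:
    """Model what the user sees. With hide_known_ext=True the final suffix of
    the real name is dropped first, as Explorer's default "Hide extensions
    for known file types" does (modelled as any trailing suffix; assumption)."""
    logical = name
    if hide_known_ext:
        suffix = PureWindowsPath(logical).suffix
        if suffix:
            logical = logical[: -len(suffix)]
    return rendered_name(logical)


def analyze_filename(name: str, hide_known_ext: bool = False) -> dict:
    """Return the real extension, the apparent extension, and the deception
    techniques (if any) the name exhibits."""
    findings = []
    bidi = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    if bidi:
        findings.append("bidi_override")

    # Strip control characters before parsing suffixes so the real extension is found.
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    suffixes = [s.lower() for s in PureWindowsPath(clean).suffixes]
    true_ext = suffixes[-1] if suffixes else ""

    shown = displayed_name(name, hide_known_ext)
    shown_ext = PureWindowsPath(shown).suffix.lower()

    if true_ext in EXECUTABLE_EXTS:
        findings.append("executable_extension")
        if len(suffixes) >= 2 and suffixes[-2] in BENIGN_LOOKING_EXTS:
            findings.append("double_extension")
        if shown_ext != true_ext:
            findings.append("extension_spoofed")

    return {
        "name": name,
        "displayed_as": shown,
        "true_ext": true_ext,
        "shown_ext": shown_ext,
        "bidi": bidi,
        "findings": findings,
        "suspicious": bool(findings),
    }


def scan_names(names, hide_known_ext: bool = False) -> list:
    """Analyze a batch of file names and return only the suspicious results."""
    return [r for n in names if (r := analyze_filename(n, hide_known_ext))["suspicious"]]


if __name__ == "__main__":
    # Constructed sample listing: the article's two examples plus a benign file.
    sample = [
        "Awesome Song uploaded by \u202e3pm.SCR",  # Unitrix-style override
        "image.jpg.exe",                           # double extension
        "holiday.jpg",                             # harmless
    ]
    for hide in (False, True):
        print(f"-- extensions hidden: {hide}")
        for r in scan_names(sample, hide_known_ext=hide):
            print(f"{r['displayed_as']!r:45} real={r['true_ext']:5} {r['findings']}")
```

Run it on a directory listing (for example the names returned by `os.listdir` on a downloads folder) rather than the constructed sample to see which files would look different from what they are. Note that the script judges only the name; a file with a benign extension can still be dangerous if the program that opens it is exploitable, so this is a triage aid, not a verdict.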

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry.
