Hackers disguise .exe files with ‘Unitrix’ exploit

Hackers are using a new trick to cloak malicious files by disguising their Windows file extensions to make them appear safe to download, a Czech security company warned today.

The exploit, dubbed “Unitrix” by Avast Software, abuses Unicode for right-to-left languages — such as Arabic or Hebrew — to mask Windows executable files (.exe) as innocuous graphic images (.jpg) or Word documents (.doc).

Unicode is the computer industry standard for representing text with alpha-numeric codes.

The Unitrix exploit uses a hidden code (U+202E) that overrides right-to-left characters to display an executable file as something entirely different. Using that ploy, hackers can disguise a malicious file that ends with gpj.exe as a supposedly-safer photo_D18727_Coll exe.jpg by reversing the last six characters of the former.

“The typical user just looks at the extension at the very end of the file name; for example, .jpg for a photo. And that is where the danger is,” said Jindrich Kubec, head of Avast’s lab, in an email today. “The only way a user can know this is an executable file is if they have some additional details displayed elsewhere on their computer or if a warning pops up when they try and execute the file.”

Microsoft’s Internet Explorer 9 (IE9) uses a technology called “Application Reputation” to warn users of potentially-dangerous files downloaded from the Web.

Avast said that malware using the Unitrix tactic — primarily a Trojan downloader that acts as door-opener and a rootkit that hides the malicious code — increased in volume last month, hitting a peak of 25,000 detections daily.

The pattern of detections — high on workdays, dropping by 75% or more on weekends — shows that the attackers are targeting business users, Kubec argued.

Additional analysis done by Avast said that Windows PCs infected with the disguised Trojan were part of a “pay-per-installation” network rented to other criminals, who plant their own malware on the machines.

“[They] provide outsourced infection and malware distribution services for other cyber gangs…apparently based in Russia and the Ukraine,” said Avast researcher Lyle Frink in a post to the Avast blog Wednesday.

Frink identified three command-and-control (C&C) servers that issue instructions to the infected PCs: The servers were located in China, Russia and the U.S.

Combating Unitrix is difficult, said Kubec; he suggested that users open any suspect files in a sandboxed environment. Office 2010, for example, opens downloaded .doc files in a sandbox to isolate any malware from Windows.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs