Trojan Source Filenames!!??

  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

airchie

Member
Nov 9, 2020
14
13
Evening all,

I'm in the middle of working night-shift in the SOC of my employer.
Whilst analysing a phishing ticket, I came across something I'd never seen before.
There was a file attached to the phishing email that appeared to have a .paid filename extension.
It seemed curious that it was associated with Firefox since I'd never seen that type of file.

Turns out, it appears to be using bidi characters in the filename so the .htm filename extension appears as mth in the middle of the filename like shown below.
Where the space is there appears to be bidi characters reversing the direction of the next part.
Users.name5703 ‮‮‮diap.htm

Very sneaky, and I'm not sure how to see the bidi characters?

I'll attach the file (I stripped the contents so there's nothing but text inside now).
Previously it was a very convincing self-contained and heavily obfuscated phishing page emulating an SSO login prompt.
I've also renamed it to txt instead of htm to allow upload.

Has anyone else ever seen this?

<edit> I just had a play and managed to create a nice example of how this could be used to trick people who weren't paying attention.
Makes an exe file look like a text file.

Steve, if you want to bring this to the attention of SN listeners, I'd love a shout-out.
Craig Stewart from Scotland. ;)
 

Attachments

  • Users.name5703 ‮‮‮diap.txt
    25 bytes · Views: 687
  • HidingAnExeInPlainSight.png
    HidingAnExeInPlainSight.png
    3.1 KB · Views: 205
Last edited:
Steve covered it last November: https://www.grc.com/sn/sn-843-notes.pdf
Skip to the last section labeled “Trojan Source”
I'm aware of that, that's why I titled this thread with "Trojan Source" in the name.
However, Steve discussed the use of BiDi tags in terms of sourcecode and the ability to hide malicious code in plain sight by using them.
I don't think it was mentioned that it was possible to use these tags in filenames?

Perhaps he did, or maybe he's aware its possible, but I was very surprised when I saw it first hand!

@Steve , were you aware of this?
 
  • Like
Reactions: Barry Wallis
Maybe enter a bug in Bugzilla?
Hi, Scott.

This isn't a bug.
Much like the trojan source issue @Steve discussed in the podcast, this appears to be a feature that caters for right-to-left languages like Arabic and Hebrew.
Much like source code can use BiDi characters, filenames in Windows Explorer can too.

If you look at the example from my original post, I made an exe file look like a txt file (though windows still knows it's an application, users may be fooled).