18

Disclaimer: I opened the following torrent file just because someone reported it as a movie containing a virus, which seemed very strange. I do not support piracy.

So, upon opening a .torrent file downloaded from the internet, I get the following dialogue in uTorrent 3.4.7: [screenshot]

Although it seems to have an .AVI extension, the icon reveals that it is in fact an executable (other, legit .avi files show the VLC icon)

When uploading this file to torrenteditor.com, I get the following result: [screenshot]

As you can see, when I try to copy using the mouse cursor from left to right, it skips the .exe part, and I have to move the mouse RIGHT to LEFT in order to copy the remaining part.

Shurmajee
  • 1,36GB ? Wow that's a lot of malware. (ironic - I do know they just pad the file to make it less suspicious) – André Borie May 09 '17 at 17:19
  • 1
    @AndréBorie you don't even have to pad it. You can embed payloads into non-malicious executables with msfvenom. When the user runs the normal looking executable their application runs as expected... well and roots their system :-D – DotNetRussell May 10 '17 at 20:11

1 Answer

21

Unicode allows for right to left languages as well as left to right, so what you have here is a cleverly arranged title including a right to left part with .exe being the suffix.

From https://www.explainxkcd.com/wiki/index.php/1137:_RTL

  • U+200e LEFT-TO-RIGHT MARK This is used to insert left to right script into a right to left sentence.
  • U+200f RIGHT-TO-LEFT MARK This is used to insert right to left script into a left to right sentence.
  • U+202a LEFT-TO-RIGHT EMBEDDING The following text will be left-to-right. This will not change directionality of characters, so for example Arabic letters will stay right-to-left. This character alone does nothing in an English text, since the text direction is left-to-right by default.
  • U+202b RIGHT-TO-LEFT EMBEDDING The following text will be right-to-left. This will not change directionality of characters, so Latin letters will stay left-to-right. Full stops, which don't have a directionality on their own, will be left of the sentence. Use this character for some little misplacings that cause big confusion.
  • U+202c POP DIRECTIONAL FORMATTING The following text is formatted like the text before the last U+202a, U+202b, U+202d or U+202e character.
  • U+202d LEFT-TO-RIGHT OVERRIDE The following text will be left-to-right. Additionally, the directionality of characters is changed to left-to-right. Used alone in an English text, this will only affect characters that are right-to-left by default, like Arabic letters.
  • U+202e RIGHT-TO-LEFT OVERRIDE The following text will be right-to-left. Additionally, the directionality of characters is changed to right-to-left. Use this character to completely screw up an English text.

So, as you have spotted, the .exe comes last and indicates to Windows that this is an executable, despite visually looking like an .avi file.

Rory Alsop
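A defensive check for the trick described in the answer, as an added example that is not part of the original post: it scans a filename for the bidirectional controls listed above (plus the isolate controls U+2066 to U+2069, which go beyond the quoted list) and reports the extension in stored order, which is what Windows acts on. The sample filenames and the executable-extension set are constructed assumptions.

```python
import os
import unicodedata

# Bidirectional control characters listed in the answer above, plus the
# isolate controls U+2066..U+2069 (added here; not in the quoted list).
BIDI_CONTROLS = {0x200E, 0x200F, *range(0x202A, 0x202F), *range(0x2066, 0x206A)}

# Assumed sample of extensions Windows treats as directly runnable.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}


def inspect_filename(name):
    """Report bidi controls in `name` and the extension the OS will act on."""
    found = [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(name)
        if ord(ch) in BIDI_CONTROLS
    ]
    # The OS uses the logical (stored) order, so the real extension is
    # whatever follows the last dot once the controls are stripped.
    stripped = "".join(ch for ch in name if ord(ch) not in BIDI_CONTROLS)
    ext = os.path.splitext(stripped)[1].lower()
    return {
        # ASCII-escaped form makes invisible characters visible in logs.
        "escaped": name.encode("unicode_escape").decode("ascii"),
        "controls": found,
        "real_extension": ext,
        "suspicious": bool(found) and ext in EXECUTABLE_EXTS,
    }


if __name__ == "__main__":
    # Constructed samples: the first renders as "Movie_exe.avi" in a
    # bidi-aware UI, the second is an ordinary name.
    for sample in ["Movie_\u202eiva.exe", "holiday.avi"]:
        print(inspect_filename(sample))
```

Logging the `escaped` form rather than the raw name keeps the override from also reordering the text in a terminal or log viewer.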