What are ways to prevent files with the Right-to-Left Override Unicode character in their name (a malware spoofing method) from being written or read?

20

5

What are ways to avoid or prevent files with the RLO (Right-to-Left Override) Unicode character in their name (a malware method to spoof filenames) from being written or read in a Windows PC?

More info on the RLO unicode character here:

Info on the RLO unicode character, as it is used by malware:

Summary of computer virus/unauthorized computer access incident report for October 2011, compiled by Information-technology Promotion Agency, Japan (IPA) [Mirror (Google Cache)]

You can try this RLO character test webpage to see how the RLO character works.

The RLO character is also already pasted in the 'Input Test' field in that webpage. Try typing there and notice that the characters you're typing are coming out in their reverse orders (right-to-left, instead of left-to-right).

In filenames, the RLO character can be specifically positioned in the filename to spoof or masquerade as having a filename or file extension that is different than what it actually has. (Will still be hidden even if 'Hide extensions for known filetypes' is unchecked.)

The only info I can find that has info on how to prevent files with the RLO character from being run is from the Information Technology Promotion Agency, Japan website.

Can anyone recommend any other good solutions to prevent files with the RLO character in their names from being written or being read in the computer, or a way to alert the user if a file with the RLO character is detected?

My OS is Windows 7, but I'll be looking for solutions for Windows XP, Vista and 7, or a solution that will work for all those OSes, to help people using those OSes too.

galacticninja

Posted 2012-04-05T07:46:16.263

Reputation: 5 348

1Very good question! I would like to know this too. Your link doesn't seem to work. – Cerberus – 2012-04-05T11:10:58.987

@Cerberus Just found out that the link doesn't work. I hope it's just temporarily down. I'll update the answer if I find a mirror. – galacticninja – 2012-04-05T13:11:42.360

@Cerberus Thanks. I have added the mirror link to the question. – galacticninja – 2012-04-06T03:34:40.730

4They advised to use the Local Security Policy settings manager to block files with the RLO character in their names from being run. Can you please tell us why this is not a solution? – Tamara Wijsman – 2012-04-21T09:33:52.033

@TomWijsman I'm looking for other solutions that will prevent the RLO character from being written and read, or a solution that will notify or alert the user if the RLO character is detected. Also, maybe another user can provide a better solution. – galacticninja – 2012-04-21T12:57:01.587

@galacticninja: Detecting the RLO on your system is an easy script (just enumerate all file names and look if the character is there), even subscribing to I/O updates is still an easy task in a programming language. I still don't see how that would increase security over the ability of running the files... – Tamara Wijsman – 2012-04-21T13:01:35.047

@TomWijsman I'm looking for a more automated solution, one that will automatically detect it, in real-time, if the file containing the RLO character is encountered, rather than manually searching for the character. IMO, it's better to detect a potential malware as it is written, that when it is run. – galacticninja – 2012-04-21T13:07:37.813

This could be also by default from the site maker if it is created from the old marquee language option than it could be a problem of the typed code in the webpage option. – Naved – 2012-05-07T13:25:28.010

Answers

3

You could use Everything in combination with AutoHotkey to create an alert whenever a bidirectional text control character forms part of a filename.

The Script

; Message shown when a match is found (`n is a newline in AutoHotkey)
AlertText = A bidirectional text control character was detected in a filename.
AlertText = %AlertText%`n`nClick OK to re-hide the window.

SetTitleMatchMode RegEx
DetectHiddenWindows, On
EnvGet, ProgramFiles32, ProgramFiles

Start:
; Launch Everything and wait up to 5 s for its window; retry if it does not appear
Run, %ProgramFiles32%\Everything\Everything.exe
WinWaitActive, Everything, , 5
if Errorlevel
    Goto Start
WinGet, Id, ID, A
; Remember the status bar text before the search, so we can wait for it to change
StatusBarWait, objects, , 1, ahk_id %Id%
StatusBarGetText, Status, 1, ahk_id %Id%
; Paste the search term via the clipboard. The term is the seven bidirectional
; control characters U+200E|U+200F|U+202A|U+202B|U+202C|U+202D|U+202E
; (LRM, RLM, LRE, RLE, PDF, LRO, RLO) separated by |; they are invisible below.
Backup := ClipboardAll
Transform, Clipboard, Unicode, ‎|‏|‪|‫|‬|‭|‮
Send, ^v
WinHide, ahk_id %Id%
Sleep, 100
Clipboard := Backup
Backup =
; Wait until the status bar no longer shows the pre-search text
StatusBarWait, ^(?!^\Q%Status%\E$)
Loop
{
    ; A digit 1-9 in the status bar means at least one object matched
    StatusBarWait, [1-9], , 1, ahk_id %Id%
    IfWinNotExist, ahk_id %Id%
        Goto Start
    WinShow, ahk_id %Id%
    WinRestore, ahk_id %Id%
    MsgBox, %AlertText%
    WinHide, ahk_id %Id%
}

What it does

The script launches Everything and searches for ‎|‏|‪|‫|‬|‭|‮ (U+200E, U+200F, U+202A, U+202B, U+202C, U+202D and U+202E, pasted as UTF-8), i.e., all seven bidirectional text control characters (source), separated by |.

Then, the script hides the Everything window and monitors its status bar. When it contains any digit different from 0, a match has been found, the Everything window gets displayed and the following message box pops up:

A bidirectional text control character was detected in a filename.

Click OK to re-hide the window.

The script also relaunches Everything in case it gets closed.

How to use

  1. Download, install and launch Everything.

  2. Press Ctrl + P and switch to the Volumes tab.

    For all volumes that should be checked, enable Monitor changes.

  3. Download and install AutoHotkey.

  4. Save the above script as find-bidirectional-text-control-characters.ahk.

  5. Double-click the script to launch it.

  6. Create a shortcut to the script in your Startup folder.

Dennis

Posted 2012-04-05T07:46:16.263

Reputation: 42 934
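As an added example (not part of Dennis's answer and not code from Everything or AutoHotkey), here is the same check as a stand-alone Python script: it flags names containing any of the seven bidirectional control characters, shows how a single RLO makes a .exe look like a .doc, and walks a directory tree. The apparent_name() function is a deliberate simplification of the Unicode bidi algorithm that only handles the single-RLO case, and the file names in demo() are constructed samples.

```python
import os
import re
import tempfile
from pathlib import Path

# The seven bidirectional control characters: LRM, RLM, LRE, RLE, PDF, LRO, RLO
BIDI_CONTROLS = "\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
BIDI_RE = re.compile("[%s]" % BIDI_CONTROLS)
RLO = "\u202e"

def has_bidi_control(name: str) -> bool:
    """True if the file or directory name contains any bidi control character."""
    return BIDI_RE.search(name) is not None

def apparent_name(name: str) -> str:
    """Approximate what a file manager displays for a name with a single RLO.

    Simplified UAX #9: text after U+202E is forced right-to-left up to the end
    of the string, so the tail shows reversed. Not a full bidi implementation."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name

def describe(name: str) -> dict:
    """Compare the real extension with the one the user would see on screen."""
    shown = apparent_name(name)
    return {
        "actual_ext": os.path.splitext(name)[1].lower(),
        "apparent_ext": os.path.splitext(shown)[1].lower(),
        "spoofed": has_bidi_control(name),
    }

def scan_tree(root: str) -> list:
    """Walk a directory tree; return paths whose names contain a bidi control."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            if has_bidi_control(entry):
                hits.append(os.path.join(dirpath, entry))
    return sorted(hits)

def demo() -> list:
    """Constructed sample: one spoofed and one benign file in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        spoofed = "photo" + RLO + "cod.exe"  # displayed roughly as photoexe.doc
        Path(d, spoofed).write_bytes(b"")
        Path(d, "report.docx").write_bytes(b"")
        return [os.path.basename(p) for p in scan_tree(d)]
```

Run scan_tree() against a download folder from a scheduled task, or wrap it in a watcher, to get the kind of alert the question asks for without depending on Everything.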

2

The Information Technology Promotion Agency, Japan website (mirror link), has advised using the Local Security Policy settings manager to block files with the RLO character in their names from being run.

(I am not copypasting the full instructions as I am unsure of what that website's copyright license on their content is.)

galacticninja

Posted 2012-04-05T07:46:16.263

Reputation: 5 348

0

There are probably other ways, but the easiest - and yet not trivial - way is to implement a file system filter (or file system mini-filter) that filters these requests. In the case of reading from such a file you could return STATUS_ACCESS_DENIED, and when writing you shouldn't do anything but instead prevent such files from being created (likely also with the above error code) in the first place. Creation is another request type.

One can imagine other methods of achieving a similar result, such as SSDT hooking. But the only reliable way would be the above.

In order to do that you will have to get someone to write this kind of filter for you (relatively trivial for mini-filters for a kernel developer) and then sign it to get it through the kernel mode signing policy since Vista. If you don't want to do the latter you can still test-sign the driver binary and modify your boot options to allow test-signed content - thus compromising security of the respective system, though.

In the light of this information I would strongly advise you to make use of the solution that galacticninja and Tom Wijsman pointed out.

0xC0000022L

Posted 2012-04-05T07:46:16.263

Reputation: 5 091

2"I would strongly advise you to make use of the solution that Tom Wijsman pointed out." Actually, that was a solution that I pointed out. I already set Windows to do that. Like what I replied to Tom Wijsman, I'm looking for other solutions that will prevent the RLO character from being written and read, or a solution that will automatically notify or alert the user if the RLO character is detected. I'm afraid I don't have the technical know-how to write the filter you described. – galacticninja – 2012-05-10T15:37:30.407

@galacticninja: I'm sorry, I'll correct that in my answer. – 0xC0000022L – 2012-05-11T22:47:11.297

0

I don't think such a thing is available on the desktop, but you should be able to prevent such things being written to your fileserver(s):

Implementing File Screening in Windows Server 2003 R2

Adam Thompson

Posted 2012-04-05T07:46:16.263

Reputation: 1 954