This Insane Virus Trick Would Have Fooled Me - Watch Out!
Рет қаралды 689,704
Күн бұрынI can't believe I didn't know about this until now 🤔
⇒ Become a channel member for special emojis, early videos, and more! Check it out here: kzfaq.infojoin
▼ Time Stamps: ▼
0:00 - Intro
0:54 - The RTLO Character
3:19 - Explaining the First Example
4:44 - Explaining the File Icon
5:18 - Ways to Spot It
This video explains how a special invisible Unicode character called a right-to-left override (RTLO) can be used to trick users into running malicious files, and how to protect yourself from it. The RTLO reverses any text that comes after it, which can be used to make a file appear to be a spoof or hide the true filetype, even if viewing file extensions is enabled. For example, I show a file which appears to be a Word document, but it is actually an executable file.
The Unicode code for the RTLO character is 202E and is normally used for languages that are read from right to left, however there are other similar Unicode characters besides that one. Even though the text appears reversed, it is still interpreted by the computer from left to right, meaning a malicious file could display any characters at the end of a filename and pretending that is the file extension, but the computer sees the true extension as if the text is not reversed.
This trick is not limited to .exe files and has been used in several real malware campaigns with other file types, such as .scr files and VBS scripts. Also importantly, the file icon can be changed to match the spoofed file type. As always, the best way to protect against this type of trick is to know about it. Never open or run any suspicious files, no matter how benign they may appear. And also verify the actual filetype before opening anything.
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Merch ⇨ teespring.com/stores/thiojoe
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
My Gear & Equipment ⇨ kit.co/ThioJoe
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
@ThioJoe Жыл бұрын
Big bruh moment >>> I'll also emphasize the point I make at 3:49 in case people comment before watching that long - There doesn't have to be 2 periods in the filename, so "Test.exe.docx" could very well just be "Testexe.docx" - I put the other period there to make it easier to show the real file extension. So it might not be very obvious at all that this trick is used, depending on the real file extension and how they name it. For example, "arcs.docx" could really be a .scr file and the filename might not be suspicious, especially depending on the context, like naming it "character_arcs.docx" or something. There are tons of potentially malicious / exploitable filetypes out there that could be used.
@ItzWolfy247 Жыл бұрын
Bruh.exe
@oceanhavenblue Жыл бұрын
Bruhgpj.exe
@talkalexis Жыл бұрын
Why?
@gallium-gonzollium Жыл бұрын
not a bruh.not a exe
@axer552 Жыл бұрын
Bruh
@stage6fan475 Жыл бұрын
I worked professionally on computers since Win 3.1, read everything religiously and never heard of anything close to this. Stunning.
@kinsley7777 Жыл бұрын
if you wanted some real fun , you should’ve tried the latest and greatest version of DOS and Dbase v. anything to create some major havoc … lol
@CXLVII Жыл бұрын
Try reading it secularly then
@johanponken Жыл бұрын
@@CXLVII Like the lived reads the elbib.
@BestSuper Жыл бұрын
couldn't use question marks in filenames in older windows based shit-in-street pajeetsoft fucking everything up
@urooj09 Жыл бұрын
@@CXLVII apt reply
@DoctorNemmo Жыл бұрын
I still don't understand why Microsoft had ever chosen to hide file extensions as a default. It's the first thing I fix when I install Windows. In this case it's not the same cause, but having file extensions enabled helps.
@ZipplyZane Жыл бұрын
To prevent novices from unintentionally changing the filetype and thus making the file seem corrupted.
@andreewert6576 Жыл бұрын
@@ZipplyZane while that's true, since at least 7 maybe even vista, when you rename a file it only selects/highlights the name, not the extension. So unless you go out of your way to delete the extension, it won't be touched. Plus (again, idk when this started) windows *warns* you everytime you change an extension. It should really be on by default again. In general, we desperately need an "i am an adult" button in Windows' settings.
@traveller23e Жыл бұрын
@@andreewert6576 In a sense we already have an "I am an adult" setting. It's accessed through the Edge browser, just type in the bar "best linux distros 2023". Seriously though, MS has been actively hiding basic computer knowledge to make things seem "simpler" or "cleaner", but I suspect if they did more to just teach users what a file extension was (maybe through a help icon that did something other than inserting some vaguely relevant words into Bing) by now the general populous would be much more tech savvy on average.
@thewhitefalcon8539 Жыл бұрын
Because it's noise?
@LilacMonarch Жыл бұрын
What they should really do is change "show file extensions" to "allow editing file extensions"
@KangJangkrik Жыл бұрын
Fun fact: At the old days of youtube, you can put RTLO in your username. So when somebody attempting to mention you, they probably confused and accuse you of being a witch
@degreeskelvin3025 Жыл бұрын
Hilarious 😂
@lassipulkkinen273 Жыл бұрын
Fun fact: youtube's mobile app is _still_ confused by RTL text in usernames. K Klein just made a video about this.
@buggsy5 Жыл бұрын
@@lassipulkkinen273 Does Google Chat also suffer from this RTL problem?
@November 4 ай бұрын
youtube history :3
@placeholdervryt 4 ай бұрын
I have a RTLO In my username
@theaninova Жыл бұрын
Here's the crazy part: you can nest the overrides. You can move the extension to the beginning and mask it as a file that has a . to appear at the top... [RTL]txt.sevituc[LTR].exe will appear as .executives.txt
@salil5476 5 ай бұрын
you're a sorcerer.
@raviedavieu 4 ай бұрын
damnnn
@Norman_Fleming Жыл бұрын
AV software COULD scan for these "control" type characters within file names. Seems like an obvious thing to scan for.
@nyshone Жыл бұрын
They do actually, as long as the file has mark of the web (Zone Identifier).
@davidbangsdemocracy5455 Жыл бұрын
There are legitimate foreign language scenarios, which is why this feature exists
@lance_374 Жыл бұрын
@@davidbangsdemocracy5455 They should just make it so if your language is not set to one that uses these these characters, that it would just show the text normally without reversing it.
@GYTCommnts Жыл бұрын
@@davidbangsdemocracy5455 Extensions in filenames should have been always out of this consideration. This should be an operating system thing and not a language direction reading thing (only in the case of extensions I mean). Or even if the filename reads backwards (for the ones we don't use right to left languages), even then extensions should be "the last after the last dot". No matter what. IMHO.
@DogsRNice Жыл бұрын
@@davidbangsdemocracy5455 why would a filename need one though? And I'm pretty sure most text renders do what the control character does anyway so it's pretty redundant now
@Lupinicus1664 Жыл бұрын
As a security professional and having been in IT over 40 years I am also surprised that I hadn't come across this before too. Very informative, thank you.
@BostYT Жыл бұрын
@@ts757arse Sounds fun. I would do that
@robertjenkins6132 Жыл бұрын
Unicode support - and in particular support for these text-direction-reversing characters in Unicode - hasn't been around for 40 years. It's not a thing in DOS and probably also not thing in the earlier versions of Windows (though I haven't actually checked, nor researched the exact dates when MS implemented Unicode support). My guess is that this MS Windows vulnerability started in the 2000s or maybe even 2010s (but I'm too lazy to research it.).
@JAN0L Жыл бұрын
I've seen this character used online before but I never thought Windows would allow it in filenames.
@HarryWho102 Жыл бұрын
Maks you think what we don't know.
@mrdan2898 Жыл бұрын
I fully agree with you.
@DaProfessional Жыл бұрын
1:20 There's a faster way if you already know the character's Unicode number. Type in 202E into notepad (or anywhere else) and press Alt + X. This will convert it to the unicode character. If you hit Alt + X again it will revert it back. Although the "reverting to number" part doesn't work for letters from A to F because they can already be considered to be hexdecimal numbers.
@ThioJoe Жыл бұрын
Very cool tip, I had no idea that was possible
@Elementening Жыл бұрын
doesnt work for me.
@QuantumScratcher Жыл бұрын
@@Elementening probably a Windows 11-only feature
@DaProfessional Жыл бұрын
@@QuantumScratcher As far as I know this feature has been around for a long time, maybe since Win XP. But I also know that Notepad can be a bit buggy when it comes to "Alt magic". Try it in Word, hopefully it will work there.
@detocquevi11e Жыл бұрын
@@QuantumScratcher good call - works on my Win11, but not Win10 computer.
@Amonimus Жыл бұрын
I think the simplest trick is to just rightclick and check properties, as it tells it's an executable. Or hovering over it.
@justsomeguywithoutamustang6436 Жыл бұрын
hmm.. well if it's a zero day exploit, just merely right-clicking on it would still have you doomed.
@Nickwilde7755 Жыл бұрын
Or use the details view and see it label it as an executable
@theguyfromsaturn Жыл бұрын
A better trick would be for the OS NOT to use the extension to identify executables. Seriously, it's not the 1980s anymore.
@erwinmatys Жыл бұрын
@@justsomeguywithoutamustang6436 if you are targeted with 0-days you have bigger problems to worry about
@rany0 Жыл бұрын
@@theguyfromsaturn That doesn't fix anything. It is still going to execute. Anyway opening a file to read the magic number and then figure out the file type is crazy inefficient so that's why file exts are the norm; just imagine this happening on a folder with many files...
@Exachad Жыл бұрын
Just make sure your download folder's view style is set to Details mode. That way, you can see what type of file it is from the Type section. People should do this by default for a couple of reasons, anyway. First, some file names are too long to see the extension by default, so this is actually even easier. Second, the download folders is usually way too disorganised to to have large chunky icons like a Desktop. Third, the "Details" view has way more useful information like the Date Modified time stamp and size for easy location of files and deleting large files. I'm pretty sure Windows already sets the Downloads folder this way by default, anyway.
@bwcbiz Жыл бұрын
A useful suggestion, but details view shouldn't be "just" your only checkpoint before opening a file.
@wizrom3046 Жыл бұрын
And have files ORDERED by type (extension). All the .exe files will be grouped together.
@legionofanon Жыл бұрын
Fair point about the downloads folder, however I never use it. I always use save as and either save to desktop or save it directly to where it will live the rest of the time I own the computer. I only dislike using the downloads folder cause it turns into an out of sight out of mind sorting system, and I cant deal with that
@AlDunbar 11 ай бұрын
@@legionofanonI often redirect downloaded files as you suggest. But sometimes a duplicate copy exists also in the downloaded folder...
@DeepThinker193 Жыл бұрын
10/10 The IT department footage is the most accurate depiction of what we do that I've ever seen in my entire life.
@teemumiettinen7250 Жыл бұрын
Exatcly, I was like "Has this guy been spying on me at work?"
@pchris6662 Жыл бұрын
I’ve been working with pcs since the stone ages of DOS and I suspected something like this was behind some of the weird attachments I’ve seen, but didn’t get it until your vid. Thx. I’ve been raging at Microsoft for years for hiding file extensions and not just forcing users to understand what they are and how they work. It’s a simple concept and there’s no reason any pc user couldn’t learn it, but when you try to make things idiot proof, all you do is turn your users into idiots because they never learn the basics. Today I see so many users that don’t know the difference between a shortcut, and a folder, and a zip archive because they have all been confusingly glossed over and never taught to users. Good vid! I recommend!
@mick-berry5331 Жыл бұрын
Couldn't have said it better! That's why I hated Windows when it first came out. Because it hid everything going on behind a colorful GUI. I think it still lacks a 'programming mode' to this day.
@Bayonet1809 Жыл бұрын
Mac OS is no better in this regard. Finder is so information sparse by default.
@DatBoi_TheGudBIAS Жыл бұрын
Idk the difference betwen them 💀 All I know is Dat zip is compacted and shortcuts are, well, shortcuts
@November 4 ай бұрын
"when you try to make things idiot proof, all you do is turn your users into idiots" is a quote to be remembered
@pchris6662 4 ай бұрын
@@November The way I heard it. If you make something idiot proof, they will just invent a better idiot next year.
@Terraphice Жыл бұрын
I will say, Windows Defender/Security does detect this if you try and spoof another extension. That can be gotten around with spaces in the file name, Cyrillic characters/other look-alike characters, etc; but... it does at least try to stop this from harming you most of the time.
@SamsterBirdies Жыл бұрын
yea i just tried making one to test and couldnt run the file i just created.
@Terraphice Жыл бұрын
@@SamsterBirdies You can get around it by naming the file using Cyrillic or other lookalike characters for the fake extension, just to re-affirm that.
@cjcoleman8525 Жыл бұрын
@@Terraphice how do you get around it
@Terraphice Жыл бұрын
@@cjcoleman8525 Look up lookalike Unicode alphabet characters and replace one of the letters in an extension with a lookalike.
@xdesertx Жыл бұрын
@@SamsterBirdies I also couldnt run the program. I think windows prevents to run all .exe files where this right to left unicode is used
@LonelyAncient Жыл бұрын
another simple way to spot it is to use detail view. it shows the extension correctly there.
@I.____.....__...__ Жыл бұрын
What version of Windows are you talking about? Maybe Windows 11 File Explorer has broken Unicode filenames. 🤔 (Also, it doesn't show it if extensions are hidden.)
@honeypeadigital Жыл бұрын
@@I.____.....__...__ it works for Win 11 as well. What he means is instead of “small icons/ large icons” etc under the view setting, change it to “Detail”. The default columns are “Name, Date Modified, Type” etc. “Type” would show what the file is. So it would show “Windows Batch File” for example, irrespective of file extension being hidden.
@ADeeSHUPA Жыл бұрын
@@honeypeadigital あっぷ
@Bayonet1809 Жыл бұрын
I already use detail view because I like to be able to quickly sort files by date/type/size, so knowing that the file extension may be lying, but the "Type" field is not will make me rely on that column even more.
@AltonV Жыл бұрын
@@Bayonet1809 the only time where I would use another view other than detail is when browsing folders with pictures
@HazexDimond Жыл бұрын
insane this is allowed to happen man keeping folder view on detail & showing "file type" off to the right as a column might help, i usually glance at that to be sure of what im clicking on
@nullptr. Жыл бұрын
Yeah my file explorer defaults to details view, but you might have a usb drive full with pictures and documents, in which case the large icons view is more convenient for image previews, so the trick could work. Realistically anyone who might be affected by this should have all Windows Defender features on, so SmartScreen will alert them about executing an unknown file, even if not detected as a virus you'd immediately know it's an executable.
@I.____.....__...__ Жыл бұрын
What's insane about it? These are the sorts of problems that come up when trying to accommodate things like other languages, which of course, can't be just ignored. What's insane is that it took as long as it did for the Unicode Consortium to be established (1991) to standardize this sort of stuff, causing all the other countries in the world to have to hack bespoke and incompatible systems back in the day. That's why things are a hodgepodge mess now.
@HazexDimond Жыл бұрын
youd imagine that its possible for windows to just print "&rlm" by default if youre using a system locale that doesn't use these types of characters or formats hasnt been a problem in web browsers for a while right?
@theAcum Жыл бұрын
Windows should really really implement a special icon that indicate a file is a executable. Like how shortcut have a arrow pointing at it on the bottom right.
@sexygeek8996 Жыл бұрын
The "EXE" extension should be sufficient if they stop allowing "hide extensions" and disable things like the override described in this video.
@theAcum Жыл бұрын
@@sexygeek8996 I'm taking about people who aren't computer literate enough to recognize it. Most of my friends don't know how to enable extensions and those that do would click on the exe anyway because they saw a Word icon.
@sexygeek8996 Жыл бұрын
@@theAcum Hide extensions should be disabled by default and there shouldn't even be an option to enable it. Those oddball features to manipulate the display of filenames should be disabled by default unless the computer is configured for a language that requires the feature. If the extension is EXE then there shouldn't be any way to display a different icon.
@Korbus_Corax Жыл бұрын
@@sexygeek8996 That is just not inclusive enough.
@sexygeek8996 Жыл бұрын
@@Korbus_Corax Why is that? I said the feature should only be enabled if the system is configured for a language that needs it. There are way too many features nowadays and they cause a lot of security problems.
@-DeeKay- Жыл бұрын
Wow, that's rad. I work in the IT industry and actually have a good knowledge. But this was completely new to me that there are Unicode characters with this effect. Thanks for the education! So many won't know that, let alone non-IT people out there.
@aliramezani103 Жыл бұрын
as an IT Admin, I always use the windows sandbox to open files that I don't trust or generally download from the internet from an untrusted source! : )
@BandenIndarys Жыл бұрын
This is one of the reasons why you should always disable the "Hide extentions for known file types" in Folder Options.
@clickrick Жыл бұрын
An option which is phrased in the negative, itself a very poor design choice.
@BandenIndarys Жыл бұрын
@@clickrick This obsolete feature goes back all the way to Windows 95. It's hard to imagine that it has remained in Windows for over 2 decades.
@networkedperson Жыл бұрын
You could also just use a real operating system instead of using Windows.
@chrisdawson1776 Жыл бұрын
@@networkedpersonYou could also get some maidens and stop being a geek
@networkedperson Жыл бұрын
@@chrisdawson1776 lol, hating on new technology with your 1776 moniker and your Ben Garrison picture. Let me guess, you also hate desegregation and anti-monopoly anti-wealth-hoarding laws...
@davidpayne9172 Жыл бұрын
Yeah this is a very old trick. Most people are not aware is this. I have used this trick for saving certain things and then renaming it when I needed it. Yes virus can hide in there but a there are ways that you can find them too. Or even prevent this from happening. Great video.
@sherif191 Жыл бұрын
You can create a hidden character rtl:rctrl+rshift and ltr:lctrl+lshift it’s commonly used with bilingual users who type rtl languages. This isnt override character tho, the normal rtl switch flips the orientation of the text box you’re typing into, usually causes issues when adding ltr numbers(or brackets)into an rtl text.
@BakrAli10 Жыл бұрын
bookmark comment later
@Dimensions899 10 ай бұрын
what is the rtl i know rctrl is right ctrl but i havw no ide what the rtl key is my oly guess could be tab lock but i dont think that key would ever have a major purpose so no sense in makeing it
@gFamWeb Жыл бұрын
I knew of that Unicode character but I didn't realize it could be used in this manner! Feels like an oversight for Windows Explorer to support that behavior in these cases, but I know it's difficult to determine if it's being used legitimately or not. To note: legitimate use cases would be files that includes both Latin characters (A-Z) and characters from a language that is written right to left. Whether there'd ever be an executable like that, I'm not sure.
@guiorgy Жыл бұрын
Still, the file extension should be special, ignore that character and stay at the end NO MATTER WHAT
@gFamWeb Жыл бұрын
@@guiorgy I would definitely agree with that. Unfortunately, Windows is based on very old technology and a filesystem that doesn't consider extensions "special" and just considers them part of the filename (I'm assuming, based on how it handles this). A fix might be to take whatever code Windows uses to determine what to hide via "hide file extensions" and just always display that set of characters at the end. Not sure if that would break other things though.
@jort93z Жыл бұрын
@@gFamWeb yup, you are correct. In ntfs, file extensions are just considered part of the file name, and file type is derived from the filename. Most modern file systems work differently.
@GYTCommnts Жыл бұрын
@@guiorgy EXACTLY!!!!!!!!! Finally someone!!!!!!!!!!
@GYTCommnts Жыл бұрын
@@gFamWeb Well, if there is a way to update this without breaking compatibility, extensions should be an operating system thing. So should be the last after the last dot, as said: NO MATTER WHAT!!!!!!!!! 😅
@georgehelyar Жыл бұрын
Fun fact: the maddening invisible character in the view certificate window (until it was finally fixed a couple of years ago) that is bound to have caught out anyone who ever tried to copy a certificate thumbprint was a LTR character.
@fss1704 Жыл бұрын
explain
@georgehelyar Жыл бұрын
@@fss1704 if you ever needed to copy some details of a cryptographic certificate, you could view the certificate from Windows, then look at properties like its thumbprint, but the text box that showed those details had a unicode left to right character at the start of it, so when you try to e.g. copy that thumbprint to a configuration file, you would accidentally copy the LTR character and whatever software you were configuring would not accept it, but because it's a zero width character it's hard to track down the problem, because it's invisible.
@Y2B123 11 ай бұрын
What? That’s insane, lol. My trust in Windows’ ability to manage my certificates has decreased.
@ae_us_1334 Жыл бұрын
Thank you for explaining things as simple as possible. I always learn something new from your YT videos. Simple, short, and informative 👌
@ae_us_1334 Жыл бұрын
And it's actually one of a few channels I have notifications turned on.
@davinp Жыл бұрын
Wow, I didn't know about this. I don't know why Microsoft chose to make file extensions turned off by default. I agree that it should be turned on, but people who are not very computer savvy wouldn't know to turn it on. This setting has been like this for a very long time
@clickrick Жыл бұрын
Indeed, probably the single worst decision in terms of making users more vulnerable to attack.
@MeongMeongMeow Жыл бұрын
I think file extensions should have a neutralizing unicode character when displayed in Windows Explorer / force to be put at the back / front depending on Windows localization settings. Not sure why it wasn't implemented.
@wyterabitt2149 Жыл бұрын
It's because normal users don't know about them at all and ignore it. It both wouldn't help those users anyway, and also lead to them renaming files and screwing up the file extension when they do it.
@THE-X-Force Жыл бұрын
I have been building and using computers since my C-64 and this is absolutely astonishing. No matter how much you think you know, you can never know it all. Thaks very much Thio for this valuable information!
@krisr3868 Жыл бұрын
I knew that one (because I work in IT security, and we've specifically dealt with malware campaigns using that trick). Good to see you're bringing attention to it.
@bobblum5973 Жыл бұрын
This brings back memories of using ASCII control codes on character-based ANSI terminals like the Digital Equipment Corp. (DEC) VT-100, VT-220 and later models. You could embed backspace or cursor movement characters within text so regular characters would be sent, but then the cursor could be repositioned, and new characters would overwrite the old so you wouldn't see them. Or special escape codes to control terminal functions, like putting the terminal into its self-test loop that required power cycling to get out of it. 🙂
@ThatsNotMyRealName-jx7bs Жыл бұрын
Dude! Never heard of that one until now, and that seems like a serious security issue to me. Thanks for keeping us informed!
@TheTimebreaker Жыл бұрын
I tested this on a file on my pc and i think i may have found something that could help here: If youre not sure whether or not a file is legit or not, try renaming the file and go through the characters with the arrow keys. Not only will the cursor start at funky locations, but it will also jump through the name, as it works through the chars. Also, in my case the blue marker for selected text didnt select the extension, which in this case was right in the middle of the displayed text. Also, you can copy the filename and paste it into notepad, limit the charset to ansii and then see some broken mess if a unicode symbol was used. Although this only tells you THAT a unicode char was in there, not which one. But i think there are online sites that do that for you, usually for detecting email adresses that look legit but are using characters that look similar to normal characters, but arent.
@Formalec Жыл бұрын
Not a very good fix. Still wastes time having to use rename and slowly step through the name and prone to being forgotten.
@2ahmad_ 5 ай бұрын
Well I'm a trilingual person (I speak Arabic, English, Turkish) Arabic script and Old Turkish script is RTL while the New Turkish script and English is obviously LTL Blocking RTL would limit my uses of the laptop as I use all the languages on my laptop. We need a way for Microsoft to to warn users I think a good way is showing a prompt to the user the first time he opens an executable even if it does not have admin rights
@Halolalol Жыл бұрын
Yes, I have already heard of this a few years ago, but back then I didn't thought about how that could also be applied to filetypes other than .exe, and this Video probably helped me to be even more careful with suspicious looking files in the future.
@GeneSavage Жыл бұрын
You got me; I'd NEVER heard about this. Amazing!! I'm sharing this far and wide as a warning. Thank you!
@ItzWolfy247 Жыл бұрын
( 0:58 ) to my knowledge this character can be use to put your KZfaq verification tick (Thing) in to middle of the username Pretty cool stuff
@ThioJoe Жыл бұрын
Very interesting
@ItzWolfy247 Жыл бұрын
@@ThioJoe you have a verification mark you cloud try it
@kush5723653 Жыл бұрын
I do one more thing, I use list view/details view and categories/display file types, this helps to push suspicious files in categories like application or vb script etc thus preventing accidentally mistaking it for a harmless document or any other file.
@solamente Жыл бұрын
Clever trick. You did a great job explaining this. Glad I use the Details view.
@_SebJ1000 Жыл бұрын
Really interesting to learn, thanks ThioJoe!
@NightW3VL Жыл бұрын
I didn’t even know that there is a character that can reverse text like that on a file name. I’ll definitely be more careful when viewing files on my computer. Thanks for the info!
@JakHart Жыл бұрын
Wow. This brings up some memories. Using this trick, I made three batch files. Any of the three would open, execute its program, which was to open the other two upon close. Obviously, when you closed it, it would open the two other files, close one of them, another two. A fun little Hydra, makes you restart your computer, pretty harmless. At this point though, we had been tricking each other (I was in a class of folks learning all sorts of network related things) with .bat files for a bit, and I had discovered this to hide my files in plain sight. It was perfect for my little Hydra. Thanks for bringing up some memories, and making me feel old, this was back in '04. (I'm 36).
@garrettjones7837 Жыл бұрын
It's good to see your channel still doing well, I haven't seen anything since the days of charging phones in the microwave and reading hate comments, I didn't even think your channel existed anymore, but I'm glad it does
@OhSoUnicornly Жыл бұрын
I love how you show what you searched to get the stock footage, that's really interesting to me!
@bernie2237 Жыл бұрын
Even as an engineer, I wasn't knowing this. Thanks a lot for the knowledge you share
@anon_y_mousse Жыл бұрын
This is why we should sanitize our filenames. I don't know if rename can handle invisible Unicode characters, but if not then this might be a place where someone could fill a gap with a nifty utility.
@trueriver1950 11 ай бұрын
What a great app to use as a Trojan to achieve two things: allow your own hacks through but deny any others, to gain an advantage over other state actors....
@atquoc2721 11 ай бұрын
I think the "File type" column should help a lot in this case. You will see something wrong right away if the extension doesn't match the filetype.
@snarkfinder2621 Жыл бұрын
I think that this may have been the most important video I have watched for a while. Thanks for the heads up.
@IsfarTausif Жыл бұрын
When it could even fool the Guru himself, you know it's real shiz
@smiles-channel Жыл бұрын
Honestly, Windows should add something similar to the Linux/Unix executable file permission thing, so like by default files you download from the internet can't be executed unless you edit their permissions, this would prevent this and all the other filename tricks. Or, they could add a thing to the file explorer that prompts you if you want to execute the file when double clicking on it if it is an executable, similar to what KDE's file manager does
@lumer2b Жыл бұрын
It already does that for files downloaded from the Internet
@Bayonet1809 Жыл бұрын
The second option is better, as I would hate having to take the extra step of editing permissions for an executable.
@littlered6340 Жыл бұрын
@@lumer2b yeah the problem moreso there is that people tend to automatically click through those prompts. While the first suggestion prevents that, it's a hassle to users in the cases where it's unnecessary. It's difficult to balance the two.
@margen2452 Жыл бұрын
It already does
@shinichixx 5 ай бұрын
i learnt about cyber security from you more than my IT department ever did. and that is coming from the company with big emphasise on cyber security, with weekly elearning/module/compulsory assessment on cyber security
@AC-98 Жыл бұрын
Good Video as always. I have few custom file icon (for txt and video files) so at least i would see a difference immediately.
@muffies Жыл бұрын
Idk Windows still have that disabled by default lol, by experience they already shoulve lmao. The weird RTLO character should'nt be shown and the file extension should ALWAYS be placed at the end of the file, disregarding any text thingy which pushes it forward
@Enygmate Жыл бұрын
I've used this character so much that when you revealed file extensions i knew exactly what it was, never thought of using it this way though unless you directly share it from a usb stick or something, most CDNs will just change the name formatting or just completely deny uploading (i believe Discord denies the upload)
@kaiduwu Жыл бұрын
Discord renames it
@emmanuelmgbemena Жыл бұрын
If it is not zipped. If it is zipped which it is mostly zipped. Then it will be dangerous.
@kaiduwu Жыл бұрын
@@emmanuelmgbemena yes, I already know this. But if someone opens the folder with a program like winrar or 7zip (more common than you think), the zip is rendered completely useless, as rtlo is not rendered "properly" there
@crocodiledondii Жыл бұрын
Thank you ThioJoe. Very interesting, informative, and educational
@AldoEliacim Жыл бұрын
I can see how this would've fooled me too, so useful thank you! You truly brought your channel the other way around since free wifi upgrades haha
@Mikeuyz Жыл бұрын
Very dangerous. Microsoft should patch this straight away. But that will never happen. Cheers for sharing!
@austinpowell1883 4 ай бұрын
As of jan2024 it wont work for me so seems fixed
@EnderKill98 Жыл бұрын
I saw a german video about this exact thing by SemperVideo like 10 years ago. How could microsoft not have fixes this in that long time? Seems like a pretty serious issue to me.
@Articulate99 Жыл бұрын
Always informative, thanks.
@Joao-uj9km Жыл бұрын
Great vid, learned something today :D ty so much!!
@jetseverschuren Жыл бұрын
This is why files shouldn't be automatically executable based on file extension. On Linux you first need to explicitly mark a file as executable
@wyterabitt2149 Жыл бұрын
It doesn't just run on Windows, it brings up the do you want to run the executable dialogue.
@jordanwardle11 Жыл бұрын
That's would break one thing that windows has over Linux, ease of use
@jetseverschuren Жыл бұрын
@@jordanwardle11 so, how often do you need to execute randomly downloaded executable files that aren't installers? On linux we don't execute installers, but instead feed them to the central system installer, where it can be centrally tracked (and also uninstalled). So the amount of cases where this would add two more clicks, is almost none. (I'd even argue that for installers Linux's approach is more user friendly). I think that's a fair price to pay for anyone to prevent a huge swath of dumb viruses
@trueriver1950 Жыл бұрын
@@jordanwardle11 true. But almost all the Microsoft created security holes in our computers were put there to make things easier to use. It's easier to not bother locking the door when you leave the house, and makes it easier when you come home as well. But anyone spot the drawback?
@brianwest2775 Жыл бұрын
This is NUTS! Windows should be updated to always show the extension last! I assume that Windows uses simple concatenation to display the filename but it should always resolve the filename first and then add the file extension. Like brackets in math. (I assume that for right to left user, they display the extension first but the same point applies.)
@JohnSmith-xq1pz Жыл бұрын
Everybody is gangster until ThioJoe logs in
@realhumanist71 Жыл бұрын
Fascinating. While I mainly just use Windows for playing games, I can see this tricking a lot of users, even the more sophisticated ones.
@mafriese5 Жыл бұрын
This is really interesting to see because I remember that I saw videos in 2015 of malware exploiting this. I thought that Microsoft would have worked on the issue since then but seems to not be the case! It would be interesting to see if you could bypass certain file checks using this method
@HuskyNET Жыл бұрын
I read about it on a German computer news site (heise online, article „Täuschende Dateinamen unter Vista“) in 2007 (!) a couple months after Windows Vista was released. Because Vista was the first Windows version vulnerable to this trick; XP doesn’t interpret the RTL characters.
@mafriese5 Жыл бұрын
@@HuskyNET I remember the video from Sempervideo - In the video they had the example "sexy-hexe.pdf" :D - seems like they took it down but you can find a mirror if you search for "Demo-RTLO-Angriff-auf-Windows-fuehrt-auch-aufmerksame-Nutzer-hinters-Licht" - the winfuture site actually has the removed youtube video :D
@charleshines7282 Жыл бұрын
It would be interesting to see which antivirus software looks for that in the names of files or their extenstions. Also Windows should treat that like a special character and not allow it to be used in file names. It could also automatically change that to something that renders the exe extension harmless if that character is anywhere in the file name. Also in the future Windows could alert us to suspicious file names. One more thing they can do is force extensions to be revealed for a file that has any of those characters in the name whether you wanted to see extensions or not and refuse to run it, warning you about the file every time.
@rfdiego777 Жыл бұрын
funky stuff, I would never had any idea, thanks!
@jmsether Жыл бұрын
I was actually familiar with this trick as I've used it a few times for some fun and pranks. Great way to code a jump scare and hide it as an image.
@kaiduwu Жыл бұрын
Same! I used it once to get access to a scammers computer!
@jmsether Жыл бұрын
@@kaiduwu that's what I'm talking about. Some Gigachad stuff over here.
@kaiduwu Жыл бұрын
@@jmsether may I have your discord? I'd love to show you a similar trick that's a lot easier to share the files of over the web, though it is a bit easier to tell the file extension is faked if you know what to look for
@RickyTickyTshirt Жыл бұрын
Well thanks…. looks in part on how Paul Hibbard may have got hit. I can remember the days when .scr files were rampant with malware before AV became the must have
@miguelguthridge Жыл бұрын
Another good strategy to avoid this is to open downloaded documents in the right program directly (eg open up Word and find the file from its file picker). That way it doesn't show any incompatible files. Obviously beware of things like macros regardless.
@syriuszb8611 Жыл бұрын
OS should show all executable types with additional sign on icon just like with the shortcut. That way, no matter the icon or name, it would be obvious from the start.
@futuza Жыл бұрын
This is a pretty neat trick, I knew this existed, but never thought about using it to try to obfuscate a file extension this way.
@OzoneGrif Жыл бұрын
Wow, thanks for sharing this information; this is a major security flaw! I hope Antivirus companies will do something to protect users against files with UTF characters.
@robhulluk Жыл бұрын
A simple way to avoid this when opening an unknown file to always right click and choose "open with" and the relevant program. So if it is a fake DOCX file and you choose "Open with Microsoft Word" , it would try to open the EXE file in Word, which might fail, but it doesn't matter, it just won't launch the file.
@ZipplyZane Жыл бұрын
Or just open the file from the Open command in the program itself, not by running it on the Desktop.
@sexygeek8996 Жыл бұрын
The whole concept of "opening" a file by double-clicking it was a bad idea from the start. Some naive users might have liked it but it was never worth all the problems it caused.
@Formalec Жыл бұрын
@@ZipplyZaneYeah but that and all other workarounds that is not "explorer view" costs some time. Safety has a price. Not much but still. Some programs might have bad file selectors.
@Formalec Жыл бұрын
I think Tiles view is a workaround that doesn't sacrifices too much. Guess one needs to use that or simply toggle between views.
@samuelthecamel Жыл бұрын
On Windows, if you use the "tiles" view in file explorer, it will tell you what type of file it really is off to the right
@rany0 Жыл бұрын
Your new channel is pretty good! I remember viewing your channel back when it was mostly pranks and parody, but I like this more informative channel a lot more, nice change!
@ttkftykyfts Жыл бұрын
new? lol. Yes I too remember the pranks and stuff he did way back. But this type of content he's doing now isn't exactly new either. :D
@rany0 Жыл бұрын
@@ttkftykyfts well, I didn't expect him to be that knowledgeable. His parodies I think cheapened his more serious content, it's good that he got rid of them.
@Zark-Muckerberg Жыл бұрын
This is still the same channel. He just switched to actual helpful IT tips rather than joke videos.
@TheMasterOfSafari Жыл бұрын
I've known about the character, but never knew it could be used like this! Thanks for saving us 😅
@nkronert Жыл бұрын
Could this same trick be used on URLs in the browser? If it is possible to swap characters in the domain name, you can be redirected to a malignant site even after checking the URL for easy to miss variations such as "m" being replaced by "rn".
@knghtbrd Жыл бұрын
I could've guessed there were RTL shenanigans the moment you showed extensions and .exe appeared in the middle of the filename. But I'm somewhat used to unicode shenanigans because I spend time thinking about how to render the text "as intended". That's nasty and gonna bite a lot of people! Might've bitten me if I hadn't just dealt with RTL stuff just a few weeks ago! 😬
@mind.journey Жыл бұрын
What if it was written as ReadmeXE.docx?
@syedirfanahmad9626 Жыл бұрын
A complicated topic explained very nicely and effectively. 👍👍 for this
@Eyoldaith Жыл бұрын
Set the Downloads folder (or whatever folder you normally download files to) to show details instead of icons and enable the Type column if it isn't already. You will now see a description of the file type on the right.
@finnchillah3974 Жыл бұрын
as soon as he said "i guarantee you're wrong" at the start, i was like "that's gotta be the unicode reverse thing, right?" and as soon as he said it was using an invisible character i was like " C A L L E D I T "
@HuskyNET Жыл бұрын
I feel like I just want to show off, but I paused the video before he gave the answer and thought about it and that was the only thing that I could come up with on how to do it, because Windows shows this file as an executable. However, I would have assumed that Microsoft had prevented this security flaw long ago, because this was already in the news during Windows Vista times.
@inx1819 Жыл бұрын
i thought its too obvious that it's just a hidden file extension so I put my bet on weird unicode magic and I was right lol
@JojOatXGME Жыл бұрын
There was also a time back in the days when a lot of people here (without technical background) used special Unicode characters on Facebook to cause all kinds of strange effects. I think I have also seen something similar on Twitter once. Not sure if this is still a thing.^^
@TheJoshShephard Жыл бұрын
The Twitter thing was recently covered by David Bombal and TheXSSRat I think? He used a script in a tweet and I forget what it caused. But it made it retweet itself through people who saw it it think? Or something silly. But stuff like that is always interesting to see!
@Joooooooooooosh Жыл бұрын
@@TheJoshShephard That was in 2014, but it was more due to a bug in Tweetdeck that for some inexplicable reason, they used the heart emoji to indicate preceding text was to be rendered as HTML.
@TheJoshShephard Жыл бұрын
@@Joooooooooooosh noted! My memory is a little fuzzy. So I forgot some specifics. So thanks for the clarification!
@vladislavkaras491 8 ай бұрын
Darn... Never heard of such things! Thanks for the video!
@compiling Жыл бұрын
Wow. I knew about the unicode RTL character, but didn't know windows supports it in filenames. Thanks for the heads up. The type field in the details view is a bit harder to fool, so I'm going to start using that more, in addition to checking the extension.
@tonymouannes Жыл бұрын
File names can include right to left script from other languages, but I don't know if that needs the rtl character. The biggest issue is that operating systems like to hide extension information and love to make it easy for software to auto-run. Every time I get a new computer I need to spend time fixing those issues to improve safety.
@erutuon Жыл бұрын
Right-to-left text doesn't need the right-to-left override character in a proper text rendering engine, but right-to-left text in the middle of left-to-right text might need the right-to-left embed character before it and the pop directional formatting character after it if there are directionally ambiguous characters (like ASCII numbers and punctuation) around the right-to-left text that need to display right-to-left. For instance if there is English text, Arabic text beginning with a quotation mark and followed by a period and quotation mark, and more English text, it is probably a quotation containing a period and you would want a RLE character after the opening quotation mark and a PDF character before the closing quotation mark. That makes the period behave like a right-to-left character and display to the left of the Arabic text rather than to the right. In HTML, it's best to omit the invisible characters and use CSS (unicode-bidi: embed; direction: rtl;) equivalent to the RLE and PDF characters.
@dancoulson6579 Жыл бұрын
I'm going to guess the culprit is that the administrators failed to disable the GPO which hides known file extensions. It's a very dangerous setting and should be disabled by default in my opinion. EDIT: Wow, I was completely wrong. I would never have guessed that in a million years. And I hate to admit it, but I would have opened that word document without hesitation. From now on, I'll certainly be more cautious. I wonder if there's some way I can implement a GPO setting from the domain controller to prohibit these characters being used as file names. Or perhaps I can create some software that would scan for files containing this character in their name, make a record of the original file name, and move the file to a different directory. A placeholder file could the be put in its place. When you run the placeholder file, the software runs and warns you about the file, and still gives you the option to restore it. Though it's only a passive process... If the file was opened before the scanner had a chance to find it, it would have no effect.
@GanciEnglishIdioms Жыл бұрын
This was absolutely fascinating!
@HeleneLogan Жыл бұрын
Loved ‘extremely realistic depiction of an IT department’-🤘🏻🤘🏻🤘🏻🤣🤣🤣 Great info, thanks as always!
@anothermartz Жыл бұрын
Usually when you hit F2 to rename a file, it doesn't include the extension. Could this be a quick and easy way to check a new file before opening it?
@plashplash-fg6hd Жыл бұрын
There is also a now patched exploit in Microsoft Office where a document can launch any executable and I thought this video was going to be about that.
@CHETAN_I_007 Жыл бұрын
Ya but in this the exe is running. Which can me made to make a docx open in word and keep doing its work in background.
@bazoo513 Жыл бұрын
This is an advanced version of a prank I played on nocives in the old days of ASCII terminals on Unix, DEC RSX orVMS, or HP-RTE systems. Neat.
@Lampe2020 Жыл бұрын
2:04 In Linux (Ubuntu Unity 22.04) the text cursor is where you type after the RTL character, in Windows 11 the cursor is on the right so you can't even reliably see where the next typed character will show up... Only after a space character does it jump to the right, but after a printed character it is where the next letter will show up. How ty type in reverse in Linux: Ctrl+Shift+u, let go then type 202e followed by Enter. That's how easy it is. And to type the right way around again, just use the U+200E character.
@CHETAN_I_007 Жыл бұрын
I remember learning this when I was learning ethical hacking. And mark my words most of the KZfaqres who got hacked was due to this.
@krishcshah Жыл бұрын
That is really really smart. I can see myself falling for this too.
@PeaceOfThePuzzleGaming Жыл бұрын
Actually learnt something new - I could have fallen for this too. Thanks for making the awareness vid.
@leandrotami Жыл бұрын
quite ingenious! unicode did open the door for many security concerns, such as character that look like standard roman characters in URLs and stuff like that.
@RobBulmahn Жыл бұрын
I wasn't aware of this trick, but at the same time I don't think I would have fallen for it, because I always make sure "Show File Extensions" is enabled (no idea why MS disables that by default), and seeing "Test.exe.docx" would still set off alarm bells in my head, even if the "exe" wasn't at the very end.
@moncefbkb9353 Жыл бұрын
True but what if the name of the file was "annexe.docx", then you wouldn't find the "exe" part weird as an experienced user, and for standard users, they would still click on "ann.docx" out of curiosity. Edit : I realized it'd say "anndocx" if we disable showing extensions, so the attack would only work if they know you have showing extensions enabled.
@RobBulmahn Жыл бұрын
@@moncefbkb9353 I still think that sort of thing would be weird, but I suppose it also depends on what type of files you expect to encounter. Regardless, I could easily see this tricking a lot of people. I just tend to be very suspicious of any attached files unless it's from someone I know and I'm explicitly expecting them to send something.
@JojOatXGME Жыл бұрын
What about “n1c DOT executivesummary DOT doc”? This is an example from a German news outlet which published an article about that in 2011. I used “ DOT ” instead of an actual dot to avoid KZfaq deleting the comment. The actual text would be “[RTLO]cod DOT yrammusevituc[LTRO]n1c[LTRO] DOT exe”.
@rd3l Жыл бұрын
why windows even displays filenames like that is beyond me
@araghon007 Жыл бұрын
Languages, man
@GYTCommnts Жыл бұрын
@@araghon007 File extensions should be left out of that... Or be the last thing after the last dot, no matter what and whatever direction.
@therandomdude2392 Жыл бұрын
I knew about the unicode character but I didn't know it can be used for something like file extensions, that is just wicked. This was taught to us, as well as some other unicode characters, as a side note by our professor in university and he just said that it was something cool but doesn't really have any real-life use.
@TheOnlyName Жыл бұрын
Super interesting! It's always fun playing around with obscure Unicode characters.
@TheOnlyName Жыл бұрын
Specifically, there's this zalgo-like Arabic character I found that breaks everything!
@klopferator Жыл бұрын
Very interesting, I knew about the unicode character, but didn't think it would be allowed in filenames. Wtf? Windows prevents you from having : or / in the filename, but allows non-printable characters?
@simontay4851 5 ай бұрын
You can't have \ or / in a file name because they are used for path names. C:\windows\system32 for example.
@knowwhey7559 Жыл бұрын
Yes, this is somewhat dangerous, but the file would mostly come to you as an email attachment. Your antivirus would warn you in the same way that it does for any other EXE.
@TheJoshShephard Жыл бұрын
Unfortunately not always the case. If something is configured correctly, it's possible to bypass virus detection software in various ways. If it's not an email attachment, it's via a link. And may bypass detection because of file size or something else. Paul Hibbert had this happen via a fake sponsor and a fake pdf file. Then with most KZfaqrs. The malware is being packed in zip folder and auto downloading after being directed to a pdf with a script. The browser and virus detectors miss it. And if the person finds it and unpacks it, they usually run Redline Stealer and get their accounts and many other things hacked. Usually it's in the form of a WMG, UMG, Copyright claim or Strike. But unfortunately for Paul, it came in the form of a fake sponsor campaign
@DM8Mydog Жыл бұрын
it'd be in a .zip, .rar, .ace, .tgz ... most AVs *should* handle them fine, but I can imagine other scenarios that would be trickier. Like passworded zips - the con would be in convincing the victim that there was a legitimate need for the file to be password protected. and I can see my folks falling for this. Can't you?
@NonuGamezRobloxE Жыл бұрын
@@TheJoshShephard can i get some videos of this?
@thewelder3538 Жыл бұрын
With an executable, it's easy to change the icon as you can just embed it as a resource and Windows Explorer will use that icon to display the file, but with stuff like VBS scripts or images, you can't embed icons in them, so they should be easy to spot via their icon.
@langeludo Жыл бұрын
Filename still ends by the « .exe » or whatever extension to prevent opening those files you can: • Make a Mailflow policy / or server rule to block those messages (eg. Message whose attachment ends with…); • Or prevent their attachment to open via some kind of Microsoft Defender ASR rule (Attack Surface Reduction); Virus builders often also add enough spaces right after the right-to-left mark (RLM) in order for the extension not to be viewable even if file extension are set to be displayed… Try something like « hello.jpg[RLM][20 spaces].exe »…
The Linux Experiment
Рет қаралды 294 М.
Immersed
Рет қаралды 34 МЛН
notebook-31
Рет қаралды 87 М.
Раскосов - продвижение
Рет қаралды 2,4 МЛН