Spoof using right to left override (RTLO) technique 2023

This article explains file-name spoofing using the right-to-left override (RTLO) technique.

What is the right-to-left override (RTLO) spoofing technique?

In this article, we’ll learn about one of the most overlooked spoofing mechanisms, known as right-to-left override (RTLO).

What is RTLO?

Right-to-left override is a Unicode feature used mainly for writing and reading right-to-left scripts such as Arabic and Hebrew. Unicode has a special control character, U+202E, that tells a program to display the text that follows it in right-to-left order. This behaviour is abused to mask file names, typically in an attachment carried by an e-mail. Because the characters after the override are rendered in reverse order, the real extension can be pushed into the middle of the displayed name. For example, a file that appears as ThisIsRTLOfileexe.doc is actually ThisIsRTLOfiledoc.exe, an executable file with U+202E placed just before “doc”, so the user sees what looks like a Word document.


Although some e-mail applications and services that block executable attachments also block .exe programs obfuscated with this technique, many e-mail applications do not, or cannot reliably, scan archived and zipped documents, and files manipulated this way are in practice spammed out inside zip archives.

For example, let’s create a file named TestingRTLO[U+202E]xcod.txt. The U+202E character can be copied from the Character Map utility (charmap.exe) in Windows and pasted into the name. To confirm that the invisible character is really present, do the following:

  • Create a new text document, open its properties and note down its name.
  • Rename the file with the copied U+202E character inserted and observe how the displayed name changes.
  • The file TestingRTLO[U+202E]xcod.txt, with the character inserted, is displayed as TestingRTLOtxt.docx, although its real extension is still .txt.

File extension types that can be dangerous

The following list shows common file types that can be used to execute unwanted code on the system:

  • .bat
  • .exe
  • .cmd
  • .com
  • .lnk
  • .pif
  • .scr
  • .vb
  • .vbe
  • .vbs
  • .wsh
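To make the two preceding sections concrete, here is an added Python example (not code from the original article) that inspects a file name for Unicode bidi control characters, approximates the name a user would see, and compares the real extension against the article's list of dangerous types. The sample names are constructed: ThisIsRTLOfile[U+202E]cod.exe is the real name that renders as the article's ThisIsRTLOfileexe.doc, and pic.jpg.exe is the double-extension case from the remediation section. The rendering is a simplified model of the Unicode bidi algorithm (reverse everything after U+202E until U+202C), not a full implementation.

```python
"""RTLO filename spoofing detector (added example, not from the article)."""
import os
import sys
import unicodedata

# Unicode bidirectional control characters that can change how a name renders.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one the article describes; the others
# are its siblings and are reported for completeness.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Extensions from the article's list of file types that can execute code.
DANGEROUS_EXTENSIONS = frozenset({
    ".bat", ".exe", ".cmd", ".com", ".lnk", ".pif",
    ".scr", ".vb", ".vbe", ".vbs", ".wsh",
})


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware display shows for `name`.

    Simplified model: everything after a U+202E (RLO) is drawn reversed until
    a U+202C (PDF) or the end of the string; other controls are invisible.
    Real renderers run the full Unicode bidi algorithm, so treat this as an
    illustration of the effect rather than an exact rendering.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            segment = "".join(c for c in name[i + 1:end] if c not in BIDI_CONTROLS)
            out.append(segment[::-1])
            i = end + 1
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """Extension the operating system actually uses, with controls stripped."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def analyze_filename(name: str) -> dict:
    """Return a verdict for one file name."""
    controls = [(i, unicodedata.name(c), "U+%04X" % ord(c))
                for i, c in enumerate(name) if c in BIDI_CONTROLS]
    ext = real_extension(name)
    return {
        "real_name": name,
        "rendered": rendered_name(name),
        "real_extension": ext,
        "has_bidi_control": bool(controls),
        "controls": controls,
        "dangerous": ext in DANGEROUS_EXTENSIONS,
        # The RTLO trick proper: a hidden override AND an executable type.
        "suspicious": bool(controls) and ext in DANGEROUS_EXTENSIONS,
    }


def scan_directory(path: str) -> list:
    """Analyze every entry in a directory (for example a Downloads folder)
    and return only the suspicious ones."""
    return [r for r in (analyze_filename(n) for n in os.listdir(path))
            if r["suspicious"]]


# Constructed sample names (hypothetical). The second is the real name behind
# the article's displayed example ThisIsRTLOfileexe.doc.
SAMPLE_NAMES = [
    "TestingRTLO\u202excod.txt",
    "ThisIsRTLOfile\u202ecod.exe",
    "pic.jpg.exe",
    "report.pdf",
]

if __name__ == "__main__":
    results = (scan_directory(sys.argv[1]) if len(sys.argv) > 1
               else [analyze_filename(n) for n in SAMPLE_NAMES])
    for r in results:
        flag = ("SUSPICIOUS" if r["suspicious"]
                else "dangerous" if r["dangerous"] else "ok")
        print("%-10s shown as %-28r real ext %-6s %r"
              % (flag, r["rendered"], r["real_extension"], r["real_name"]))
```

Run without arguments to see the constructed samples, or pass a directory path to scan its entries; repr() is used when printing so the invisible U+202E shows up as an escape instead of silently re-rendering the name in the terminal. Only names that combine a bidi control with a dangerous extension are marked suspicious, since bidi controls on their own appear legitimately in right-to-left script file names.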

Remediation against RTLO

Although most endpoint security solutions, such as antivirus, detect this type of spoofing, and some IRC clients even change malicious links created this way back to their original form, many mail applications cannot, or cannot reliably, scan archived and zipped documents, so files manipulated this way are in practice spammed out inside zip archives. A prominent example is the use of the “Etumbot” backdoor. Some Windows features also help this type of attack: for example, Windows hides file extensions by default, and a malicious individual can set any icon they want for an .exe file. A file called pic.jpg.exe with a standard picture icon will look like a harmless picture under the Windows default settings.

Uncheck “Hide extensions for known file types” in the Explorer folder options and Windows will stop hiding extensions for known file types.

Another good approach is to make sure that the folder where downloads are saved has its view set to ‘Content’.

This will make sure that the files appear in their original form despite all the changes.
