
How the RLO unicode character is used by malware:

[...] This virus's file name is crafted in a way that PC users take it for a benign file from its appearance (mainly the file extension) and open it.

This virus falsifies its file name extension by using a Unicode control character, so that such a malignant file looks like a benign one. Unicode refers to a standard for consistent encoding, representation and handling of text expressed in languages in the world. Control characters are characters that are defined in a character code but are not displayed on the screen, and are used to control devices such as printers and communication devices.

The control character used by this virus is RLO (Right-to-Left Override). This control character is designed to reverse a character sequence from "left-to-right" to "right-to-left". This function is used by the people who want to read a language like Arabic that is read from right to left in reverse sequence (i.e., left-to-right), as they would in the case of Japanese and English.

- Summary of computer virus/unauthorized computer access incident report for October 2011. Information Technology Promotion Agency, Japan (IPA)

More info on bidirectional text at its Wikipedia article: Bidirectional text.

You can try this RLO character test webpage to see how the RLO character works. The RLO character is also already entered in the 'Input Test' field in that webpage. Try typing there and notice that the characters you're typing are coming out in their reverse orders (right-to-left, instead of left-to-right).

The RLO character can be specifically positioned in the filename to spoof or masquerade a file as having a filename or file extension that is different than what it actually has. (The real extension will still be hidden even if 'Hide extensions for known file types' is unchecked.)

As a security measure, what are ways to prevent files with the RLO Unicode character in their filenames from being written, read, or run?

My OS is Windows 7, but feel free to suggest solutions for other OSes too.

4 Answers


The Information Technology Promotion Agency, Japan (IPA) has advised configuring Local Security Policy settings to block files with the RLO character in their filenames from being run:

  • Open Local Security Policy (Start Menu → Run → secpol.msc).
  • Right-click "Software Restriction Policies" in the left pane of the window, and select "New Software Restriction Policy".
  • Right-click "Additional Rules" (under "Software Restriction Policies") and select "New Path Rule...".
  • In the "Path" box, enter two asterisks **, and put your cursor in between them.
  • Right-click there, and select "Insert Unicode control character".
  • Select "RLO Start of right-to-left override".
  • Make sure that "Disallowed" is selected under "Security Level".
  • Enter a description in the "Description" box so you will be able to tell later what this rule was about.
  • Click "Apply" or "OK".

You can also use the same method to create similar rules for other potentially dangerous Unicode bidirectional characters.


You could use Everything in combination with AutoHotkey to create an alert whenever a bidirectional text control character forms part of a filename.

The Script

; Message shown when a match is found
AlertText = A bidirectional text control character was detected in a filename.
AlertText = %AlertText%`n`nClick OK to re-hide the window.

; The seven bidirectional text control characters (LRM, RLM, LRE, RLE, PDF, LRO, RLO),
; joined with Everything's OR operator "|". Built with Chr() so the invisible
; characters need not be typed literally. Assumes the Unicode build of AutoHotkey.
Search := Chr(0x200E) "|" Chr(0x200F) "|" Chr(0x202A) "|" Chr(0x202B) "|" Chr(0x202C) "|" Chr(0x202D) "|" Chr(0x202E)

SetTitleMatchMode RegEx                 ; the StatusBarWait patterns below are regular expressions
DetectHiddenWindows, On                 ; keep controlling Everything after its window is hidden
EnvGet, ProgramFiles32, ProgramFiles

Start:
Run, %ProgramFiles32%\Everything\Everything.exe
WinWaitActive, Everything, , 5
if ErrorLevel                           ; window did not appear within 5 s, try again
    Goto Start
WinGet, Id, ID, A
StatusBarWait, objects, , 1, ahk_id %Id%  ; wait until the index is loaded
StatusBarGetText, Status, 1, ahk_id %Id%  ; remember the status text before searching
Backup := ClipboardAll                  ; preserve the user's clipboard
Clipboard := Search                     ; Unicode build: a plain assignment replaces Transform, Unicode
Send, ^v                                ; paste the search into Everything's search box
WinHide, ahk_id %Id%
Sleep, 100
Clipboard := Backup                     ; restore the user's clipboard
Backup =
StatusBarWait, ^(?!^\Q%Status%\E$)      ; wait until the status bar changes
Loop
{
    StatusBarWait, [1-9], , 1, ahk_id %Id%  ; any non-zero object count means a match
    IfWinNotExist, ahk_id %Id%
        Goto Start                      ; Everything was closed, relaunch it
    WinShow, ahk_id %Id%
    WinRestore, ahk_id %Id%
    MsgBox, %AlertText%
    WinHide, ahk_id %Id%
}

What it does

The script launches Everything and searches for all seven bidirectional text control characters (U+200E LRM, U+200F RLM, U+202A LRE, U+202B RLE, U+202C PDF, U+202D LRO and U+202E RLO; source), separated by |.

Then, the script hides the Everything window and monitors its status bar. When it contains any digit different from 0, a match has been found, the Everything window gets displayed and the following message box pops up:

A bidirectional text control character was detected in a filename.

Click OK to re-hide the window.

The script also relaunches Everything in case it gets closed.

How to use

  1. Download, install and launch Everything.

  2. Press Ctrl + P and switch to the Volumes tab.

    For all volumes that should be checked, enable Monitor changes.

  3. Download and install AutoHotkey.

  4. Save the above script as find-bidirectional-text-control-characters.ahk.

  5. Double-click the script to launch it.

  6. Create a shortcut to the script in your Startup folder.

Dennis
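A stand-alone version of the check the Everything/AutoHotkey script above performs, added here as an example (not part of Dennis's answer) so it can also be run on the other OSes the question mentions: it flags every filename containing a bidirectional control character and reports the extension the OS will act on next to the one the user sees. It goes beyond the seven characters above by also covering the isolate controls U+2066..U+2069; the function names and the simplified RLO rendering are mine.

```python
import os

# Unicode bidirectional controls: the classic seven (U+200E..U+202E) the thread
# discusses, plus the isolates U+2066..U+2069 added in Unicode 6.3.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM", "\u202a": "LRE", "\u202b": "RLE",
    "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def find_bidi_controls(name):
    """Return [(index, 'U+XXXX', short name)] for every bidi control in name."""
    return [(i, "U+%04X" % ord(c), BIDI_CONTROLS[c])
            for i, c in enumerate(name) if c in BIDI_CONTROLS]

def strip_bidi_controls(name):
    return "".join(c for c in name if c not in BIDI_CONTROLS)

def displayed_name(name):
    """Simplified rendering: text after an RLO appears reversed up to the next PDF
    or the end of the name. Enough to show the spoof; not the full bidi algorithm."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(strip_bidi_controls(name[i + 1:end])[::-1])
            i = end + 1
            continue
        if c not in BIDI_CONTROLS:
            out.append(c)
        i += 1
    return "".join(out)

def scan_names(names):
    """Flag names with bidi controls; compare the real extension with the one shown."""
    findings = []
    for n in names:
        hits = find_bidi_controls(n)
        if hits:
            shown = displayed_name(n)
            findings.append({"name": n, "controls": [h[2] for h in hits],
                             "displayed": shown,
                             "true_ext": os.path.splitext(strip_bidi_controls(n))[1].lower(),
                             "apparent_ext": os.path.splitext(shown)[1].lower()})
    return findings

def scan_dir(root):  # walk a tree and scan every file and directory name in it
    return scan_names(os.path.join(d, n) for d, ds, fs in os.walk(root) for n in ds + fs)
```

For a constructed name such as `"photo\u202egpj.exe"` the report shows `displayed` as `photoexe.jpg` with `apparent_ext` `.jpg` but `true_ext` `.exe`, which is exactly the mismatch the question describes.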

There are probably other ways, but the easiest - and yet not trivial - way is to implement a file system filter (or file system mini-filter) that filters these requests. In case of reading from such a file you could return STATUS_ACCESS_DENIED and when writing you shouldn't do anything but instead prevent such files from being created (likely also with the above error code) in the first place. Creation is another request type.

One can imagine other methods of achieving a similar result, such as SSDT hooking. But the only reliable way would be the above.

In order to do that you will have to get someone to write this kind of filter for you (relatively trivial for mini-filters for a kernel developer) and then sign it to get it through the kernel mode signing policy since Vista. If you don't want to do the latter you can still test-sign the driver binary and modify your boot options to allow test-signed content - thus compromising security of the respective system, though.

In the light of this information I would strongly advise you to make use of the solution that galacticninja and Tom Wijsman pointed out.

0xC0000022L

I don't think such a thing is available on the desktop, but you should be able to prevent such things being written to your fileserver(s):

Implementing File Screening in Windows Server 2003 R2

mmdemirbas
Adam Thompson