
There is no progress here
On the contrary: Feels like we're going backwards.
Spammers are writing emails backwards in an attempt to sneak past spam filters, security researcher Brian Bebeau has found. The pests were using left-to-right override code intended to facilitate the use of bi-direction text, such as a document that included English and Hebrew. The Trustwave researcher said the tactic had a …
For the love of God, don't give the shitheads that do this any ideas. I say this because your headline text is not only backwards, it is also upside down. That or I'm finally losing my mind.
Anyway, my point is if server side anti-phishing filters can't reliably figure out backwards writing, they'll never cope with backward AND upside down text.
Not just the b, all the letters are normal (left to right) it's just the spelling that is reversed. In any event any spam that comes through with any quantity of abnormal text of whatever type is getting binned. How hard can it be to throw a spell checker into the filter bin? There must be something that catches misspellings like v1agra, etc. as I haven't seen one of those in quite a while. I don't remember what client I was using way back in the day but one of the filters was font color1 so a reasonable dictionary filter should catch a good deal of this and most 419 scams as well.
1. Which worked nearly perfectly until certain family members who shall go unnamed decided that all the new html/rich text effects were too cool to not use and I had to do tricks to filter based on the amount of colorful text. Eventually known family email address had to be whitelisted but they got an autoreply of alternating #ffe080 and #c0e080 text on a #8fff00 background. Most stopped shortly after that but one thought it was fun. </facepalm>
No, no, no.
What you don't do on your CV is draw attention to the fact that you'll be able to read potentially confidential material that the boss may sometimes have on his desk.
Well, not unless you're using psychic paper for the CV and can update it on the fly...
"One of my abilities is to read mirrored, upside down or rotated text. Which is how I know that text message you've just glanced at before leaving your phone on your desk is from your mistress, making interesting suggestions about your rendezvous tonight - but rest assured that your wife will never find out if you give me the job..."
" I say this because your headline text is not only backwards, it is also upside down."
It was indeed a combination of the two. Which could also be simply referred to as "rotated".
Except the B, as James 51 pointed out. I can usually read mirrored/rotated text without problem (provided my slowly deteriorating eyesight can make it out on someone's desk to start with, which it used to be able to, but not so well these days) - but, while I could read the word "Backwards" with no real difficulty, that B threw me. It didn't look right at all, and I just couldn't see why, until I read James' comment.
It was indeed a combination of the two. Which could also be simply referred to as "rotated".
More on this in Rotations, Quaternions, and Double Groups by Simon L. Altmann (1986)
Phishers had also applied the tactic to sections of filenames in order to obfuscate the extension and slip malware past scanners. This meant 'PAYLOADexe.doc' would become PAYLOADcod.exe.
I call bullshit on that one, most mail servers I have used block .exe attachments as a matter of course, so a spammer is hardly likely to rename a .doc to a .exe.
However any mail scanner worth anything is going to actually scan the file to find out what the content is rather than relying on the extension.
Probably, but I remember an attempt to send a file called "example.com", which contained a textual dump of a DNS zone and was sent with a MIME type in the header of application/text, being bounced by Outlook as it was an executable (because of the .com extension).
Virus scanners detect the first bytes of a file and, when this contains MZ (amongst others, MZ means executable), will block the attachment ... regardless of the extension.
What is this reporting ?
The virus scanners learned it the hard way when viri-writers were sending scr files around the intertubes back in the late 90's.
Yes, on Windows screensavers are executables, I know it is completely ff'd up, but no, we cannot say anything coz this forum is full of window cleaners. Rename the extension of any 32-bit/64-bit executable on windows to .com, .scr, or .exe and it will still run ...
"Virus scanners detect the first bytes of a file and, when this contains MZ (amongst others, MZ means executable), will block the attachment ... regardless of the extension."
Which is why many malware payloads are .zips - and because zips are now widely scanned they've recently resorted to ARJ archives (presumably they'll move to other ancient compression formats later)
I thought they already moved on to encrypted ZIP archives which can't be extracted by automation since the password to decrypt them is hidden carefully in the text of the message such that computers aren't likely to make it out correctly. Furthermore, encrypted ZIPs can't be blocked out of hand since they may actually be legitimate correspondence from a coworker (which makes a spear-fishing encrypted ZIP even more plausible).
I thought they already moved on to encrypted ZIP archives which can't be extracted by automation since the password to decrypt them is hidden carefully in the text of the message
Surely there comes a point at which the usual tech-illiterate victims of email malware become unable to actually open the payload?
People fall for 419 scams.
People believe that the person who has just rung them up about their machine being full of viruses is in fact a bona fida Microsoft employee.
People believe that that link which will get them a free copy of a game that normally sells for a couple of dollars will actually get them the game and the game only.
Never underestimate the human capacity to do something completely... stupid.
"Who in their right mind is going to click on a link in something that they can't read?"
Quite a few people if you preface the link with "Free Phone/tits/games/celebrity tits/money/sluts."
Now if someone were to come up with a game where you win money, women, new phones, or pictures of nude celebrities by navigating a pixellated bird between obstacles, we're all screwed...
Problem is, people stupid enough to fall for phishing mails are not likely to be deterred by an additional oddity here and there. They'll just assume "someone made a typo" and laugh at the stupid bank while providing their email, username, password, PIN, height, weight, eyecolor, ring size, what they ate that morning and when they last took a crap.
My point being: Stupid people will be stupid.
This post has been deleted by its author
The point is the text in the email is written backwards (so scanners don't see normal keywords), but the text is wrapped in a block that tails the browser/email client that the text should be rendered right-to-left, so when it is displayed it looks normal to you, so something like (tags made up, not part of any standard I am aware of):
In the message
<encoding:ltr>!yenom dneS</encoding>
But on your screen:
Send money!
I suspect it might work here:
Let's say I write a message reporp eht sniatnoc ti fo emos dna unicode control codes.
There. Now copy/paste the sentence in bold in a terminal or a dumb text editor, and you will have a surprise.
EDIT: Emacs displays the same text, but vi displays something else.
I'm still puzzled about the allegedly disguised filename. The story is that the text is reversed so the scanner won't pick it up, but the display presents it in such a way that it reads normally. When you click on a link or a filename it doesn't matter what it looks like, the thing that is executed is whatever is in the text, and that's what the scanner will see too.
I think the attachment/link example is made up.
"I'm still puzzled about the allegedly disguised filename. The story is that the text is reversed so the scanner won't pick it up, but the display presents it in such a way that it reads normally. When you click on a link or a filename it doesn't matter what it looks like, the thing that is executed is whatever is in the text, and that's what the scanner will see too."
The example in the article is erroneous, but the idea is that the filename is written backwards, too. Think "txt.setoN gniteeM evituc.exE". This is actually a program (which could contain a zero-day privilege escalation rootkit or such), but if it's displayed in a RTL mode, the displayed name gets reversed and now appears to be "Exe.cutive Meeting Notes.txt", making it look like an innocuous text file. See where this is going? Combine this with spear phishing, and the whole thing could be believable enough to click to open.
But wouldn't that still raise a red flag since that ALSO means the text becomes right-aligned? The standard approach is to align e-mail and common text to the same side as the start of the text, is it not? Thus English starts on the left while Hebrew, Arabic, etc. start on the right.
RC=0 stuartl@vk4msl-mb ~ $ hexdump \-e '8/1 "%02x ""|"" "' \
-e '8/1 "%_p" "\n"' \
/tmp/title.txt
73 70 c9 b9 c9 90 ca 8d| sp......
ca 9e c9 94 c9 90 42 20| ......B
77 72 69 74 69 6e 67 20| writing
69 73 20 73 70 61 6d 6d| is spamm
65 72 73 27 20 6e 65 77| ers' new
20 6d 61 69 6c 20 66 69| mail fi
6c 74 65 72 20 61 76 6f| lter avo
69 64 61 6e 63 65 20 74| idance t
72 69 63 6b 0a | rick.
Very cute.
"Plus, don't use an email program that renders HTML. That's probably the second most stupid thing you can do"
I use an email reader that renders HTML... but I do tell it to not do so. It nicely translates the bold to *bold*, the italics to /italics/ and the <span style="text-decoration:underline;"> underline </span>* to _underline_ for me and that's it. I do sometimes miss out on the "included the latest 10-page memo (relevant line in red)" type of message, and the tables directly pasted from MSExcel to MSExchange are often mangled, but it's well worth it.
*Hu? That was supposed to work... well, you get the idea
It's about time that ANY email program became infinitely configurable with spam filters based on specific whole or partial words, ASCII characters, file extensions, domains, IP addresses and ranges, country codes, language, font, Tld, etc.
They should have the ability to see, read, display and filter the complete email message including raw headers.
Email programs should have all forms of encryption/decryption built in and not require browsers, addons or plugins.
HTML emails should be able to be scanned for booby trap code, script, cookies or links by the native email program not just the AV.
Text emails should have some better display and formatting options especially when converting from HTML emails.
When someone can come up with that kind of capability, the Internet will flock to their door.
Hiding a file extension... when, ever, ever, EVER, ANYONE, would think it was a good idea??? For pete's sake, it is the most dumbfounded idea since Autorun. Autorun, at least, served a purpose, and could be disabled.
Not showing the file extension is infinitely stupid, inherently dangerous, and causes more confusion than it solves. I had more than a few dozen machines infected BY THAT METHOD.
I hereby ask that we SUE every OS distribution that even remotely tries to disable extension exhibition by default. 100 currencies per violation, per day, until properly patched version is available. The currency to be adopted is the one with the highest face value when compared to any other in which the OS can be sold or licensed. (I believe Bitcoin is the highest face value today?)
Hiding the file extension only helps to spread malware. There is no other practical reason to do that.
On the other side of the range, a file that reads "file.spreadsheet" is perfectly recognized and could be universally interpreted. "File.textdocument" and "File.presentation" are equally self-explanatory.
Would you run a file named mytext.virus? Mydocument.executable?
By the way, try to rename anything to "anything.pif" and try to rename it back. Hint: be sure you can delete the file before attempting.
I agree to that basic premise. I never saw the point of it in Windows, and always opt to show it. Sometimes you just need to know what kind of file you are looking at. But then it's only part of the same view of how users should work that puts files into virtual folders (my documents etc) and buries the real folders ( and so files) on the C: drive c:\documents and settings\username\etc. even if they have a perfectly good partition reserved for data
It's sort of trying to pretend that things are simpler than they really are by hiding any trace of complexity, but in a clumsy way.
Remember, Windows was designed for fucking morons.
Gates couldn't have a receptionist at a hairdressers panicking because they didn't know the difference between .doc and .exe.
It needs to be used by morons so we all have to suffer.
We I don't -- I have used Linux for years -- FUCK OFF Microsoft.
The solution is to stop checking your email. Only ever look at it for a specific email then search for that one. Like if you know that site is about to send you a code. Who cares what else is in there? I don't even delete the spam anymore, what a pointless chore. There's a search box in every mail client.
This post has been deleted by its author
This technique is not new and was used in the past for email attachments which had their extension obfuscated. This technique has been reported as far back as 2009 https://www.mozilla.org/security/announce/2009/mfsa2009-62.html. What happens is the email presents as the file name.doc, while in fact you are opening a malware anncod.exe file, because the attacker used the direction override after the second ”n”.
Most commercial business spam filters involve layers of substantial tests that this technique will not evade. For example with SpamTitan this trick will not fool the banned attachment filter for virus scanners. This backward text trick uses a feature in unicode which facilitates languages that are written from left to right. It is used to hide the true name of a file. However the banned attachment scanner pays little attention to the file name and uses other more vigorous methods to identify the file type. Similarly the virus scanners will decode the file and scan it for potential threats regardless of what the file name is.
Organisations using a spam filter of the calibre of SpamTitan will be unaffected by this by spamming or phishing attempts using this technique, it will really only affect people who do not use a spam filter or use a very basic spam filter with no banned attachment or virus scanning.