Big bruh moment >>> I'll also emphasize the point I make at 3:49 in case people comment before watching that long - There doesn't have to be 2 periods in the filename, so "Test.exe.docx" could very well just be "Testexe.docx" - I put the other period there to make it easier to show the real file extension. So it might not be very obvious at all that this trick is used, depending on the real file extension and how they name it. For example, "arcs.docx" could really be a .scr file and the filename might not be suspicious, especially depending on the context, like naming it "character_arcs.docx" or something. There are tons of potentially malicious / exploitable filetypes out there that could be used.
I still don't understand why Microsoft had ever chosen to hide file extensions as a default. It's the first thing I fix when I install Windows. In this case it's not the same cause, but having file extensions enabled helps.
@@ZipplyZane while that's true, since at least 7 maybe even vista, when you rename a file it only selects/highlights the name, not the extension. So unless you go out of your way to delete the extension, it won't be touched. Plus (again, idk when this started) windows *warns* you everytime you change an extension. It should really be on by default again. In general, we desperately need an "i am an adult" button in Windows' settings.
@@andreewert6576 In a sense we already have an "I am an adult" setting. It's accessed through the Edge browser, just type in the bar "best linux distros 2023". Seriously though, MS has been actively hiding basic computer knowledge to make things seem "simpler" or "cleaner", but I suspect if they did more to just teach users what a file extension was (maybe through a help icon that did something other than inserting some vaguely relevant words into Bing) by now the general populous would be much more tech savvy on average.
@@davidbangsdemocracy5455 They should just make it so if your language is not set to one that uses these these characters, that it would just show the text normally without reversing it.
@@davidbangsdemocracy5455 Extensions in filenames should have been always out of this consideration. This should be an operating system thing and not a language direction reading thing (only in the case of extensions I mean). Or even if the filename reads backwards (for the ones we don't use right to left languages), even then extensions should be "the last after the last dot". No matter what. IMHO.
@@davidbangsdemocracy5455 why would a filename need one though? And I'm pretty sure most text renders do what the control character does anyway so it's pretty redundant now
As a security professional and having been in IT over 40 years I am also surprised that I hadn't come across this before too. Very informative, thank you.
Unicode support - and in particular support for these text-direction-reversing characters in Unicode - hasn't been around for 40 years. It's not a thing in DOS and probably also not thing in the earlier versions of Windows (though I haven't actually checked, nor researched the exact dates when MS implemented Unicode support). My guess is that this MS Windows vulnerability started in the 2000s or maybe even 2010s (but I'm too lazy to research it.).
Fun fact: At the old days of youtube, you can put RTLO in your username. So when somebody attempting to mention you, they probably confused and accuse you of being a witch
Here's the crazy part: you can nest the overrides. You can move the extension to the beginning and mask it as a file that has a . to appear at the top... [RTL]txt.sevituc[LTR].exe will appear as .executives.txt
1:20 There's a faster way if you already know the character's Unicode number. Type in 202E into notepad (or anywhere else) and press Alt + X. This will convert it to the unicode character. If you hit Alt + X again it will revert it back. Although the "reverting to number" part doesn't work for letters from A to F because they can already be considered to be hexdecimal numbers.
@@notthatntg As far as I know this feature has been around for a long time, maybe since Win XP. But I also know that Notepad can be a bit buggy when it comes to "Alt magic". Try it in Word, hopefully it will work there.
@@theguyfromsaturn That doesn't fix anything. It is still going to execute. Anyway opening a file to read the magic number and then figure out the file type is crazy inefficient so that's why file exts are the norm; just imagine this happening on a folder with many files...
Just make sure your download folder's view style is set to Details mode. That way, you can see what type of file it is from the Type section. People should do this by default for a couple of reasons, anyway. First, some file names are too long to see the extension by default, so this is actually even easier. Second, the download folders is usually way too disorganised to to have large chunky icons like a Desktop. Third, the "Details" view has way more useful information like the Date Modified time stamp and size for easy location of files and deleting large files. I'm pretty sure Windows already sets the Downloads folder this way by default, anyway.
Fair point about the downloads folder, however I never use it. I always use save as and either save to desktop or save it directly to where it will live the rest of the time I own the computer. I only dislike using the downloads folder cause it turns into an out of sight out of mind sorting system, and I cant deal with that
I will say, Windows Defender/Security does detect this if you try and spoof another extension. That can be gotten around with spaces in the file name, Cyrillic characters/other look-alike characters, etc; but... it does at least try to stop this from harming you most of the time.
Wow, that's rad. I work in the IT industry and actually have a good knowledge. But this was completely new to me that there are Unicode characters with this effect. Thanks for the education! So many won't know that, let alone non-IT people out there.
I’ve been working with pcs since the stone ages of DOS and I suspected something like this was behind some of the weird attachments I’ve seen, but didn’t get it until your vid. Thx. I’ve been raging at Microsoft for years for hiding file extensions and not just forcing users to understand what they are and how they work. It’s a simple concept and there’s no reason any pc user couldn’t learn it, but when you try to make things idiot proof, all you do is turn your users into idiots because they never learn the basics. Today I see so many users that don’t know the difference between a shortcut, and a folder, and a zip archive because they have all been confusingly glossed over and never taught to users. Good vid! I recommend!
Couldn't have said it better! That's why I hated Windows when it first came out. Because it hid everything going on behind a colorful GUI. I think it still lacks a 'programming mode' to this day.
What version of Windows are you talking about? Maybe Windows 11 File Explorer has broken Unicode filenames. 🤔 (Also, it doesn't show it if extensions are hidden.)
@@I.____.....__...__ it works for Win 11 as well. What he means is instead of “small icons/ large icons” etc under the view setting, change it to “Detail”. The default columns are “Name, Date Modified, Type” etc. “Type” would show what the file is. So it would show “Windows Batch File” for example, irrespective of file extension being hidden.
I already use detail view because I like to be able to quickly sort files by date/type/size, so knowing that the file extension may be lying, but the "Type" field is not will make me rely on that column even more.
insane this is allowed to happen man keeping folder view on detail & showing "file type" off to the right as a column might help, i usually glance at that to be sure of what im clicking on
Yeah my file explorer defaults to details view, but you might have a usb drive full with pictures and documents, in which case the large icons view is more convenient for image previews, so the trick could work. Realistically anyone who might be affected by this should have all Windows Defender features on, so SmartScreen will alert them about executing an unknown file, even if not detected as a virus you'd immediately know it's an executable.
What's insane about it? These are the sorts of problems that come up when trying to accommodate things like other languages, which of course, can't be just ignored. What's insane is that it took as long as it did for the Unicode Consortium to be established (1991) to standardize this sort of stuff, causing all the other countries in the world to have to hack bespoke and incompatible systems back in the day. That's why things are a hodgepodge mess now.
youd imagine that its possible for windows to just print "&rlm" by default if youre using a system locale that doesn't use these types of characters or formats hasnt been a problem in web browsers for a while right?
Yeah this is a very old trick. Most people are not aware is this. I have used this trick for saving certain things and then renaming it when I needed it. Yes virus can hide in there but a there are ways that you can find them too. Or even prevent this from happening. Great video.
as an IT Admin, I always use the windows sandbox to open files that I don't trust or generally download from the internet from an untrusted source! : )
Windows should really really implement a special icon that indicate a file is a executable. Like how shortcut have a arrow pointing at it on the bottom right.
@@sexygeek8996 I'm taking about people who aren't computer literate enough to recognize it. Most of my friends don't know how to enable extensions and those that do would click on the exe anyway because they saw a Word icon.
@@thacium Hide extensions should be disabled by default and there shouldn't even be an option to enable it. Those oddball features to manipulate the display of filenames should be disabled by default unless the computer is configured for a language that requires the feature. If the extension is EXE then there shouldn't be any way to display a different icon.
@@Korbus_Corax Why is that? I said the feature should only be enabled if the system is configured for a language that needs it. There are way too many features nowadays and they cause a lot of security problems.
You can create a hidden character rtl:rctrl+rshift and ltr:lctrl+lshift it’s commonly used with bilingual users who type rtl languages. This isnt override character tho, the normal rtl switch flips the orientation of the text box you’re typing into, usually causes issues when adding ltr numbers(or brackets)into an rtl text.
what is the rtl i know rctrl is right ctrl but i havw no ide what the rtl key is my oly guess could be tab lock but i dont think that key would ever have a major purpose so no sense in makeing it
I knew that one (because I work in IT security, and we've specifically dealt with malware campaigns using that trick). Good to see you're bringing attention to it.
I knew of that Unicode character but I didn't realize it could be used in this manner! Feels like an oversight for Windows Explorer to support that behavior in these cases, but I know it's difficult to determine if it's being used legitimately or not. To note: legitimate use cases would be files that includes both Latin characters (A-Z) and characters from a language that is written right to left. Whether there'd ever be an executable like that, I'm not sure.
@@guiorgy I would definitely agree with that. Unfortunately, Windows is based on very old technology and a filesystem that doesn't consider extensions "special" and just considers them part of the filename (I'm assuming, based on how it handles this). A fix might be to take whatever code Windows uses to determine what to hide via "hide file extensions" and just always display that set of characters at the end. Not sure if that would break other things though.
@@gFamWeb yup, you are correct. In ntfs, file extensions are just considered part of the file name, and file type is derived from the filename. Most modern file systems work differently.
@@gFamWeb Well, if there is a way to update this without breaking compatibility, extensions should be an operating system thing. So should be the last after the last dot, as said: NO MATTER WHAT!!!!!!!!! 😅
I have been building and using computers since my C-64 and this is absolutely astonishing. No matter how much you think you know, you can never know it all. Thaks very much Thio for this valuable information!
@@chrisdawson1776 lol, hating on new technology with your 1776 moniker and your Ben Garrison picture. Let me guess, you also hate desegregation and anti-monopoly anti-wealth-hoarding laws...
This brings back memories of using ASCII control codes on character-based ANSI terminals like the Digital Equipment Corp. (DEC) VT-100, VT-220 and later models. You could embed backspace or cursor movement characters within text so regular characters would be sent, but then the cursor could be repositioned, and new characters would overwrite the old so you wouldn't see them. Or special escape codes to control terminal functions, like putting the terminal into its self-test loop that required power cycling to get out of it. 🙂
Fun fact: the maddening invisible character in the view certificate window (until it was finally fixed a couple of years ago) that is bound to have caught out anyone who ever tried to copy a certificate thumbprint was a LTR character.
@@fss1704 if you ever needed to copy some details of a cryptographic certificate, you could view the certificate from Windows, then look at properties like its thumbprint, but the text box that showed those details had a unicode left to right character at the start of it, so when you try to e.g. copy that thumbprint to a configuration file, you would accidentally copy the LTR character and whatever software you were configuring would not accept it, but because it's a zero width character it's hard to track down the problem, because it's invisible.
Wow, I didn't know about this. I don't know why Microsoft chose to make file extensions turned off by default. I agree that it should be turned on, but people who are not very computer savvy wouldn't know to turn it on. This setting has been like this for a very long time
I think file extensions should have a neutralizing unicode character when displayed in Windows Explorer / force to be put at the back / front depending on Windows localization settings. Not sure why it wasn't implemented.
It's because normal users don't know about them at all and ignore it. It both wouldn't help those users anyway, and also lead to them renaming files and screwing up the file extension when they do it.
I do one more thing, I use list view/details view and categories/display file types, this helps to push suspicious files in categories like application or vb script etc thus preventing accidentally mistaking it for a harmless document or any other file.
I tested this on a file on my pc and i think i may have found something that could help here: If youre not sure whether or not a file is legit or not, try renaming the file and go through the characters with the arrow keys. Not only will the cursor start at funky locations, but it will also jump through the name, as it works through the chars. Also, in my case the blue marker for selected text didnt select the extension, which in this case was right in the middle of the displayed text. Also, you can copy the filename and paste it into notepad, limit the charset to ansii and then see some broken mess if a unicode symbol was used. Although this only tells you THAT a unicode char was in there, not which one. But i think there are online sites that do that for you, usually for detecting email adresses that look legit but are using characters that look similar to normal characters, but arent.
Well I'm a trilingual person (I speak Arabic, English, Turkish) Arabic script and Old Turkish script is RTL while the New Turkish script and English is obviously LTL Blocking RTL would limit my uses of the laptop as I use all the languages on my laptop. We need a way for Microsoft to to warn users I think a good way is showing a prompt to the user the first time he opens an executable even if it does not have admin rights
I didn’t even know that there is a character that can reverse text like that on a file name. I’ll definitely be more careful when viewing files on my computer. Thanks for the info!
Yes, I have already heard of this a few years ago, but back then I didn't thought about how that could also be applied to filetypes other than .exe, and this Video probably helped me to be even more careful with suspicious looking files in the future.
It's good to see your channel still doing well, I haven't seen anything since the days of charging phones in the microwave and reading hate comments, I didn't even think your channel existed anymore, but I'm glad it does
This is why we should sanitize our filenames. I don't know if rename can handle invisible Unicode characters, but if not then this might be a place where someone could fill a gap with a nifty utility.
What a great app to use as a Trojan to achieve two things: allow your own hacks through but deny any others, to gain an advantage over other state actors....
Idk Windows still have that disabled by default lol, by experience they already shoulve lmao. The weird RTLO character should'nt be shown and the file extension should ALWAYS be placed at the end of the file, disregarding any text thingy which pushes it forward
Wow. This brings up some memories. Using this trick, I made three batch files. Any of the three would open, execute its program, which was to open the other two upon close. Obviously, when you closed it, it would open the two other files, close one of them, another two. A fun little Hydra, makes you restart your computer, pretty harmless. At this point though, we had been tricking each other (I was in a class of folks learning all sorts of network related things) with .bat files for a bit, and I had discovered this to hide my files in plain sight. It was perfect for my little Hydra. Thanks for bringing up some memories, and making me feel old, this was back in '04. (I'm 36).
@@jordanwardle11 so, how often do you need to execute randomly downloaded executable files that aren't installers? On linux we don't execute installers, but instead feed them to the central system installer, where it can be centrally tracked (and also uninstalled). So the amount of cases where this would add two more clicks, is almost none. (I'd even argue that for installers Linux's approach is more user friendly). I think that's a fair price to pay for anyone to prevent a huge swath of dumb viruses
@@jordanwardle11 true. But almost all the Microsoft created security holes in our computers were put there to make things easier to use. It's easier to not bother locking the door when you leave the house, and makes it easier when you come home as well. But anyone spot the drawback?
I'm going to guess the culprit is that the administrators failed to disable the GPO which hides known file extensions. It's a very dangerous setting and should be disabled by default in my opinion. EDIT: Wow, I was completely wrong. I would never have guessed that in a million years. And I hate to admit it, but I would have opened that word document without hesitation. From now on, I'll certainly be more cautious. I wonder if there's some way I can implement a GPO setting from the domain controller to prohibit these characters being used as file names. Or perhaps I can create some software that would scan for files containing this character in their name, make a record of the original file name, and move the file to a different directory. A placeholder file could the be put in its place. When you run the placeholder file, the software runs and warns you about the file, and still gives you the option to restore it. Though it's only a passive process... If the file was opened before the scanner had a chance to find it, it would have no effect.
Another good strategy to avoid this is to open downloaded documents in the right program directly (eg open up Word and find the file from its file picker). That way it doesn't show any incompatible files. Obviously beware of things like macros regardless.
I actually knew about this before. This unicode is very weird, and a lot of people can get tricked, and run some malware. I always thought that you can only "inject" code into files to make them a trojan, but this method is a lot faster and easier. (I'm also shocked that almost noone knew about this because, i don't work professionally and i knew about it, but a lot of people that work professionaly didn't)
Honestly, Windows should add something similar to the Linux/Unix executable file permission thing, so like by default files you download from the internet can't be executed unless you edit their permissions, this would prevent this and all the other filename tricks. Or, they could add a thing to the file explorer that prompts you if you want to execute the file when double clicking on it if it is an executable, similar to what KDE's file manager does
@@lumer2b yeah the problem moreso there is that people tend to automatically click through those prompts. While the first suggestion prevents that, it's a hassle to users in the cases where it's unnecessary. It's difficult to balance the two.
This is NUTS! Windows should be updated to always show the extension last! I assume that Windows uses simple concatenation to display the filename but it should always resolve the filename first and then add the file extension. Like brackets in math. (I assume that for right to left user, they display the extension first but the same point applies.)
I've used this character so much that when you revealed file extensions i knew exactly what it was, never thought of using it this way though unless you directly share it from a usb stick or something, most CDNs will just change the name formatting or just completely deny uploading (i believe Discord denies the upload)
@@emmanuelmgbemena yes, I already know this. But if someone opens the folder with a program like winrar or 7zip (more common than you think), the zip is rendered completely useless, as rtlo is not rendered "properly" there
This is really interesting to see because I remember that I saw videos in 2015 of malware exploiting this. I thought that Microsoft would have worked on the issue since then but seems to not be the case! It would be interesting to see if you could bypass certain file checks using this method
I read about it on a German computer news site (heise online, article „Täuschende Dateinamen unter Vista“) in 2007 (!) a couple months after Windows Vista was released. Because Vista was the first Windows version vulnerable to this trick; XP doesn’t interpret the RTL characters.
@@HuskyNET I remember the video from Sempervideo - In the video they had the example "sexy-hexe.pdf" :D - seems like they took it down but you can find a mirror if you search for "Demo-RTLO-Angriff-auf-Windows-fuehrt-auch-aufmerksame-Nutzer-hinters-Licht" - the winfuture site actually has the removed youtube video :D
I saw a german video about this exact thing by SemperVideo like 10 years ago. How could microsoft not have fixes this in that long time? Seems like a pretty serious issue to me.
As an amateur programmer that an "exe" file, in particular, can have any icon the programmer wants. Indeed, one or more icons are supposed to be specified when linking the file. Okay, I have checked my file viewer and it does hide extensions. It also has a table format with a column that lists the type of file.
i learnt about cyber security from you more than my IT department ever did. and that is coming from the company with big emphasise on cyber security, with weekly elearning/module/compulsory assessment on cyber security
A simple way to avoid this when opening an unknown file to always right click and choose "open with" and the relevant program. So if it is a fake DOCX file and you choose "Open with Microsoft Word" , it would try to open the EXE file in Word, which might fail, but it doesn't matter, it just won't launch the file.
The whole concept of "opening" a file by double-clicking it was a bad idea from the start. Some naive users might have liked it but it was never worth all the problems it caused.
@@ZipplyZaneYeah but that and all other workarounds that is not "explorer view" costs some time. Safety has a price. Not much but still. Some programs might have bad file selectors.
I work in IT support, with around 30y experience. I didn't know this. Even if I had known, I doubt our users would have known. Some users have 'File extensions on', but not all. I will check if we can switch it on for all through a Group Policy. We are lucky that a) a Group Policy forbids running files from USB sticks (even for us admins!) and b) our users are never local admin, so running programs that require admin rights ios impossible. But still: this is scary...
Wow, thanks for sharing this information; this is a major security flaw! I hope Antivirus companies will do something to protect users against files with UTF characters.
I could've guessed there were RTL shenanigans the moment you showed extensions and .exe appeared in the middle of the filename. But I'm somewhat used to unicode shenanigans because I spend time thinking about how to render the text "as intended". That's nasty and gonna bite a lot of people! Might've bitten me if I hadn't just dealt with RTL stuff just a few weeks ago! 😬
Filename still ends by the « .exe » or whatever extension to prevent opening those files you can: • Make a Mailflow policy / or server rule to block those messages (eg. Message whose attachment ends with…); • Or prevent their attachment to open via some kind of Microsoft Defender ASR rule (Attack Surface Reduction); Virus builders often also add enough spaces right after the right-to-left mark (RLM) in order for the extension not to be viewable even if file extension are set to be displayed… Try something like « hello.jpg[RLM][20 spaces].exe »…
Thank you Thio Joe! I'm a programmer since 1975 and this is a new thing for me. If Microsoft doesn't fix Windows to prevent Unicode characters in filenames then this bug is on them. I'm sure the Linux geeks are working on it now (prolly thanks to you!). And props to the hackers for being so inventive, damn their eyes.
Wdym "prevent Unicode characters in filenames"? All letters would be blocked if they did that Plus, the character is used in loads of languages -- not every language is left-to-right
@@aMySour hence the LTRO. Yeah I know even English wasn't originally left to right only but alternated from one line to the next. MSDos doesn't have the LTRO but Windows does - but it's not an option. I'm sure you know that I mean non-ASCII characters when I mentioned blocking Unicode. It made for a shorter comment that was already too long.
File names can include right to left script from other languages, but I don't know if that needs the rtl character. The biggest issue is that operating systems like to hide extension information and love to make it easy for software to auto-run. Every time I get a new computer I need to spend time fixing those issues to improve safety.
Right-to-left text doesn't need the right-to-left override character in a proper text rendering engine, but right-to-left text in the middle of left-to-right text might need the right-to-left embed character before it and the pop directional formatting character after it if there are directionally ambiguous characters (like ASCII numbers and punctuation) around the right-to-left text that need to display right-to-left. For instance if there is English text, Arabic text beginning with a quotation mark and followed by a period and quotation mark, and more English text, it is probably a quotation containing a period and you would want a RLE character after the opening quotation mark and a PDF character before the closing quotation mark. That makes the period behave like a right-to-left character and display to the left of the Arabic text rather than to the right. In HTML, it's best to omit the invisible characters and use CSS (unicode-bidi: embed; direction: rtl;) equivalent to the RLE and PDF characters.
Wow! Well this was very interesting! I remember the web site where you go and type something and it will appear as upside down - and it just work anywhere. I didn`t know that Unicode characters have ability to type upside-down... Who knows what is possible...
OS should show all executable types with additional sign on icon just like with the shortcut. That way, no matter the icon or name, it would be obvious from the start.
There was also a time back in the days when a lot of people here (without technical background) used special Unicode characters on Facebook to cause all kinds of strange effects. I think I have also seen something similar on Twitter once. Not sure if this is still a thing.^^
The Twitter thing was recently covered by David Bombal and TheXSSRat I think? He used a script in a tweet and I forget what it caused. But it made it retweet itself through people who saw it it think? Or something silly. But stuff like that is always interesting to see!
@@TheJoshShephard That was in 2014, but it was more due to a bug in Tweetdeck that for some inexplicable reason, they used the heart emoji to indicate preceding text was to be rendered as HTML.
Very interesting, I knew about the unicode character, but didn't think it would be allowed in filenames. Wtf? Windows prevents you from having : or / in the filename, but allows non-printable characters?
Gotta love Linux, can't even run downloaded files unless you permit them, in most GUI file managers that means opening the file properties to edit the permissions which means seeing what the system recognizes what the file is.
I knew about the unicode character but I didn't know it can be used for something like file extensions, that is just wicked. This was taught to us, as well as some other unicode characters, as a side note by our professor in university and he just said that it was something cool but doesn't really have any real-life use.
There is also a now patched exploit in Microsoft Office where a document can launch any executable and I thought this video was going to be about that.
2:04 In Linux (Ubuntu Unity 22.04) the text cursor is where you type after the RTL character, in Windows 11 the cursor is on the right so you can't even reliably see where the next typed character will show up... Only after a space character does it jump to the right, but after a printed character it is where the next letter will show up. How ty type in reverse in Linux: Ctrl+Shift+u, let go then type 202e followed by Enter. That's how easy it is. And to type the right way around again, just use the U+200E character.
Yes, this is somewhat dangerous, but the file would mostly come to you as an email attachment. Your antivirus would warn you in the same way that it does for any other EXE.
Unfortunately not always the case. If something is configured correctly, it's possible to bypass virus detection software in various ways. If it's not an email attachment, it's via a link. And may bypass detection because of file size or something else. Paul Hibbert had this happen via a fake sponsor and a fake pdf file. Then with most TH-camrs. The malware is being packed in zip folder and auto downloading after being directed to a pdf with a script. The browser and virus detectors miss it. And if the person finds it and unpacks it, they usually run Redline Stealer and get their accounts and many other things hacked. Usually it's in the form of a WMG, UMG, Copyright claim or Strike. But unfortunately for Paul, it came in the form of a fake sponsor campaign
it'd be in a .zip, .rar, .ace, .tgz ... most AVs *should* handle them fine, but I can imagine other scenarios that would be trickier. Like passworded zips - the con would be in convincing the victim that there was a legitimate need for the file to be password protected. and I can see my folks falling for this. Can't you?
I tested it on MacOS and it only reverses the characters in front of the file extension. The file extension (as well as the point) is always shown last and in left to right order. So no problem for MacOS 👍😊
ปีที่แล้ว
Not that MacOS uses the extension to identify executable files anyway…
I remember people in the 00s using these characters to blow up web forums. Back then, including one in a forum post would often make all following posts display backwards. Nowadays posts are wrapped in more tags and browsers seem to have started ending any weird Unicode stuff at the end of a div or whatever. I don't know why I never thought to see what would happen if one was in a filename.
Could this same trick be used on URLs in the browser? If it is possible to swap characters in the domain name, you can be redirected to a malignant site even after checking the URL for easy to miss variations such as "m" being replaced by "rn".
as soon as he said "i guarantee you're wrong" at the start, i was like "that's gotta be the unicode reverse thing, right?" and as soon as he said it was using an invisible character i was like " C A L L E D I T "
I feel like I just want to show off, but I paused the video before he gave the answer and thought about it and that was the only thing that I could come up with on how to do it, because Windows shows this file as an executable. However, I would have assumed that Microsoft had prevented this security flaw long ago, because this was already in the news during Windows Vista times.
Great video!! Possibilities are endless!!!🤣 It's not the first evil trick that people do with Unicode characters. There exists also some messing with what sites show in google search results by looking like official websites but actually exchanging characters for very simular other Unicode characters. Learning new things everyday!!!🙃🙃
Your new channel is pretty good! I remember viewing your channel back when it was mostly pranks and parody, but I like this more informative channel a lot more, nice change!
@@ttkftykyfts well, I didn't expect him to be that knowledgeable. His parodies I think cheapened his more serious content, it's good that he got rid of them.
Big bruh moment
>>> I'll also emphasize the point I make at 3:49 in case people comment before watching that long - There doesn't have to be 2 periods in the filename, so "Test.exe.docx" could very well just be "Testexe.docx" - I put the other period there to make it easier to show the real file extension. So it might not be very obvious at all that this trick is used, depending on the real file extension and how they name it. For example, "arcs.docx" could really be a .scr file and the filename might not be suspicious, especially depending on the context, like naming it "character_arcs.docx" or something. There are tons of potentially malicious / exploitable filetypes out there that could be used.
Bruh.exe
Bruhgpj.exe
Why?
not a bruh.not a exe
Bruh
I worked professionally on computers since Win 3.1, read everything religiously and never heard of anything close to this. Stunning.
if you wanted some real fun , you should’ve tried the latest and greatest version of DOS and Dbase v. anything to create some major havoc … lol
Try reading it secularly then
@@CXLVII Like the lived reads the elbib.
couldn't use question marks in filenames in older windows
based shit-in-street pajeetsoft fucking everything up
@@CXLVII apt reply
I still don't understand why Microsoft had ever chosen to hide file extensions as a default. It's the first thing I fix when I install Windows. In this case it's not the same cause, but having file extensions enabled helps.
To prevent novices from unintentionally changing the filetype and thus making the file seem corrupted.
@@ZipplyZane while that's true, since at least 7 maybe even vista, when you rename a file it only selects/highlights the name, not the extension. So unless you go out of your way to delete the extension, it won't be touched. Plus (again, idk when this started) windows *warns* you everytime you change an extension.
It should really be on by default again.
In general, we desperately need an "i am an adult" button in Windows' settings.
@@andreewert6576 In a sense we already have an "I am an adult" setting. It's accessed through the Edge browser, just type in the bar "best linux distros 2023". Seriously though, MS has been actively hiding basic computer knowledge to make things seem "simpler" or "cleaner", but I suspect if they did more to just teach users what a file extension was (maybe through a help icon that did something other than inserting some vaguely relevant words into Bing) by now the general populous would be much more tech savvy on average.
Because it's noise?
What they should really do is change "show file extensions" to "allow editing file extensions"
AV software COULD scan for these "control" type characters within file names. Seems like an obvious thing to scan for.
They do actually, as long as the file has mark of the web (Zone Identifier).
There are legitimate foreign language scenarios, which is why this feature exists
@@davidbangsdemocracy5455 They should just make it so if your language is not set to one that uses these these characters, that it would just show the text normally without reversing it.
@@davidbangsdemocracy5455 Extensions in filenames should have been always out of this consideration. This should be an operating system thing and not a language direction reading thing (only in the case of extensions I mean). Or even if the filename reads backwards (for the ones we don't use right to left languages), even then extensions should be "the last after the last dot". No matter what. IMHO.
@@davidbangsdemocracy5455 why would a filename need one though? And I'm pretty sure most text renders do what the control character does anyway so it's pretty redundant now
As a security professional and having been in IT over 40 years I am also surprised that I hadn't come across this before too. Very informative, thank you.
@@ts757arse Sounds fun. I would do that
Unicode support - and in particular support for these text-direction-reversing characters in Unicode - hasn't been around for 40 years. It's not a thing in DOS and probably also not thing in the earlier versions of Windows (though I haven't actually checked, nor researched the exact dates when MS implemented Unicode support). My guess is that this MS Windows vulnerability started in the 2000s or maybe even 2010s (but I'm too lazy to research it.).
I've seen this character used online before but I never thought Windows would allow it in filenames.
Maks you think what we don't know.
I fully agree with you.
Fun fact: At the old days of youtube, you can put RTLO in your username. So when somebody attempting to mention you, they probably confused and accuse you of being a witch
Hilarious 😂
Fun fact: youtube's mobile app is _still_ confused by RTL text in usernames. K Klein just made a video about this.
@@lassipulkkinen273 Does Google Chat also suffer from this RTL problem?
youtube history :3
I have a RTLO In my username
Here's the crazy part: you can nest the overrides. You can move the extension to the beginning and mask it as a file that has a . to appear at the top... [RTL]txt.sevituc[LTR].exe will appear as .executives.txt
you're a sorcerer.
damnnn
Nah thats wild. The average user doesn't even stand a chance.
we're all screwed
I guess the only way to be completely safe is to go into properties and check the file extension every time.
1:20
There's a faster way if you already know the character's Unicode number.
Type in 202E into notepad (or anywhere else) and press Alt + X. This will convert it to the unicode character. If you hit Alt + X again it will revert it back.
Although the "reverting to number" part doesn't work for letters from A to F because they can already be considered to be hexdecimal numbers.
Very cool tip, I had no idea that was possible
doesnt work for me.
@@Elementening probably a Windows 11-only feature
@@notthatntg As far as I know this feature has been around for a long time, maybe since Win XP. But I also know that Notepad can be a bit buggy when it comes to "Alt magic". Try it in Word, hopefully it will work there.
@@notthatntg good call - works on my Win11, but not Win10 computer.
I think the simplest trick is to just rightclick and check properties, as it tells it's an executable. Or hovering over it.
hmm.. well if it's a zero day exploit, just merely right-clicking on it would still have you doomed.
Or use the details view and see it label it as an executable
A better trick would be for the OS NOT to use the extension to identify executables. Seriously, it's not the 1980s anymore.
@@justsomeguywithoutamustang6436 if you are targeted with 0-days you have bigger problems to worry about
@@theguyfromsaturn That doesn't fix anything. It is still going to execute. Anyway opening a file to read the magic number and then figure out the file type is crazy inefficient so that's why file exts are the norm; just imagine this happening on a folder with many files...
Just make sure your download folder's view style is set to Details mode. That way, you can see what type of file it is from the Type section. People should do this by default for a couple of reasons, anyway. First, some file names are too long to see the extension by default, so this is actually even easier. Second, the download folders is usually way too disorganised to to have large chunky icons like a Desktop. Third, the "Details" view has way more useful information like the Date Modified time stamp and size for easy location of files and deleting large files. I'm pretty sure Windows already sets the Downloads folder this way by default, anyway.
A useful suggestion, but details view shouldn't be "just" your only checkpoint before opening a file.
And have files ORDERED by type (extension). All the .exe files will be grouped together.
Fair point about the downloads folder, however I never use it. I always use save as and either save to desktop or save it directly to where it will live the rest of the time I own the computer. I only dislike using the downloads folder cause it turns into an out of sight out of mind sorting system, and I cant deal with that
@@legionofanonI often redirect downloaded files as you suggest. But sometimes a duplicate copy exists also in the downloaded folder...
10/10 The IT department footage is the most accurate depiction of what we do that I've ever seen in my entire life.
Exatcly, I was like "Has this guy been spying on me at work?"
I will say, Windows Defender/Security does detect this if you try and spoof another extension. That can be gotten around with spaces in the file name, Cyrillic characters/other look-alike characters, etc; but... it does at least try to stop this from harming you most of the time.
yea i just tried making one to test and couldnt run the file i just created.
@@SamsterBirdies You can get around it by naming the file using Cyrillic or other lookalike characters for the fake extension, just to re-affirm that.
@@Terraphice how do you get around it
@@cjcoleman8525 Look up lookalike Unicode alphabet characters and replace one of the letters in an extension with a lookalike.
@@SamsterBirdies I also couldnt run the program. I think windows prevents to run all .exe files where this right to left unicode is used
Wow, that's rad. I work in the IT industry and actually have a good knowledge. But this was completely new to me that there are Unicode characters with this effect. Thanks for the education! So many won't know that, let alone non-IT people out there.
I’ve been working with pcs since the stone ages of DOS and I suspected something like this was behind some of the weird attachments I’ve seen, but didn’t get it until your vid. Thx.
I’ve been raging at Microsoft for years for hiding file extensions and not just forcing users to understand what they are and how they work. It’s a simple concept and there’s no reason any pc user couldn’t learn it, but when you try to make things idiot proof, all you do is turn your users into idiots because they never learn the basics. Today I see so many users that don’t know the difference between a shortcut, and a folder, and a zip archive because they have all been confusingly glossed over and never taught to users.
Good vid! I recommend!
Couldn't have said it better! That's why I hated Windows when it first came out. Because it hid everything going on behind a colorful GUI. I think it still lacks a 'programming mode' to this day.
Mac OS is no better in this regard. Finder is so information sparse by default.
Idk the difference betwen them 💀
All I know is Dat zip is compacted and shortcuts are, well, shortcuts
"when you try to make things idiot proof, all you do is turn your users into idiots" is a quote to be remembered
@@November The way I heard it. If you make something idiot proof, they will just invent a better idiot next year.
another simple way to spot it is to use detail view. it shows the extension correctly there.
What version of Windows are you talking about? Maybe Windows 11 File Explorer has broken Unicode filenames. 🤔 (Also, it doesn't show it if extensions are hidden.)
@@I.____.....__...__ it works for Win 11 as well. What he means is instead of “small icons/ large icons” etc under the view setting, change it to “Detail”. The default columns are “Name, Date Modified, Type” etc. “Type” would show what the file is. So it would show “Windows Batch File” for example, irrespective of file extension being hidden.
@@honeypeadigital あっぷ
I already use detail view because I like to be able to quickly sort files by date/type/size, so knowing that the file extension may be lying, but the "Type" field is not will make me rely on that column even more.
@@Bayonet1809 the only time where I would use another view other than detail is when browsing folders with pictures
insane this is allowed to happen man
keeping folder view on detail & showing "file type" off to the right as a column might help, i usually glance at that to be sure of what im clicking on
Yeah my file explorer defaults to details view, but you might have a usb drive full with pictures and documents, in which case the large icons view is more convenient for image previews, so the trick could work. Realistically anyone who might be affected by this should have all Windows Defender features on, so SmartScreen will alert them about executing an unknown file, even if not detected as a virus you'd immediately know it's an executable.
What's insane about it? These are the sorts of problems that come up when trying to accommodate things like other languages, which of course, can't be just ignored. What's insane is that it took as long as it did for the Unicode Consortium to be established (1991) to standardize this sort of stuff, causing all the other countries in the world to have to hack bespoke and incompatible systems back in the day. That's why things are a hodgepodge mess now.
youd imagine that its possible for windows to just print "&rlm" by default if youre using a system locale that doesn't use these types of characters or formats
hasnt been a problem in web browsers for a while right?
Yeah this is a very old trick. Most people are not aware is this. I have used this trick for saving certain things and then renaming it when I needed it. Yes virus can hide in there but a there are ways that you can find them too. Or even prevent this from happening. Great video.
as an IT Admin, I always use the windows sandbox to open files that I don't trust or generally download from the internet from an untrusted source! : )
Windows should really really implement a special icon that indicate a file is a executable. Like how shortcut have a arrow pointing at it on the bottom right.
The "EXE" extension should be sufficient if they stop allowing "hide extensions" and disable things like the override described in this video.
@@sexygeek8996 I'm taking about people who aren't computer literate enough to recognize it. Most of my friends don't know how to enable extensions and those that do would click on the exe anyway because they saw a Word icon.
@@thacium Hide extensions should be disabled by default and there shouldn't even be an option to enable it. Those oddball features to manipulate the display of filenames should be disabled by default unless the computer is configured for a language that requires the feature. If the extension is EXE then there shouldn't be any way to display a different icon.
@@sexygeek8996 That is just not inclusive enough.
@@Korbus_Corax Why is that? I said the feature should only be enabled if the system is configured for a language that needs it.
There are way too many features nowadays and they cause a lot of security problems.
You can create a hidden character rtl:rctrl+rshift and ltr:lctrl+lshift it’s commonly used with bilingual users who type rtl languages. This isnt override character tho, the normal rtl switch flips the orientation of the text box you’re typing into, usually causes issues when adding ltr numbers(or brackets)into an rtl text.
bookmark comment later
what is the rtl i know rctrl is right ctrl but i havw no ide what the rtl key is my oly guess could be tab lock but i dont think that key would ever have a major purpose so no sense in makeing it
Thank you for explaining things as simple as possible. I always learn something new from your YT videos. Simple, short, and informative 👌
And it's actually one of a few channels I have notifications turned on.
I knew that one (because I work in IT security, and we've specifically dealt with malware campaigns using that trick). Good to see you're bringing attention to it.
I knew of that Unicode character but I didn't realize it could be used in this manner! Feels like an oversight for Windows Explorer to support that behavior in these cases, but I know it's difficult to determine if it's being used legitimately or not.
To note: legitimate use cases would be files that includes both Latin characters (A-Z) and characters from a language that is written right to left. Whether there'd ever be an executable like that, I'm not sure.
Still, the file extension should be special, ignore that character and stay at the end NO MATTER WHAT
@@guiorgy I would definitely agree with that. Unfortunately, Windows is based on very old technology and a filesystem that doesn't consider extensions "special" and just considers them part of the filename (I'm assuming, based on how it handles this).
A fix might be to take whatever code Windows uses to determine what to hide via "hide file extensions" and just always display that set of characters at the end. Not sure if that would break other things though.
@@gFamWeb yup, you are correct. In ntfs, file extensions are just considered part of the file name, and file type is derived from the filename. Most modern file systems work differently.
@@guiorgy EXACTLY!!!!!!!!! Finally someone!!!!!!!!!!
@@gFamWeb Well, if there is a way to update this without breaking compatibility, extensions should be an operating system thing. So should be the last after the last dot, as said: NO MATTER WHAT!!!!!!!!! 😅
I have been building and using computers since my C-64 and this is absolutely astonishing. No matter how much you think you know, you can never know it all. Thaks very much Thio for this valuable information!
Dude! Never heard of that one until now, and that seems like a serious security issue to me. Thanks for keeping us informed!
This is one of the reasons why you should always disable the "Hide extentions for known file types" in Folder Options.
An option which is phrased in the negative, itself a very poor design choice.
@@clickrick This obsolete feature goes back all the way to Windows 95. It's hard to imagine that it has remained in Windows for over 2 decades.
You could also just use a real operating system instead of using Windows.
@@networkedpersonYou could also get some maidens and stop being a geek
@@chrisdawson1776 lol, hating on new technology with your 1776 moniker and your Ben Garrison picture. Let me guess, you also hate desegregation and anti-monopoly anti-wealth-hoarding laws...
This brings back memories of using ASCII control codes on character-based ANSI terminals like the Digital Equipment Corp. (DEC) VT-100, VT-220 and later models. You could embed backspace or cursor movement characters within text so regular characters would be sent, but then the cursor could be repositioned, and new characters would overwrite the old so you wouldn't see them. Or special escape codes to control terminal functions, like putting the terminal into its self-test loop that required power cycling to get out of it. 🙂
Fun fact: the maddening invisible character in the view certificate window (until it was finally fixed a couple of years ago) that is bound to have caught out anyone who ever tried to copy a certificate thumbprint was a LTR character.
explain
@@fss1704 if you ever needed to copy some details of a cryptographic certificate, you could view the certificate from Windows, then look at properties like its thumbprint, but the text box that showed those details had a unicode left to right character at the start of it, so when you try to e.g. copy that thumbprint to a configuration file, you would accidentally copy the LTR character and whatever software you were configuring would not accept it, but because it's a zero width character it's hard to track down the problem, because it's invisible.
What? That’s insane, lol. My trust in Windows’ ability to manage my certificates has decreased.
Wow, I didn't know about this. I don't know why Microsoft chose to make file extensions turned off by default. I agree that it should be turned on, but people who are not very computer savvy wouldn't know to turn it on. This setting has been like this for a very long time
Indeed, probably the single worst decision in terms of making users more vulnerable to attack.
I think file extensions should have a neutralizing unicode character when displayed in Windows Explorer / force to be put at the back / front depending on Windows localization settings. Not sure why it wasn't implemented.
It's because normal users don't know about them at all and ignore it. It both wouldn't help those users anyway, and also lead to them renaming files and screwing up the file extension when they do it.
I do one more thing, I use list view/details view and categories/display file types, this helps to push suspicious files in categories like application or vb script etc thus preventing accidentally mistaking it for a harmless document or any other file.
I tested this on a file on my pc and i think i may have found something that could help here:
If youre not sure whether or not a file is legit or not, try renaming the file and go through the characters with the arrow keys. Not only will the cursor start at funky locations, but it will also jump through the name, as it works through the chars. Also, in my case the blue marker for selected text didnt select the extension, which in this case was right in the middle of the displayed text.
Also, you can copy the filename and paste it into notepad, limit the charset to ansii and then see some broken mess if a unicode symbol was used. Although this only tells you THAT a unicode char was in there, not which one. But i think there are online sites that do that for you, usually for detecting email adresses that look legit but are using characters that look similar to normal characters, but arent.
Not a very good fix. Still wastes time having to use rename and slowly step through the name and prone to being forgotten.
Well I'm a trilingual person (I speak Arabic, English, Turkish)
Arabic script and Old Turkish script is RTL
while the New Turkish script and English is obviously LTL
Blocking RTL would limit my uses of the laptop as I use all the languages on my laptop.
We need a way for Microsoft to to warn users
I think a good way is showing a prompt to the user the first time he opens an executable even if it does not have admin rights
I didn’t even know that there is a character that can reverse text like that on a file name. I’ll definitely be more careful when viewing files on my computer. Thanks for the info!
Even as an engineer, I wasn't knowing this. Thanks a lot for the knowledge you share
Clever trick. You did a great job explaining this. Glad I use the Details view.
Yes, I have already heard of this a few years ago, but back then I didn't thought about how that could also be applied to filetypes other than .exe, and this Video probably helped me to be even more careful with suspicious looking files in the future.
It's good to see your channel still doing well, I haven't seen anything since the days of charging phones in the microwave and reading hate comments, I didn't even think your channel existed anymore, but I'm glad it does
This is why we should sanitize our filenames. I don't know if rename can handle invisible Unicode characters, but if not then this might be a place where someone could fill a gap with a nifty utility.
What a great app to use as a Trojan to achieve two things: allow your own hacks through but deny any others, to gain an advantage over other state actors....
You got me; I'd NEVER heard about this. Amazing!! I'm sharing this far and wide as a warning. Thank you!
Idk Windows still have that disabled by default lol, by experience they already shoulve lmao. The weird RTLO character should'nt be shown and the file extension should ALWAYS be placed at the end of the file, disregarding any text thingy which pushes it forward
An easy way Microsoft could help solve this problem is by showing a warning the first time any executable file is opened, like macOS does.
Wow. This brings up some memories.
Using this trick, I made three batch files.
Any of the three would open, execute its program, which was to open the other two upon close.
Obviously, when you closed it, it would open the two other files, close one of them, another two.
A fun little Hydra, makes you restart your computer, pretty harmless.
At this point though, we had been tricking each other (I was in a class of folks learning all sorts of network related things) with .bat files for a bit, and I had discovered this to hide my files in plain sight.
It was perfect for my little Hydra.
Thanks for bringing up some memories, and making me feel old, this was back in '04. (I'm 36).
This is why files shouldn't be automatically executable based on file extension. On Linux you first need to explicitly mark a file as executable
It doesn't just run on Windows, it brings up the do you want to run the executable dialogue.
That's would break one thing that windows has over Linux, ease of use
@@jordanwardle11 so, how often do you need to execute randomly downloaded executable files that aren't installers? On linux we don't execute installers, but instead feed them to the central system installer, where it can be centrally tracked (and also uninstalled). So the amount of cases where this would add two more clicks, is almost none. (I'd even argue that for installers Linux's approach is more user friendly). I think that's a fair price to pay for anyone to prevent a huge swath of dumb viruses
@@jordanwardle11 true. But almost all the Microsoft created security holes in our computers were put there to make things easier to use.
It's easier to not bother locking the door when you leave the house, and makes it easier when you come home as well. But anyone spot the drawback?
I'm going to guess the culprit is that the administrators failed to disable the GPO which hides known file extensions.
It's a very dangerous setting and should be disabled by default in my opinion.
EDIT:
Wow, I was completely wrong. I would never have guessed that in a million years. And I hate to admit it, but I would have opened that word document without hesitation.
From now on, I'll certainly be more cautious.
I wonder if there's some way I can implement a GPO setting from the domain controller to prohibit these characters being used as file names. Or perhaps I can create some software that would scan for files containing this character in their name, make a record of the original file name, and move the file to a different directory. A placeholder file could the be put in its place. When you run the placeholder file, the software runs and warns you about the file, and still gives you the option to restore it. Though it's only a passive process... If the file was opened before the scanner had a chance to find it, it would have no effect.
I think the "File type" column should help a lot in this case. You will see something wrong right away if the extension doesn't match the filetype.
( 0:58 ) to my knowledge this character can be use to put your TH-cam verification tick (Thing) in to middle of the username
Pretty cool stuff
Very interesting
@@ThioJoe you have a verification mark you cloud try it
@realtechfly made a video on this quite a while ago!
Edit: it was called Right to Left override - Stealth Attack and uploaded 6 years ago!
Another good strategy to avoid this is to open downloaded documents in the right program directly (eg open up Word and find the file from its file picker). That way it doesn't show any incompatible files. Obviously beware of things like macros regardless.
I actually knew about this before. This unicode is very weird, and a lot of people can get tricked, and run some malware. I always thought that you can only "inject" code into files to make them a trojan, but this method is a lot faster and easier. (I'm also shocked that almost noone knew about this because, i don't work professionally and i knew about it, but a lot of people that work professionaly didn't)
Honestly, Windows should add something similar to the Linux/Unix executable file permission thing, so like by default files you download from the internet can't be executed unless you edit their permissions, this would prevent this and all the other filename tricks. Or, they could add a thing to the file explorer that prompts you if you want to execute the file when double clicking on it if it is an executable, similar to what KDE's file manager does
It already does that for files downloaded from the Internet
The second option is better, as I would hate having to take the extra step of editing permissions for an executable.
@@lumer2b yeah the problem moreso there is that people tend to automatically click through those prompts. While the first suggestion prevents that, it's a hassle to users in the cases where it's unnecessary. It's difficult to balance the two.
It already does
Programmer: I finally fixed every bug in my frontend application
U+202E: Are you sure about that?
This is NUTS! Windows should be updated to always show the extension last! I assume that Windows uses simple concatenation to display the filename but it should always resolve the filename first and then add the file extension. Like brackets in math. (I assume that for right to left user, they display the extension first but the same point applies.)
I love how you show what you searched to get the stock footage, that's really interesting to me!
I've used this character so much that when you revealed file extensions i knew exactly what it was, never thought of using it this way though unless you directly share it from a usb stick or something, most CDNs will just change the name formatting or just completely deny uploading (i believe Discord denies the upload)
Discord renames it
If it is not zipped. If it is zipped which it is mostly zipped. Then it will be dangerous.
@@emmanuelmgbemena yes, I already know this. But if someone opens the folder with a program like winrar or 7zip (more common than you think), the zip is rendered completely useless, as rtlo is not rendered "properly" there
Ironically, people probably won't fall for this if they don't have file extensions enabled.
Very dangerous. Microsoft should patch this straight away. But that will never happen. Cheers for sharing!
As of jan2024 it wont work for me so seems fixed
I just tried it out by myself and Windows Defender was thinking it was a trojan and blocked it...
This is really interesting to see because I remember that I saw videos in 2015 of malware exploiting this. I thought that Microsoft would have worked on the issue since then but seems to not be the case! It would be interesting to see if you could bypass certain file checks using this method
I read about it on a German computer news site (heise online, article „Täuschende Dateinamen unter Vista“) in 2007 (!) a couple months after Windows Vista was released. Because Vista was the first Windows version vulnerable to this trick; XP doesn’t interpret the RTL characters.
@@HuskyNET I remember the video from Sempervideo - In the video they had the example "sexy-hexe.pdf" :D - seems like they took it down but you can find a mirror if you search for "Demo-RTLO-Angriff-auf-Windows-fuehrt-auch-aufmerksame-Nutzer-hinters-Licht" - the winfuture site actually has the removed youtube video :D
I think that this may have been the most important video I have watched for a while. Thanks for the heads up.
I saw a german video about this exact thing by SemperVideo like 10 years ago. How could microsoft not have fixes this in that long time? Seems like a pretty serious issue to me.
As an amateur programmer that an "exe" file, in particular, can have any icon the programmer wants. Indeed, one or more icons are supposed to be specified when linking the file.
Okay, I have checked my file viewer and it does hide extensions. It also has a table format with a column that lists the type of file.
When it could even fool the Guru himself, you know it's real shiz
i learnt about cyber security from you more than my IT department ever did. and that is coming from the company with big emphasise on cyber security, with weekly elearning/module/compulsory assessment on cyber security
A simple way to avoid this when opening an unknown file to always right click and choose "open with" and the relevant program. So if it is a fake DOCX file and you choose "Open with Microsoft Word" , it would try to open the EXE file in Word, which might fail, but it doesn't matter, it just won't launch the file.
Or just open the file from the Open command in the program itself, not by running it on the Desktop.
The whole concept of "opening" a file by double-clicking it was a bad idea from the start. Some naive users might have liked it but it was never worth all the problems it caused.
@@ZipplyZaneYeah but that and all other workarounds that is not "explorer view" costs some time. Safety has a price. Not much but still. Some programs might have bad file selectors.
I think Tiles view is a workaround that doesn't sacrifices too much. Guess one needs to use that or simply toggle between views.
I work in IT support, with around 30y experience. I didn't know this. Even if I had known, I doubt our users would have known. Some users have 'File extensions on', but not all. I will check if we can switch it on for all through a Group Policy.
We are lucky that a) a Group Policy forbids running files from USB sticks (even for us admins!) and b) our users are never local admin, so running programs that require admin rights ios impossible. But still: this is scary...
On Windows, if you use the "tiles" view in file explorer, it will tell you what type of file it really is off to the right
Wow, thanks for sharing this information; this is a major security flaw! I hope Antivirus companies will do something to protect users against files with UTF characters.
I could've guessed there were RTL shenanigans the moment you showed extensions and .exe appeared in the middle of the filename. But I'm somewhat used to unicode shenanigans because I spend time thinking about how to render the text "as intended". That's nasty and gonna bite a lot of people! Might've bitten me if I hadn't just dealt with RTL stuff just a few weeks ago! 😬
What if it was written as
ReadmeXE.docx?
Fascinating. While I mainly just use Windows for playing games, I can see this tricking a lot of users, even the more sophisticated ones.
I remember learning this when I was learning ethical hacking.
And mark my words most of the TH-camres who got hacked was due to this.
Filename still ends by the « .exe » or whatever extension to prevent opening those files you can:
• Make a Mailflow policy / or server rule to block those messages (eg. Message whose attachment ends with…);
• Or prevent their attachment to open via some kind of Microsoft Defender ASR rule (Attack Surface Reduction);
Virus builders often also add enough spaces right after the right-to-left mark (RLM) in order for the extension not to be viewable even if file extension are set to be displayed…
Try something like « hello.jpg[RLM][20 spaces].exe »…
Thank you Thio Joe! I'm a programmer since 1975 and this is a new thing for me. If Microsoft doesn't fix Windows to prevent Unicode characters in filenames then this bug is on them. I'm sure the Linux geeks are working on it now (prolly thanks to you!).
And props to the hackers for being so inventive, damn their eyes.
Wdym "prevent Unicode characters in filenames"? All letters would be blocked if they did that
Plus, the character is used in loads of languages -- not every language is left-to-right
@@aMySour hence the LTRO. Yeah I know even English wasn't originally left to right only but alternated from one line to the next. MSDos doesn't have the LTRO but Windows does - but it's not an option. I'm sure you know that I mean non-ASCII characters when I mentioned blocking Unicode. It made for a shorter comment that was already too long.
I already knew that. RIGHT TO LEFT OVERRIDE!
That is really really smart. I can see myself falling for this too.
Those unicode characters are pretty well known in the IT security industry, but a great reminder, I'll try and find a way to get these on our systems.
File names can include right to left script from other languages, but I don't know if that needs the rtl character.
The biggest issue is that operating systems like to hide extension information and love to make it easy for software to auto-run. Every time I get a new computer I need to spend time fixing those issues to improve safety.
Right-to-left text doesn't need the right-to-left override character in a proper text rendering engine, but right-to-left text in the middle of left-to-right text might need the right-to-left embed character before it and the pop directional formatting character after it if there are directionally ambiguous characters (like ASCII numbers and punctuation) around the right-to-left text that need to display right-to-left. For instance if there is English text, Arabic text beginning with a quotation mark and followed by a period and quotation mark, and more English text, it is probably a quotation containing a period and you would want a RLE character after the opening quotation mark and a PDF character before the closing quotation mark. That makes the period behave like a right-to-left character and display to the left of the Arabic text rather than to the right. In HTML, it's best to omit the invisible characters and use CSS (unicode-bidi: embed; direction: rtl;) equivalent to the RLE and PDF characters.
Wow! Well this was very interesting! I remember the web site where you go and type something and it will appear as upside down - and it just work anywhere. I didn`t know that Unicode characters have ability to type upside-down... Who knows what is possible...
OS should show all executable types with additional sign on icon just like with the shortcut. That way, no matter the icon or name, it would be obvious from the start.
I can see how this would've fooled me too, so useful thank you!
You truly brought your channel the other way around since free wifi upgrades haha
There was also a time back in the days when a lot of people here (without technical background) used special Unicode characters on Facebook to cause all kinds of strange effects. I think I have also seen something similar on Twitter once. Not sure if this is still a thing.^^
The Twitter thing was recently covered by David Bombal and TheXSSRat I think?
He used a script in a tweet and I forget what it caused. But it made it retweet itself through people who saw it it think? Or something silly.
But stuff like that is always interesting to see!
@@TheJoshShephard That was in 2014, but it was more due to a bug in Tweetdeck that for some inexplicable reason, they used the heart emoji to indicate preceding text was to be rendered as HTML.
@@Joooooooooooosh noted! My memory is a little fuzzy. So I forgot some specifics. So thanks for the clarification!
This is an advanced version of a prank I played on nocives in the old days of ASCII terminals on Unix, DEC RSX orVMS, or HP-RTE systems. Neat.
Very interesting, I knew about the unicode character, but didn't think it would be allowed in filenames. Wtf? Windows prevents you from having : or / in the filename, but allows non-printable characters?
You can't have \ or / in a file name because they are used for path names. C:\windows\system32 for example.
Gotta love Linux, can't even run downloaded files unless you permit them, in most GUI file managers that means opening the file properties to edit the permissions which means seeing what the system recognizes what the file is.
why windows even displays filenames like that is beyond me
Languages, man
@@araghon007 File extensions should be left out of that... Or be the last thing after the last dot, no matter what and whatever direction.
I knew about the unicode character but I didn't know it can be used for something like file extensions, that is just wicked. This was taught to us, as well as some other unicode characters, as a side note by our professor in university and he just said that it was something cool but doesn't really have any real-life use.
Usually when you hit F2 to rename a file, it doesn't include the extension. Could this be a quick and easy way to check a new file before opening it?
Everybody is gangster until ThioJoe logs in
There is also a now patched exploit in Microsoft Office where a document can launch any executable and I thought this video was going to be about that.
Ya but in this the exe is running. Which can me made to make a docx open in word and keep doing its work in background.
2:04 In Linux (Ubuntu Unity 22.04) the text cursor is where you type after the RTL character, in Windows 11 the cursor is on the right so you can't even reliably see where the next typed character will show up... Only after a space character does it jump to the right, but after a printed character it is where the next letter will show up.
How ty type in reverse in Linux: Ctrl+Shift+u, let go then type 202e followed by Enter.
That's how easy it is. And to type the right way around again, just use the U+200E character.
Yes, this is somewhat dangerous, but the file would mostly come to you as an email attachment.
Your antivirus would warn you in the same way that it does for any other EXE.
Unfortunately not always the case. If something is configured correctly, it's possible to bypass virus detection software in various ways.
If it's not an email attachment, it's via a link. And may bypass detection because of file size or something else.
Paul Hibbert had this happen via a fake sponsor and a fake pdf file.
Then with most TH-camrs. The malware is being packed in zip folder and auto downloading after being directed to a pdf with a script.
The browser and virus detectors miss it. And if the person finds it and unpacks it, they usually run Redline Stealer and get their accounts and many other things hacked.
Usually it's in the form of a WMG, UMG, Copyright claim or Strike.
But unfortunately for Paul, it came in the form of a fake sponsor campaign
it'd be in a .zip, .rar, .ace, .tgz ... most AVs *should* handle them fine, but I can imagine other scenarios that would be trickier. Like passworded zips - the con would be in convincing the victim that there was a legitimate need for the file to be password protected. and I can see my folks falling for this. Can't you?
@@TheJoshShephard can i get some videos of this?
Loved ‘extremely realistic depiction of an IT department’-🤘🏻🤘🏻🤘🏻🤣🤣🤣
Great info, thanks as always!
I tested it on MacOS and it only reverses the characters in front of the file extension. The file extension (as well as the point) is always shown last and in left to right order. So no problem for MacOS 👍😊
Not that MacOS uses the extension to identify executable files anyway…
I remember people in the 00s using these characters to blow up web forums. Back then, including one in a forum post would often make all following posts display backwards. Nowadays posts are wrapped in more tags and browsers seem to have started ending any weird Unicode stuff at the end of a div or whatever.
I don't know why I never thought to see what would happen if one was in a filename.
Could this same trick be used on URLs in the browser? If it is possible to swap characters in the domain name, you can be redirected to a malignant site even after checking the URL for easy to miss variations such as "m" being replaced by "rn".
"i guarantee you will be wrong"
But I wasn't
I knew what was going on instantly
as soon as he said "i guarantee you're wrong" at the start, i was like "that's gotta be the unicode reverse thing, right?" and as soon as he said it was using an invisible character i was like " C A L L E D I T "
I feel like I just want to show off, but I paused the video before he gave the answer and thought about it and that was the only thing that I could come up with on how to do it, because Windows shows this file as an executable. However, I would have assumed that Microsoft had prevented this security flaw long ago, because this was already in the news during Windows Vista times.
i thought its too obvious that it's just a hidden file extension so I put my bet on weird unicode magic and I was right lol
I've known about the character, but never knew it could be used like this! Thanks for saving us 😅
Great video!! Possibilities are endless!!!🤣
It's not the first evil trick that people do with Unicode characters. There exists also some messing with what sites show in google search results by looking like official websites but actually exchanging characters for very simular other Unicode characters.
Learning new things everyday!!!🙃🙃
Your new channel is pretty good! I remember viewing your channel back when it was mostly pranks and parody, but I like this more informative channel a lot more, nice change!
new? lol. Yes I too remember the pranks and stuff he did way back. But this type of content he's doing now isn't exactly new either. :D
@@ttkftykyfts well, I didn't expect him to be that knowledgeable. His parodies I think cheapened his more serious content, it's good that he got rid of them.
This is still the same channel. He just switched to actual helpful IT tips rather than joke videos.
Always remember scr files should be treated as EXEs, as that's what they are. You can rename any file to scr and it will still run.
The simplest fix will be Microsoft to block this character from file names (replace it with null).