Several days ago, one of our customers submitted a sample (SHA1: fbe71968d4c5399c2906b56d9feadf19a35beb97, detected as TrojanDropper:Win32/Vundo.L). This trojan hijacks the hosts “vk.com†and “vkontakte.ru†(both social networking sites in Russia)and redirects them to 92.38.209.252, but achieves this in an unusual way.
A common method used to hijack a website and redirect it to a site of the attacker’s choice is to add an entry in the Windows hosts file located in the %SystemRoot%\system32\drivers\etc directory. However, when we open this file on an affected computer, it doesn’t contain any entries related to “vk.com†and “vkontakte.ruâ€, as you can see in the following example:
 
But when we show hidden files, we can see another “hosts†file. It is hidden, as in the following example:
Â
There are two files with exactly the same name, “hostsâ€, in the etc directory! How can this happen?
As we know, it is not possible for a directory to contain two files with the same name. When we copy the file names to notepad, save them as a Unicode text file and open them with a hex editor we see the following (the upper is for the first “hosts†file, the lower is for the second “hosts†file):
For Unicode (UTF-16), the 0x006F is the same as 0x6F in ASCII, which is the character “oâ€. But what’s the 0x043E in Unicode? We can find it in Unicode chart table (Range: 0400-04FF). The following is part of this table.
Â
We can see that Unicode 0x043E is a Cyrillic character, and it looks very much like the English character “oâ€.
So the hidden “hosts†file is the real hosts file in fact. When we open this file, we can see that two entries have been added to the end of the file:
Â
Mystery solved!
This is not the first time we’ve seen a hacker using Unicode characters to mislead people. In Aug 2010, a Chinese hacker disclosed a trick with a Unicode control character used to mislead people into running an executable file. Hackers use Unicode control characters 0x202E (RLO) to reverse parts of a special file name, which changes the look of the file name in Windows Explorer.
For example, there is a file named as “picgpj.exeâ€, as the following:
The “gpj.exe†part of this name is specially crafted. When inserting an RLO character before “gpj.exe†in this name, the whole name appears as the following:
Hackers also usually use a picture as the file icon. Unwary people treat this file as a picture, and blindly double-click to open it, thus running the executable. Obviously, this type of trick is useless for Unicode aware programs, but it is not easy for the eyes of people to identify the problem.
Can we believe our eyes? The answer is... not always.
Zhitao Zhou
