top of page
  • Writer's pictureTracy Camp

Click to run... it could never happen to ME!

We all think we are pretty good at spotting a scam. And most of the time we are! We people generally are pretty amazing at pattern recognition... but alas we are human and thus do make the occasional error. Maybe you need more coffee, maybe you have too much coffee. Either way, all it takes is one mistake and you could very well be faced with losing control over your accounts, get ransomware or at the least becoming part of somebody's bot-army of the undead!

Attackers are professionals and very likely have a few human psychology experts as part of the attack planning team. Let's examine a few ways that even a careful person can be scammed.

All magic is misdirection...

We all know to be careful with email attachments from unknown people. As in - don't! But what if the email came from a known person and you where sort of expecting it? This is the basic architecture of a classic phishing attack. Like any good card trick, the idea is to show you something that you expect to see... but is otherwise a forgery.

Well-crafted email phishing attacks require research and possibly multiple stages of compromise to get to the final target. For instance, an attacker might gain control over your gmail account by stealing a token (install UpSight!), then can send email to your contacts as you. Maybe they even go so far as to emulate your writing style using some of the fancy new language models like ChatGPT. This might seem like a fair amount of effort to go to in order to send some spam, but if they can deliver a payload to the right person, they might be able to gain control over an entire corporate network. The ensuing ransomware demand will more than pay for the effort.

But I don't even use email that much...

Replace email with Discord, Slack, Teams etc. You can read about numerous examples of how web3 is going great that involve Discord Phishing.

Or how about github?

You don't necessarily even have to be interacting with a person directly. I recently uncovered an interesting swath of public github projects that included source code, makefiles and visual studio solution (.sln) files.... except that the .sln file was not a solution file at all, but instead a 600kb windows executable file with a filename setup such that in explorer it looked like it ended in a .sln, but if viewed in a command shell you might notice that it actually ended in the executable .scr extension. The source code, makefiles etc. where all basically misdirection, the point of the project was to get the unsuspecting developer to download it and double click on what they thought was a ".sln" file.

No, this is not a first-hand confession... but only because I was in a frame of mind of doing malware research... it very well _could_ have been! What is more natural to a developer than opening the solution/project file up and checking out the code!? I of course reported the specific github repos to github, but I'd not expect they will take much action and indeed as of today the repository is still there harvesting new victims. And even if github took it down (unlikely) many, many more will pop up to replace it! Be careful! Or better yet - also Install UpSight!

We recently added some protection in UpSight Security to guard against future me or you trying to open solution files that are not and various other variations involving filename tricks in explorer that I detail just below.

Another note of caution about Visual Studio files from the internet: Legitimate Visual Studio project files can most certainly be used to execute commands locally when you run the build!

How the trick works - File type misdirection

Since I'm not a magician, I'll show you how the trick works. The Windows "Desktop" gives you a view of your files that has been somewhat "Edited" in the name of making the computer more "Friendly" (whatever that really means). One of the edits is to not show the file extension by default. A very old, but surprisingly effective psychological hack is to simply add two file extensions, one is the real file type (hidden by Windows from you) and the second is the one that you are expecting to see.

"Cool Code.sln.scr"

Windows happily displays a file with a Solution File icon and that is further confirmed for you by the visual display of the familiar "sln" extension. However, the actual file extension is ".scr" which is one of several windows executable file extensions. If you double click on this file, you are not opening a solution file in Visual Studio, you are running a program!

This example takes advantage of another of the "edits" that Windows is doing for you by displaying an icon that relates visually what kind of file a given file might be. Some file types are just "basic files" like a text file and Windows assigns an icon based on the extension, some are complex files and the file itself gets to pick what kind of extension should be displayed to the user. An executable file is certainly in the latter category, there is absolutely nothing that stops an attacker from using the exact same icon as a solution file as the program's icon.

But I'm careful and always show file extension in Windows!

Another more obscure, but just as effective means of misdirecting a file extension is by taking advantage of Windows support for Unicode. Unicode is an international standard for representing text and is capable of representing all known written languages, and even a few made up ones like Tolkien Elvish. Since we as a species don't universally agree about much of anything, some cultures read right to left and some left to right. Unicode handles this by allowing for a few embedded formatting characters that 'reverse' the direction of display. You can use these to craft file names that when displayed appear to be something other than what they are. This was the specific misdirection employed by the github repo I found above.

The actual filename: "Doc Pdf Exploit Builder\342\200\256nls..scr"

"\342\200\256" are octal values of a UTF8 character encoding of the Unicode 'Right to left override' char at codepoint 0x202E.

Since the cmd console isn't quite "unicode" the reverse chars are displayed as gibberish. But 674kb is a bit "much" even for something as heavy as Visual Studio.

This is how explorer sees the exact same file... but now it's a "sln" file! Note the usual solution file icon; this icon is loaded from the executable, it isn't due to a file association maintained by Windows. If you were to click on it, you would be running the executable, not loading a solution file in Visual Studio.

Finally for completeness, this is how the same file appears in a bash shell. Not the sln is the final file extension displayed. In a weird way, the ancient cmd.exe is better off not knowing Unicode.

And that is how the trick works.

Call to action!

It's important to state a conclusion here - as soon as Microsoft finishes modernizing cmd.exe to be part of the Unicode world - you will have _no_ easy way to identify files of this nature. (Hint: install UpSight Security!)

1) Of course: Install UpSight! Honestly, I've worked on a lot of security products in my 17 years in the security industry... this is one of the few that I actually feel safer running. So can you!

2) Be really suspicious of github projects. Actually, read the project files before running a build. The "custom actions" in particular give whoever crafted the project file a scripting opportunity on your machine. The vast majority of github projects are from good people doing good work... but supply chain attacks are very much "a thing". I believe the unicode misdirection trick above works in script files too.

3) I often dislike the usual advice about not opening attachments from strangers etc... because it feels so much like blaming the victim and in our strange and brave new post GPT3 world... aside from Installing UpSight Security, I guess it's the best we got. ; )

31 views0 comments

Recent Posts

See All

We had the opportunity to present UpSight Security at the WestSide Pitch here in Oregon last Thursday. It was a lot of fun and we walked away with a large novelty check - so even better! Many thanks

bottom of page