How to Prevent Files with Right-to-Left Override Unicode Character from Running

malwareSecurityunicodeviruswindows

What are ways to avoid or prevent files with the RLO (Right-to-Left Override) Unicode character in their name (a malware method to spoof filenames) from being written or read in a Windows PC?

More info on the RLO unicode character here:

Info on the RLO unicode character, as it is used by malware:

Summary of computer virus/unauthorized computer access incident report for October 2011, compiled by Information-technology Promotion Agency, Japan (IPA) [Mirror (Google Cache)]

You can try this RLO character test webpage to see how the RLO character works.

The RLO character is also already pasted in the 'Input Test' field in that webpage. Try typing there and notice that the characters you're typing are coming out in their reverse orders (right-to-left, instead of left-to-right).

In filenames, the RLO character can be specifically positioned in the filename to spoof or masquerade as having a filename or file extension that is different than what it actually has. (Will still be hidden even if 'Hide extensions for known filetypes' is unchecked.)

The only info I can find that has info on how to prevent files with the RLO character from being run is from the Information Technology Promotion Agency, Japan website.

Can anyone recommend any other good solutions to prevent files with the RLO character in their names from being written or being read in the computer, or a way to alert the user if a file with the RLO character is detected?

My OS is Windows 7, but I'll be looking for solutions for Windows XP, Vista and 7, or a solution that will work for all those OSes, to help people using those OSes too.

Best Answer

You could use Everything in combination with AutoHotkey to create an alert whenever a bidirectional text control character forms part of a filename.

The Script

AlertText = A bidirectional text control character was detected in a filename.
AlertText = %AlertText%`n`nClick OK to re-hide the window.

SetTitleMatchMode RegEx
DetectHiddenWindows, On
EnvGet, ProgramFiles32, ProgramFiles

Start:
Run, %ProgramFiles32%\Everything\Everything.exe
WinWaitActive, Everything, , 5
if Errorlevel
    Goto Start
WinGet, Id, ID, A
StatusBarWait, objects, , 1, ahk_id %Id%
StatusBarGetText, Status, 1, ahk_id %Id%
Backup := ClipboardAll
Transform, Clipboard, Unicode, ‎|â€|‪|‫|‬|‭|‮
Send, ^v
WinHide, ahk_id %Id%
Sleep, 100
Clipboard := Backup
Backup =
StatusBarWait, ^(?!^\Q%Status%\E$)
Loop
{
    StatusBarWait, [1-9], , 1, ahk_id %Id%
    IfWinNotExist, ahk_id %Id%
        Goto Start
    WinShow, ahk_id %Id%
    WinRestore, ahk_id %Id%
    MsgBox, %AlertText%
    WinHide, ahk_id %Id%
}

What it does

The script launches Everything and searches for ‎|â€|‪|‫|‬|‭|‮ (UTF8), i.e., all seven bidirectional text control characters (source), separated by |.

Then, the script hides the Everything window and monitors its status bar. When it contains any digit different from 0, a match has been found, the Everything window gets displayed and the following message box pops up:

A bidirectional text control character was detected in a filename.

Click OK to re-hide the window.

The script also relaunches Everything in case it gets closed.

How to use

  1. Download, install and launch Everything.

  2. Press Ctrl + P and switch to the Volumes tab.

    For all volumes that should be checked, enable Monitor changes.

  3. Download and install AutoHotkey.

  4. Save to above script as find-bidirectional-text-control-characters.ahk.

  5. Double-click the script to launch it.

  6. Create a shortcut to the script in your Startup folder.

Related Question