
I'm trying to analyze a piece of malware from the internet. I found out that the nemo browser and the ls command show the filename of the malware in different ways. ls displays the filenames as IMG147pgj.exe, IMG148pgj.exe, IMG149pgj.exe, while nemo shows the same files as IMG147exe.jpg, IMG148exe.jpg, IMG149exe.jpg (those files are in fact Win32 executables):

Example

Why is that and how is that possible?


EDIT1: Results of `ls | od -c` and `ls -q` as requested.

Request

burtek
  • Is it possible that there are "unusual" characters at the end of the name? If you do `ls IMG147* | od -c` or something like that, can you see extra characters? Or try `ls -q` or `ls -Q`, if your `ls` supports it, to see if there are control characters in the name or something like that – Eric Renouf May 06 '17 at 12:34
  • @EricRenouf I added screenshot of those commands' results to the question. I can see there are codes `342 200 256` - what do they mean? – burtek May 06 '17 at 14:36
  • I'm not up on unicode enough but I think the `342`, `200`, and `256` are probably the unicode code points that are being treated differently by `ls` and by nemo – Eric Renouf May 06 '17 at 14:41

1 Answer


The bytes you see using `ls` (342 200 256 in octal, or E2 80 AE in hex) decode in UTF-8 to Unicode U+202E, the right-to-left override. Nemo from there on reverses all characters, so gpj.exe is shown as exe.jpg, while your terminal doesn't.

Similarly, Windows Explorer would reverse it but still read the extension without reversing it, so what appears to be a .jpg gets executed.

Searching for RLO will show you it's a known malware technique.

user2313067
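As an added example (not part of the original answer or of any project the page describes), here is a small Python script that decodes the octal bytes `od -c` printed, finds Unicode bidi control characters such as U+202E in a filename, and compares the extension the OS actually uses with the one a bidi-aware file manager would display. The filenames are constructed for the example; the RLO is assumed to sit between `IMG147` and `gpj.exe`, as the answer's description implies. `rendered_name` is a deliberately simplified model of how a single RLO reorders the rest of a name, not the full Unicode Bidirectional Algorithm.

```python
import os
import sys
import unicodedata

# Unicode bidirectional control characters. Any of these in a filename can make
# the name render differently from the byte sequence the OS actually uses.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the answer identifies


def decode_od_bytes(octal_fields):
    """Turn the octal byte values printed by `od -c` (e.g. ["342", "200", "256"])
    into the text they encode, so you can see which code point they are."""
    raw = bytes(int(field, 8) for field in octal_fields)
    return raw.decode("utf-8")


def find_bidi_controls(name):
    """Return (index, 'U+XXXX', unicode name) for every bidi control in name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]


def real_extension(name):
    """The extension the operating system goes by: the text after the last '.'
    in the raw (unrendered) name, lower-cased."""
    return os.path.splitext(name)[1].lower()


def rendered_name(name):
    """Approximate what a bidi-aware file manager draws for a name containing one
    RLO and no closing PDF (U+202C): everything after the RLO is shown reversed.
    Simplified model for illustration, not the full Unicode Bidirectional Algorithm."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def classify(name):
    """Describe one filename: what it looks like, what it really is, and why."""
    shown = rendered_name(name)
    controls = find_bidi_controls(name)
    return {
        "raw": name,
        "displayed": shown,
        "real_extension": real_extension(name),
        "displayed_extension": real_extension(shown),
        "bidi_controls": controls,
        # Any bidi control in a filename is suspicious on its own; a changed
        # extension is the classic RLO trick.
        "suspicious": bool(controls) or real_extension(name) != real_extension(shown),
    }


def scan_names(names):
    """Return the classification of every suspicious name in an iterable of names."""
    return [info for info in (classify(n) for n in names) if info["suspicious"]]


# Constructed sample, not real files: the RLO bytes from the question (342 200 256)
# placed where the answer says they are, between "IMG147" and "gpj.exe".
SAMPLE_NAMES = [
    "IMG147" + decode_od_bytes(["342", "200", "256"]) + "gpj.exe",
    "IMG148" + RLO + "gpj.exe",
    "holiday.jpg",  # benign
    "report.pdf",   # benign
]


def main(argv):
    # Scan a directory if one is given, otherwise the constructed sample names.
    names = os.listdir(argv[1]) if len(argv) > 1 else SAMPLE_NAMES
    for info in scan_names(names):
        controls = ", ".join(f"{cp} {nm} at index {i}" for i, cp, nm in info["bidi_controls"])
        print(f"{info['displayed']!r} is really {info['raw']!r} "
              f"(real extension {info['real_extension']}, "
              f"shown as {info['displayed_extension']}): {controls}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a directory argument to scan real files (`python3 rlo_check.py /path/to/samples`, a hypothetical script name) or with no arguments to see the constructed sample. The check is the same one the comments above arrive at by hand: `ls -q` replaces the control character with `?`, `ls | od -c` exposes its bytes, and `os.path.splitext` on the raw name reports the extension the OS will actually act on, regardless of how the file manager draws it.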