[LINK] Google engineer finds British spyware on PCs and smartphones

Fernando Cassia fcassia at gmail.com
Mon Sep 3 01:46:27 AEST 2012


On Sun, Sep 2, 2012 at 9:29 AM, Nicholas English <nik.english at gmail.com> wrote:
> said that their server had been broken into and that several
> demonstration copies of FinSpy had been stolen. However, analysts suspect
> that these were no demo copies.

https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/

These technical details are very interesting. I have to say, I had no
knowledge of a "right to left override" character and that thanks to
the Windows shell's good design (sarcasm) it'd allow an exe to
masquerade as something else like a .jpg by flipping the characters in
a file name, so that someone.jpg.exe visually becomes someone.exe.jpg.

Scary!

FC
-----
The emails generally suggested that the attachments contained
political content of interest to pro-democracy activists and
dissidents. In order to disguise the nature of the attachments a
malicious usage of the "right-to-left override" (RLO) character was
employed. The RLO character (U+202E in Unicode) controls the
positioning of characters in text containing characters flowing from
right to left, such as Arabic or Hebrew. The malware appears on a
victim’s desktop as “exe.Rajab1.jpg” (for example), along with the
default Windows icon for a picture file without thumbnail.  But, when
the UTF-8 based filename is displayed in ANSI, the name is displayed
as “gpj.1bajaR.exe”.  Believing that they are opening a harmless
“.jpg”, victims are instead tricked into running an executable “.exe”
file.
-----

The pics are self-explanatory...

FC
-- 
During times of Universal Deceit, telling the truth becomes a revolutionary act
- George Orwell
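
Worked example of the trick the quoted report describes. This is added here and is not code from the Citizen Lab report or from the list post: it builds a filename carrying U+202E, simulates how a bidi-aware file listing draws it, extracts the extension the OS really uses versus the one the user sees, and flags names that carry bidi control characters. The `rendered()` function is a deliberate simplification of the Unicode Bidirectional Algorithm that handles only an unterminated RLO (every character after it is forced right-to-left, so that run is shown reversed); the sample names are constructed, one of them being the report's "gpj.1bajaR.exe". The executable-extension list in `check_filename()` is an assumption, not something the report specifies.

```python
"""Added example (not from the Citizen Lab report or the mailing-list post):
how the U+202E RIGHT-TO-LEFT OVERRIDE filename disguise works, and a check
that flags such filenames."""

import unicodedata

RLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE

# Unicode bidi control characters that can reorder how a name is displayed.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
    "\u200e\u200f"                    # LRM, RLM
)

# Assumed list of extensions Windows runs directly on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}


def disguise(visible_stem: str, fake_ext: str, true_ext: str) -> str:
    """Build the stored (logical) filename for the trick.

    Everything after the RLO is drawn right-to-left, so the fake extension
    is stored reversed and the real extension goes last, which is the part
    the OS actually looks at.  disguise("photo", "jpg", "exe") gives the
    stored string "photo<RLO>gpj.exe", shown as "photoexe.jpg".
    """
    return f"{visible_stem}{RLO}{fake_ext[::-1]}.{true_ext}"


def rendered(name: str) -> str:
    """Simulate a bidi-aware display of `name` for the RLO-only case.

    An RLO with no matching U+202C (PDF) forces every following character,
    digits included, to right-to-left, so that run is displayed reversed.
    Simplified from the full Unicode Bidirectional Algorithm.
    """
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    return head + tail[::-1]


def true_extension(name: str) -> str:
    """Extension the OS uses: taken from the stored string, as-is."""
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def displayed_extension(name: str) -> str:
    """Extension a user believes they see in a file listing."""
    return true_extension(rendered(name))


def check_filename(name: str) -> list[str]:
    """Return reasons a filename looks like an RLO-style disguise (empty = clean)."""
    reasons = []
    controls = sorted({c for c in name if c in BIDI_CONTROLS})
    if controls:
        names = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c)}" for c in controls)
        reasons.append(f"contains bidi control character(s): {names}")
    seen, real = displayed_extension(name), true_extension(name)
    if seen != real:
        reasons.append(f"displayed extension '.{seen}' but real extension '.{real}'")
    if real in EXECUTABLE_EXTS:
        reasons.append(f"real extension '.{real}' is directly executable")
    return reasons


if __name__ == "__main__":
    # Constructed sample names: the report's example, a built one, and a clean one.
    samples = [RLO + "gpj.1bajaR.exe", disguise("photo", "jpg", "exe"), "report.pdf"]
    for n in samples:
        print(repr(n), "->", repr(rendered(n)), check_filename(n))
```

The point the check makes explicit: the extension that matters is the last component of the stored string, while the listing shows the reversed run, so comparing `true_extension()` with `displayed_extension()` catches the mismatch regardless of the stem. In practice, simply rejecting or quarantining any filename that contains a bidi control character is the more robust rule, since there is no legitimate reason for one to appear in a Latin-script attachment name.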
