Big bruh moment >>> I'll also emphasize the point I make at 3:49 in case people comment before watching that long - There doesn't have to be 2 periods in the filename, so "Test.exe.docx" could very well just be "Testexe.docx" - I put the other period there to make it easier to show the real file extension. So it might not be very obvious at all that this trick is used, depending on the real file extension and how they name it. For example, "arcs.docx" could really be a .scr file and the filename might not be suspicious, especially depending on the context, like naming it "character_arcs.docx" or something. There are tons of potentially malicious / exploitable filetypes out there that could be used.

I worked professionally on computers since Win 3.1, read everything religiously and never heard of anything close to this. Stunning.

I still don't understand why Microsoft had ever chosen to hide file extensions as a default. It's the first thing I fix when I install Windows. In this case it's not the same cause, but having file extensions enabled helps.

As a security professional and having been in IT over 40 years I am also surprised that I hadn't come across this before too. Very informative, thank you.

Fun fact: At the old days of youtube, you can put RTLO in your username. So when somebody attempting to mention you, they probably confused and accuse you of being a witch

AV software COULD scan for these "control" type characters within file names. Seems like an obvious thing to scan for.

1:20 There's a faster way if you already know the character's Unicode number. Type in 202E into notepad (or anywhere else) and press Alt + X. This will convert it to the unicode character. If you hit Alt + X again it will revert it back. Although the "reverting to number" part doesn't work for letters from A to F because they can already be considered to be hexdecimal numbers.

Here's the crazy part: you can nest the overrides. You can move the extension to the beginning and mask it as a file that has a . to appear at the top... [RTL]txt.sevituc[LTR].exe will appear as .executives.txt

I will say, Windows Defender/Security does detect this if you try and spoof another extension. That can be gotten around with spaces in the file name, Cyrillic characters/other look-alike characters, etc; but... it does at least try to stop this from harming you most of the time.

10/10 The IT department footage is the most accurate depiction of what we do that I've ever seen in my entire life.

I think the simplest trick is to just rightclick and check properties, as it tells it's an executable. Or hovering over it.

I’ve been working with pcs since the stone ages of DOS and I suspected something like this was behind some of the weird attachments I’ve seen, but didn’t get it until your vid. Thx. I’ve been raging at Microsoft for years for hiding file extensions and not just forcing users to understand what they are and how they work. It’s a simple concept and there’s no reason any pc user couldn’t learn it, but when you try to make things idiot proof, all you do is turn your users into idiots because they never learn the basics. Today I see so many users that don’t know the difference between a shortcut, and a folder, and a zip archive because they have all been confusingly glossed over and never taught to users. Good vid! I recommend!

Just make sure your download folder's view style is set to Details mode. That way, you can see what type of file it is from the Type section. People should do this by default for a couple of reasons, anyway. First, some file names are too long to see the extension by default, so this is actually even easier. Second, the download folders is usually way too disorganised to to have large chunky icons like a Desktop. Third, the "Details" view has way more useful information like the Date Modified time stamp and size for easy location of files and deleting large files. I'm pretty sure Windows already sets the Downloads folder this way by default, anyway.

insane this is allowed to happen man keeping folder view on detail & showing "file type" off to the right as a column might help, i usually glance at that to be sure of what im clicking on

Wow, that's rad. I work in the IT industry and actually have a good knowledge. But this was completely new to me that there are Unicode characters with this effect. Thanks for the education! So many won't know that, let alone non-IT people out there.

another simple way to spot it is to use detail view. it shows the extension correctly there.

Yeah this is a very old trick. Most people are not aware is this. I have used this trick for saving certain things and then renaming it when I needed it. Yes virus can hide in there but a there are ways that you can find them too. Or even prevent this from happening. Great video.

Windows should really really implement a special icon that indicate a file is a executable. Like how shortcut have a arrow pointing at it on the bottom right.

I knew of that Unicode character but I didn't realize it could be used in this manner! Feels like an oversight for Windows Explorer to support that behavior in these cases, but I know it's difficult to determine if it's being used legitimately or not. To note: legitimate use cases would be files that includes both Latin characters (A-Z) and characters from a language that is written right to left. Whether there'd ever be an executable like that, I'm not sure.

as an IT Admin, I always use the windows sandbox to open files that I don't trust or generally download from the internet from an untrusted source! : )

This is one of the reasons why you should always disable the "Hide extentions for known file types" in Folder Options.

You can create a hidden character rtl:rctrl+rshift and ltr:lctrl+lshift it’s commonly used with bilingual users who type rtl languages. This isnt override character tho, the normal rtl switch flips the orientation of the text box you’re typing into, usually causes issues when adding ltr numbers(or brackets)into an rtl text.

I tested this on a file on my pc and i think i may have found something that could help here: If youre not sure whether or not a file is legit or not, try renaming the file and go through the characters with the arrow keys. Not only will the cursor start at funky locations, but it will also jump through the name, as it works through the chars. Also, in my case the blue marker for selected text didnt select the extension, which in this case was right in the middle of the displayed text. Also, you can copy the filename and paste it into notepad, limit the charset to ansii and then see some broken mess if a unicode symbol was used. Although this only tells you THAT a unicode char was in there, not which one. But i think there are online sites that do that for you, usually for detecting email adresses that look legit but are using characters that look similar to normal characters, but arent.

Fun fact: the maddening invisible character in the view certificate window (until it was finally fixed a couple of years ago) that is bound to have caught out anyone who ever tried to copy a certificate thumbprint was a LTR character.

Thank you for explaining things as simple as possible. I always learn something new from your YT videos. Simple, short, and informative 👌

I knew that one (because I work in IT security, and we've specifically dealt with malware campaigns using that trick). Good to see you're bringing attention to it.

I have been building and using computers since my C-64 and this is absolutely astonishing. No matter how much you think you know, you can never know it all. Thaks very much Thio for this valuable information!

I do one more thing, I use list view/details view and categories/display file types, this helps to push suspicious files in categories like application or vb script etc thus preventing accidentally mistaking it for a harmless document or any other file.

Dude! Never heard of that one until now, and that seems like a serious security issue to me. Thanks for keeping us informed!

( 0:58 ) to my knowledge this character can be use to put your KZbin verification tick (Thing) in to middle of the username Pretty cool stuff

Wow, I didn't know about this. I don't know why Microsoft chose to make file extensions turned off by default. I agree that it should be turned on, but people who are not very computer savvy wouldn't know to turn it on. This setting has been like this for a very long time

Programmer: I finally fixed every bug in my frontend application U+202E: ‮Are you sure about that?

Even as an engineer, I wasn't knowing this. Thanks a lot for the knowledge you share

2:04 In Linux (Ubuntu Unity 22.04) the text cursor is where you type after the RTL character, in Windows 11 the cursor is on the right so you can't even reliably see where the next typed character will show up... Only after a space character does it jump to the right, but after a printed character it is where the next letter will show up. ‮ How ty type in reverse in Linux: Ctrl+Shift+u, let go then type 202e followed by Enter.‎‎ That's how easy it is. And to type the right way around again, just use the U+200E character.

This brings back memories of using ASCII control codes on character-based ANSI terminals like the Digital Equipment Corp. (DEC) VT-100, VT-220 and later models. You could embed backspace or cursor movement characters within text so regular characters would be sent, but then the cursor could be repositioned, and new characters would overwrite the old so you wouldn't see them. Or special escape codes to control terminal functions, like putting the terminal into its self-test loop that required power cycling to get out of it. 🙂

I actually knew about this before. This unicode is very weird, and a lot of people can get tricked, and run some malware. I always thought that you can only "inject" code into files to make them a trojan, but this method is a lot faster and easier. (I'm also shocked that almost noone knew about this because, i don't work professionally and i knew about it, but a lot of people that work professionaly didn't)

I didn’t even know that there is a character that can reverse text like that on a file name. I’ll definitely be more careful when viewing files on my computer. Thanks for the info!

It's good to see your channel still doing well, I haven't seen anything since the days of charging phones in the microwave and reading hate comments, I didn't even think your channel existed anymore, but I'm glad it does

Yes, I have already heard of this a few years ago, but back then I didn't thought about how that could also be applied to filetypes other than .exe, and this Video probably helped me to be even more careful with suspicious looking files in the future.

Honestly, Windows should add something similar to the Linux/Unix executable file permission thing, so like by default files you download from the internet can't be executed unless you edit their permissions, this would prevent this and all the other filename tricks. Or, they could add a thing to the file explorer that prompts you if you want to execute the file when double clicking on it if it is an executable, similar to what KDE's file manager does

Wow. This brings up some memories. Using this trick, I made three batch files. Any of the three would open, execute its program, which was to open the other two upon close. Obviously, when you closed it, it would open the two other files, close one of them, another two. A fun little Hydra, makes you restart your computer, pretty harmless. At this point though, we had been tricking each other (I was in a class of folks learning all sorts of network related things) with .bat files for a bit, and I had discovered this to hide my files in plain sight. It was perfect for my little Hydra. Thanks for bringing up some memories, and making me feel old, this was back in '04. (I'm 36).

As an amateur programmer that an "exe" file, in particular, can have any icon the programmer wants. Indeed, one or more icons are supposed to be specified when linking the file. Okay, I have checked my file viewer and it does hide extensions. It also has a table format with a column that lists the type of file.

This is why we should sanitize our filenames. I don't know if rename can handle invisible Unicode characters, but if not then this might be a place where someone could fill a gap with a nifty utility.

You got me; I'd NEVER heard about this. Amazing!! I'm sharing this far and wide as a warning. Thank you!

This is why files shouldn't be automatically executable based on file extension. On Linux you first need to explicitly mark a file as executable

Clever trick. You did a great job explaining this. Glad I use the Details view.

I've used this character so much that when you revealed file extensions i knew exactly what it was, never thought of using it this way though unless you directly share it from a usb stick or something, most CDNs will just change the name formatting or just completely deny uploading (i believe Discord denies the upload)

I think the "File type" column should help a lot in this case. You will see something wrong right away if the extension doesn't match the filetype.

Idk Windows still have that disabled by default lol, by experience they already shoulve lmao. The weird RTLO character should'nt be shown and the file extension should ALWAYS be placed at the end of the file, disregarding any text thingy which pushes it forward

An easy way Microsoft could help solve this problem is by showing a warning the first time any executable file is opened, like macOS does.

When it could even fool the Guru himself, you know it's real shiz

Filename still ends by the « .exe » or whatever extension to prevent opening those files you can: • Make a Mailflow policy / or server rule to block those messages (eg. Message whose attachment ends with…); • Or prevent their attachment to open via some kind of Microsoft Defender ASR rule (Attack Surface Reduction); Virus builders often also add enough spaces right after the right-to-left mark (RLM) in order for the extension not to be viewable even if file extension are set to be displayed… Try something like « hello.jpg[RLM][20 spaces].exe »…

I saw a german video about this exact thing by SemperVideo like 10 years ago. How could microsoft not have fixes this in that long time? Seems like a pretty serious issue to me.

@realtechfly made a video on this quite a while ago! Edit: it was called Right to Left override - Stealth Attack and uploaded 6 years ago!

I'm going to guess the culprit is that the administrators failed to disable the GPO which hides known file extensions. It's a very dangerous setting and should be disabled by default in my opinion. EDIT: Wow, I was completely wrong. I would never have guessed that in a million years. And I hate to admit it, but I would have opened that word document without hesitation. From now on, I'll certainly be more cautious. I wonder if there's some way I can implement a GPO setting from the domain controller to prohibit these characters being used as file names. Or perhaps I can create some software that would scan for files containing this character in their name, make a record of the original file name, and move the file to a different directory. A placeholder file could the be put in its place. When you run the placeholder file, the software runs and warns you about the file, and still gives you the option to restore it. Though it's only a passive process... If the file was opened before the scanner had a chance to find it, it would have no effect.

Everybody is gangster until ThioJoe logs in

On Windows, if you use the "tiles" view in file explorer, it will tell you what type of file it really is off to the right

I love how you show what you searched to get the stock footage, that's really interesting to me!

A simple way to avoid this when opening an unknown file to always right click and choose "open with" and the relevant program. So if it is a fake DOCX file and you choose "Open with Microsoft Word" , it would try to open the EXE file in Word, which might fail, but it doesn't matter, it just won't launch the file.

I just tried it out by myself and Windows Defender was thinking it was a trojan and blocked it...

Another good strategy to avoid this is to open downloaded documents in the right program directly (eg open up Word and find the file from its file picker). That way it doesn't show any incompatible files. Obviously beware of things like macros regardless.

I think that this may have been the most important video I have watched for a while. Thanks for the heads up.

File names can include right to left script from other languages, but I don't know if that needs the rtl character. The biggest issue is that operating systems like to hide extension information and love to make it easy for software to auto-run. Every time I get a new computer I need to spend time fixing those issues to improve safety.

I was actually familiar with this trick as I've used it a few times for some fun and pranks. Great way to code a jump scare and hide it as an image.

This is NUTS! Windows should be updated to always show the extension last! I assume that Windows uses simple concatenation to display the filename but it should always resolve the filename first and then add the file extension. Like brackets in math. (I assume that for right to left user, they display the extension first but the same point applies.)

I work in IT support, with around 30y experience. I didn't know this. Even if I had known, I doubt our users would have known. Some users have 'File extensions on', but not all. I will check if we can switch it on for all through a Group Policy. We are lucky that a) a Group Policy forbids running files from USB sticks (even for us admins!) and b) our users are never local admin, so running programs that require admin rights ios impossible. But still: this is scary...

This is really interesting to see because I remember that I saw videos in 2015 of malware exploiting this. I thought that Microsoft would have worked on the issue since then but seems to not be the case! It would be interesting to see if you could bypass certain file checks using this method

I remember people in the 00s using these characters to blow up web forums. Back then, including one in a forum post would often make all following posts display backwards. Nowadays posts are wrapped in more tags and browsers seem to have started ending any weird Unicode stuff at the end of a div or whatever. I don't know why I never thought to see what would happen if one was in a filename.

There was also a time back in the days when a lot of people here (without technical background) used special Unicode characters on Facebook to cause all kinds of strange effects. I think I have also seen something similar on Twitter once. Not sure if this is still a thing.^^

Every KZbin channel with the letters “exe” in the name: “ah crap here we go again”

Very dangerous. Microsoft should patch this straight away. But that will never happen. Cheers for sharing!

"i guarantee you will be wrong" But I wasn't I knew what was going on instantly

Thank you Thio Joe! I'm a programmer since 1975 and this is a new thing for me. If Microsoft doesn't fix Windows to prevent Unicode characters in filenames then this bug is on them. I'm sure the Linux geeks are working on it now (prolly thanks to you!). And props to the hackers for being so inventive, damn their eyes.

Ironically, people probably won't fall for this if they don't have file extensions enabled.

I remember learning this when I was learning ethical hacking. And mark my words most of the KZbinres who got hacked was due to this.

Set the Downloads folder (or whatever folder you normally download files to) to show details instead of icons and enable the Type column if it isn't already. You will now see a description of the file type on the right.

OS should show all executable types with additional sign on icon just like with the shortcut. That way, no matter the icon or name, it would be obvious from the start.

the UTTP uses this character to write bad stuff to bypass the youtube filters, and so youtube should ban this character

Could this same trick be used on URLs in the browser? If it is possible to swap characters in the domain name, you can be redirected to a malignant site even after checking the URL for easy to miss variations such as "m" being replaced by "rn".

Those unicode characters are pretty well known in the IT security industry, but a great reminder, I'll try and find a way to get these on our systems.

There is also a now patched exploit in Microsoft Office where a document can launch any executable and I thought this video was going to be about that.

Really terrifying... I checked what happens if you upload such a file to a ftp server and cloud services like google drive etc. and it turns out that the filename gets changed back in a way that .exe (in this example) is at the end of the filename again after the download. Tested w. Win 10 Firefox/Chrome. Filename before upload: "info-texe.txt" after download: "info-t_txt.exe". I tried it also via Email. Same result. As soon as you download the file to your pc its renamed again. At least some protection.

Usually when you hit F2 to rename a file, it doesn't include the extension. Could this be a quick and easy way to check a new file before opening it?

Loved ‘extremely realistic depiction of an IT department’-🤘🏻🤘🏻🤘🏻🤣🤣🤣 Great info, thanks as always!

Very interesting, I knew about the unicode character, but didn't think it would be allowed in filenames. Wtf? Windows prevents you from having : or / in the filename, but allows non-printable characters?

i learnt about cyber security from you more than my IT department ever did. and that is coming from the company with big emphasise on cyber security, with weekly elearning/module/compulsory assessment on cyber security

That is really really smart. I can see myself falling for this too.

I can see how this would've fooled me too, so useful thank you! You truly brought your channel the other way around since free wifi upgrades haha

I tested it on MacOS and it only reverses the characters in front of the file extension. The file extension (as well as the point) is always shown last and in left to right order. So no problem for MacOS 👍😊

Probably the easiest way to be save is to set the security level of the windows defender to maximum. This will require your manual confirmation for every action is taken on admin level. This prevents attacks from exe files because they need admin rights to change security critical files.

I wasn't aware of this trick, but at the same time I don't think I would have fallen for it, because I always make sure "Show File Extensions" is enabled (no idea why MS disables that by default), and seeing "Test.exe.docx" would still set off alarm bells in my head, even if the "exe" wasn't at the very end.

Right now at 0:39, my guess is a unicode character saying that when inserted, everything that comes after that will be reversed (maybe Right-to-Left override or smth)

why windows even displays filenames like that is beyond me

I knew about the unicode character but I didn't know it can be used for something like file extensions, that is just wicked. This was taught to us, as well as some other unicode characters, as a side note by our professor in university and he just said that it was something cool but doesn't really have any real-life use.

Yes, this is somewhat dangerous, but the file would mostly come to you as an email attachment. Your antivirus would warn you in the same way that it does for any other EXE.

I already knew that. RIGHT TO LEFT OVERRIDE!

as soon as he said "i guarantee you're wrong" at the start, i was like "that's gotta be the unicode reverse thing, right?" and as soon as he said it was using an invisible character i was like " C A L L E D I T "

Gotta love Linux, can't even run downloaded files unless you permit them, in most GUI file managers that means opening the file properties to edit the permissions which means seeing what the system recognizes what the file is.

I could've guessed there were RTL shenanigans the moment you showed extensions and .exe appeared in the middle of the filename. But I'm somewhat used to unicode shenanigans because I spend time thinking about how to render the text "as intended". That's nasty and gonna bite a lot of people! Might've bitten me if I hadn't just dealt with RTL stuff just a few weeks ago! 😬

Really interesting to learn, thanks ThioJoe!