Big bruh moment >>> I'll also emphasize the point I make at 3:49 in case people comment before watching that long - There doesn't have to be 2 periods in the filename, so "Test.exe.docx" could very well just be "Testexe.docx" - I put the other period there to make it easier to show the real file extension. So it might not be very obvious at all that this trick is used, depending on the real file extension and how they name it. For example, "arcs.docx" could really be a .scr file and the filename might not be suspicious, especially depending on the context, like naming it "character_arcs.docx" or something. There are tons of potentially malicious / exploitable filetypes out there that could be used.
@ItzWolfy247 Жыл бұрын
Bruh.exe
@oceanhavenblue Жыл бұрын
Bruhgpj.exe
@talkalexis Жыл бұрын
Why?
@gallium-gonzollium Жыл бұрын
not a bruh.not a exe
@axer552 Жыл бұрын
Bruh
@stage6fan475 Жыл бұрын
I worked professionally on computers since Win 3.1, read everything religiously and never heard of anything close to this. Stunning.
@kinsley7777 Жыл бұрын
if you wanted some real fun , you should’ve tried the latest and greatest version of DOS and Dbase v. anything to create some major havoc … lol
@CXLVII Жыл бұрын
Try reading it secularly then
@johanponken Жыл бұрын
@@CXLVII Like the lived reads the elbib.
@BestSuper Жыл бұрын
couldn't use question marks in filenames in older windows based shit-in-street pajeetsoft fucking everything up
@urooj09 Жыл бұрын
@@CXLVII apt reply
@DoctorNemmo Жыл бұрын
I still don't understand why Microsoft had ever chosen to hide file extensions as a default. It's the first thing I fix when I install Windows. In this case it's not the same cause, but having file extensions enabled helps.
@ZipplyZane Жыл бұрын
To prevent novices from unintentionally changing the filetype and thus making the file seem corrupted.
@andreewert6576 Жыл бұрын
@@ZipplyZane while that's true, since at least 7 maybe even vista, when you rename a file it only selects/highlights the name, not the extension. So unless you go out of your way to delete the extension, it won't be touched. Plus (again, idk when this started) windows *warns* you everytime you change an extension. It should really be on by default again. In general, we desperately need an "i am an adult" button in Windows' settings.
@traveller23e Жыл бұрын
@@andreewert6576 In a sense we already have an "I am an adult" setting. It's accessed through the Edge browser, just type in the bar "best linux distros 2023". Seriously though, MS has been actively hiding basic computer knowledge to make things seem "simpler" or "cleaner", but I suspect if they did more to just teach users what a file extension was (maybe through a help icon that did something other than inserting some vaguely relevant words into Bing) by now the general populous would be much more tech savvy on average.
@thewhitefalcon8539 Жыл бұрын
Because it's noise?
@LilacMonarch Жыл бұрын
What they should really do is change "show file extensions" to "allow editing file extensions"
@Lupinicus1664 Жыл бұрын
As a security professional and having been in IT over 40 years I am also surprised that I hadn't come across this before too. Very informative, thank you.
@BostYT Жыл бұрын
@@ts757arse Sounds fun. I would do that
@robertjenkins6132 Жыл бұрын
Unicode support - and in particular support for these text-direction-reversing characters in Unicode - hasn't been around for 40 years. It's not a thing in DOS and probably also not thing in the earlier versions of Windows (though I haven't actually checked, nor researched the exact dates when MS implemented Unicode support). My guess is that this MS Windows vulnerability started in the 2000s or maybe even 2010s (but I'm too lazy to research it.).
@JAN0L Жыл бұрын
I've seen this character used online before but I never thought Windows would allow it in filenames.
@HarryWho102 Жыл бұрын
Maks you think what we don't know.
@mrdan2898 Жыл бұрын
I fully agree with you.
@Norman_Fleming Жыл бұрын
AV software COULD scan for these "control" type characters within file names. Seems like an obvious thing to scan for.
@nyshone Жыл бұрын
They do actually, as long as the file has mark of the web (Zone Identifier).
@davidbangsdemocracy5455 Жыл бұрын
There are legitimate foreign language scenarios, which is why this feature exists
@lance_374 Жыл бұрын
@@davidbangsdemocracy5455 They should just make it so if your language is not set to one that uses these these characters, that it would just show the text normally without reversing it.
@GYTCommnts Жыл бұрын
@@davidbangsdemocracy5455 Extensions in filenames should have been always out of this consideration. This should be an operating system thing and not a language direction reading thing (only in the case of extensions I mean). Or even if the filename reads backwards (for the ones we don't use right to left languages), even then extensions should be "the last after the last dot". No matter what. IMHO.
@DogsRNice Жыл бұрын
@@davidbangsdemocracy5455 why would a filename need one though? And I'm pretty sure most text renders do what the control character does anyway so it's pretty redundant now
@KangJangkrik Жыл бұрын
Fun fact: At the old days of youtube, you can put RTLO in your username. So when somebody attempting to mention you, they probably confused and accuse you of being a witch
@degreeskelvin3025 Жыл бұрын
Hilarious 😂
@lassipulkkinen273 Жыл бұрын
Fun fact: youtube's mobile app is _still_ confused by RTL text in usernames. K Klein just made a video about this.
@buggsy5 Жыл бұрын
@@lassipulkkinen273 Does Google Chat also suffer from this RTL problem?
@November10 ай бұрын
youtube history :3
@AisthebestletterAAA10 ай бұрын
I have a RTLO In my username
@DaProfessional Жыл бұрын
1:20 There's a faster way if you already know the character's Unicode number. Type in 202E into notepad (or anywhere else) and press Alt + X. This will convert it to the unicode character. If you hit Alt + X again it will revert it back. Although the "reverting to number" part doesn't work for letters from A to F because they can already be considered to be hexdecimal numbers.
@ThioJoe Жыл бұрын
Very cool tip, I had no idea that was possible
@Elementening Жыл бұрын
doesnt work for me.
@notthatntg Жыл бұрын
@@Elementening probably a Windows 11-only feature
@DaProfessional Жыл бұрын
@@notthatntg As far as I know this feature has been around for a long time, maybe since Win XP. But I also know that Notepad can be a bit buggy when it comes to "Alt magic". Try it in Word, hopefully it will work there.
@detocquevi11e Жыл бұрын
@@notthatntg good call - works on my Win11, but not Win10 computer.
@theaninova Жыл бұрын
Here's the crazy part: you can nest the overrides. You can move the extension to the beginning and mask it as a file that has a . to appear at the top... [RTL]txt.sevituc[LTR].exe will appear as .executives.txt
@Volatile_Viking11 ай бұрын
you're a sorcerer.
@raviedavieu10 ай бұрын
damnnn
@basicallyph0r4 ай бұрын
Nah thats wild. The average user doesn't even stand a chance.
@andrewqi66953 ай бұрын
we're all screwed
@Sidharth_V_Jain2 ай бұрын
I guess the only way to be completely safe is to go into properties and check the file extension every time.
@Amonimus Жыл бұрын
I think the simplest trick is to just rightclick and check properties, as it tells it's an executable. Or hovering over it.
@justsomeguywithoutamustang6436 Жыл бұрын
hmm.. well if it's a zero day exploit, just merely right-clicking on it would still have you doomed.
@Nickwilde7755 Жыл бұрын
Or use the details view and see it label it as an executable
@theguyfromsaturn Жыл бұрын
A better trick would be for the OS NOT to use the extension to identify executables. Seriously, it's not the 1980s anymore.
@erwinmatys Жыл бұрын
@@justsomeguywithoutamustang6436 if you are targeted with 0-days you have bigger problems to worry about
@rany0 Жыл бұрын
@@theguyfromsaturn That doesn't fix anything. It is still going to execute. Anyway opening a file to read the magic number and then figure out the file type is crazy inefficient so that's why file exts are the norm; just imagine this happening on a folder with many files...
@Exachad Жыл бұрын
Just make sure your download folder's view style is set to Details mode. That way, you can see what type of file it is from the Type section. People should do this by default for a couple of reasons, anyway. First, some file names are too long to see the extension by default, so this is actually even easier. Second, the download folders is usually way too disorganised to to have large chunky icons like a Desktop. Third, the "Details" view has way more useful information like the Date Modified time stamp and size for easy location of files and deleting large files. I'm pretty sure Windows already sets the Downloads folder this way by default, anyway.
@bwcbiz Жыл бұрын
A useful suggestion, but details view shouldn't be "just" your only checkpoint before opening a file.
@wizrom3046 Жыл бұрын
And have files ORDERED by type (extension). All the .exe files will be grouped together.
@legionofanon Жыл бұрын
Fair point about the downloads folder, however I never use it. I always use save as and either save to desktop or save it directly to where it will live the rest of the time I own the computer. I only dislike using the downloads folder cause it turns into an out of sight out of mind sorting system, and I cant deal with that
@AlDunbar Жыл бұрын
@@legionofanonI often redirect downloaded files as you suggest. But sometimes a duplicate copy exists also in the downloaded folder...
@Terraphice Жыл бұрын
I will say, Windows Defender/Security does detect this if you try and spoof another extension. That can be gotten around with spaces in the file name, Cyrillic characters/other look-alike characters, etc; but... it does at least try to stop this from harming you most of the time.
@SamsterBirdies Жыл бұрын
yea i just tried making one to test and couldnt run the file i just created.
@Terraphice Жыл бұрын
@@SamsterBirdies You can get around it by naming the file using Cyrillic or other lookalike characters for the fake extension, just to re-affirm that.
@cjcoleman8525 Жыл бұрын
@@Terraphice how do you get around it
@Terraphice Жыл бұрын
@@cjcoleman8525 Look up lookalike Unicode alphabet characters and replace one of the letters in an extension with a lookalike.
@xdesertx Жыл бұрын
@@SamsterBirdies I also couldnt run the program. I think windows prevents to run all .exe files where this right to left unicode is used
@LonelyAncient Жыл бұрын
another simple way to spot it is to use detail view. it shows the extension correctly there.
@I.____.....__...__ Жыл бұрын
What version of Windows are you talking about? Maybe Windows 11 File Explorer has broken Unicode filenames. 🤔 (Also, it doesn't show it if extensions are hidden.)
@honeypeadigital Жыл бұрын
@@I.____.....__...__ it works for Win 11 as well. What he means is instead of “small icons/ large icons” etc under the view setting, change it to “Detail”. The default columns are “Name, Date Modified, Type” etc. “Type” would show what the file is. So it would show “Windows Batch File” for example, irrespective of file extension being hidden.
@ADeeSHUPA Жыл бұрын
@@honeypeadigital あっぷ
@Bayonet1809 Жыл бұрын
I already use detail view because I like to be able to quickly sort files by date/type/size, so knowing that the file extension may be lying, but the "Type" field is not will make me rely on that column even more.
@AltonV Жыл бұрын
@@Bayonet1809 the only time where I would use another view other than detail is when browsing folders with pictures
@DeepThinker193 Жыл бұрын
10/10 The IT department footage is the most accurate depiction of what we do that I've ever seen in my entire life.
@teemumiettinen7250 Жыл бұрын
Exatcly, I was like "Has this guy been spying on me at work?"
@HazexDimond Жыл бұрын
insane this is allowed to happen man keeping folder view on detail & showing "file type" off to the right as a column might help, i usually glance at that to be sure of what im clicking on
@nullptr. Жыл бұрын
Yeah my file explorer defaults to details view, but you might have a usb drive full with pictures and documents, in which case the large icons view is more convenient for image previews, so the trick could work. Realistically anyone who might be affected by this should have all Windows Defender features on, so SmartScreen will alert them about executing an unknown file, even if not detected as a virus you'd immediately know it's an executable.
@I.____.....__...__ Жыл бұрын
What's insane about it? These are the sorts of problems that come up when trying to accommodate things like other languages, which of course, can't be just ignored. What's insane is that it took as long as it did for the Unicode Consortium to be established (1991) to standardize this sort of stuff, causing all the other countries in the world to have to hack bespoke and incompatible systems back in the day. That's why things are a hodgepodge mess now.
@HazexDimond Жыл бұрын
youd imagine that its possible for windows to just print "&rlm" by default if youre using a system locale that doesn't use these types of characters or formats hasnt been a problem in web browsers for a while right?
@pchris6662 Жыл бұрын
I’ve been working with pcs since the stone ages of DOS and I suspected something like this was behind some of the weird attachments I’ve seen, but didn’t get it until your vid. Thx. I’ve been raging at Microsoft for years for hiding file extensions and not just forcing users to understand what they are and how they work. It’s a simple concept and there’s no reason any pc user couldn’t learn it, but when you try to make things idiot proof, all you do is turn your users into idiots because they never learn the basics. Today I see so many users that don’t know the difference between a shortcut, and a folder, and a zip archive because they have all been confusingly glossed over and never taught to users. Good vid! I recommend!
@mick-berry5331 Жыл бұрын
Couldn't have said it better! That's why I hated Windows when it first came out. Because it hid everything going on behind a colorful GUI. I think it still lacks a 'programming mode' to this day.
@Bayonet1809 Жыл бұрын
Mac OS is no better in this regard. Finder is so information sparse by default.
@DatBoi_TheGudBIAS Жыл бұрын
Idk the difference betwen them 💀 All I know is Dat zip is compacted and shortcuts are, well, shortcuts
@November10 ай бұрын
"when you try to make things idiot proof, all you do is turn your users into idiots" is a quote to be remembered
@pchris666210 ай бұрын
@@November The way I heard it. If you make something idiot proof, they will just invent a better idiot next year.
@-DeeKay- Жыл бұрын
Wow, that's rad. I work in the IT industry and actually have a good knowledge. But this was completely new to me that there are Unicode characters with this effect. Thanks for the education! So many won't know that, let alone non-IT people out there.
@sherif191 Жыл бұрын
You can create a hidden character rtl:rctrl+rshift and ltr:lctrl+lshift it’s commonly used with bilingual users who type rtl languages. This isnt override character tho, the normal rtl switch flips the orientation of the text box you’re typing into, usually causes issues when adding ltr numbers(or brackets)into an rtl text.
@BakrAli10 Жыл бұрын
bookmark comment later
@Dimensions899 Жыл бұрын
what is the rtl i know rctrl is right ctrl but i havw no ide what the rtl key is my oly guess could be tab lock but i dont think that key would ever have a major purpose so no sense in makeing it
@davidpayne9172 Жыл бұрын
Yeah this is a very old trick. Most people are not aware is this. I have used this trick for saving certain things and then renaming it when I needed it. Yes virus can hide in there but a there are ways that you can find them too. Or even prevent this from happening. Great video.
@aliramezani103 Жыл бұрын
as an IT Admin, I always use the windows sandbox to open files that I don't trust or generally download from the internet from an untrusted source! : )
@thacium Жыл бұрын
Windows should really really implement a special icon that indicate a file is a executable. Like how shortcut have a arrow pointing at it on the bottom right.
@sexygeek8996 Жыл бұрын
The "EXE" extension should be sufficient if they stop allowing "hide extensions" and disable things like the override described in this video.
@thacium Жыл бұрын
@@sexygeek8996 I'm taking about people who aren't computer literate enough to recognize it. Most of my friends don't know how to enable extensions and those that do would click on the exe anyway because they saw a Word icon.
@sexygeek8996 Жыл бұрын
@@thacium Hide extensions should be disabled by default and there shouldn't even be an option to enable it. Those oddball features to manipulate the display of filenames should be disabled by default unless the computer is configured for a language that requires the feature. If the extension is EXE then there shouldn't be any way to display a different icon.
@Korbus_Corax Жыл бұрын
@@sexygeek8996 That is just not inclusive enough.
@sexygeek8996 Жыл бұрын
@@Korbus_Corax Why is that? I said the feature should only be enabled if the system is configured for a language that needs it. There are way too many features nowadays and they cause a lot of security problems.
@gFamWeb Жыл бұрын
I knew of that Unicode character but I didn't realize it could be used in this manner! Feels like an oversight for Windows Explorer to support that behavior in these cases, but I know it's difficult to determine if it's being used legitimately or not. To note: legitimate use cases would be files that includes both Latin characters (A-Z) and characters from a language that is written right to left. Whether there'd ever be an executable like that, I'm not sure.
@guiorgy Жыл бұрын
Still, the file extension should be special, ignore that character and stay at the end NO MATTER WHAT
@gFamWeb Жыл бұрын
@@guiorgy I would definitely agree with that. Unfortunately, Windows is based on very old technology and a filesystem that doesn't consider extensions "special" and just considers them part of the filename (I'm assuming, based on how it handles this). A fix might be to take whatever code Windows uses to determine what to hide via "hide file extensions" and just always display that set of characters at the end. Not sure if that would break other things though.
@jort93z Жыл бұрын
@@gFamWeb yup, you are correct. In ntfs, file extensions are just considered part of the file name, and file type is derived from the filename. Most modern file systems work differently.
@@gFamWeb Well, if there is a way to update this without breaking compatibility, extensions should be an operating system thing. So should be the last after the last dot, as said: NO MATTER WHAT!!!!!!!!! 😅
@krisr3868 Жыл бұрын
I knew that one (because I work in IT security, and we've specifically dealt with malware campaigns using that trick). Good to see you're bringing attention to it.
@TheTimebreaker Жыл бұрын
I tested this on a file on my pc and i think i may have found something that could help here: If youre not sure whether or not a file is legit or not, try renaming the file and go through the characters with the arrow keys. Not only will the cursor start at funky locations, but it will also jump through the name, as it works through the chars. Also, in my case the blue marker for selected text didnt select the extension, which in this case was right in the middle of the displayed text. Also, you can copy the filename and paste it into notepad, limit the charset to ansii and then see some broken mess if a unicode symbol was used. Although this only tells you THAT a unicode char was in there, not which one. But i think there are online sites that do that for you, usually for detecting email adresses that look legit but are using characters that look similar to normal characters, but arent.
@Formalec Жыл бұрын
Not a very good fix. Still wastes time having to use rename and slowly step through the name and prone to being forgotten.
@2ahmad_11 ай бұрын
Well I'm a trilingual person (I speak Arabic, English, Turkish) Arabic script and Old Turkish script is RTL while the New Turkish script and English is obviously LTL Blocking RTL would limit my uses of the laptop as I use all the languages on my laptop. We need a way for Microsoft to to warn users I think a good way is showing a prompt to the user the first time he opens an executable even if it does not have admin rights
@THE-X-Force Жыл бұрын
I have been building and using computers since my C-64 and this is absolutely astonishing. No matter how much you think you know, you can never know it all. Thaks very much Thio for this valuable information!
@BandenIndarys Жыл бұрын
This is one of the reasons why you should always disable the "Hide extentions for known file types" in Folder Options.
@clickrick Жыл бұрын
An option which is phrased in the negative, itself a very poor design choice.
@BandenIndarys Жыл бұрын
@@clickrick This obsolete feature goes back all the way to Windows 95. It's hard to imagine that it has remained in Windows for over 2 decades.
@networkedperson Жыл бұрын
You could also just use a real operating system instead of using Windows.
@chrisdawson1776 Жыл бұрын
@@networkedpersonYou could also get some maidens and stop being a geek
@networkedperson Жыл бұрын
@@chrisdawson1776 lol, hating on new technology with your 1776 moniker and your Ben Garrison picture. Let me guess, you also hate desegregation and anti-monopoly anti-wealth-hoarding laws...
@kush5723653 Жыл бұрын
I do one more thing, I use list view/details view and categories/display file types, this helps to push suspicious files in categories like application or vb script etc thus preventing accidentally mistaking it for a harmless document or any other file.
@ae_us_1334 Жыл бұрын
Thank you for explaining things as simple as possible. I always learn something new from your YT videos. Simple, short, and informative 👌
@ae_us_1334 Жыл бұрын
And it's actually one of a few channels I have notifications turned on.
@bobblum5973 Жыл бұрын
This brings back memories of using ASCII control codes on character-based ANSI terminals like the Digital Equipment Corp. (DEC) VT-100, VT-220 and later models. You could embed backspace or cursor movement characters within text so regular characters would be sent, but then the cursor could be repositioned, and new characters would overwrite the old so you wouldn't see them. Or special escape codes to control terminal functions, like putting the terminal into its self-test loop that required power cycling to get out of it. 🙂
@georgehelyar Жыл бұрын
Fun fact: the maddening invisible character in the view certificate window (until it was finally fixed a couple of years ago) that is bound to have caught out anyone who ever tried to copy a certificate thumbprint was a LTR character.
@fss1704 Жыл бұрын
explain
@georgehelyar Жыл бұрын
@@fss1704 if you ever needed to copy some details of a cryptographic certificate, you could view the certificate from Windows, then look at properties like its thumbprint, but the text box that showed those details had a unicode left to right character at the start of it, so when you try to e.g. copy that thumbprint to a configuration file, you would accidentally copy the LTR character and whatever software you were configuring would not accept it, but because it's a zero width character it's hard to track down the problem, because it's invisible.
@Y2B123 Жыл бұрын
What? That’s insane, lol. My trust in Windows’ ability to manage my certificates has decreased.
@davinp Жыл бұрын
Wow, I didn't know about this. I don't know why Microsoft chose to make file extensions turned off by default. I agree that it should be turned on, but people who are not very computer savvy wouldn't know to turn it on. This setting has been like this for a very long time
@clickrick Жыл бұрын
Indeed, probably the single worst decision in terms of making users more vulnerable to attack.
@MeongMeongMeow Жыл бұрын
I think file extensions should have a neutralizing unicode character when displayed in Windows Explorer / force to be put at the back / front depending on Windows localization settings. Not sure why it wasn't implemented.
@wyterabitt2149 Жыл бұрын
It's because normal users don't know about them at all and ignore it. It both wouldn't help those users anyway, and also lead to them renaming files and screwing up the file extension when they do it.
@ThatsNotMyRealName-jx7bs Жыл бұрын
Dude! Never heard of that one until now, and that seems like a serious security issue to me. Thanks for keeping us informed!
@dancoulson6579 Жыл бұрын
I'm going to guess the culprit is that the administrators failed to disable the GPO which hides known file extensions. It's a very dangerous setting and should be disabled by default in my opinion. EDIT: Wow, I was completely wrong. I would never have guessed that in a million years. And I hate to admit it, but I would have opened that word document without hesitation. From now on, I'll certainly be more cautious. I wonder if there's some way I can implement a GPO setting from the domain controller to prohibit these characters being used as file names. Or perhaps I can create some software that would scan for files containing this character in their name, make a record of the original file name, and move the file to a different directory. A placeholder file could the be put in its place. When you run the placeholder file, the software runs and warns you about the file, and still gives you the option to restore it. Though it's only a passive process... If the file was opened before the scanner had a chance to find it, it would have no effect.
@JakHart Жыл бұрын
Wow. This brings up some memories. Using this trick, I made three batch files. Any of the three would open, execute its program, which was to open the other two upon close. Obviously, when you closed it, it would open the two other files, close one of them, another two. A fun little Hydra, makes you restart your computer, pretty harmless. At this point though, we had been tricking each other (I was in a class of folks learning all sorts of network related things) with .bat files for a bit, and I had discovered this to hide my files in plain sight. It was perfect for my little Hydra. Thanks for bringing up some memories, and making me feel old, this was back in '04. (I'm 36).
@Halolalol Жыл бұрын
Yes, I have already heard of this a few years ago, but back then I didn't thought about how that could also be applied to filetypes other than .exe, and this Video probably helped me to be even more careful with suspicious looking files in the future.
@miguelguthridge Жыл бұрын
Another good strategy to avoid this is to open downloaded documents in the right program directly (eg open up Word and find the file from its file picker). That way it doesn't show any incompatible files. Obviously beware of things like macros regardless.
@NightW3VL Жыл бұрын
I didn’t even know that there is a character that can reverse text like that on a file name. I’ll definitely be more careful when viewing files on my computer. Thanks for the info!
@anon_y_mousse Жыл бұрын
This is why we should sanitize our filenames. I don't know if rename can handle invisible Unicode characters, but if not then this might be a place where someone could fill a gap with a nifty utility.
@trueriver1950 Жыл бұрын
What a great app to use as a Trojan to achieve two things: allow your own hacks through but deny any others, to gain an advantage over other state actors....
@solamente Жыл бұрын
Clever trick. You did a great job explaining this. Glad I use the Details view.
@bernie2237 Жыл бұрын
Even as an engineer, I wasn't knowing this. Thanks a lot for the knowledge you share
@atquoc2721 Жыл бұрын
I think the "File type" column should help a lot in this case. You will see something wrong right away if the extension doesn't match the filetype.
@smiles-channel Жыл бұрын
Honestly, Windows should add something similar to the Linux/Unix executable file permission thing, so like by default files you download from the internet can't be executed unless you edit their permissions, this would prevent this and all the other filename tricks. Or, they could add a thing to the file explorer that prompts you if you want to execute the file when double clicking on it if it is an executable, similar to what KDE's file manager does
@lumer2b Жыл бұрын
It already does that for files downloaded from the Internet
@Bayonet1809 Жыл бұрын
The second option is better, as I would hate having to take the extra step of editing permissions for an executable.
@littlered6340 Жыл бұрын
@@lumer2b yeah the problem moreso there is that people tend to automatically click through those prompts. While the first suggestion prevents that, it's a hassle to users in the cases where it's unnecessary. It's difficult to balance the two.
@margen2452 Жыл бұрын
It already does
@GeneSavage Жыл бұрын
You got me; I'd NEVER heard about this. Amazing!! I'm sharing this far and wide as a warning. Thank you!
@jetseverschuren Жыл бұрын
This is why files shouldn't be automatically executable based on file extension. On Linux you first need to explicitly mark a file as executable
@wyterabitt2149 Жыл бұрын
It doesn't just run on Windows, it brings up the do you want to run the executable dialogue.
@jordanwardle11 Жыл бұрын
That's would break one thing that windows has over Linux, ease of use
@jetseverschuren Жыл бұрын
@@jordanwardle11 so, how often do you need to execute randomly downloaded executable files that aren't installers? On linux we don't execute installers, but instead feed them to the central system installer, where it can be centrally tracked (and also uninstalled). So the amount of cases where this would add two more clicks, is almost none. (I'd even argue that for installers Linux's approach is more user friendly). I think that's a fair price to pay for anyone to prevent a huge swath of dumb viruses
@trueriver1950 Жыл бұрын
@@jordanwardle11 true. But almost all the Microsoft created security holes in our computers were put there to make things easier to use. It's easier to not bother locking the door when you leave the house, and makes it easier when you come home as well. But anyone spot the drawback?
@langeludo Жыл бұрын
Filename still ends by the « .exe » or whatever extension to prevent opening those files you can: • Make a Mailflow policy / or server rule to block those messages (eg. Message whose attachment ends with…); • Or prevent their attachment to open via some kind of Microsoft Defender ASR rule (Attack Surface Reduction); Virus builders often also add enough spaces right after the right-to-left mark (RLM) in order for the extension not to be viewable even if file extension are set to be displayed… Try something like « hello.jpg[RLM][20 spaces].exe »…
@ItzWolfy247 Жыл бұрын
( 0:58 ) to my knowledge this character can be use to put your KZbin verification tick (Thing) in to middle of the username Pretty cool stuff
@ThioJoe Жыл бұрын
Very interesting
@ItzWolfy247 Жыл бұрын
@@ThioJoe you have a verification mark you cloud try it
@garrettjones7837 Жыл бұрын
It's good to see your channel still doing well, I haven't seen anything since the days of charging phones in the microwave and reading hate comments, I didn't even think your channel existed anymore, but I'm glad it does
@samuelthecamel Жыл бұрын
On Windows, if you use the "tiles" view in file explorer, it will tell you what type of file it really is off to the right
@PvblivsAelivs Жыл бұрын
As an amateur programmer that an "exe" file, in particular, can have any icon the programmer wants. Indeed, one or more icons are supposed to be specified when linking the file. Okay, I have checked my file viewer and it does hide extensions. It also has a table format with a column that lists the type of file.
@muffies Жыл бұрын
Idk Windows still have that disabled by default lol, by experience they already shoulve lmao. The weird RTLO character should'nt be shown and the file extension should ALWAYS be placed at the end of the file, disregarding any text thingy which pushes it forward
@dpf12110 Жыл бұрын
Programmer: I finally fixed every bug in my frontend application U+202E: Are you sure about that?
@brianwest2775 Жыл бұрын
This is NUTS! Windows should be updated to always show the extension last! I assume that Windows uses simple concatenation to display the filename but it should always resolve the filename first and then add the file extension. Like brackets in math. (I assume that for right to left user, they display the extension first but the same point applies.)
@GRBtutorials Жыл бұрын
An easy way Microsoft could help solve this problem is by showing a warning the first time any executable file is opened, like macOS does.
@robhulluk Жыл бұрын
A simple way to avoid this when opening an unknown file to always right click and choose "open with" and the relevant program. So if it is a fake DOCX file and you choose "Open with Microsoft Word" , it would try to open the EXE file in Word, which might fail, but it doesn't matter, it just won't launch the file.
@ZipplyZane Жыл бұрын
Or just open the file from the Open command in the program itself, not by running it on the Desktop.
@sexygeek8996 Жыл бұрын
The whole concept of "opening" a file by double-clicking it was a bad idea from the start. Some naive users might have liked it but it was never worth all the problems it caused.
@Formalec Жыл бұрын
@@ZipplyZaneYeah but that and all other workarounds that is not "explorer view" costs some time. Safety has a price. Not much but still. Some programs might have bad file selectors.
@Formalec Жыл бұрын
I think Tiles view is a workaround that doesn't sacrifices too much. Guess one needs to use that or simply toggle between views.
@Lampe2020 Жыл бұрын
2:04 In Linux (Ubuntu Unity 22.04) the text cursor is where you type after the RTL character, in Windows 11 the cursor is on the right so you can't even reliably see where the next typed character will show up... Only after a space character does it jump to the right, but after a printed character it is where the next letter will show up. How ty type in reverse in Linux: Ctrl+Shift+u, let go then type 202e followed by Enter. That's how easy it is. And to type the right way around again, just use the U+200E character.
@EnderKill98 Жыл бұрын
I saw a german video about this exact thing by SemperVideo like 10 years ago. How could microsoft not have fixes this in that long time? Seems like a pretty serious issue to me.
@ArdjanVideo Жыл бұрын
I work in IT support, with around 30y experience. I didn't know this. Even if I had known, I doubt our users would have known. Some users have 'File extensions on', but not all. I will check if we can switch it on for all through a Group Policy. We are lucky that a) a Group Policy forbids running files from USB sticks (even for us admins!) and b) our users are never local admin, so running programs that require admin rights ios impossible. But still: this is scary...
@Mikeuyz Жыл бұрын
Very dangerous. Microsoft should patch this straight away. But that will never happen. Cheers for sharing!
@austinpowell188310 ай бұрын
As of jan2024 it wont work for me so seems fixed
@joemck85 Жыл бұрын
I remember people in the 00s using these characters to blow up web forums. Back then, including one in a forum post would often make all following posts display backwards. Nowadays posts are wrapped in more tags and browsers seem to have started ending any weird Unicode stuff at the end of a div or whatever. I don't know why I never thought to see what would happen if one was in a filename.
@Enygmate Жыл бұрын
I've used this character so much that when you revealed file extensions i knew exactly what it was, never thought of using it this way though unless you directly share it from a usb stick or something, most CDNs will just change the name formatting or just completely deny uploading (i believe Discord denies the upload)
@kaiduwu Жыл бұрын
Discord renames it
@emmanuelmgbemena Жыл бұрын
If it is not zipped. If it is zipped which it is mostly zipped. Then it will be dangerous.
@kaiduwu Жыл бұрын
@@emmanuelmgbemena yes, I already know this. But if someone opens the folder with a program like winrar or 7zip (more common than you think), the zip is rendered completely useless, as rtlo is not rendered "properly" there
@zitronenlolli1 Жыл бұрын
I just tried it out by myself and Windows Defender was thinking it was a trojan and blocked it...
@mafriese5 Жыл бұрын
This is really interesting to see because I remember that I saw videos in 2015 of malware exploiting this. I thought that Microsoft would have worked on the issue since then but seems to not be the case! It would be interesting to see if you could bypass certain file checks using this method
@HuskyNET Жыл бұрын
I read about it on a German computer news site (heise online, article „Täuschende Dateinamen unter Vista“) in 2007 (!) a couple months after Windows Vista was released. Because Vista was the first Windows version vulnerable to this trick; XP doesn’t interpret the RTL characters.
@mafriese5 Жыл бұрын
@@HuskyNET I remember the video from Sempervideo - In the video they had the example "sexy-hexe.pdf" :D - seems like they took it down but you can find a mirror if you search for "Demo-RTLO-Angriff-auf-Windows-fuehrt-auch-aufmerksame-Nutzer-hinters-Licht" - the winfuture site actually has the removed youtube video :D
@kacperjakowski4268 Жыл бұрын
I actually knew about this before. This unicode is very weird, and a lot of people can get tricked, and run some malware. I always thought that you can only "inject" code into files to make them a trojan, but this method is a lot faster and easier. (I'm also shocked that almost noone knew about this because, i don't work professionally and i knew about it, but a lot of people that work professionaly didn't)
@IsfarTausif Жыл бұрын
When it could even fool the Guru himself, you know it's real shiz
@shinichixx11 ай бұрын
i learnt about cyber security from you more than my IT department ever did. and that is coming from the company with big emphasise on cyber security, with weekly elearning/module/compulsory assessment on cyber security
@nkronert Жыл бұрын
Could this same trick be used on URLs in the browser? If it is possible to swap characters in the domain name, you can be redirected to a malignant site even after checking the URL for easy to miss variations such as "m" being replaced by "rn".
@OhSoUnicornly Жыл бұрын
I love how you show what you searched to get the stock footage, that's really interesting to me!
@anothermartz Жыл бұрын
Usually when you hit F2 to rename a file, it doesn't include the extension. Could this be a quick and easy way to check a new file before opening it?
@enby-jamie Жыл бұрын
@realtechfly made a video on this quite a while ago! Edit: it was called Right to Left override - Stealth Attack and uploaded 6 years ago!
@tonymouannes Жыл бұрын
File names can include right to left script from other languages, but I don't know if that needs the rtl character. The biggest issue is that operating systems like to hide extension information and love to make it easy for software to auto-run. Every time I get a new computer I need to spend time fixing those issues to improve safety.
@erutuon Жыл бұрын
Right-to-left text doesn't need the right-to-left override character in a proper text rendering engine, but right-to-left text in the middle of left-to-right text might need the right-to-left embed character before it and the pop directional formatting character after it if there are directionally ambiguous characters (like ASCII numbers and punctuation) around the right-to-left text that need to display right-to-left. For instance if there is English text, Arabic text beginning with a quotation mark and followed by a period and quotation mark, and more English text, it is probably a quotation containing a period and you would want a RLE character after the opening quotation mark and a PDF character before the closing quotation mark. That makes the period behave like a right-to-left character and display to the left of the Arabic text rather than to the right. In HTML, it's best to omit the invisible characters and use CSS (unicode-bidi: embed; direction: rtl;) equivalent to the RLE and PDF characters.
@jdrissel Жыл бұрын
There are also alternate data streams. These are not usually directly executable, but they can be used to hide executables and scripts, and at least back on the days of Windows 2000, you could call the visual basic interpreter and pass it an alternative data stream and it would execute it. The only thing that keeps it from being weaponized is that so far no email client or web browser understands alternative data streams. I did try putting the love bug in an alternative data stream (in an air-gapped lab setting), and if you called it with the visual basic interpreter it would run and spread, but since outlook does not understand alternative data streams the version that was spread in my experiment was not able to spread by people just opening the email attachment. The worrying thing was that none of the antivirus or anti-malware scanners detected it in an alternative data stream.
@JojOatXGME Жыл бұрын
There was also a time back in the days when a lot of people here (without technical background) used special Unicode characters on Facebook to cause all kinds of strange effects. I think I have also seen something similar on Twitter once. Not sure if this is still a thing.^^
@TheJoshShephard Жыл бұрын
The Twitter thing was recently covered by David Bombal and TheXSSRat I think? He used a script in a tweet and I forget what it caused. But it made it retweet itself through people who saw it it think? Or something silly. But stuff like that is always interesting to see!
@Joooooooooooosh Жыл бұрын
@@TheJoshShephard That was in 2014, but it was more due to a bug in Tweetdeck that for some inexplicable reason, they used the heart emoji to indicate preceding text was to be rendered as HTML.
@TheJoshShephard Жыл бұрын
@@Joooooooooooosh noted! My memory is a little fuzzy. So I forgot some specifics. So thanks for the clarification!
@Spartan322 Жыл бұрын
Gotta love Linux, can't even run downloaded files unless you permit them, in most GUI file managers that means opening the file properties to edit the permissions which means seeing what the system recognizes what the file is.
@plashplash-fg6hd Жыл бұрын
There is also a now patched exploit in Microsoft Office where a document can launch any executable and I thought this video was going to be about that.
@CHETAN_I_007 Жыл бұрын
Ya but in this the exe is running. Which can me made to make a docx open in word and keep doing its work in background.
@realhumanist71 Жыл бұрын
Fascinating. While I mainly just use Windows for playing games, I can see this tricking a lot of users, even the more sophisticated ones.
@rd3l Жыл бұрын
why windows even displays filenames like that is beyond me
@araghon007 Жыл бұрын
Languages, man
@GYTCommnts Жыл бұрын
@@araghon007 File extensions should be left out of that... Or be the last thing after the last dot, no matter what and whatever direction.
@therandomdude2392 Жыл бұрын
I knew about the unicode character but I didn't know it can be used for something like file extensions, that is just wicked. This was taught to us, as well as some other unicode characters, as a side note by our professor in university and he just said that it was something cool but doesn't really have any real-life use.
@CHETAN_I_007 Жыл бұрын
I remember learning this when I was learning ethical hacking. And mark my words most of the KZbinres who got hacked was due to this.
@Kristinapedia Жыл бұрын
Only thing I took from this lesson: You can copy the entire font and using ctrl-v are able to use it that way instead of selecting every single character then copying. THANK YOU THIOJOE! 😛
@likebot. Жыл бұрын
Thank you Thio Joe! I'm a programmer since 1975 and this is a new thing for me. If Microsoft doesn't fix Windows to prevent Unicode characters in filenames then this bug is on them. I'm sure the Linux geeks are working on it now (prolly thanks to you!). And props to the hackers for being so inventive, damn their eyes.
@aMySour Жыл бұрын
Wdym "prevent Unicode characters in filenames"? All letters would be blocked if they did that Plus, the character is used in loads of languages -- not every language is left-to-right
@likebot. Жыл бұрын
@@aMySour hence the LTRO. Yeah I know even English wasn't originally left to right only but alternated from one line to the next. MSDos doesn't have the LTRO but Windows does - but it's not an option. I'm sure you know that I mean non-ASCII characters when I mentioned blocking Unicode. It made for a shorter comment that was already too long.
@snarkfinder2621 Жыл бұрын
I think that this may have been the most important video I have watched for a while. Thanks for the heads up.
@knowwhey7559 Жыл бұрын
Yes, this is somewhat dangerous, but the file would mostly come to you as an email attachment. Your antivirus would warn you in the same way that it does for any other EXE.
@TheJoshShephard Жыл бұрын
Unfortunately not always the case. If something is configured correctly, it's possible to bypass virus detection software in various ways. If it's not an email attachment, it's via a link. And may bypass detection because of file size or something else. Paul Hibbert had this happen via a fake sponsor and a fake pdf file. Then with most KZbinrs. The malware is being packed in zip folder and auto downloading after being directed to a pdf with a script. The browser and virus detectors miss it. And if the person finds it and unpacks it, they usually run Redline Stealer and get their accounts and many other things hacked. Usually it's in the form of a WMG, UMG, Copyright claim or Strike. But unfortunately for Paul, it came in the form of a fake sponsor campaign
@DM8Mydog Жыл бұрын
it'd be in a .zip, .rar, .ace, .tgz ... most AVs *should* handle them fine, but I can imagine other scenarios that would be trickier. Like passworded zips - the con would be in convincing the victim that there was a legitimate need for the file to be password protected. and I can see my folks falling for this. Can't you?
@NonuGamezRobloxE Жыл бұрын
@@TheJoshShephard can i get some videos of this?
@OzoneGrif Жыл бұрын
Wow, thanks for sharing this information; this is a major security flaw! I hope Antivirus companies will do something to protect users against files with UTF characters.
@Kyurem_originale_Form Жыл бұрын
I tested it on MacOS and it only reverses the characters in front of the file extension. The file extension (as well as the point) is always shown last and in left to right order. So no problem for MacOS 👍😊
Жыл бұрын
Not that MacOS uses the extension to identify executable files anyway…
@bazoo513 Жыл бұрын
This is an advanced version of a prank I played on nocives in the old days of ASCII terminals on Unix, DEC RSX orVMS, or HP-RTE systems. Neat.
@knghtbrd Жыл бұрын
I could've guessed there were RTL shenanigans the moment you showed extensions and .exe appeared in the middle of the filename. But I'm somewhat used to unicode shenanigans because I spend time thinking about how to render the text "as intended". That's nasty and gonna bite a lot of people! Might've bitten me if I hadn't just dealt with RTL stuff just a few weeks ago! 😬
@mind.journey Жыл бұрын
What if it was written as ReadmeXE.docx?
@autohmae Жыл бұрын
Those unicode characters are pretty well known in the IT security industry, but a great reminder, I'll try and find a way to get these on our systems.
@klopferator Жыл бұрын
Very interesting, I knew about the unicode character, but didn't think it would be allowed in filenames. Wtf? Windows prevents you from having : or / in the filename, but allows non-printable characters?
@simontay485111 ай бұрын
You can't have \ or / in a file name because they are used for path names. C:\windows\system32 for example.
@MarcoIino Жыл бұрын
Really terrifying... I checked what happens if you upload such a file to a ftp server and cloud services like google drive etc. and it turns out that the filename gets changed back in a way that .exe (in this example) is at the end of the filename again after the download. Tested w. Win 10 Firefox/Chrome. Filename before upload: "info-texe.txt" after download: "info-t_txt.exe". I tried it also via Email. Same result. As soon as you download the file to your pc its renamed again. At least some protection.
@syriuszb8611 Жыл бұрын
OS should show all executable types with additional sign on icon just like with the shortcut. That way, no matter the icon or name, it would be obvious from the start.
@JohnSmith-xq1pz Жыл бұрын
Everybody is gangster until ThioJoe logs in
@krishcshah Жыл бұрын
That is really really smart. I can see myself falling for this too.
@intodarknes9157 Жыл бұрын
Probably the easiest way to be save is to set the security level of the windows defender to maximum. This will require your manual confirmation for every action is taken on admin level. This prevents attacks from exe files because they need admin rights to change security critical files.
@jongeduard Жыл бұрын
Great video!! Possibilities are endless!!!🤣 It's not the first evil trick that people do with Unicode characters. There exists also some messing with what sites show in google search results by looking like official websites but actually exchanging characters for very simular other Unicode characters. Learning new things everyday!!!🙃🙃
@minecraftify95 Жыл бұрын
I already knew that. RIGHT TO LEFT OVERRIDE!
@RobBulmahn Жыл бұрын
I wasn't aware of this trick, but at the same time I don't think I would have fallen for it, because I always make sure "Show File Extensions" is enabled (no idea why MS disables that by default), and seeing "Test.exe.docx" would still set off alarm bells in my head, even if the "exe" wasn't at the very end.
@moncefbkb9353 Жыл бұрын
True but what if the name of the file was "annexe.docx", then you wouldn't find the "exe" part weird as an experienced user, and for standard users, they would still click on "ann.docx" out of curiosity. Edit : I realized it'd say "anndocx" if we disable showing extensions, so the attack would only work if they know you have showing extensions enabled.
@RobBulmahn Жыл бұрын
@@moncefbkb9353 I still think that sort of thing would be weird, but I suppose it also depends on what type of files you expect to encounter. Regardless, I could easily see this tricking a lot of people. I just tend to be very suspicious of any attached files unless it's from someone I know and I'm explicitly expecting them to send something.
@JojOatXGME Жыл бұрын
What about “n1c DOT executivesummary DOT doc”? This is an example from a German news outlet which published an article about that in 2011. I used “ DOT ” instead of an actual dot to avoid KZbin deleting the comment. The actual text would be “[RTLO]cod DOT yrammusevituc[LTRO]n1c[LTRO] DOT exe”.
@krissam7791 Жыл бұрын
Ironically, people probably won't fall for this if they don't have file extensions enabled.
@JessicaFEREM Жыл бұрын
Always remember scr files should be treated as EXEs, as that's what they are. You can rename any file to scr and it will still run.
@Xnoob545 Жыл бұрын
"i guarantee you will be wrong" But I wasn't I knew what was going on instantly
@finnchillah3974 Жыл бұрын
as soon as he said "i guarantee you're wrong" at the start, i was like "that's gotta be the unicode reverse thing, right?" and as soon as he said it was using an invisible character i was like " C A L L E D I T "
@HuskyNET Жыл бұрын
I feel like I just want to show off, but I paused the video before he gave the answer and thought about it and that was the only thing that I could come up with on how to do it, because Windows shows this file as an executable. However, I would have assumed that Microsoft had prevented this security flaw long ago, because this was already in the news during Windows Vista times.
@inx1819 Жыл бұрын
i thought its too obvious that it's just a hidden file extension so I put my bet on weird unicode magic and I was right lol
@TheTHORDummy Жыл бұрын
You can also notice that this file is secretly something else if the UAC prompt shows up because a word document would never ask for the UAC prompt