02109nas a2200181 4500000000100000000000100001008004100002260003300043653002600076653003700102653003000139653003500169653000900204100002000213700002200233245009600255520157600351 2019 d c2-4 OctoberaSofia, Bulgaria10afile name obfuscation10aInstant messaging malware attack10aMicrosoft Skype for Linux10aright-to-left Unicode override10aWine1 aVeneta Yosifova1 aVesselin Bontchev00aPossible Instant Messaging Malware Attack Using Right-to-Left Unicode Overriding Characters3 a
The right-to-left special Unicode character has a legitimate use for languages that are transcribed in a right-to-left direction or in an environment that combines both right-to-left and left-to-right languages, like web pages, emails, desktop documents and text messages. These writing systems include right-to-left languages such as Persian, Arabic and Hebrew. The “right-to-left” attacks have been used for many years for malicious purposes, mostly in email communications. Early in 2018, Kaspersky Lab published an article described a vulnerability in the Windows client of the popular instant messenger Telegram. This vulnerability uses the Unicode “right-to-left” character to obfuscate the name of the malware file. This paper describes a possible attack that we discovered. It uses a combination of the “right-to-left” override attack and instant messaging malware attack and presents a realistic threat for another widely used messenger - Microsoft’s Skype for Linux. The purpose for conducting this research was to describe an exploit that we discovered and to warn the people who use this communication application about it, as well as to appeal to the producer for fixing it. Additionally, it is important to emphasize that the attack scenario developed by us also impacts other applications that allow file transfer (e.g., e-mail clients) and run on Linux systems with Wine installed.
This paper is included in the program of DIGILIENCE 2019 and will be published in the post-conference volume.