How a Trojan Virus Pretends to Be a PDF Using the RLO Method
You cannot guarantee that a file is truly an image, video, PDF, or text file by looking at file extensions. On Windows, attackers can execute a PDF as though it were an EXE.
This is quite dangerous, because a file that you download from the internet, mistaking it for a PDF file, may actually contain a very harmful virus. Have you ever wondered how attackers do this?
Trojan Viruses Explained
Trojan viruses derive their name from the attack of the Achaeans (Greeks) in Greek mythology on the city of Troy in Anatolia. Troy is located within the borders of today’s Çanakkale city. According to the narratives, there was a model wooden horse built by Odysseus, one of the Greek kings, to overcome the walls of the city of Troy. Soldiers hid inside this model and secretly entered the city. If you’re wondering, a copy of this horse model is still found in Çanakkale, Turkey.
The Trojan horse once represented a clever deception and an ingenious feat of engineering. Today, however, it is viewed as malicious digital malware whose sole purpose is to harm target computers undetected. This virus is called a Trojan because of the concept of being undetected and causing harm.
Trojans can read passwords, record the keys you press on your keyboard, or take your entire computer hostage. They are quite small for this purpose and can cause serious damage.
What Is the RLO Method?
Many languages can be written from right to left, such as Arabic, Urdu, and Persian. Many attackers use this nature of language to launch various attacks. A text that is meaningful and safe for you when you read it starting from the left may actually be written from the right and refer to a completely different file. You can use the RLO method that exists in the Windows operating system to deal with right-to-left languages.
There is an RLO character for this in Windows. As soon as you use this character, your computer will now start reading the text from right to left. Attackers using this get a good opportunity to hide executable filenames and extensions.
For example, suppose you type an English word from left to right, and that word is Software. If you add the Windows character RLO after the letter T, anything you type after that will be read from right to left. As a result, your new word will be Softeraw.
To understand this better, review the diagram below.
Can a Trojan Be Put in a PDF?
In some malicious PDF attacks, it is possible to put exploits or malicious scripts inside the PDF. Many different tools and programs can do this. Moreover, it is possible to do this by changing the existing codes of the PDF without using any program.
However, the RLO method is different. With the RLO method, attackers present an existing EXE as if it were a PDF to trick the target user. So only the image of the EXE changes. The target user, on the other hand, opens this file believing it to be an innocent PDF.
How to Use the RLO Method
Before explaining how to show an EXE as a PDF with the RLO method, review the image below. Which of these files is PDF?
You cannot determine this at a glance. Instead, Y=you need to look at the contents of the file. But in case you were wondering, the file on the left is the actual PDF.
This trick is pretty easy to do. Attackers first write malicious code and compile it. The compiled code gives an output in exe format. Attackers change the name and icon of this EXE and turn its appearance into a PDF. So how does the naming process work?
This is where RLO comes into play. For example, suppose you have an EXE named iamsafefdp.exe. At this stage, the attacker will put an RLO character between iamsafe and fdp.exe to rename the file. It is quite easy to do this in Windows. Just right-click while renaming.
All you have to understand here is that after Windows sees the RLO character, it reads from right to left. The file is still an EXE. Nothing has changed. It just looks like a PDF in appearance.
After this stage, the attacker will now replace the icon of the EXE with a PDF icon and send this file to the target person.
The image below is the answer to our earlier question. The EXE you see on the right was created using the RLO method. In appearance, both files are the same, but their content is completely different.
How Can You Protect From This Type Of Attack?
As with many security problems, there are several precautions you can take with this security problem. The first is to use the rename option to check the file you want to open. If you choose the rename option, the Windows operating system will automatically select the area outside the file’s extension. So the unselected part will be the actual extension of the file. If you see the EXE format in the unselected part, you should not open this file.
You can also check if a hidden character has been inserted using the command line. For this, simply use the dir command as follows.
As you can see in the screenshot above, there is something strange about the name of the file named util. This indicates that there is something you should be suspicious of.
Take Precautions Before Downloading a File
As you can see, even a simple PDF file can make your device fall under the control of attackers. That’s why you shouldn’t download every file you see on the internet. No matter how safe you think they are, always think twice.
Before downloading a file, there are several precautions you can take. First of all, you should make sure that the site you are downloading from is reliable. You can check the file you will download later online. If you are sure of everything, it is entirely up to you to make this decision.