Years ago, malware virus programs known as "twins," "spawners," or "companion viruses" relied on a little-known feature of Microsoft Windows/DOS, where even if you typed in the file name Start.exe, Windows would look for and, if found, execute Start.com instead. Companion viruses would look for all the .exe files on your hard drive, and create a virus with the same name as the EXE, but with the file extension .com. This has long since been fixed by Microsoft, but its discovery and exploitation by early hackers laid the groundwork for inventive ways to hide viruses that continue to evolve today.
Among the more sophisticated file-renaming tricks currently employed is the use of Unicode characters that affect the output of the file name users are presented. For example, the Unicode character (U+202E), called the Right to Left Override, can fool many systems into displaying a file actually named AnnaKournikovaNudeavi.exe as AnnaKournikovaNudexe.avi.
Lesson: Whenever possible, make sure you know the real, complete name of any file before executing it.
Stealth attack No. 4: Location, location, location
Another interesting stealth trick that uses an operating system against itself is a file location trick known as "relative versus absolute." In legacy versions of Windows (Windows XP, 2003, and earlier) and other early operating systems, if you typed in a file name and hit Enter, or if the operating system went looking for a file on your behalf, it would always start with your current folder or directory location first, before looking elsewhere. This behavior might seem efficient and harmless enough, but hackers and malware used it to their advantage.
For example, suppose you wanted to run the built-in, harmless Windows calculator (calc.exe). It's easy enough (and often faster than using several mouse clicks) to open up a command prompt, type in
calc.exe and hit Enter. But malware could create a malicious file called calc.exe and hide it in the current directory or your home folder; when you tried to execute calc.exe, it would run the bogus copy instead.
I loved this fault as a penetration tester. Often times, after I had broken into a computer and needed to elevate my privileges to Administrator, I would take an unpatched version of a known, previously vulnerable piece of software and place it in a temporary folder. Most of the time all I had to do was place a single vulnerable executable or DLL, while leaving the entire, previously installed patched program alone. I would type in the program executable's filename in my temporary folder, and Windows would load my vulnerable, Trojan executable from my temporary folder instead of the more recently patched version. I loved it -- I could exploit a fully patched system with a single bad file.
Linux, Unix, and BSD systems have had this problem fixed for more than a decade. Microsoft fixed the problem in 2006 with the releases of Windows Vista/2008, although the problem remains in legacy versions because of backward-compatibility issues. Microsoft has also been warning and teaching developers to use absolute (rather than relative) file/path names within their own programs for many years. Still, tens of thousands of legacy programs are vulnerable to location tricks. Hackers know this better than anyone.
Lesson: Use operating systems that enforce absolute directory and folder paths, and look for files in default system areas first.