CORP_INVOICE_08.14.2011_Pr.phyl\u202Ecod.exe
which would display as:
CORP_INVOICE_08.14.2011_Pr.phylexe.doc
This example felt a bit unconvincing to me, since the actual file extension now appears just before the dot. So, is the conclusion that you now need to pay attention to what comes before the dot? I decided to do some research of my own. The result is that I will never trust a filename ever again! What about you? Would you trust any of the following files?
Children.Of.Men-DVDiva.DIVX-RENEE.SCR
Chromezg.rat.baT
Windowstnerrot.MOOD-noitidE.evituc.7.Exe
Another important, but less discussed, character is \u202D, "Left-to-Right Override" (LRO), which has the opposite effect of RLO. Using combinations of RLO and LRO, we can switch back and forth between adding characters to the end or the beginning of the string. As an example, the following obfuscated text
"\u202Et\u202Di\u202Eo\u202Dn\u202En\u202Dt\u202Er\u202De" (tionntre)
would display as
internot
With this technique you can completely obfuscate the file type by integrating the extension into what appears as the file name (as can be seen in the file names above). This means you need to be wary whenever an executable file extension (or the reverse of one) is contained in the displayed file name in conjunction with a dot.
Here's a list of examples of what you need to look out for if they appear anywhere in the file name:
.bat or tab.
.com or moc.
.exe or exe.
.scr or rcs.
.pif or fip.
.jar or raj.
...
These are just the obvious examples. If we were to include any file extension which opens up in a vulnerable program, you'd quickly realize that just about any filename could be potentially harmful.
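A defender-side check for the above, as an added example that is not part of the original post: it strips the bidi controls to find the extension the OS will actually use, approximates the displayed name, and applies the "extension or its reverse next to a dot" heuristic. The function names are hypothetical, and the renderer assumes all visible characters are left-to-right, so it is a simplification of the Unicode bidi algorithm (UAX #9), not a full implementation.

```python
RLO, LRO, PDF = "\u202e", "\u202d", "\u202c"
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
RISKY_EXTS = ("bat", "com", "exe", "scr", "pif", "jar")  # the list in the text above

def displayed(name):
    """Approximate the on-screen order of `name`.
    Assumption: visible characters are all left-to-right, so only
    RLO/LRO/PDF reorder them (simplified UAX #9)."""
    level, stack, chars = 0, [], []
    for ch in name:
        if ch in (RLO, LRO):
            stack.append(level)
            want_odd = ch == RLO  # RLO -> next odd level, LRO -> next even level
            level += 1 if (level % 2 == 0) == want_odd else 2
        elif ch == PDF:
            level = stack.pop() if stack else level
        elif ch not in BIDI_CONTROLS:
            chars.append((ch, level))
    # UAX #9 rule L2: from the highest level down to 1, reverse each run at or above it.
    for lvl in range(max((l for _, l in chars), default=0), 0, -1):
        i = 0
        while i < len(chars):
            j = i
            while j < len(chars) and chars[j][1] >= lvl:
                j += 1
            chars[i:j] = chars[i:j][::-1]
            i = j + 1
    return "".join(c for c, _ in chars)

def ext(s):
    return s.rpartition(".")[2].lower() if "." in s else ""

def inspect(name):
    """Compare the extension the OS uses with the one the user is shown."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = displayed(name)
    low = shown.lower()
    # Heuristic from the text: an executable extension, or its reverse, next to a dot.
    hits = [e for e in RISKY_EXTS if "." + e in low or e[::-1] + "." in low]
    return {
        "controls": controls, "shown": shown,
        "real_ext": ext(logical), "shown_ext": ext(shown),
        "risky_hits": hits,
        "ext_mismatch": ext(logical) != ext(shown),
    }

SAMPLE = "CORP_INVOICE_08.14.2011_Pr.phyl\u202Ecod.exe"  # file name from the text above
if __name__ == "__main__":
    print(inspect(SAMPLE))
```

Any non-empty `controls` list in a file name arriving by mail or download is worth flagging on its own; `ext_mismatch` and `risky_hits` explain why.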
/internot