Six tricks scammers use to con you into clicking a malicious .exe file
For years, security experts have been saying you’ll be safe if you steer clear of opening .exe files you randomly encounter online.
Well, they’re wrong.
Cyber crooks, a resourceful bunch, employ a wide variety of methods to trick you into downloading and executing a binary file. They can get you even if you are 100 percent certain you’re opening a text document, image or other file format.
Here are some examples of how they do it:
1. The “hide known file types” method
Windows has an option to hide extensions for known file types, and it is set to on by default. This means that, as long as a program is installed to handle a specific file extension, the system won’t display that extension. For instance, a file named “name.jpg.exe” will appear in Explorer as “name.jpg”, where JPG seems to be the real extension of the file rather than .exe. Add a JPG icon to that file and you have the perfect bait for the unwary user. The system, however, will execute it as an .exe file.
2. The “shortcut” method
Consider a shortcut that points to a malicious file. The shortcut can be given any name and, of course, any extension (let’s take a shortcut with a .jpg extension as the example). If the shortcut is set to run the command “C:\WINDOWS\system32\cmd.exe /c name.jpg”, the malicious file behind the shortcut, even though it carries a .jpg extension in our example, will be executed as an .exe file, no matter what extension is added at the end.
3. The “RTLO” method
A file named “Al[RTLO]gpj.exe”, where [RTLO] is a non-printing (invisible) character that forces the characters after it to be displayed from right to left, will appear in Explorer as “Alexe.jpg”. Although JPG appears to be the true extension of the file, Windows Explorer will treat the file as what it really is: an executable.
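Tricks 1 to 3 all rely on the gap between the name Explorer draws on screen and the extension Windows actually dispatches on. The Python script below is an added example (not code from the original article or from Bitdefender) that scans a list of file names for that gap: it strips bidi override characters, simulates the two display rules involved (hidden known extensions, and reversed text after a RIGHT-TO-LEFT OVERRIDE) and flags any name whose real extension is executable while its rendered name ends in a document extension. The extension lists, the rendering approximation and the sample names are assumptions for the example; the fact that Explorer never shows a shortcut’s .lnk extension is real Windows behaviour, and is why a shortcut named “photo.jpg.lnk” lists as “photo.jpg”.

```python
import os

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE) is the "RTLO"
# of trick 3; the others are included so a scanner does not miss a close variant.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Extensions Windows hands to a program loader rather than a viewer (an assumed, common subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
                   ".jse", ".wsf", ".hta", ".msi", ".lnk"}

# "Document-looking" extensions that serve as bait in tricks 1 to 3 (assumed list).
BAIT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt",
             ".xls", ".xlsx", ".mp3", ".mp4"}

# Explorer never shows the .lnk extension of a shortcut, whatever the "hide extensions" setting.
ALWAYS_HIDDEN_EXTS = {".lnk"}

# Constructed sample directory listing (not real files): the article's examples plus two benign names.
SAMPLE_NAMES = [
    "holiday.jpg.exe",   # trick 1: double extension
    "photo.jpg.lnk",     # trick 2: shortcut named like an image
    "Al\u202egpj.exe",   # trick 3: RTLO, renders as Alexe.jpg
    "report.pdf",
    "installer.exe",
]


def strip_bidi(name: str) -> str:
    """Remove invisible bidi controls so the name can be compared character for character."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """The extension Windows actually dispatches on: whatever follows the last dot."""
    return os.path.splitext(strip_bidi(name))[1].lower()


def rendered_name(name: str, hide_known_ext: bool = True) -> str:
    """Approximate what Explorer draws for a file name.

    1. The last extension is dropped when "hide extensions for known file types" is on
       (and always for .lnk).
    2. Everything after a RIGHT-TO-LEFT OVERRIDE is drawn reversed, so "gpj.exe" reads "exe.jpg".
    """
    stem, ext = os.path.splitext(name)
    if ext.lower() in ALWAYS_HIDDEN_EXTS or (hide_known_ext and ext):
        name = stem
    head, rtlo, tail = name.partition("\u202e")
    if rtlo:
        name = head + tail[::-1]
    return strip_bidi(name)


def apparent_extension(name: str, hide_known_ext: bool = True) -> str:
    """The extension a user believes they are looking at."""
    return os.path.splitext(rendered_name(name, hide_known_ext))[1].lower()


def is_disguised_executable(name: str) -> bool:
    """True when the file will execute but looks like a document under either Explorer setting."""
    if real_extension(name) not in EXECUTABLE_EXTS:
        return False
    return any(apparent_extension(name, hide) in BAIT_EXTS for hide in (True, False))


def scan(names) -> dict:
    """Map each suspicious name to the list of reasons it was flagged."""
    report = {}
    for name in names:
        reasons = []
        if any(ch in BIDI_CONTROLS for ch in name):
            reasons.append("bidi-override")
        if is_disguised_executable(name):
            reasons.append("disguised-executable")
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_NAMES).items():
        print(rendered_name(name), "is really", real_extension(name), "->", ", ".join(reasons))
```

Run over a mail gateway’s attachment names or a download folder listing, the same check turns the three visual tricks into a plain string comparison: the user sees `rendered_name`, the loader sees `real_extension`, and any name where the two disagree about whether the file runs deserves a closer look.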
4. The “Registry” method
A file extension can be associated with a file type simply by setting a few values in the Windows interface or in the Registry, so that files with one extension are treated as files of a completely different type (executables being of particular interest here). For instance, after such a change, double-clicking a JPG file makes the system run it as an application rather than hand it to whatever photo viewer you have installed on your PC. The attacker then only has to take a virus, change its extension from EXE to JPG and send it to your compromised computer “for viewing”. You may believe it is a JPG, but your system will know better and treat it as a regular EXE file.
5. The “debugger/spoof application” method
Debugging is a technique that helps programmers find errors in their applications. Debuggers are a great help in spotting problems and are a vital component of writing, testing and running software. When something goes wrong, you can attach a debugger to a specific application to see what happens while it runs.
Cyber-crooks have been using this debugger mechanism for a while to attach a “debugger” to a legitimate application you may use frequently (such as the Windows Calculator). Except that, instead of a legitimate debugger, they register a virus. So every time you run that application, the virus (registered as that app’s debugger) is started as well. Say malware.exe is set as the debugger for notepad.exe: every time notepad.exe is opened, which implicitly happens whenever a .txt file is opened, malware.exe is started too.
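Tricks 4 and 5 both leave a footprint in the Registry: a document extension under HKEY_CLASSES_ROOT whose default value (its ProgID) points at an executable type such as exefile, and a Debugger value under the Image File Execution Options key for the hijacked program. The script below is an added example, not the article’s or Bitdefender’s code. It parses a constructed .reg export (the text format produced by `reg export`) and reports both conditions, so the same checks can be run offline against an export taken from a suspect machine. The .reg sample, the document-extension list and the decision to treat only the listed ProgIDs as executable are assumptions for the example; the key paths, the Debugger value name and the ProgID names are the standard Windows ones.

```python
# Constructed .reg export (no real system was exported): one hijacked extension and one IFEO
# debugger next to harmless entries, so the checks have something to find and something to ignore.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.jpg]
@="exefile"
"Content Type"="image/jpeg"

[HKEY_CLASSES_ROOT\.png]
@="pngfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Users\\Public\\malware.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

# Key whose per-image subkeys may carry the Debugger value abused in trick 5.
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Places where an extension's ProgID can be (re)defined; HKEY_CLASSES_ROOT is a merged view of the other two.
CLASSES_ROOTS = {r"HKEY_CLASSES_ROOT", r"HKEY_CURRENT_USER\Software\Classes",
                 r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"}

# Built-in ProgIDs that make Windows run a file instead of opening it in a viewer (compared lower-case).
EXECUTABLE_PROGIDS = {"exefile", "batfile", "cmdfile", "comfile", "piffile", "scrfile",
                      "vbsfile", "jsfile", "wsffile", "htafile"}

# Extensions a user expects to open in a viewer (assumed list).
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".txt", ".pdf", ".doc", ".docx"}


def parse_reg(text: str) -> dict:
    """Parse the subset of .reg syntax needed here: [key] headers and "name"="value" / @="value" lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            # Unescape the two sequences .reg uses inside string values; dword:/hex: values stay raw.
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = value
    return keys


def find_ifeo_debuggers(keys: dict) -> dict:
    """Image name -> Debugger command for every IFEO subkey that carries a Debugger value (trick 5)."""
    hits = {}
    for key, values in keys.items():
        parent, _, image = key.rpartition("\\")
        if parent.lower() == IFEO_KEY.lower() and "Debugger" in values:
            hits[image.lower()] = values["Debugger"]
    return hits


def find_hijacked_associations(keys: dict) -> dict:
    """Extension -> ProgID for document extensions that now resolve to an executable type (trick 4)."""
    roots = {r.lower() for r in CLASSES_ROOTS}
    hits = {}
    for key, values in keys.items():
        parent, _, ext = key.rpartition("\\")
        if parent.lower() in roots and ext.lower() in DOCUMENT_EXTS:
            progid = values.get("(Default)", "")
            if progid.lower() in EXECUTABLE_PROGIDS:
                hits[ext.lower()] = progid
    return hits


def audit(text: str) -> dict:
    """Run both checks over one .reg export and return the findings by category."""
    keys = parse_reg(text)
    return {"ifeo_debuggers": find_ifeo_debuggers(keys),
            "hijacked_associations": find_hijacked_associations(keys)}


if __name__ == "__main__":
    for category, hits in audit(SAMPLE_REG).items():
        print(category, hits or "none")
```

To use it on a real export, run `reg export` for the Image File Execution Options key and for the classes keys, then read the file with `open(path, encoding="utf-16")`, since `reg export` writes UTF-16 by default. The parser skips `hex(...)` and continuation lines, which these two checks never need; a Debugger value that is present at all is the signal, whatever program it names, because nothing legitimate on an end-user machine normally registers one for Notepad or Calculator.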
6. The “exploit” method
This method doesn’t really involve any trick, as the file extension is in plain view. However, by exploiting vulnerabilities in the way various file formats are parsed, an exploit can execute code and launch a file that was either already on the disk or downloaded from the Internet. For instance, opening a rigged PDF file can drop and install a piece of malware without the user even realizing that anything is wrong.
All that said, it is highly advisable to have a good antivirus on your system at all times. Don’t click or download anything unless you trust the source.
This article was written with the help of my colleague Doina Cosovan, BitDefender Virus Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.