I've written before about the wonders of Unicode but this post is an example of its dark side. Over at the Microsoft Malware Protection Center there is an interesting post about the use of Unicode by malware. It seems that the trojan TrojanDropper:Win32/Vundo.L hijacks the Russian social networking site vkontakte.ru and redirects it to another—presumably malware, the story doesn't say—site.

The normal way of doing this is to add an entry to the hosts file (%SystemRoot%\system32\drivers\etc\hosts) but when they checked the hosts file it was clean—no entries for the Russian site. Then they displayed hidden files and discovered another hosts file that had been corrupted. How could this be? You can't, of course, have two files with identical names in the same directory. By now, you've guessed the answer: the visible hosts file had the o replaced with the Unicode character 0x043E, which is a Cyrillic character that looks like the Roman character o. That meant that TCP/IP ignored the “clean” hosts file because it had the wrong name and used the hidden one instead.

I've heard of this trick being used in URLs to snare the unwary into going to a rogue site that appears to be legitimate but this is the first time I've seen it used this way. A very simple but effective trick.
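The check the Microsoft analysts did by hand (show hidden files, notice two "hosts" entries) can be automated: map each file name to a "skeleton" in which look-alike characters are replaced by the Latin letters they resemble, and flag any name whose skeleton matches a sensitive name such as hosts while the real name differs. The following is an added example written for this post, not code from the original article or from Microsoft; the look-alike table is a constructed partial one (the seven Cyrillic lowercase letters most often confused with Latin letters, including the U+043E used here), the sample directory listing is constructed, and the function and variable names are my own.

```python
import os
import unicodedata
from typing import Dict, List

# Partial map of Cyrillic lowercase letters that render like Latin letters.
# Constructed for this example; the full Unicode confusables table is far larger.
CYRILLIC_LOOKALIKES: Dict[str, str] = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O  (the one from the Vundo case)
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
}

# Constructed listing of a drivers\etc directory: the genuine names plus one
# decoy whose second letter is Cyrillic o (U+043E) instead of Latin o.
SAMPLE_LISTING: List[str] = [
    "hosts",
    "h\u043ests",
    "lmhosts.sam",
    "networks",
    "protocol",
    "services",
]


def skeleton(name: str) -> str:
    """Collapse a file name to what it *looks* like: look-alike Cyrillic
    letters become their Latin counterparts and case is folded, so two
    visually identical names produce the same string."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in name).casefold()


def describe_non_ascii(name: str) -> List[str]:
    """Name every non-ASCII code point in the file name, for the report."""
    return [
        f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
        for ch in name
        if ord(ch) > 0x7F
    ]


def find_lookalike_files(names: List[str], expected: str = "hosts") -> List[dict]:
    """Return the entries that look like `expected` but are not actually
    spelled that way. Each finding records the real name and the offending
    code points so an analyst can see exactly which character was swapped."""
    target = expected.casefold()
    findings = []
    for name in names:
        if name.casefold() != target and skeleton(name) == target:
            findings.append({"name": name, "codepoints": describe_non_ascii(name)})
    return findings


def scan_directory(path: str, expected: str = "hosts") -> List[dict]:
    """Run the same check over a real directory, e.g. the drivers\\etc path
    from the article (assumed to be readable by the caller)."""
    return find_lookalike_files(os.listdir(path), expected)


if __name__ == "__main__":
    for hit in find_lookalike_files(SAMPLE_LISTING):
        print(f"look-alike of 'hosts': {hit['name']!r} -> {', '.join(hit['codepoints'])}")
```

Run against the constructed listing, the scanner reports the single decoy and identifies the swapped character as U+043E CYRILLIC SMALL LETTER O. The skeleton approach is deliberately narrow: it only catches substitutions in the table, so a production tool would load the full Unicode confusables data, and it says nothing about which of the two files the resolver will actually read, which is why the name that is exactly "hosts" still has to be inspected separately.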