03 March 2023

How a Trojan Virus Pretends to Be a PDF Using the RLO Method



You cannot guarantee that a file is truly an image, video, PDF, or text file by looking at file extensions. On Windows, attackers can disguise an EXE so that it appears to be a PDF.

This is quite dangerous, because a file that you download from the internet, mistaking it for a PDF file, may actually contain a very harmful virus. Have you ever wondered how attackers do this?

Trojan Viruses Explained

Trojan viruses derive their name from the attack of the Achaeans (Greeks) in Greek mythology on the city of Troy in Anatolia. Troy is located within the borders of today's Çanakkale city. According to the narratives, there was a model wooden horse built by Odysseus, one of the Greek kings, to overcome the walls of the city of Troy. Soldiers hid inside this model and secretly entered the city. If you're wondering, a copy of this horse model is still found in Çanakkale, Turkey.

The Trojan horse once represented a clever deception and an ingenious feat of engineering. Today, however, the name refers to malware whose sole purpose is to harm target computers undetected. This malware is called a Trojan because it shares the idea of going undetected and causing harm.

Trojans can read passwords, record the keys you press on your keyboard, or take your entire computer hostage. They are typically quite small, yet they can cause serious damage.

What Is the RLO Method?

Many languages are written from right to left, such as Arabic, Urdu, and Persian. Many attackers use this property of written language to launch various attacks. A text that is meaningful and safe for you when you read it starting from the left may actually be written from the right and refer to a completely different file. The RLO method exists in the Windows operating system to handle right-to-left languages.

There is an RLO character for this in Windows. As soon as you use this character, your computer starts reading the text that follows from right to left. Attackers use this as an opportunity to hide executable filenames and extensions.


For example, suppose you type an English word from left to right, and that word is Software. If you add the Windows character RLO after the letter T, anything you type after that will be read from right to left. As a result, your new word will be Softeraw.

To understand this better, review the diagram below.


Can a Trojan Be Put in a PDF?

In some malicious PDF attacks, it is possible to put exploits or malicious scripts inside the PDF. Many different tools and programs can do this. Moreover, it is possible to do this by changing the existing code of the PDF without using any program.

However, the RLO method is different. With the RLO method, attackers present an existing EXE as if it were a PDF to trick the target user. So only the appearance of the EXE changes. The target user, on the other hand, opens this file believing it to be an innocent PDF.

How to Use the RLO Method

Before explaining how to show an EXE as a PDF with the RLO method, review the image below. Which of these files is the PDF?

You cannot determine this at a glance. Instead, you need to look at the contents of the file. But in case you were wondering, the file on the left is the actual PDF.

This trick is pretty easy to do. Attackers first write malicious code and compile it. The compiled code gives an output in exe format. Attackers change the name and icon of this EXE and turn its appearance into a PDF. So how does the naming process work?

This is where RLO comes into play. For example, suppose you have an EXE named iamsafefdp.exe. At this stage, the attacker will put an RLO character between iamsafe and fdp.exe to rename the file. It is quite easy to do this in Windows. Just right-click while renaming.


All you have to understand here is that after Windows sees the RLO character, it reads from right to left. The file is still an EXE. Nothing has changed. It just looks like a PDF in appearance.

After this stage, the attacker will now replace the icon of the EXE with a PDF icon and send this file to the target person.

The image below is the answer to our earlier question. The EXE you see on the right was created using the RLO method. In appearance, both files are the same, but their content is completely different.


How Can You Protect Yourself From This Type of Attack?

As with many security problems, there are several precautions you can take here. The first is to use the rename option to check the file you want to open. If you choose the rename option, the Windows operating system will automatically select the part of the name outside the file's extension. So the unselected part will be the actual extension of the file. If you see the EXE format in the unselected part, you should not open this file.

You can also check if a hidden character has been inserted using the command line. For this, simply use the dir command as follows.


As you can see in the screenshot above, there is something strange about the name of the file named util. This indicates that there is something you should be suspicious of.
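The same check can be automated. The following is an added example, not code from the original article: it flags file names that contain bidirectional control characters (RLO is Unicode code point U+202E) and compares the extension the operating system acts on with the one a user would see. The function names, the executable-extension list, and the sample names are assumptions made for illustration, and the display logic is a simplification that only handles Latin-only names.

```python
import os
import sys

# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
                    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
                    "\u200e\u200f\u061c")              # LRM, RLM, ALM
RLO, PDF = "\u202e", "\u202c"
# Assumption: a short, non-exhaustive list of extensions Windows will run.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}


def escape_controls(name):
    """Make every bidi control visible as <U+XXXX>."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in name)


def displayed_name(name):
    """Approximate what a bidi-aware UI shows for a Latin-only name.

    Simplification (not the full Unicode bidi algorithm): text after RLO is
    reversed until PDF or end of name; other controls are simply dropped.
    """
    out, run, in_rlo = [], [], False
    for c in name:
        if c == RLO:
            in_rlo = True
        elif c == PDF and in_rlo:
            out.extend(reversed(run))
            run, in_rlo = [], False
        elif c in BIDI_CONTROLS:
            continue
        elif in_rlo:
            run.append(c)
        else:
            out.append(c)
    return "".join(out + run[::-1])


def inspect_filename(name):
    """Compare the extension the OS acts on with the one the user sees."""
    real_ext = os.path.splitext(name)[1].lower()      # logical order: what runs
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()    # visual order: what is seen
    return {"escaped": escape_controls(name), "displayed": shown,
            "real_ext": real_ext, "displayed_ext": shown_ext,
            "has_bidi_control": any(c in BIDI_CONTROLS for c in name),
            "extension_mismatch": real_ext != shown_ext,
            "real_is_executable": real_ext in EXECUTABLE_EXTS}


def scan_tree(root):
    """Walk a directory; return reports for names containing bidi controls."""
    hits = []
    for _dir, _subdirs, files in os.walk(root):
        hits += [r for r in map(inspect_filename, files) if r["has_bidi_control"]]
    return hits


if __name__ == "__main__":
    # Scan the directory given on the command line (default: current one).
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("REVIEW:", hit["escaped"], "shown as", hit["displayed"],
              "but real extension is", hit["real_ext"] or "(none)")
```

Run against a downloads folder, any line it prints names a file whose displayed name should not be trusted; the escaped form shows exactly where the hidden character sits.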

Take Precautions Before Downloading a File

As you can see, even a simple PDF file can make your device fall under the control of attackers. That's why you shouldn't download every file you see on the internet. No matter how safe you think they are, always think twice.

Before downloading a file, there are several precautions you can take. First of all, you should make sure that the site you are downloading from is reliable. You can check the file you will download later online. If you are sure of everything, it is entirely up to you to make this decision.

Source: MakeUseOf

Australian (alleged) C-19 deaths misclassification of flu and pneumonia

Australian official mortality data show no clear evidence of significant excess deaths in 2020, implying from an older WHO definition that there was no COVID-19 pandemic. A seasonality analysis suggests that COVID-19 deaths in 2020 were likely misclassifications of influenza and pneumonia deaths.

Australian excess mortality became significant only since 2021 when the level was high enough to justify calling a pandemic. Significant excess mortality was strongly correlated (+74%) with COVID-19 mass injections five months earlier. 

Strength of correlation, consistency, specificity, temporality, and dose-response relationship are foremost Bradford Hill criteria which are satisfied by the data to suggest the iatrogenesis of the Australian pandemic, where excess deaths were largely caused by COVID-19 injections. 

Supporting this hypothesis also is the fact that the youngest 0-44 age group with lowest risks of COVID infection and death has suffered disproportionately the highest multiples of excess mortality with the advent of COVID injections-a result which is unlikely to have other natural explanations. Therefore, Australia appears likely to be experiencing an iatrogenic pandemic and the associated mortality risk/benefit ratio for COVID injections is very high.

See document:


01 March 2023

AFP Commissioner Avoids Questions About Police Assault of Peaceful Protester


“If I was going to detain somebody, and they were a peaceful protester, I would endeavour to ensure that they didn’t get three broken ribs and fractured vertebrae, like happened after your officers,” Senator David Shoebridge put it to AFP commissioner Reece Kershaw last Monday.

“Do you agree that’s a poor outcome from an arrest?” the Greens senator then asked the head of the federal police, who was proving rather reluctant to consider the arrest, which saw Iranian protester Hamid Sotounzadeh hospitalised with serious injuries, was an issue worthy of raising.

As footage circulated by Counteract shows, Sotounzadeh was set upon by Australian Federal Police officers on 9 February, as he was demonstrating against Iran’s Islamic Revolutionary Guard Corps across the road from that nation’s embassy in Canberra.

Indeed, that Sotounzadeh suffered fractured bones and was rendered unconscious due to officers setting upon him, for peacefully protesting the IRGC over the months-long repressions it’s subjected Iranians to, has led to the charge that the local cops acted in a manner akin to those in Iran.

The clip of the arrest shows a fellow protester gradually becoming more and more distressed as she approaches her friend who’s lying on the ground, covered in scuff marks and no longer moving, as three AFP officers hover around him.

Sotounzadeh was still in hospital five days after the police assault. And despite an officer insisting he’d failed to follow orders prior to their having set upon him, the man hasn’t been charged with anything.

Investigating their own

Shoebridge raised the police assault with the AFP commissioner during budget estimates on 13 February, advising Kershaw that Hamid had still been in hospital that morning. However, the top cop appeared to have difficulty in answering any of the senator’s questions about the incident directly.

Kershaw was hesitant about Shoebridge’s assertion that the incident was a “violent arrest”, as well as to the suggestion that it involved “potential police misconduct”, and he wouldn’t confirm what sort of breach of the law the protester is supposed to have partaken in.

However, AFP acting deputy commissioner of operations Lesa Gale did confirm the professional standards unit is currently investigating the matter. And this ongoing internal investigation was the reason Kershaw gave for his slipperiness around questioning.

And when Shoebridge reiterated that one could “jump to the conclusion” that a violent arrest has occurred, when a peaceful protester ends up in hospital with broken ribs after being taken into custody, Kershaw replied, “That’s your view. That’s your opinion, based on your limited knowledge”.

Defiant after the fact

The footage capturing parts of the assault opens with an AFP officer repeatedly pushing at Hamid, who’s filming, and commanding him to step back, despite the fact, as Shoebridge suggested, that he’s standing across the road from the embassy, and the protester insists he’s well within his rights.

The police officer then lunges at Sotounzadeh, who’s tackled to the ground and the footage cuts out.

Fellow protester Ali Beikzadeh told Australian Associated Press that Hamid had protested in the same spot for the past 16 weeks with no issue, and questioned whether the assault had been sparked by it being the 44th anniversary of the revolution that established the Islamic Republic of Iran.

As for his part, Sotounzadeh has since posted footage from his hospital bed on Instagram with a message written on the palms of his hands that states, “I’ll be back next week. IRGC terrorists.”

Over 500 protesters have been killed in Iran by government forces, since 22-year-old Mahsa Amini died in hospital after being arrested by the Iranian morality police for not wearing her hijab in accordance with government standards last September.

Source: Sydney Criminal Lawyers

26 February 2023

Case against sling-tackle police officer thrown out - Australia's corrupt judicature

A magistrate has thrown out the criminal case against a police officer who knocked a man unconscious in a sling-tackle arrest during a heated anti-lockdown rally in 2021.

Beau Barrett, an acting sergeant, was suspended from Victoria Police and charged with recklessly causing injury and assault after footage of him tackling Daniel Peterson-English to the ground at Flinders Street Station went viral on social media.

Beau Barrett (centre) leaving Melbourne Magistrates’ Court in December. Credit: Joe Armao

The day Barrett tackled Peterson-English, hundreds of anti-lockdown and anti-vaccine mandate protesters marched through the CBD and occupied the Shrine of Remembrance, where they clashed with police attempting to clear the crowd.

Magistrate Rob Stary discharged the case on Friday morning, finding a jury could not possibly conclude Barrett had criminal intent and acted unlawfully when he tackled Peterson-English on September 22, 2021.

Stary said Peterson-English had acted in a menacing and abusive manner towards police, disregarding repeated requests from the officers to leave the station and keep his distance, and Barrett had acted on a perceived threat.

“Mr Peterson-English acts in a manner that is entirely provocative,” Stary told the court.

“It may be that the arrest was executed in a way that is not in strict accordance with the manual, but whether it could be said to be unlawful and whether it could be said to be done without any regard to the probable consequences and criminal intent, in my view a jury properly instructed could not convict Mr Barrett of those offences.”

The court earlier heard Peterson-English repeatedly hurled abuse at police, circled officers, and filmed them with his mobile phone in the lead-up to the violent incident.

Footage shown in court last year showed Peterson-English approaching the police and protective services officers inside the station at least four times over the course of more than an hour.

Witnesses told the court Peterson-English was acting erratically, barking at the officers and calling them “pigs”, “dogs” and “glorified snitches”.

See video: https://www.youtube.com/watch?v=xqi-9zXx03Q

Officers present during the incident said Peterson-English sounded “exorcist-like” as he yelled at police, leading some officers to believe he was intoxicated or suffering from mental health issues.

One PSO told the court he appeared so aggressive she pulled out her pepper spray in preparation for the situation escalating, something she had done less than a handful of times in her eight-year career.

After approaching police several times Peterson-English was arrested, fined for not wearing a mask, and released on the spot. He returned to the concourse area and continued to film the police shortly after.

It was then Barrett grabbed him from behind and tackled him to the ground, causing Peterson-English’s head to hit the floor and knocking him unconscious. The incident was captured on camera and widely circulated online.

Daniel Peterson-English. Credit: Instagram

Peterson-English, who wasn’t taking his prescribed anti-psychotic medication at the time of the incident and refused to be treated by paramedics, previously told the court he lived with post-traumatic stress disorder from the arrest.

The prosecution acknowledged Peterson-English had behaved inappropriately towards the officers, but argued Barrett used disproportionate force when he tackled the slim-built man to the ground using a technique that was not approved or taught during police training.

“It’s not a snap, in the heat of the moment decision, he has time to contemplate his actions,” the prosecution told the court.

“The complainant was standing, talking to another sergeant, there was no perceived threat by others at the time.”

Barrett refused to comment on the magistrate’s decision as he left the court hand in hand with his partner.

Victoria Police said in a statement it was aware the matter had been discharged and Professional Standards Command would begin an investigation.

Police said the officer remained suspended without pay, but this would be reviewed.

AI Helps Crack NIST-Recommended Post-Quantum Encryption Algorithm

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST in July 2022 for post-quantum cryptography has been broken. Researchers from the KTH Royal Institute of Technology, Stockholm, Sweden, used recursive training AI combined with side channel attacks.

A side-channel attack exploits measurable information obtained from a device running the target implementation via channels such as timing or power consumption. The revolutionary aspect of the research (PDF) was to apply deep learning analysis to side-channel differential analysis.

“Deep learning-based side-channel attacks,” say the researchers, “can overcome conventional countermeasures such as masking, shuffling, random delays insertion, constant-weight encoding, code polymorphism, and randomized clock.” 

The NIST-recommended encryption algorithms are the result of a NIST competition designed to provide encryption able to withstand quantum-computer attacks. Shor’s quantum algorithm will be able to defeat current classical encryption in polynomial time when quantum computers become a reality. This is expected by some to be within the next five to ten years – and has been called the cryptopocalypse.

The NIST approach to solving this issue is to develop more complex mathematical problems that are resistant to (although not necessarily proof against) quantum decryption. Such algorithms are described as quantum safe rather than quantum secure. Safe means it is safe until it is cracked; secure means it cannot be cracked by mathematical means. Basically, any problem based on mathematics could eventually be solved by mathematics.

The importance of the Swedish research is that quantum computers are not the only threat to encryption. Rapidly improving artificial intelligence may be a significant and more imminent threat to both classical and post-quantum encryption algorithms.

“[Our] approach is not specific for CRYSTALS-Kyber and can potentially be applied to other LWE/LWR PKE/KEM schemes. The recursive learning technique might have significance beyond side-channel attacks context,” say the researchers.

Skip Sanzeri, co-founder and COO at QuSecure, has already raised alarm at AI-assisted decryption. “New approaches are being developed promising the same post-quantum cybersecurity threats as a cryptographically relevant quantum computer, only much sooner,” he told SecurityWeek.

Steve Weston, co-founder and CTO at Incrypteon, has two concerns. “Firstly, it’s around the very conscious decision that NIST made to accept semantic secrecy as the bar we should aim for, rather than perfect secrecy – meaning that it’s based on complexity of a problem to be solved; that is, it will take a lot of compute effort and / or time to solve. Why as an Industry are we not aiming for perfect secrecy?” 

Semantic secrecy is analogous to ‘safe’ encryption; perfect secrecy is analogous to ‘secure’ encryption. Perfect secrecy (secure encryption) can be obtained through the one-time pad. Qrypt has a one-time pad solution based on the simultaneous generation of quantum random numbers at both source and destination.

Incrypteon’s approach is to use Shannon’s equivocation point (in a patented technique known as perpetual equivocation) to minimize the key length for a one-time pad. Both approaches will be secure against AI-based decryption.

“Secondly,” continued Weston, “we only seem to be focused on securing against quantum attacks, not AI attacks. This is a real danger, if an AI operating on a single computer can break semantic post-quantum encryption.”

Weston has a further concern, which he calls ‘moot, but important’. “Why is it any innovation that comes out of trying to solve this problem (that is, creating an AI and quantum-resistant encryption with perfect secrecy characteristics) must then be ‘given away’ to NIST to be part of the process; requiring relinquishing of all IP rights for no reward or benefit?”

This approach, he suggests, will stifle innovation. “Why in 2023, is there no hybrid approach to industry standardization and IP ownership?”

Source: securityweek.com