Tuesday, July 16, 2013

Signed Mac Malware Using Right-to-Left Override Trick


The objective here is not as convoluted as the one described in Krebs's post. Here it is simply to hide the real extension. The malware could have just used “Recent New.pdf.app”. However, OS X has already considered this and displays the real extension as a precaution.


However, because of the RLO character, the usual file quarantine notification from OS X will be backwards, just as in the Krebs case.
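A defender can check for this by flagging file names that contain bidirectional control characters and comparing the real extension with the one a user would see. The following is an added example, not code from the original post; the function names are hypothetical and the sample names are constructed, not taken from the analysed sample.

```python
import os
import unicodedata

# Bidi controls: LRE, RLE, PDF, LRO, RLO, LRI, RLI, FSI, PDI, LRM, RLM.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
RLO, PDF = "\u202e", "\u202c"


def approximate_display(name):
    """Reverse text between an RLO and the next PDF (or end of name)."""
    # Assumption: a simplification of the Unicode bidi algorithm that handles
    # one level of RLO only, which is all this trick relies on.
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(name[i])
            i += 1
    return "".join(ch for ch in "".join(out) if ch not in BIDI_CONTROLS)


def inspect_name(name):
    """Return None for a clean name, else a dict describing the mismatch."""
    found = [ch for ch in name if ch in BIDI_CONTROLS]
    if not found:
        return None
    shown = approximate_display(name)
    return {
        "controls": [unicodedata.name(ch) for ch in found],
        "real_extension": os.path.splitext(name)[1].lower(),
        "displayed_as": shown,
        "displayed_extension": os.path.splitext(shown)[1].lower(),
    }


# Constructed sample names, not taken from the sample analysed in the post.
SAMPLES = ["Recent New\u202efdp.app", "Recent New.pdf.app", "report.pdf"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), inspect_name(name))
```

A name is worth alerting on when `real_extension` and `displayed_extension` differ, as they do for the first constructed sample (`.app` on disk, `.pdf` on screen).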

1 Comment

"Problem" reported to Apple in August 2011.
