{"id":7618,"date":"2013-07-16T12:49:42","date_gmt":"2013-07-16T17:49:42","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=7618"},"modified":"2013-07-16T12:49:43","modified_gmt":"2013-07-16T17:49:43","slug":"signed-mac-malware-using-right-to-left-override-trick","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2013\/07\/16\/signed-mac-malware-using-right-to-left-override-trick\/","title":{"rendered":"Signed Mac Malware Using Right-to-Left Override Trick"},"content":{"rendered":"<p><a href=\"http:\/\/www.f-secure.com\/weblog\/archives\/00002576.html\">F-Secure<\/a>:<\/p><blockquote cite=\"http:\/\/www.f-secure.com\/weblog\/archives\/00002576.html\"><p>The objective here is not as convoluted as the one described in Kreb&rsquo;s post. Here it&rsquo;s simply to hide the real extension. The malware could have just used &ldquo;Recent New.pdf.app&rdquo;. However OS X has already considered this and displays the real extension as a precaution.<\/p><p>[&#8230;]<\/p><p>However, because of the RLO character, the usual file quarantine notification from OS X will be backwards just like the Krebs case.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>F-Secure:The objective here is not as convoluted as the one described in Kreb&rsquo;s post. Here it&rsquo;s simply to hide the real extension. The malware could have just used &ldquo;Recent New.pdf.app&rdquo;. However OS X has already considered this and displays the real extension as a precaution.[&#8230;]However, because of the RLO character, the usual file quarantine notification [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[30,504,48],"class_list":["post-7618","post","type-post","status-publish","format-standard","hentry","category-technology","tag-mac","tag-malware","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/7618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=7618"}],"version-history":[{"count":0,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/7618\/revisions"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=7618"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=7618"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=7618"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}