Your browser is obsolete!

The page may not load correctly.

Unexpected guests

Незваные гости

Other issues in this category (55)
  • add to favourites
    Add to Bookmarks

Invisible characters

Read: 614 Comments: 3 Rating: 8

How many characters does the paragraph contain? Most users will likely be surprised by this question. The answer seems simple: all the characters are visible and countable. But that’s not quite the case.

First, some characters are invisible.

Many people have heard that computer typography makes use of non-printable characters which are literally invisible. But this invisibility is not some kind of defect or unique feature but rather standard behaviour. Currently, UTF-8 is one of the most common text encodings, and it is being used on virtually every modern website. One of its many advantages is that it’s chock-full of invisible characters! These include, for example Zero Width Space (U+200B). Here it is: "". Can you see it? No? And yet it's right there.

A text editor or processor can render a text containing this character or take certain steps to make it visible.

Of course, the way characters are displayed depends on the specific font being used as well as on the text editor.

How can one use characters of this kind?

I remember how, many years ago, I sometimes took advantage of nonprintable characters to make my "target" max out their traffic or database storage space quota. For example, I would write "Hello! What's up?" and add thousands of invisible characters to the phrase. A short message becomes rather bulky.

The Anti-virus Times has already written about email bombs, but what should a bomb located within text be called?

Spies can meddle with invisible characters too:

…is there a way to make a text completely invisible?

We turn every byte in a string into a three-digit octal number and replace every digit with an invisible character.

Malware authors can as well:

The first method was used to make code look like it was written in JavaScript, while the second one changed it beyond recognition and the third rendered it completely invisible.

The code would consist of two sections: the visible section (which can be obfuscated using one of the techniques described above) and the invisible section.

As far as the visible section goes, no explanation is required. But the trick with the invisible part is this: we feed our harmful code (why else would we need to hide it?) into our obfuscation-and-invisibility engine, which turns the script from visible to invisible, i.e., a string consisting of a tab and space characters.

So obfuscation routines are used to hide the code in plain sight. Anyone viewing the code will only see the visible section which facilitates the extraction and decompression/rearrangement of the malicious code. But the malicious code will remain invisible. As if it doesn't exist.

An anti-virus will definitely find the code and parse it—after all, it is an application. But the user will be perplexed and will probably consider the file to be harmless.

Ladies and gentlemen, here is an example

Let's consider this piece of code:

alert("Hello world!");

Once our obfuscation engine has processed the code (I won't go into the details because they’re not particularly interesting), it will output something like this:


Please note that the semi-colon is located inside the quotation marks, while in reality that’s not the case (you can verify this by opening it in virtually any text editor, such as Sublime ).

And here is what the decoding routine looks like:

var revealJS = function(s){return s.match(/(.{4})/g).map(function(b){return b.split('').map(function(i){return Array.apply(null,{length:10}).map(,Number).concat('abcdef'.split(''))['⁡‌‍‎‏‪‫‬‭‮'.split('').indexOf(i)]})}).map(function(c){return String.fromCharCode(0+"x"+c.join(''))}).join('')}

Want to see how the “helloworld” variable will be displayed in a browser? Open the link from which you've copied this string. Quite impressive.

And here is the conclusion from a post about the search for an employee engaged in espionage.

This is something that could happen, so it’s vital that you understand the risks involved in copying pieces of text.

Dr.Web recommends

In our Anti-virus Times articles, we often mention that copying text or links can be hazardous. This issue sheds some light on another aspect of the problem: by copying a piece of text, you can inadvertently also copy some code or a message. It may prove to be harmless or malicious—you won't be able to see the difference. Meanwhile, an anti-virus doesn't rely on vision and won't fall for tricks of this kind.

#anti-virus_scan #technologies

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.


Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.