DLL File Infection Bypasses Startup On Windows

BitDefender UK : 23 February, 2012  (Technical Article)
BitDefender explains the function of a new trojan which remains hidden in a DLL file to outsmart Windows startup and remain active
Catalin Cosoi, Chief Security Researcher at antivirus vendor Bitdefender, reports that a complex Trojan takes advantage of a vulnerability in Windows code to stay hidden and active.

“Viruses, worms and Trojans all need to be running with the operating system to cause any damage. Most add themselves to the Startup list by adding their path to the Startup Registry key, but this makes them easy to detect by antivirus solutions or computer-savvy users. Unlike this ‘regular malware’, Trojan.Dropper.UAJ comes with its own approach - it patches a vital code library (comres.dll), forcing all applications that rely on comres.dll to execute this particular e-threat as well.”

“And what is brand new in terms of approach is the fact that the Trojan makes a copy of the genuine comres.dll file, patches it and then saves it in the Windows directory folder, where the operating system normally looks for a DLL to load when it is required. The common tactic used before this innovative malware meant that the Trojan would copy itself in place of the genuine file, with the exact same name.”

“The dropper patches the copy by adding a single new malicious function to the original code library to be imported and launched with the rest of its functions. Next, the Trojan drops the file “prfn0305.dat” (identified by Bitdefender as Backdoor.Zxshell.B) that exports (contains) the function that compromises the system. And everything is now in place. The moment the system calls the code library, the malware is turned on.”

“Cyber-crooks chose to go for comres.dll because it is widely used by most internet browsers and in some communication applications or networking tools - which makes it popular and basically indispensable for the operating system. Since the dropper attacks the DLL file found on the system, rather than trying to overwrite it with its own version, Trojan.Dropper.UAJ is able to run on Windows 7, Windows Vista, Windows 2003, Windows 2000 or Windows NT in both 32- and 64-bit environments.”

“This attack unites two types of exploitation. One is commonly known as ‘DLL load hijacking’, which means a coding vulnerability in which some applications have specified only the name of the DLL needed, instead of a full path to that DLL. And if a compromised DLL is placed ‘closer’ to the app (i.e. in the application’s folder), the app will use that maliciously altered file (with the same name) instead of the genuine one. And the other one, which is new, refers to the function import technique detailed in paragraphs two and three. The affected DLL file references code that can add or delete users, change passwords, add or remove user privileges, and run executable files with elevated rights.”
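The DLL load hijacking described above depends on a same-named DLL sitting in a directory that Windows searches before the trusted system directory. A defender can look for exactly that condition: any DLL in an application folder whose name also exists in the system directory, and whose contents differ from the system copy. The script below is an added example and is not Bitdefender's code or a detection from the article; it builds a constructed directory tree in a temporary folder (a "genuine" comres.dll in a System32 stand-in, a patched copy in an application folder) and flags the shadowing copy by comparing SHA-256 hashes. The directory layout, file contents and the choice of the system directory as the trusted reference are assumptions for the demo; on a real host you would point `find_shadowing_dlls` at `C:\Windows\System32` and the install folders of the applications you care about.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowing_dlls(trusted_dir: Path, candidate_dirs):
    """Return (path, reason) pairs for DLLs in candidate_dirs that share a name
    with a DLL in trusted_dir and would therefore be loaded ahead of it by an
    application that asks for the DLL by bare name.

    Assumption: trusted_dir holds known-good copies (e.g. System32).
    """
    trusted = {p.name.lower(): p for p in trusted_dir.glob("*.dll")}
    trusted_hashes = {}  # cache, so each system DLL is hashed only once
    findings = []
    for cand_dir in candidate_dirs:
        for dll in sorted(cand_dir.glob("*.dll")):
            reference = trusted.get(dll.name.lower())
            if reference is None:
                continue  # app-private library, no system copy to shadow
            key = dll.name.lower()
            if key not in trusted_hashes:
                trusted_hashes[key] = sha256_of(reference)
            if sha256_of(dll) != trusted_hashes[key]:
                findings.append((dll, "differs from trusted system copy"))
            else:
                # An identical copy still shadows the system DLL and is worth a
                # look, but it carries no injected code.
                findings.append((dll, "identical to trusted system copy (still shadows it)"))
    return findings


def run_demo():
    """Construct a throwaway tree and scan it; returns [(dll name, reason)]."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system32 = root / "System32"      # stand-in for the trusted system directory
        app_clean = root / "AppClean"     # application folder with only its own DLL
        app_bad = root / "AppBad"         # application folder holding a patched comres.dll
        for directory in (system32, app_clean, app_bad):
            directory.mkdir()

        # Constructed file contents; real DLLs are PE images, the bytes here only
        # need to differ between the genuine and patched copies.
        genuine = b"MZ constructed genuine comres.dll bytes"
        (system32 / "comres.dll").write_bytes(genuine)
        (app_clean / "helper.dll").write_bytes(b"MZ constructed app-private library")
        (app_bad / "comres.dll").write_bytes(genuine + b" constructed injected export")

        findings = find_shadowing_dlls(system32, [app_clean, app_bad])
        return [(path.name, reason) for path, reason in findings]


if __name__ == "__main__":
    for name, reason in run_demo():
        print(f"{name}: {reason}")
```

Hash comparison catches a patched copy but says nothing about why it differs; on a live system the natural follow-up is to check the flagged file's Authenticode signature and to compare its export table against the system copy, since the technique in the article adds a new exported function rather than altering existing ones.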