Trojan hijacks often-used DLL file for stealthier approach
Posted on 22.02.2012
A new dropper Trojan has been detected by BitDefender researchers, and this one uses an interesting technique to hide from the antivirus software installed on the compromised computer.

Instead of adding itself to the Startup list, a move that is obvious both to AV solutions and savvy users, it takes a library file (comres.dll) commonly used by a number of popular browsers, communication apps and networking tools, makes a copy of it, modifies the copy so that the malware springs to life every time the library is called, and finally saves the modified copy in the Windows directory.

Why there? The malware takes advantage of the fact that some apps specify only the name of the DLL they need, not its full path, so the loader has to search for it. Every time such an app asks for that particular file, it ends up with the copy modified by the malware, because that copy is the one the search turns up.

"The dropper patches the copy by adding a single new malicious function to the original code library to be imported and launched with the rest of its functions. Next, the Trojan drops the file 'prfn0305.dat' (identified by Bitdefender as Backdoor.Zxshell.B) that exports (contains) the function that compromises the system," explain the researchers. "And everything is now in place. The moment the system calls the code library, the malware is turned on."

The backdoor effectively allows cybercriminals to add or delete users, change passwords, add or remove user privileges, and run executable files with elevated privileges.
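The pattern described above leaves two things a defender can look for: a well-known system library loaded from somewhere other than its canonical directory, and a copy of that library whose import table names a module (here the dropped prfn0305.dat) that the genuine library never imported. The following script is an added example of that check; it is not BitDefender's code or anything from the Trojan. All input is constructed inline to stand in for what a process-module listing and a PE import/export dump would supply, and the baseline import and export names are placeholders, not the real comres.dll tables.

```python
"""
Flag copies of tracked system DLLs that were loaded from the wrong place or
carry imports/exports the clean library does not have.
"""
from dataclasses import dataclass, field

# Baseline per protected library, as a defender would record it from a clean
# install.  Assumption: only comres.dll comes from the article; the import and
# export names below are placeholders, not the genuine comres.dll tables.
BASELINE = {
    "comres.dll": {
        "path": r"c:\windows\system32\comres.dll",
        "imports": {"kernel32.dll", "ole32.dll", "oleaut32.dll"},
        "exports": {"DllGetClassObject", "DllCanUnloadNow"},
    },
}


@dataclass
class LoadedModule:
    process: str                                 # process that mapped the library
    name: str                                    # base file name the loader resolved
    path: str                                    # full path actually mapped
    imports: set = field(default_factory=set)    # modules named in its import table
    exports: set = field(default_factory=set)    # names in its export table


def check_module(m):
    """Return the reasons this module looks like a hijacked copy (empty if clean)."""
    base = BASELINE.get(m.name.lower())
    if base is None:
        return []                                # not a library we track
    reasons = []
    # 1. Loaded from a directory other than the canonical one.
    if m.path.lower() != base["path"]:
        reasons.append(f"loaded from {m.path} instead of {base['path']}")
    # 2. Import table references a module the clean library never imported;
    #    a non-.dll extension (like the dropped .dat file) is called out explicitly.
    for imp in sorted(i for i in m.imports if i.lower() not in base["imports"]):
        kind = "module" if imp.lower().endswith(".dll") else "non-.dll module"
        reasons.append(f"imports unexpected {kind} {imp}")
    # 3. Export table gained entries the clean library does not have.
    extra_exports = m.exports - base["exports"]
    if extra_exports:
        reasons.append(f"extra exports {sorted(extra_exports)}")
    return reasons


def scan(modules):
    """Map (process, path) -> reasons for every module with at least one finding."""
    findings = {}
    for m in modules:
        reasons = check_module(m)
        if reasons:
            findings[(m.process, m.path)] = reasons
    return findings


# Constructed module listing: one clean load from System32, and one load of a
# patched copy from the Windows directory whose import table names prfn0305.dat.
SAMPLE_MODULES = [
    LoadedModule("outlook.exe", "comres.dll", r"C:\Windows\System32\comres.dll",
                 imports={"KERNEL32.dll", "ole32.dll", "OLEAUT32.dll"},
                 exports={"DllGetClassObject", "DllCanUnloadNow"}),
    LoadedModule("chrome.exe", "comres.dll", r"C:\Windows\comres.dll",
                 imports={"KERNEL32.dll", "ole32.dll", "OLEAUT32.dll", "prfn0305.dat"},
                 exports={"DllGetClassObject", "DllCanUnloadNow"}),
]

if __name__ == "__main__":
    for (proc, path), reasons in scan(SAMPLE_MODULES).items():
        print(f"{proc}: {path}")
        for r in reasons:
            print("   -", r)
```

On a real host the LoadedModule records would come from a module listing and a PE parser; the comparison against a recorded-clean baseline is what matters, since the patched copy is otherwise a faithful duplicate of the original library.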
