Trojan hijacks often-used DLL file for stealthier approach
Posted on 22.02.2012
A new dropper Trojan detected by BitDefender researchers uses an unusual technique to stay out of sight of the antivirus software installed on the compromised computer.

Instead of adding itself to the Startup list, a move that is obvious both to AV solutions and to savvy users, it takes a library file (comres.dll) that is commonly loaded by a number of popular browsers, communication apps and networking tools, copies it, patches the copy so that the malware springs to life every time the library is loaded, and finally saves the patched copy in the Windows directory.

Why there? The malware takes advantage of the fact that some applications specify only the file name of the DLL they need rather than its full path. When a program loads a library by bare name, the Windows loader walks a fixed search order of directories and uses the first file with that name it finds, so a copy placed where it is reached before the original is the one that gets loaded. This is the technique generally known as DLL search-order hijacking, and it needs no Startup entry, no new service and no registry key to survive a reboot.

"The dropper patches the copy by adding a single new malicious function to the original code library to be imported and launched with the rest of its functions. Next, the Trojan drops the file 'prfn0305.dat' (identified by Bitdefender as Backdoor.Zxshell.B) that exports (contains) the function that compromises the system," explain the researchers. "And everything is now in place. The moment the system calls the code library, the malware is turned on."
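The check a responder would want for this kind of hijack is to walk the documented Windows DLL search order for the library name and list every copy found along it, flagging any copy whose hash differs from the System32 original. The script below is an added example written for this page; it is not BitDefender's tooling and not code from the article. It models the search order Windows uses for a bare library name (application directory, System32, the 16-bit System directory, the Windows directory, the current directory and the PATH, with the current directory moved up when SafeDllSearchMode is off) and runs it over a constructed in-memory host on which a patched comres.dll has been dropped into C:\Windows, as the article describes. The `exists` and `digest` callbacks, the sample file contents and the directory names are assumptions for the demo; on a real host you would pass `os.path.exists` and a SHA-256 of the file instead.

```python
"""DLL search-order check for a hijackable library such as comres.dll.

Added example for this page (not BitDefender's code). The filesystem below is
constructed for the demo; swap in os.path.exists / a real file hash on a host.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = SYSTEM_ROOT + r"\System32"
SYSTEM16 = SYSTEM_ROOT + r"\System"


def search_order(app_dir: str, cwd: str, path_dirs: List[str],
                 safe_dll_search_mode: bool = True) -> List[str]:
    """Directories Windows walks for LoadLibrary("name.dll") with no path.

    With SafeDllSearchMode on (the default) the current directory comes after
    the system directories; with it off it comes right after the app directory.
    """
    if safe_dll_search_mode:
        order = [app_dir, SYSTEM32, SYSTEM16, SYSTEM_ROOT, cwd]
    else:
        order = [app_dir, cwd, SYSTEM32, SYSTEM16, SYSTEM_ROOT]
    return order + list(path_dirs)


@dataclass
class Finding:
    resolved: Optional[str]                 # the copy the loader would pick
    copies: List[Tuple[str, str]]           # (path, sha256) of every copy found
    suspicious: List[str] = field(default_factory=list)  # copies != System32


def check_dll(name: str, app_dir: str, cwd: str, path_dirs: List[str],
              exists: Callable[[str], bool], digest: Callable[[str], str],
              safe_dll_search_mode: bool = True) -> Finding:
    """Enumerate every copy of `name` along the search path and flag the ones
    whose hash differs from the System32 original (patched or planted copies)."""
    reference = f"{SYSTEM32}\\{name}"
    ref_hash = digest(reference) if exists(reference) else None
    resolved = None
    copies: List[Tuple[str, str]] = []
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        candidate = f"{directory}\\{name}"
        if not exists(candidate):
            continue
        if resolved is None:
            resolved = candidate            # first match wins for the loader
        copies.append((candidate, digest(candidate)))
    finding = Finding(resolved, copies)
    for path, file_hash in copies:
        if path.lower() != reference.lower() and file_hash != ref_hash:
            finding.suspicious.append(path)
    return finding


# Constructed sample host (assumption for the demo): the genuine comres.dll in
# System32 and a patched copy, with different bytes, dropped into C:\Windows.
SAMPLE_FS = {
    r"C:\Windows\System32\comres.dll": b"MZ genuine comres.dll",
    r"C:\Windows\comres.dll": b"MZ genuine comres.dll + one added malicious export",
    r"C:\Program Files\App\app.exe": b"MZ app",
}


def sample_exists(path: str) -> bool:
    return path in SAMPLE_FS


def sample_digest(path: str) -> str:
    return hashlib.sha256(SAMPLE_FS[path]).hexdigest()


def demo() -> Finding:
    """Run the check for an app in C:\\Program Files\\App on the sample host."""
    return check_dll("comres.dll", r"C:\Program Files\App", r"C:\Users\me",
                     [r"C:\Tools"], sample_exists, sample_digest)


if __name__ == "__main__":
    result = demo()
    print("loader would resolve:", result.resolved)
    for path, file_hash in result.copies:
        print(f"  {path}  sha256={file_hash[:16]}...")
    print("suspicious copies:", result.suspicious)
```

On the sample host the check reports two copies of comres.dll and flags C:\Windows\comres.dll because its hash does not match the System32 original; it also shows which copy the loader would pick for a given application directory and SafeDllSearchMode setting. A fuller triage would additionally diff the export tables of the two copies, since the article notes the patched DLL carries one extra exported function.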

The backdoor gives the cybercriminals the ability to add or delete user accounts, change passwords, grant or revoke user privileges, and run executable files with elevated privileges.
