Malicious Program Employs Fresh DLL Installing Method

According to Commtouch, its security researchers have found one fresh DLL hijacking method that cyber-criminals are employing with a malicious program, despite the curbing of DLL loading during current periods.

Naming the particular malicious program as W32/Trojan2.NOXC, the company states that it exploits a Windows bug, which let components for installing outside libraries using one specific style.

Basically, within a directory, DLL files instantly appear as DLL compromising elements. And if these files are viewed, malevolent DLL files as well get installed. The said assault as well takes place using lawful files of 'rich text format' i.e. .rtf, alternatively just 'text' i.e. .txt.

Security Researcher Lordian Mosuela for the zero-day remediation and anti-spam specialist says that this new Deskpan hijack represents a particularly interesting aspect that is merely the 'deskpan.dll' file is recognized as malevolent, albeit DLL files within directories instantly appear as DLL compromising elements. Infosecurity reported this in news on October 14, 2011.

Now for running the malevolent deskpan.dll file there is requirement for locating it inside the directory's folder labeled "[any characters]. {42071714-76D4-11D1-8B24-00A0C9068FF3}."

Following this, the registries created with the malicious program, namely "%UserProfile%\LocalSettings\cisvc.exe" and "%UserProfile%\Local Settings\UPS.exe" try to establish a link with a remote destination utilizing port 433.

A module which is associated with exhibiting picture settings on the end-user's computer screen is Deskpan.cpl where the Display Planning has a CPL extension. The combination of this extension with related DLLs lets end-users make suitable 'display monitor' and 'advanced display adapter' properties.

This demonstrates that it isn't necessary for the malicious program to appear as an .exe file rather it can appear as innocuous images, PDFs or Microsoft docs for concealing something that's vicious.

Moreover, the thing most interesting is that specific vulnerability is called CVE2011-1991 that Microsoft patched in September 2011 using the MS11-071 security update. The patch fixes this flaw via rectifying the way Windows installs outside libraries. It even fixes registries for obstructing outside libraries from getting installed.

It is therefore advisable that users update their anti-virus definitions, while deploying trustworthy AV software that'll safeguard them from the above kind of malicious program, researchers emphasize.

Related article: Malicious Scripts with Zero-byte Padding can Pass Undetected

» SPAMfighter News - 10/24/2011