Old Becomes New: DLL Loading is Back

Tuesday, October 18, 2011 @ 03:10 PM gHale

Cybercriminals are using a new variant of DLL hijacking, and it is working even though the technique had largely fallen out of use.

The method involves placing the malicious DLL in a directory alongside a collection of ordinary files, said Lordian Mosuela, a security researcher with Commtouch, an anti-spam and zero-day remediation specialist.


Mosuela said it had been a year since he and his team last saw a DLL (dynamic link library) hijacking technique. The technique loads a malicious DLL that can affect hundreds of programs.

The most interesting aspect of this latest Deskpan hack, Mosuela said, is that the only file detected as malicious was “deskpan.dll”, even though a lone DLL sitting inside a document folder immediately looks like a DLL hijacking candidate.

“Once the user opens the document file, the malicious DLL also gets loaded. This attack also works with any legitimate rich text format file (.rtf), or text file (.txt). In order to execute the malicious file ‘deskpan.dll’, it needs to be located in the folder named ‘[any characters]. {42071714-76D4-11D1-8B24-00A0C9068FF3}’,” he said.

Deskpan.cpl is the Display Panning CPL Extension, a module related to the display settings of pictures that appear on a user’s screen, Mosuela said. Together with associated DLLs, this extension allows users to adjust the advanced display adapter properties and display monitor properties.

Once executed, the malware creates the following files and registry entries:
%UserProfile%\Local Settings\UPS.exe
%UserProfile%\Local Settings\cisvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run UPS = “%UserProfile%\Local Settings\UPS.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Cisvc = “%UserProfile%\Local Settings\cisvc.exe”

The malware then tries to connect to a remote site using port 443, Mosuela said.
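The two indicators the article gives, a document folder whose name carries the Display Panning CLSID suffix and holds a deskpan.dll, and the two Run-key persistence entries, can be checked with a short script. The following is an added example written for this page, not code from Commtouch or the article; the sample directory tree and the Run-key contents it inspects are constructed inline so it runs offline, and the helper names (find_deskpan_folders, suspicious_run_entries, run_demo) are this example's own.

```python
import os
import re
import shutil
import tempfile

# Folder-name pattern from the report: any characters, a dot, then the
# Display Panning CPL Extension CLSID. Explorer hides a ".{CLSID}" suffix,
# so the folder displays as an ordinary named folder.
DESKPAN_CLSID = "{42071714-76D4-11D1-8B24-00A0C9068FF3}"
FOLDER_RE = re.compile(r".+\." + re.escape(DESKPAN_CLSID) + r"$", re.IGNORECASE)

# Persistence indicators quoted in the article: Run value name -> expected path
# (compared case-insensitively, with surrounding quotes and spaces removed).
KNOWN_RUN_ENTRIES = {
    "ups": r"%userprofile%\local settings\ups.exe",
    "cisvc": r"%userprofile%\local settings\cisvc.exe",
}


def find_deskpan_folders(root):
    """Return directories under root whose name ends in the deskpan CLSID
    suffix and that contain a file named deskpan.dll (any case)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if FOLDER_RE.match(os.path.basename(dirpath)) and any(
            f.lower() == "deskpan.dll" for f in filenames
        ):
            hits.append(dirpath)
    return sorted(hits)


def suspicious_run_entries(run_values):
    """run_values maps Run-key value names to their command strings, as an
    operator would read them from HKCU\\...\\CurrentVersion\\Run (supplied by
    the caller here so the check runs offline). Returns matching value names."""
    flagged = []
    for name, command in run_values.items():
        cmd = command.strip().strip('"').strip().lower()
        expected = KNOWN_RUN_ENTRIES.get(name.lower())
        if expected is not None and cmd == expected:
            flagged.append(name)
    return sorted(flagged)


def build_sample_tree():
    """Constructed sample data: a temp dir with one benign document folder and
    one folder laid out the way the report describes (documents + deskpan.dll)."""
    root = tempfile.mkdtemp(prefix="deskpan_demo_")
    benign = os.path.join(root, "Quarterly Reports")
    os.makedirs(benign)
    open(os.path.join(benign, "report.rtf"), "w").close()
    staged = os.path.join(root, "Invoices." + DESKPAN_CLSID)
    os.makedirs(staged)
    for fname in ("invoice.rtf", "notes.txt", "deskpan.dll"):
        open(os.path.join(staged, fname), "w").close()
    return root


def run_demo():
    """Scan the constructed tree and constructed Run values; return
    (number of hijack folders found, flagged Run value names)."""
    root = build_sample_tree()
    try:
        folders = find_deskpan_folders(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    # Constructed Run-key contents resembling the article's entries plus a
    # benign one (the trailing space in the cisvc value mirrors the report).
    sample_run = {
        "UPS": '"%UserProfile%\\Local Settings\\UPS.exe"',
        "Cisvc": '"%UserProfile%\\Local Settings\\cisvc.exe "',
        "Updater": r"C:\Program Files\Vendor\updater.exe /background",
    }
    return len(folders), suspicious_run_entries(sample_run)


if __name__ == "__main__":
    count, flagged = run_demo()
    print(f"{count} deskpan hijack folder(s); flagged Run entries: {flagged}")
```

On a live Windows host the same two functions would be fed the user's profile and document directories and the values enumerated from the HKCU Run key (for example via the standard winreg module); the folder check is the more durable of the two, since the filenames and Run value names are specific to this sample while the CLSID-suffix trick is what makes deskpan.dll load at all.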

Commtouch identifies this flaw as CVE-2011-1991 and notes Microsoft patched it last month in security update MS11-071, which covers most versions of Windows.

The patch addresses the vulnerability by correcting the manner in which Windows components load external libraries. The update also corrects registry key entries to restrict the loading of external libraries.

Command antivirus, Mosuela said, detects this malware as W32/Trojan2.NOXC.
