Poison Ivy Variant Avoids Detection

Monday, June 24, 2013 @ 06:06 PM gHale

It always seems to be a cat-and-mouse game: a new variant of the PoisonIvy RAT uses an interesting technique to evade detection, researchers said.

The sample, detected as BKDR_POISON.BTA, abuses the VMware Network Install Library Executable (vnetlib.exe) to load, said researchers at Trend Micro.


When vnetlib.exe executes, it loads a DLL file called newdev.dll. However, since the PoisonIvy sample is also disguised as newdev.dll, the malware loads instead of the legitimate file.

Once loaded, the threat creates registry entries to make sure it executes on every startup. In addition, it injects itself into a web browser process so that it can bypass firewalls.

The loading technique, also known as a DLL preloading attack or binary planting, is also used by another known RAT, PlugX.
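As an added illustration of the defender's side of this technique (example code, not from the Trend Micro report): a small Python check that walks a directory tree and flags a system-named DLL such as newdev.dll sitting beside an application EXE in a non-system directory, reporting its SHA-256 so it can be compared with the legitimate copy. It assumes the default Windows DLL search order (application directory before System32), and the sample tree it builds is constructed from placeholder bytes.

```python
"""Added example: flag DLL-planting candidates such as newdev.dll beside vnetlib.exe.
Windows resolves an unqualified LoadLibrary("newdev.dll") against the EXE's own
directory before System32 (assumed default search order), so such a copy merits a hash check."""
import hashlib
import os
import tempfile

# DLL names known to be planted (the article's case is newdev.dll); extend as needed.
SYSTEM_DLL_NAMES = {"newdev.dll"}
# Directories where these DLLs legitimately live (assumed Windows layout).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, for comparison with the real System32 copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted_dlls(root: str) -> list:
    """Walk `root`; return every system-named DLL that sits in a non-system
    directory together with at least one .exe that would load it first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if dirpath.lower().startswith(SYSTEM_DIRS):
            continue  # the real copy belongs here
        by_lower = {f.lower(): f for f in files}
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for name in SYSTEM_DLL_NAMES & set(by_lower):
            if exes:  # a DLL with no co-located loader is not a preload hit
                dll = os.path.join(dirpath, by_lower[name])
                findings.append({"dll": dll, "sha256": sha256_of(dll),
                                 "loaders": exes})
    return findings


def build_sample_tree() -> str:
    """Constructed sample (placeholder bytes, not real malware): an app dir with
    vnetlib.exe plus a planted newdev.dll, and a dir holding the DLL alone."""
    root = tempfile.mkdtemp(prefix="planting_")
    for rel in ("VMware/vnetlib.exe", "VMware/newdev.dll", "docs/newdev.dll"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"MZ-placeholder " + rel.encode())
    return root
```

Run `find_planted_dlls(build_sample_tree())` to see the one expected hit; point it at a real application directory (never at System32) to audit a host.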
