Stealth Trojan Hijacks DLL File

Thursday, February 23, 2012 @ 03:02 PM gHale

Malware not only tries to cause damage and steal information; it also works to stay stealthy and avoid detection.

Trojan.Dropper.UAJ hijacks a library file called comres.dll, altering it so that each time the library is loaded, the malware runs as well, said researchers at Bitdefender.


The DLL is used by popular applications, including web browsers, networking tools and other programs that communicate online.

Known as DLL load hijacking, this technique relies on the fact that applications aren’t programmed to use one specific copy of a library file; instead they load whichever copy is most accessible, such as one placed in the system folders.

To make this work, the Dropper makes a copy of the genuine comres.dll file, alters it and then saves it in the Windows directory, from where the operating system usually loads the library when it is needed.
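A defender-side check for this kind of substitution, added here as an illustration and not code from Bitdefender or the article: walk the directories in the order the loader consults them, hash every copy of the library found there, and report which copy would actually be loaded and which copies differ from a known-good hash. The directory tree, file contents and the three-directory search order (application directory, System32, Windows directory, which mirrors the documented SafeDllSearchMode order for those locations) are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_dll(name: str, search_dirs: list, trusted_hash: str) -> dict:
    """Walk the directories in the order the loader consults them and
    report which copy of `name` would be loaded plus every copy whose
    hash differs from the known-good value."""
    loaded_from, untrusted = None, []
    for d in search_dirs:
        candidate = Path(d) / name
        if not candidate.is_file():
            continue
        if loaded_from is None:          # first hit wins, like the loader
            loaded_from = candidate
        if sha256_file(candidate) != trusted_hash:
            untrusted.append(str(candidate))
    return {
        "loaded_from": str(loaded_from) if loaded_from else None,
        "loaded_trusted": loaded_from is not None and str(loaded_from) not in untrusted,
        "untrusted_copies": untrusted,
    }

def demo(rogue_dir: str) -> dict:
    """Constructed scenario: a genuine comres.dll in system32 and an
    altered copy dropped into `rogue_dir` ("app" or "windows")."""
    root = Path(tempfile.mkdtemp())
    try:
        dirs = {n: root / n for n in ("app", "system32", "windows")}
        for d in dirs.values():
            d.mkdir()
        genuine = b"MZ...genuine comres.dll (constructed stand-in)"
        (dirs["system32"] / "comres.dll").write_bytes(genuine)
        (dirs[rogue_dir] / "comres.dll").write_bytes(genuine + b"\x90 altered stub")
        trusted = hashlib.sha256(genuine).hexdigest()
        # Assumed order for these three locations: application directory,
        # System32, then the Windows directory (SafeDllSearchMode).
        order = [dirs["app"], dirs["system32"], dirs["windows"]]
        return audit_dll("comres.dll", order, trusted)
    finally:
        shutil.rmtree(root)
```

On a real host, pass the actual directories in the loader's search order and take the trusted hash from a clean reference copy; an untrusted copy anywhere in the path is worth investigating even when it is not the one currently selected.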

The Trojan then drops a backdoor, identified as Backdoor.Zxshell.B, which contains the code that actually compromises the system, Bitdefender researchers said.

Once this is accomplished, cybercriminals can add and remove user files and rights, change passwords, and execute files with elevated privileges.

The latest security products don’t rely only on signatures to identify malicious elements. They also monitor the activity of certain processes, looking for abnormal behavior that may indicate the presence of malware.
