A password-stealing Trojan called AdService is being quietly distributed by adware bundles that typically install other programs such as Russian adware, extensions, clickers, adware, and fake system optimization programs.
AdService uses Chrome DLL hijacking to load itself when Chrome is executed so that it can steal information from Facebook and Twitter accounts.
AdService Executes via Chrome DLL Hijacking
To give a little background on DLL hijacking: when a program is executed and needs to load a particular DLL, it can either load the DLL from a specific location or just specify the name of the DLL it wishes to load and let Windows find it. In the latter scenario, Windows uses a search path to find the DLL, and the first location it looks is the folder in which the executable is located. If the requested DLL is found there, Windows will automatically load that DLL into the program.
Malware can take advantage of this by placing a malicious DLL in a program's folder under the same name as a DLL that the program would normally load from another folder. This causes the program to load and execute the malicious DLL instead of the legitimate one it was expecting.
In this case, the AdService Trojan places a malicious version of winhttp.dll in the C:\Program Files (x86)\Google\Chrome\Application folder. When a victim starts Chrome, chrome.exe loads the malicious winhttp.dll instead of the one in C:\Windows\system32.
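A defender can check for the condition described above by listing DLLs in an application's folder that share a name with a DLL in the system folder. This is an added example, not code from the article; the function names and the constructed directory tree in `demo()` are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_shadowed_dlls(app_dir, system_dir):
    """Return DLLs in app_dir whose names collide with a DLL in system_dir.

    Only the top level of app_dir is scanned: the search described above
    starts in the executable's own folder. Names are compared
    case-insensitively, as Windows file names are.
    """
    system = {p.name.lower(): p for p in Path(system_dir).iterdir()
              if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for p in sorted(Path(app_dir).iterdir()):
        if not p.is_file() or p.suffix.lower() != ".dll":
            continue
        twin = system.get(p.name.lower())
        if twin is not None:
            findings.append({
                "name": p.name.lower(),
                "path": str(p),
                "differs_from_system": sha256_of(p) != sha256_of(twin),
            })
    return findings

def demo():
    """Run the check on a constructed tree that mimics the article's case."""
    with tempfile.TemporaryDirectory() as root:
        app, system = Path(root, "Application"), Path(root, "system32")
        app.mkdir()
        system.mkdir()
        (system / "winhttp.dll").write_bytes(b"constructed system copy")
        (system / "kernel32.dll").write_bytes(b"constructed system copy 2")
        (app / "WinHTTP.dll").write_bytes(b"constructed planted copy")
        (app / "chrome_elf.dll").write_bytes(b"constructed app-owned dll")
        (app / "chrome.exe").write_bytes(b"constructed exe")
        return find_shadowed_dlls(app, system)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, pass the Chrome Application folder and C:\Windows\system32 to `find_shadowed_dlls`. A name collision is a lead to review, for example by checking the file's signature and origin, rather than proof of hijacking on its own.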
...
......