Testing DLL Search Order Hijacking against security features.
<blockquote data-quote="Andy Ful" data-source="post: 888816" data-attributes="member: 32260"><p>Here is a creative example of how DLL hijacking can be used to hide the infection chain (the malicious DLL is embedded in the MSI installer, so in most cases it will be blocked by SmartScreen; the infection chain also uses VBS scripting):</p><p></p><p>"<em>During the time we monitored the Metamorfo campaign, we’ve seen 5 different software components, manufactured by respected software vendors, abused in the attack. They come from Avira, AVG and Avast, Damon Tools, Steam and NVIDIA </em>"</p><p></p><p>"<em>Metamorfo is a known piece of Banker malware that resurfaced at the end of last year and almost exclusively focuses on Brazilian victims. Novelty aside, the exciting aspect of this malware is the way it employs various techniques to evade malware defenses and the tremendous work put into finding executables from various well-known software vendors that are susceptible to DLL side-loading. But why would an actor put so much effort into finding these legitimate vulnerable executables when attackers could launch rundll32.exe or regsvr32.exe to load any DLL? The answer is that, this way, attackers increase their chances of evading user-suspicious detection. Anti-malware solutions generally monitor actions performed by Windows binaries like rundll32.exe or regsvr32.exe as they are the go-to tools for mainstream attackers. Also, executing their malware DLL with the help of these processes would raise a red flag for incident responders and threat hunters. Therefore, by choosing prominent software vendors to mask their actions, attackers can remain undetected. A digital signature and familiar name in Version Info might seem benign to casual users as well. The usage of COM objects for starting up the executables and loading the DLLs also helps actions go under the radar if the AV does not monitor them.
Some variants have a second layer of defense evasion consisting of DLL injection into legitimate processes like wmplayer.exe or dllhost.exe, making the injection from a trusted AV component seem plausible, then masking malicious actions behind a seemingly benign Windows process. Metamorfo bypasses detection of AV vendors that whitelist applications based on trusted digital signatures. Bitdefender products employ advanced algorithms to monitor process behavior, and therefore are unaffected by whitelists.</em>"</p><p></p><p>[URL unfurl="true"]https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf[/URL]</p></blockquote><p></p>
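The quoted case study makes the defender's point that a trusted signature on the host process says nothing about the DLL it resolves from its own directory. Below is an added example, not code from the post or from the Bitdefender paper, showing the two checks a behavior monitor or hunting query would apply to image-load telemetry: a DLL that normally lives in System32 being resolved from the application directory, and a signed host loading an unsigned DLL from beside itself. The record layout, the DLL name list and the sample events are constructed assumptions, not fields or indicators taken from the report.

```python
"""Flag likely DLL side-loading in constructed Sysmon-style image-load records."""
from dataclasses import dataclass
import ntpath  # Windows path handling, so the example also runs on Linux/macOS

# DLL names a legitimate program normally resolves from the system directory.
# When one of these is satisfied from the program's own folder instead, the
# search order was answered by a planted file (constructed list, not exhaustive).
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dwmapi.dll", "wtsapi32.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class ImageLoad:
    image: str          # loading process, full path (hypothetical field names)
    image_signed: bool  # host executable carries a valid Authenticode signature
    loaded: str         # DLL path that was mapped into the process
    loaded_signed: bool


def _in_system_dir(directory: str) -> bool:
    return any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def side_load_findings(events):
    """Return (reason, event) pairs for loads that match side-loading patterns."""
    findings = []
    for e in events:
        exe_dir = ntpath.dirname(e.image).lower()
        dll_dir = ntpath.dirname(e.loaded).lower()
        dll_name = ntpath.basename(e.loaded).lower()
        if _in_system_dir(dll_dir):
            continue  # resolved from the system directory: the expected outcome
        if dll_name in SYSTEM_DLLS and dll_dir == exe_dir:
            findings.append(("system DLL name resolved from application directory", e))
        elif e.image_signed and not e.loaded_signed and dll_dir == exe_dir:
            findings.append(("signed host loaded unsigned DLL from its own directory", e))
    return findings


# Constructed sample telemetry: one clean load, two side-loads, one unsigned tool.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\updater.exe", True,
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\pkg\updater.exe", True,
              r"C:\Users\u\AppData\Local\Temp\pkg\version.dll", False),
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\pkg\updater.exe", True,
              r"C:\Users\u\AppData\Local\Temp\pkg\helper.dll", False),
    ImageLoad(r"C:\Tools\build.exe", False, r"C:\Tools\plugin.dll", False),
]

if __name__ == "__main__":
    for reason, ev in side_load_findings(SAMPLE_EVENTS):
        print(f"{reason}: {ev.image} -> {ev.loaded}")
```

The last sample (unsigned host, unsigned plugin) is deliberately not flagged: the signal in the case study is the mismatch between a trusted host and what it loads, not unsigned code by itself.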