“Dropper” Trojan Hijacks Critical DLL File to Avoid Detection

The latest pieces of malware are not only developed to ensure that they cause maximum damage and steal all the sensitive information they can find on the infected devices, they’re also designed to avoid being easily detected by security solutions. Such is the case of Trojan.Dropper.UAJ.

According to Bitdefender experts, Dropper hijacks a library file called comres.dll, altering it so that each time the library is loaded, the malware's code runs as well.

Of course, the DLL file is not chosen at random. This particular library is used by many popular applications, including web browsers, networking tools and other apps that communicate online.

Known as DLL load hijacking, this technique relies on the fact that many applications aren't programmed to load one specific copy of a library file; instead they load whichever copy is found first, typically the one placed in the system folders.

To ensure the success of this mechanism, Dropper makes a copy of the genuine comres.dll file, alters it and then saves it in the Windows directory, from where the operating system usually accesses it when needed.
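The defender's counterpart to the two paragraphs above is to ask, for a given DLL name, where it actually resolves on a machine and whether every copy on the search path is the genuine one. The following PowerShell script is an added example written for this page; it is not code from the article, from Bitdefender, or from the malware. It assumes a Windows host with PowerShell 5.1 or later, run as an administrator, and takes the DLL name (defaulting to comres.dll, the library the article names) and an optional list of application directories supplied by the operator.

```powershell
# Added example (not from the article): list every copy of a DLL found in the
# Windows DLL search-order locations and flag copies that are unsigned or that
# differ from the copy Windows ships in System32.
# Assumptions: Windows, PowerShell 5.1+, administrator rights; $AppDirs is a
# list of application directories chosen by the operator.
param(
    [string]$DllName = 'comres.dll',
    [string[]]$AppDirs = @()
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Directories in roughly the default search order: application directories,
# System32, the Windows directory, the current directory, then each PATH entry.
$searchDirs = @($AppDirs) +
              @($system32, $env:SystemRoot, (Get-Location).Path) +
              @($env:Path -split ';' | Where-Object { $_ -and (Test-Path $_) })
$searchDirs = $searchDirs | Select-Object -Unique

# Reference copy: the one in System32. Its SHA-256 is the baseline for comparison.
$refPath = Join-Path $system32 $DllName
$refHash = if (Test-Path $refPath -PathType Leaf) {
    (Get-FileHash -Algorithm SHA256 -Path $refPath).Hash
} else { $null }

$findings = foreach ($dir in $searchDirs) {
    $candidate = Join-Path $dir $DllName
    if (-not (Test-Path $candidate -PathType Leaf)) { continue }

    $hash = (Get-FileHash -Algorithm SHA256 -Path $candidate).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $candidate
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path            = $candidate
        SHA256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        MatchesSystem32 = ($null -ne $refHash -and $hash -eq $refHash)
        # A copy whose signature is not valid, or whose hash differs from the
        # System32 copy, is what a hijacked library looks like on disk.
        Suspicious      = ($sig.Status -ne 'Valid') -or
                          ($null -ne $refHash -and $hash -ne $refHash)
    }
}

$findings | Format-Table -AutoSize
```

Run it as `.\Find-DllCopies.ps1 -DllName comres.dll -AppDirs 'C:\Program Files\SomeBrowser'` (path constructed for illustration). Two caveats: on older Windows builds `Get-AuthenticodeSignature` may report catalog-signed system files as `NotSigned`, so the hash comparison against the System32 copy is the more dependable signal there; and a hash mismatch alone can also be a legitimate version difference, so treat the output as a lead for investigation (check the file's version resource, timestamps and who wrote it) rather than a verdict.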

The Trojan then drops a Backdoor, identified by Bitdefender as Backdoor.Zxshell.B, which contains the code that actually compromises the system.

Once this is accomplished, cybercriminals can add and remove user files and rights, change passwords, and execute files with elevated privileges.

Fortunately for Internet users, the latest security products don't rely only on signatures to identify malicious elements. They also monitor the activity of certain processes in search of abnormal behavior that may indicate the presence of malware.

As we saw yesterday when Trusteer researchers presented the Shylock malware, even the most sophisticated anti-detection techniques can be identified by reliable security software, which is why Internet users are always advised to ensure that their computers are protected with a modern, up-to-date solution.
