
Saturday, 25 February 2012

New "Trojan.Dropper.UAJ" modifies the library "comres.dll"... can be used in DLL load hijacking



Gud noon Frenzzz...

Researchers at the antivirus company Softwin (the developer of Bitdefender) have found a complex Trojan horse that uses a non-trivial method to hide its code inside the operating system. Simple malware adds itself to the startup list or makes changes to the registry, and is therefore easily identified by antivirus software. The new Trojan, Trojan.Dropper.UAJ, takes its own approach: it injects itself into one of the major Windows libraries (comres.dll), so that every application that loads this library also runs the malicious code.

The Trojan makes a copy of the original comres.dll file, modifies it and saves it in the Windows folder, from where it is loaded by default by all programs, for example explorer.exe.

The changes to the library consist of adding just one function, which is imported alongside the library's normal list of imported functions. After that, the Trojan drops the file prfn0305.dat onto the disk (Bitdefender identifies it as Backdoor.Zxshell.B).

Now everything is in place: when the modified DLL is loaded by the system, the backdoor is launched, and it gives the attacker the ability to perform any action on the system, including running other files, adding and deleting users, changing passwords, and so on.

According to the specialists, comres.dll was chosen because this library is widely used by most web browsers as well as by many communication and networking programs; in other words, it is a popular and indispensable library of the operating system.

Since the Trojan does not bring its own library but modifies an existing system one, it works successfully on many versions of Windows, including Windows 7, Windows Vista, Windows 2003, Windows 2000 and Windows NT, in both 32-bit and 64-bit environments.

The attack uses a technique known as "DLL load hijacking". It relies on a vulnerability (or feature) of Windows: when an application does not specify the full path to a library but only its name, the operating system itself searches for a file with that name and loads the one that is found first. It looks first in the application's own folder, then in the Windows folder, and so on. Thus attackers can slip in another version of the library simply by placing a file closer to the application in that search order, without replacing the original file.
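The search-order behaviour described above can be audited from the defender's side. The following is an added example, not code from this post or from Bitdefender: it walks a simplified version of the Windows DLL search order for a library referenced by bare name, reports every copy it finds, which copy would actually be loaded, and whether that copy is byte-identical to the trusted copy in the system directory. The directory layout and file contents built in `demo()` are constructed sample data, and the search order is a simplification of the real one (it ignores KnownDLLs, manifests and SafeDllSearchMode settings).

```python
import hashlib
import tempfile
from pathlib import Path

def search_order(app_dir, system_dir, windows_dir, cwd, path_entries=()):
    """Simplified Windows search order for a DLL named without a path: the
    application directory first, then system dir, Windows dir, cwd and PATH."""
    return [Path(app_dir), Path(system_dir), Path(windows_dir), Path(cwd),
            *(Path(p) for p in path_entries)]

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_dll(dll_name, dirs, trusted_dir):
    """Return (copy that would be loaded, findings). A finding records each copy of
    dll_name on the search path, whether it is the first hit, and whether it is
    byte-identical to the legitimate copy in trusted_dir (e.g. System32)."""
    trusted = Path(trusted_dir) / dll_name
    trusted_hash = sha256_of(trusted) if trusted.is_file() else None
    resolved, findings = None, []
    for directory in dirs:
        candidate = directory / dll_name
        if not candidate.is_file():
            continue
        first_hit = resolved is None  # the loader stops at the first match
        if first_hit:
            resolved = candidate
        findings.append({"path": str(candidate), "would_load": first_hit,
                         "matches_trusted": sha256_of(candidate) == trusted_hash})
    return resolved, findings

def suspicious(findings):
    """Copies that would be loaded but differ from the trusted system copy."""
    return [f for f in findings if f["would_load"] and not f["matches_trusted"]]

def demo():
    """Constructed fixture: a trusted comres.dll in a fake System32 and a modified
    copy dropped into the application's folder (sample bytes, not real files)."""
    root = Path(tempfile.mkdtemp())
    app, sys32, windir = root / "app", root / "System32", root / "Windows"
    for d in (app, sys32, windir):
        d.mkdir()
    (sys32 / "comres.dll").write_bytes(b"MZ original comres")
    (app / "comres.dll").write_bytes(b"MZ original comres + injected import")
    resolved, findings = audit_dll("comres.dll", search_order(app, sys32, windir, root), sys32)
    return resolved, findings, suspicious(findings)
```

On a live Windows host you would point `trusted_dir` at the real System32 and, better, verify the Authenticode signature of each copy rather than rely on a hash comparison alone.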
