DLL loading pops back into the malware picture

According to Lordian Mosuela, a security researcher with anti-spam and zero-day remediation specialist Commtouch, it has been a year since he and his team last saw a DLL (dynamic link library) hijacking technique that loads a malicious DLL and affects hundreds of programs.

The method, he explains in his latest security posting, involves dropping a collection of normal files together with the malicious DLL from within a directory.

The most interesting aspect of this latest Deskpan hack, he says, is that only the file 'deskpan.dll' was detected as malicious, although, he adds, a DLL file inside a folder immediately looks like a DLL hijacking candidate.

“Once the user opens the document file, the malicious DLL also gets loaded. This attack also works with any legitimate rich text format file (.rtf), or text file (.txt). In order to execute the malicious file ‘deskpan.dll’, it needs to be located in the folder named ‘[any characters]. {42071714-76D4-11D1-8B24-00A0C9068FF3}’,” he said.

Mosuela says – quite correctly, Infosecurity notes – that Deskpan.cpl is the Display Panning CPL Extension, a module related to the display settings of pictures that appear on a user’s screen. Together with associated DLLs, this extension allows users to adjust the advanced display adapter properties and display monitor properties.
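A defender can hunt for the folder layout described above on disk. The following is an added example, not code from Commtouch or Infosecurity: the function names and the sample tree are assumptions, and it goes slightly beyond the article by also flagging any CLSID-suffixed folder that holds a DLL for manual review.

```python
import os
import re
import tempfile

# CLSID quoted in the article (Display Panning CPL Extension).
DESKPAN_CLSID = "42071714-76D4-11D1-8B24-00A0C9068FF3"
# "[any characters].{CLSID}"; whitespace after the dot is tolerated.
CLSID_SUFFIX = re.compile(
    r"^.+\.\s*\{([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}$",
    re.IGNORECASE,
)


def find_hijack_candidates(root):
    """Return (severity, folder, dlls) for CLSID-suffixed folders holding DLLs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        match = CLSID_SUFFIX.match(os.path.basename(dirpath))
        if not match:
            continue
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        if not dlls:
            continue  # a CLSID folder without a DLL is not a candidate
        exact = (match.group(1).upper() == DESKPAN_CLSID
                 and "deskpan.dll" in (d.lower() for d in dlls))
        findings.append(("high" if exact else "review", dirpath, dlls))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout (empty placeholder files, not real samples)."""
    layout = {
        "Invoices.{%s}" % DESKPAN_CLSID: ["report.rtf", "deskpan.dll"],
        "Photos.{00000000-0000-0000-0000-000000000000}": ["helper.dll"],
        "Plain folder": ["notes.txt", "other.dll"],
        "Docs.{%s}" % DESKPAN_CLSID.lower(): ["readme.txt"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            open(os.path.join(root, folder, name), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for severity, folder, dlls in find_hijack_candidates(tmp):
            print(severity, os.path.basename(folder), dlls)
```

Point `find_hijack_candidates` at a file share, mail attachment extraction directory or user profile; a "high" result matches the exact folder and file name reported in the article.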

Once executed, the malware creates the following files and registry entries:

%UserProfile%\Local Settings\UPS.exe
%UserProfile%\Local Settings\cisvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run UPS = “%UserProfile%\Local Settings\UPS.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Cisvc = “%UserProfile%\Local Settings\cisvc.exe”

The malware then tries to connect to a remote site using port 443, says the Commtouch researcher.

Commtouch identifies this flaw as CVE-2011-1991 and notes that it was patched by Microsoft last month with security update MS11-071, which supports most versions of Windows.

The patch reportedly addresses the vulnerability by correcting the manner in which Windows components load external libraries. The update also corrects registry key entries to restrict the loading of external libraries.

Command antivirus, says Mosuela, detects this malware as W32/Trojan2.NOXC.
