Challenge Caused by DLL Hijacking Malware against Active Defense Technology

Challenge Caused by DLL Hijacking Malware against Active Defense Technology

The malware, taking advantage of DLL to hijack vulnerabilities, which appeared in 2000 has began to make further use of normal signature software to confront active defense now. This method has become more and more popular. This kind of malware is usually made up of the following two parts: the normal software with digital signature; malicious DLL file that will be loaded for execution by the previous normal software.

Active defense technology refers to monitoring the systematic call to determine whether it carries malicious actions during the execution of a program. Some actions exist in both normal software and malware, such as creating Autostart. If active defense technology indiscriminately makes alarms, it will affect user experience and the normal use of the software. Therefore, active defense technology also includes the credit rules for some kinds of software normally, such as, whether the software contains digital signature, whether the software creates the user-visible windows and so on. Except from active defense technology, some other malware detection means usually take that whether containing digital signatures as a significant determine rule. Right under this situation, malware authors begin to make use of the normal signature files to load malicious DLL file in order to escape from the detection of active defense.

We found such a case. The malware distributed together with video playback software that named Storm. In the software, Host.exe is a normal program with signature, which will load the BFVUpdateM.dll file that includes malicious programs when being executed and execute the RunUpdate function the latter realized. After the loading of BFVUpdateM.dll, it will decrypt the 360Sate.tmp file under the same directory and extract the codes that contain the actual malicious functions and then copy these three related files to C:\Windows\ directory. When the BFVUpdateM file finds it is under this directory, it will decrypt and execute the malware in the 360Safe.tmp file (the main function is adding the shortcuts of ads to computer desktops.).

Normally, this kind of malware will appear in view of compression archive in order to keep the signatures of normal programs complete. The other method is to release and execute them through a dropper, but in this way dropper will be the parent process of the normal one and it will be tracked and detected by active defense technology. For escaping from being detected, malware might send messages to establish process to avoid this parent process issue.

The attack mode herein brings new challenges not only to active defense technology, but to malware automatic analysis system that only supports single file.