The Latest in IT Security

Malware Uses New DLL Loading Technique – MS11-071

13 Oct 2011

It has been about a year since we first saw the DLL hijacking technique in which a malicious DLL is loaded by hundreds of otherwise unrelated programs. The method involves dropping a collection of normal-looking files together with the malicious DLL into a single directory. We recently analyzed an archive sample built this way. Only the file “deskpan.dll” inside it was detected as malicious.

A lone DLL file sitting inside a folder of documents immediately looks like a DLL hijacking candidate. Once the user opens the document file from that folder, the malicious DLL also gets loaded. The attack works with any legitimate rich text format file (.rtf) or text file (.txt) as the lure. In order for the malicious “deskpan.dll” to be executed, it needs to be located in a folder named “[any characters].{42071714-76D4-11D1-8B24-00A0C9068FF3}”.

Deskpan.cpl is the Display Panning CPL Extension, a module related to the display settings of pictures that appear on a user’s screen. Together with its associated DLLs, this extension allows users to adjust the advanced display adapter properties and display monitor properties. Ordinarily it is installed in the Windows\System32 directory, which is why a copy placed next to the lure document gets picked up first.

Once executed the malware creates the following files and registry entries:

  • %UserProfile%\Local Settings\UPS.exe
  • %UserProfile%\Local Settings\cisvc.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run UPS = “%UserProfile%\Local Settings\UPS.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run Cisvc = “%UserProfile%\Local Settings\cisvc.exe”

It then tries to connect to a remote site using port 443.
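The two artifacts described above (a “name.{CLSID}” folder carrying a DLL next to a document, and Run-key autoruns pointing into Local Settings) are easy to hunt for in a directory listing or a registry export. The following is an added example, not code from the original post; the folder tree and Run entries are constructed to mirror the sample, and the checks are illustrative rather than a complete scanner.

```python
import re

# A folder named "<anything>.{<CLSID>}" is treated by the Windows shell as a
# namespace extension, so the DLL registered for that CLSID is looked up when
# the folder is browsed. Match that naming pattern case-insensitively.
CLSID_FOLDER_RE = re.compile(
    r"^.+\.\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$",
    re.IGNORECASE,
)
# CLSID named in the post (Display Panning CPL Extension / deskpan.dll).
DESKPAN_CLSID = "{42071714-76D4-11D1-8B24-00A0C9068FF3}"
DOC_EXTS = (".rtf", ".txt", ".doc")


def is_clsid_folder(name: str) -> bool:
    return bool(CLSID_FOLDER_RE.match(name))


def find_hijack_candidates(tree: dict) -> list:
    """tree maps folder name -> list of file names inside it (constructed input).
    Flags CLSID-named folders that contain a DLL, and lists any lure documents."""
    hits = []
    for folder, files in tree.items():
        if not is_clsid_folder(folder):
            continue
        dlls = [f for f in files if f.lower().endswith(".dll")]
        docs = [f for f in files if f.lower().endswith(DOC_EXTS)]
        if dlls:
            hits.append({"folder": folder, "clsid": folder[folder.rindex("{"):],
                         "dlls": dlls, "docs": docs})
    return hits


def suspicious_run_entries(entries: dict) -> list:
    """entries maps HKCU Run value name -> command (constructed from an export).
    Flags autoruns whose target lives under the profile's Local Settings folder."""
    return [name for name, cmd in entries.items()
            if "\\local settings\\" in cmd.lower().replace("/", "\\")]


# Constructed sample data modelled on the archive and registry keys in the post.
SAMPLE_TREE = {
    "invoice.{42071714-76D4-11D1-8B24-00A0C9068FF3}": ["report.rtf", "deskpan.dll", "notes.txt"],
    "photos": ["a.jpg"],
    "tools.{not-a-clsid}": ["x.dll"],
}
SAMPLE_RUN = {
    "UPS": r"%UserProfile%\Local Settings\UPS.exe",
    "Cisvc": r"%UserProfile%\Local Settings\cisvc.exe",
    "Updater": r"C:\Program Files\Vendor\updater.exe",
}

if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_TREE):
        print("hijack candidate:", hit)
    print("suspicious Run entries:", suspicious_run_entries(SAMPLE_RUN))
```

On a live system the same checks would be fed from `os.walk` over user-writable paths and from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.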

This particular flaw has been assigned CVE-2011-1991 and was patched by Microsoft last month in security update MS11-071 (it affects most versions of Windows). The patch addresses the vulnerability by correcting the manner in which Windows components load external libraries. The update also corrects registry key entries to restrict the loading of external libraries.

Command antivirus detects this malware as W32/Trojan2.NOXC. Keeping your antivirus definitions up to date and applying the latest Microsoft Windows updates will protect you from malware such as this.
