BHO and dlls
#1  AOs Resident Troll (Join Date: Nov 2003; Posts: 3,152)

    Found this posted on SANS this morning:

    http://isc.sans.org/diary.html?storyid=3702

    After I searched the web a bit, I found out that Elia Florio from Symantec already described another variant of this same BHO which they called Trojan.Advatrix (Symantec's description is here). Besides the information I already had, that particular variant did something else to the machine. Something very, very mean.

    Elia found out that the BHO modifies Internet Explorer so that it becomes vulnerable to two security vulnerabilities: MS06-014 known as the MDAC vulnerability and MS07-017, known as the ANI vulnerability.

    These two vulnerabilities are probably the most exploited vulnerabilities in Internet Explorer today. The MS06-014 vulnerability is practically a part of every exploit pack today (and is certainly in MPACK, which is the most popular one). Exploits for the ANI vulnerability can also still be found almost everywhere.

    What makes me extremely worried is how hidden this whole thing is. The BHO just modifies Internet Explorer's image, which means that no files are written to the disk. In other words, such a machine will look completely patched to Windows Update or any other patch-checking system. However, while the BHO is active, the machine will be vulnerable to the two most exploited client-side vulnerabilities of the last couple of years.

    The last line of defense, the anti-virus program, is not particularly helpful here either. The dropper I had was detected by only 13 out of 32 AV programs on VirusTotal and the DLL detection was even worse with only 7 AV programs detecting it.

    While there are many lessons to learn from this malware, I would like to stress one really important thing: when a machine gets infected, your only option is to reinstall it from scratch. With today's malware phoning home and installing stealthy, updated modules, this is really a no-brainer.
    MLF
    Last edited by morganlefay; November 29th, 2007 at 03:35 PM. Reason: forgot my sig
    How people treat you is their karma; how you react is yours. - Wayne Dyer
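The point of the SANS diary quoted above is that the patch lives only in Internet Explorer's process image, so anything that checks files on disk (Windows Update, a file-hash scanner) sees a healthy machine. The defender's counter is an in-memory integrity check: read the code section of a loaded module from the process, read the same section from the file on disk, and report any bytes that differ. The added example below is not from the post or the SANS diary; it implements that comparison in Python on constructed byte strings (a 32-byte stand-in for a code section), and it handles the caveat a real check runs into: the loader legitimately rewrites pointer-sized fields at base-relocation offsets, so those must be masked or every relocated DLL looks "patched". On a real Windows host the disk copy would come from the mapped file and the memory copy from the target process (for example via ReadProcessMemory); obtaining those is assumed and not shown.

```python
"""In-memory vs on-disk code section comparison (added example, constructed data).

Reports contiguous byte ranges where the loaded image differs from the file,
ignoring positions the loader is expected to rewrite for base relocations.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class Patch:
    offset: int        # section-relative offset where the bytes start to differ
    on_disk: bytes     # bytes as stored in the file
    in_memory: bytes   # bytes as observed in the process image


def find_runtime_patches(disk_code: bytes, memory_code: bytes,
                         reloc_offsets: Iterable[int] = (),
                         pointer_size: int = 4) -> List[Patch]:
    """Return every run of bytes that differs between disk and memory.

    reloc_offsets: section-relative offsets of base-relocation fixups; each
    covers pointer_size bytes and is masked so a relocated (but unmodified)
    module produces no findings. Everything else that differs is reported.
    """
    if len(disk_code) != len(memory_code):
        raise ValueError("section sizes differ; compare equally sized copies")

    masked: Set[int] = set()
    for r in reloc_offsets:
        masked.update(range(r, r + pointer_size))

    patches: List[Patch] = []
    start: Optional[int] = None
    for i, (d, m) in enumerate(zip(disk_code, memory_code)):
        differs = d != m and i not in masked
        if differs and start is None:
            start = i                      # open a new differing run
        elif not differs and start is not None:
            patches.append(Patch(start, disk_code[start:i], memory_code[start:i]))
            start = None                   # close the run
    if start is not None:                  # run reaches the end of the section
        patches.append(Patch(start, disk_code[start:], memory_code[start:]))
    return patches


def describe(patches: List[Patch]) -> str:
    """Human-readable summary, one line per differing run."""
    if not patches:
        return "no unexplained differences between disk and memory"
    return "\n".join(
        f"offset 0x{p.offset:x}: disk {p.on_disk.hex()} -> memory {p.in_memory.hex()}"
        for p in patches
    )


# Constructed sample: 32 bytes standing in for a module's code section.
DISK_CODE = bytes(range(32))
_mem = bytearray(DISK_CODE)
_mem[4:8] = b"\xaa\xbb\xcc\xdd"     # constructed: a pointer the loader relocated (legitimate)
_mem[16:19] = b"\x90\x90\x90"       # constructed: three bytes rewritten inside the process
MEMORY_CODE = bytes(_mem)
RELOC_OFFSETS = [4]                 # constructed: the relocation table lists offset 4

# With relocations masked, only the unexplained change at offset 16 is reported.
SAMPLE_PATCHES = find_runtime_patches(DISK_CODE, MEMORY_CODE, RELOC_OFFSETS)

if __name__ == "__main__":
    print(describe(SAMPLE_PATCHES))
    print("without relocation masking:",
          len(find_runtime_patches(DISK_CODE, MEMORY_CODE)), "runs reported")
```

Running the block prints a single finding at offset 0x10; omitting the relocation list reports two runs, which is why a practical scanner must parse the module's relocation table before trusting a raw byte diff. Scheduling such a comparison against the browser's loaded modules is one way to catch exactly the kind of patch-only-in-memory tampering the diary describes.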
