Hmm, interesting AV evasion technique: Seemingly legitimate app, but the download page gives both a malicious DLL and the main executable, the main executable uses LoadLibrary insecurely.

On Feb 22, 2012 9:33 AM, "ACROS Security Lists" <[email protected]> wrote:
> Hi Jeff,
>
> > I don't believe a PE/PE+ executable needs a DLL extension to
> > be loaded by LoadLibrary and friends.
>
> True, any file can be loaded this way, but our pretty extensive experimenting showed
> extremely few cases where legitimate applications (in this case mostly installers)
> loaded anything other than <something>.dll. The operating assumption here is that the
> initial executable (installer) is friendly but whatever it loads with LoadLibrary*
> can be potentially malicious. The attacker can therefore not choose which file the
> initial executable will load with LoadLibrary* but must plant a file that the
> executable is already set to load.
>
> > Perhaps a scanning/cleansing tool would be helpful.
>
> Certainly. In the meantime, "del Downloads\*" is a free and efficient superset of
> that ;-)
>
> Cheers,
> Mitja
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
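A minimal version of the "scanning/cleansing tool" the thread asks for, written here as an added example (not code from ACROS or from any list participant): it flags DLL-named files that share a directory with an installer or executable, since a bare-name LoadLibrary call from that executable resolves against its own directory before the system directories, and optionally renames the flagged files so they no longer match the name the executable asks for. The sample Downloads folder, its file names and the `.quarantined` suffix are all constructed for the demo.

```python
import tempfile
from pathlib import Path

# A bare LoadLibrary("name.dll") searches the directory the executable was
# started from before System32, so a DLL dropped beside an installer in
# Downloads is the planting case the thread describes. Only names are
# inspected here; no PE parsing or signature checks.
EXECUTABLE_SUFFIXES = {".exe", ".msi"}
LIBRARY_SUFFIXES = {".dll"}


def find_planting_candidates(directory):
    """Return sorted (executable, dll) pairs for every DLL that sits in the
    same directory as an executable or installer."""
    root = Path(directory)
    files = [p for p in root.iterdir() if p.is_file()]
    executables = sorted(p.name for p in files if p.suffix.lower() in EXECUTABLE_SUFFIXES)
    libraries = sorted(p.name for p in files if p.suffix.lower() in LIBRARY_SUFFIXES)
    return [(exe, dll) for exe in executables for dll in libraries]


def quarantine(directory, dry_run=True):
    """Rename each flagged DLL to <name>.quarantined so a bare LoadLibrary
    of the original name no longer finds it; with dry_run only report."""
    moved = []
    for _, dll in find_planting_candidates(directory):
        src = Path(directory) / dll
        dst = src.with_name(dll + ".quarantined")
        if not dry_run:
            src.rename(dst)
        moved.append(str(dst))
    return sorted(set(moved))


def build_sample_downloads():
    """Constructed sample Downloads folder (placeholder contents, not real files)."""
    d = tempfile.mkdtemp(prefix="downloads_")
    for name in ("setup.exe", "helper.dll", "report.pdf"):
        (Path(d) / name).write_bytes(b"placeholder")
    return d


if __name__ == "__main__":
    sample = build_sample_downloads()
    for exe, dll in find_planting_candidates(sample):
        print(f'{dll} sits beside {exe}; a bare LoadLibrary("{dll}") from {exe} would load it')
    print(quarantine(sample, dry_run=False))
```

Legitimate installers do sometimes ship a DLL next to the executable, so treat a hit as something to inspect (publisher signature, whether the executable actually imports that name) rather than as proof of a plant.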
