Never a DuLL Day

Filed Under: Malware, SophosLabs

It was a busy morning, for a weekend, but nothing out of the ordinary. In the afternoon a new variant of the Dlena family of proxy Trojans came in. It seems the author thought he would try a new trick.

Troj/Dlena-B has much in common with Troj/Dlena-A, but instead of copying itself to <System>\rpcc.exe, it installs itself as <System>\rpcc.dll, modifying just one bit of one byte in the file, namely the flag that tells Windows "this is a DLL."

Given that the <System> folder contains mostly DLLs, maybe the author thought this would be less conspicuous and help evade detection? It is true that anti-virus products sometimes use contextual information, and sometimes process DLL files and EXE files differently, but in this case the author shot himself in the foot: in our internal lab analysis three extra Genotype characteristics were automatically triggered, each saying "This DLL file looks more like an EXE than a Dynamic Link Library."
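The flag in question is IMAGE_FILE_DLL (0x2000) in the Characteristics field of the PE COFF header. The following is an added example, not Sophos code and not a reproduction of the Genotype checks described above: it parses that field from a PE image and applies one illustrative consistency check of the kind a scanner could use (a file claiming to be a DLL while its export directory is empty is flagged, which is an assumption made here for illustration, not the lab's actual heuristic). The minimal PE images are constructed in the block itself.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000  # the single bit the Trojan flips

def _pe_header_offset(data: bytes) -> int:
    """Return the offset of the 'PE\\0\\0' signature, validating the MZ stub."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return pe

def characteristics(data: bytes) -> int:
    """COFF header Characteristics: 2 bytes at PE+22."""
    return struct.unpack_from("<H", data, _pe_header_offset(data) + 22)[0]

def export_directory(data: bytes) -> tuple:
    """(RVA, size) of the export table; data directory index 0."""
    opt = _pe_header_offset(data) + 24          # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112) # PE32 vs PE32+ layout
    return struct.unpack_from("<II", data, dirs)

def dll_flag_inconsistencies(data: bytes) -> list:
    """Illustrative heuristic (assumption): a DLL with no exports looks like a renamed EXE."""
    reasons = []
    if characteristics(data) & IMAGE_FILE_DLL:
        _, export_size = export_directory(data)
        if export_size == 0:
            reasons.append("DLL flag set but the export directory is empty")
    return reasons

def bits_changed(a: bytes, b: bytes) -> int:
    """How many Characteristics bits differ between two images."""
    return bin(characteristics(a) ^ characteristics(b)).count("1")

def build_minimal_pe(flags: int, export_size: int = 0) -> bytes:
    """Constructed sample: MZ stub + COFF header + empty PE32 optional header."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, flags)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, 0x2000 if export_size else 0, export_size)
    return dos + coff + bytes(opt)
```

Running `dll_flag_inconsistencies` over the constructed EXE-with-DLL-bit sample reports the mismatch, while the same headers with a populated export directory pass cleanly.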

Did he really think we would be so easily fooled?
