Never a DuLL Day

It was a busy morning, for a weekend, but nothing out of the ordinary. In the afternoon a new variant of the Dlena family of proxy Trojans came in. It seems the author thought he would try a new trick.

Troj/Dlena-B has much in common with Troj/Dlena-A, but instead of copying itself to <System>\rpcc.exe, it installs itself as <System>\rpcc.dll, modifying just one bit of one byte in the file, namely the flag that tells Windows “this is a DLL.”

Given that the <System> folder contains mostly DLLs, maybe the author thought this would be less conspicuous and help evade detection? It is true that anti-virus products sometimes use contextual information, and sometimes process DLL files and EXE files differently, but in this case the author shot himself in the foot: in our internal lab analysis three extra Genotype characteristics were automatically triggered, each saying “This DLL file looks more like an EXE than a Dynamic Link Library.”
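To make the point concrete, here is an added example (not SophosLabs code, and not a description of how the Genotype characteristics actually work) of the kind of header-consistency check that catches this trick. It reads the COFF file header and the export data directory straight from a PE image with `struct`, and flags the two inconsistencies a patched EXE leaves behind: the IMAGE_FILE_DLL bit is set but the image exports nothing, or the file is named `.dll` but the DLL bit is absent. The `build_minimal_pe` helper fabricates header-only PE32 blobs so the check can be exercised offline; the sample images, the `rpcc.dll` file name and the wording of the findings are constructed for this example.

```python
import struct

# COFF file header Characteristics bits, as defined in the PE/COFF specification
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def parse_pe(data):
    """Extract the few header fields the consistency check needs from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ stub")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32: data directories start at optional-header offset 96
        dirs = opt + 96
    elif magic == 0x20B:     # PE32+: data directories start at offset 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    export_rva, export_size = struct.unpack_from("<II", data, dirs)  # directory 0 = exports
    return {
        "characteristics": chars,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "entry_point": entry,
        "export_rva": export_rva,
        "export_size": export_size,
    }


def assess(filename, data):
    """Return a list of findings describing DLL/EXE header inconsistencies (constructed heuristic)."""
    info = parse_pe(data)
    findings = []
    # A genuine DLL almost always exports something; an EXE with the DLL bit flipped does not.
    if info["is_dll"] and info["export_size"] == 0:
        findings.append("DLL flag set but export directory is empty")
    # Contextual check: the file name claims DLL but the header does not.
    if filename.lower().endswith(".dll") and not info["is_dll"]:
        findings.append("name ends in .dll but IMAGE_FILE_DLL is not set")
    return findings


def differing_bits(a, b):
    """Hamming distance between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def build_minimal_pe(characteristics, export_rva=0, export_size=0):
    """Fabricate a header-only PE32 image (constructed test input, not a real executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                         # 96 bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem = Windows GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, export_rva, export_size)    # export directory
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    plain_exe = build_minimal_pe(IMAGE_FILE_EXECUTABLE_IMAGE)
    exe_with_dll_bit = build_minimal_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    real_dll = build_minimal_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL, 0x2000, 0x40)
    print("bits changed:", differing_bits(plain_exe, exe_with_dll_bit))
    for name, blob in [("rpcc.dll", exe_with_dll_bit), ("helper.dll", real_dll)]:
        print(name, assess(name, blob) or "looks consistent")
```

The two constructed images differ in exactly one bit of the Characteristics field, which is the whole of the trick described above, and that one bit is enough to make the export-directory check fire. A real scanner would layer more signals on top (section names, imports, the entry-point code itself), but the principle is the same: a flag that is cheap to flip is also cheap to cross-check.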

Did he really think we would be so easily fooled?