The PoisonIvy malware is now utilizing a technique called DLL preloading to avoid detection. Can you describe how...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
DLL preloading works and provide some mitigation options for enterprises?
Ask the Expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
DLL preloading, also known as binary planting, was first reported about three years ago. This technique exploits the insecure configuration in Windows for searching the current working directory for dynamic link libraries (DLLs) used within legitimate files.
Recently, Trend Micro Inc. documented that the PoisonIvy malware utilizes DLL preloading to bypass antimalware utilities. PoisonIvy also injects malicious code into a copy of Internet Explorer (iexplore.exe) running in the background to communicate over the network while bypassing firewalls.
PoisonIvy incorporated these new features to evade antimalware tools and to make the initial infection file look more legitimate. A user might assume the file, which could be masked as a Microsoft Word or Adobe Flash file, is safe and open it, allowing the file to load malware into the current working directory and execute it.
Unfortunately, not much has changed in the years since this attack was disclosed, but the learned functionality of the malware might provide some additional insight into the development practices of the malware authors. If malware authors prioritize new functionality based on requests from attackers or the impact of the new functionality, it might suggest making the attack reliable or effective -- or even including it at all -- was a lower overall priority.
To protect your enterprise from both the malware and attacks using the malware, DLL preloading mitigation steps should be taken, such as applying Microsoft FixIt and using the most recent versions of installed programs. These steps will help to minimize the chance of malicious DLLs being loaded. In addition, endpoint and network antimalware tools can also protect against PoisonIvy.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Latentbot malware has layers of obfuscation that makes it hard to detect. Expert Nick Lewis explains how its process works, beginning with a phishing...continue reading
A hard to detect type of Linux malware, Rekoobe, can download files to user systems. Expert Nick Lewis explains the malware's key functionality and ...continue reading
Pro POS, a new type of POS malware, has simple operations and is easy to obtain. How was it so successful against businesses? Expert Nick Lewis ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.