Professional Documents
Culture Documents
DLL SIDE-LOADING:
A Thorn in the Side of
the Anti-Virus Industry
Author: Amanda Stewart
SECURITY
REIMAGINED
DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry
CONTENTS
Abstract ................................................................................................................................................................................................................................................................................................................................................................ 3
WinSxS detailed.................................................................................................................................................................................................................................................................................................................. 3
Malware volume................................................................................................................................................................................................................................................................................................................ 5
Malware detection....................................................................................................................................................................................................................................................................................................... 5
Recommendations............................................................................................................................................................................................................................................................................................................... 10
Software developer............................................................................................................................................................................................................................................................................................. 10
QA analyst................................................................................................................................................................................................................................................................................................................................... 11
Endpoint user..................................................................................................................................................................................................................................................................................................................... 11
2 www.fireeye.com
DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry
1
Microsoft. “Dynamic-Link Library Security.”
2
National Vulnerability Database. “Vulnerability Summary for CVE-2000-0854.” September 2008.
3
Amanda Stewart. “Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick.” May 2013.
4
Gabor Szappanos. “Targeted malware attack piggybacks on Nvidia digital signature.” February 2013.
5
Abraham Camba. “Unplugging PlugX Capabilities.” September 2013.
3 www.fireeye.com
DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry
Figure 1: Representation of
typical side-by-side assembly6
The problem with this technique is that it offers Figure 2). This omission may inadvertently grant
little to no validation of the loaded DLL other than trusted installer privileges to malicious payloads.
what is explicit in the manifest’s DLL metadata (see
1 2 3
Not Much
Validation
6
Microsoft. “Side-by-side Assemblies.” July 2010.
4 www.fireeye.com
DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry
What This All Means For hashes to create blacklists and whitelists. (One
Dll Side-loading such example is the NSRL database, which
When polymorphic malicious payloads are contains hashes of wellknown legitimate
delivered with legitimate executables, endpoints binaries.) AV products then compare the hash
face greater risks. With WinSxS, malware can values of questionable files against these lists
bypass anti-virus scanners for a longer period. to identify them as malicious or benign.
This dynamic has several implications for the • Section-based hashes. The second signature-
volume, detection, and variety of malware creation technique splits the binary into
deployed by threat actors worldwide. sections and generates hash signatures for
each section. A common example is portable
Malware volume executable (PE) sections, in which hash values
Security professionals’ main challenge can be are generated from the binary’s PE sections
summed up with a simple question: How can we (such as .text, .rdata, and data) and size.
tackle clusters of malware quickly?
• Code-section hashes. The third-most common
Malware is mushrooming. According to one study, technique involves hash values based on code
the volume of malware samples in the wild has sections of the malware sample.
grown 60 percent since 2010.7
All three of these static signature-generation
Even as the number of unique malware samples techniques can be used in automation or manual
rises, they are growing more difficult to detect. analysis. Regardless of which technique comes into
Anti-detection techniques such as binary packing, play, signature-based detection is quickly reaching
compression, encryption, compiler variation, and its practical limits when it comes to the central
polymorphism have made malware harder to challenge of finding malware clusters quickly.
identify.
To understand why, consider how security vendors
To keep up with these dual challenges, anti-virus generate malware signature. Signature generation
vendors mix automated and manual techniques to starts with sample origin. This sample origin can be
generate new malware signatures. a specific malware family or previously seen
malicious code that has spawned the need for the
Malware detection signature.
Most signature creation and detection techniques
fall into one of the following categories: Attackers’ anti-detection techniques (such as
code-morphing) can generate a large volume of
• Basic whole-file hash generation. The most
common signature-creation technique unique binary samples from the same malware
involves generating a basic hash value for the family—each with a unique hash value. Because
file as a whole. This technique uses whole-file signature matching is limited to specific hash
7
Sophos. “Year in Review: 2011.” December 2011.
5 www.fireeye.com
DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry
samples, timely detection becomes less and less appear once and never occur again.
possible for as the volume o f newly introduced
unique samples grows. The PlugX family of malware, which uses DLL
side-loading techniques to infect target machines,
This increasingly larger volume of unique samples demonstrates the long-tail theory in action.
also becomes more difficult to cluster based on
static techniques because of a phenomenon known Figure 3 shows a collection of unique PlugX related
as the long-tail theory. samples discovered within the last year. Of those
samples, only 46 percent were uploaded to
The long-tail theory of malware distribution VirusTotal. While this example represents a very
The long-tail theory describes the unique small sampling, the long-tail phenomenon has held
distribution of occurrences. Applied to malware, true in broader FireEye detection statistics.
the theory explains why many samples may only
16
Figure 3: Sample
distribution.
14
12
Number of Sources
10
0
309 Unique Samples
6 www.fireeye.com
DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry
PlugX And DLL side-loading These two malicious payloads combine to form the
In 2013, FireEye Labs discovered a spear- DLL that exists only in the benign executable’s
phishing attack targeting Chinese political rights memory. This distinction is crucial—OINFO11.
activists. This email contained an attachment exe’s hash value is listed in the National Software
exploiting a vulnerability in Windows ActiveX Reference Library (NSRL) database, which means it
controls (CVE-2012-0158) to drop several is listed in a publicly used binary whitelist.
binaries that appear benign in isolation but
combine to form a malicious executable. In OINFO11.exe (hash value:
Figure 4, the green highlighted icon represents 31cad2960a660cb558b32ba7238b49e)
the seemingly benign executable that contains originated from an Office 2003 Service Pack 2
the DLL side-loading vulnerability. update. In this attack, this sample loads a spoofed
DLL component (Oinfo11.ocx). When Oinfo.ocx is
OINFO11.exe (hash value: loaded into memory, it loads, decompresses, and
a31cad2960a660cb558b32ba7238b49e) decodes a secondary component (OInfo.ISO).
originated from an Office 2003 Service Pack 2
update. In this attack, this sample loads a spoofed These two malicious payloads combine to form the
DLL component (Oinfo11.ocx). When Oinfo.ocx DLL that exists only in the benign executable’s
is loaded into memory, it loads, decompresses, memory. This distinction is crucial—OINFO11.
and decodes a secondary component (OInfo. exe’s hash value is listed in the National Software
ISO). Reference Library (NSRL) database, which means it
is listed in a publicly used binary whitelist.
Figure 4: PlugX X
+
targeted attack 202.69.69.41;90
INFILTRATION
Victim
X X
DECOY
DROPS
PAYLOAD RETRIEVE
NEW
Extracts PLUGINS
Creates
ews.exe
IN MEMORY
OCX
KEYLOGGER FILE
msiexec.exe
NvSmart.hip
7 www.fireeye.com
DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry
Executes
Passes virus
malicious
scan
payload
Some anti-virus software may utilize this database Figure 6 shows the OINFO11.exe DLL import
to ignore benign executables and reduce false table, which includes the functions GetOfficeData
positives. Because the malicious payload exists and DeleteOfficeData. Any file that is loaded
only in memory, the sample is not detected or from the side-by-side directory and adjacent to
removed, and the attack persists (see Figure 5). the primary executable should be validated for
these functions. Usually, executables using the
How To Recognize DLL Side-loading side-by-side feature will have these resources
Vulnerability located in the embedded manifest file.
Security professionals have several methods of
examine software for the DLL side-loading Validating the file and functions must involve
vulnerability. This section explains the fastest and more than simply checking for the correct
easiest method: validating the DLL imports. filename and functions names.
8 www.fireeye.com
DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry
Figure 7: Original
exported function
Figure 8: Spoofed
exported function
Take OINFO11.exe, for example. Compare the Samples exhibiting similar behavior
functions of the original supplementary file Table 1 lists executables from large corporations
Oinfo11.ocx and a spoofed version. Figure 7 that have been used in APT PlugX attacks that
shows the original assembly for GetOfficeData. occurred before the OINFO11.exe attacks.
In the spoofed version (Figure 8), the same Attacks that use these files do not always mirror
function does nothing. the DLL-side-loading methods exactly, but the
concept is the same
9 www.fireeye.com
DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry
The file name DirComp.dll is accompanied with a • Call SetDllDirectory with an empty string.
hash for validation. This may seem a simple Recommended by Microsoft, keeping the
concept, but it can provide a minimum check on string parameter empty disables the safe DLL
DLL validation. search mode and prevents automatic DLL
loads by API calls to LoadLibrary.8
8
Microsoft. “SetDllDirectory function.”
10 www.fireeye.com
DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry
PE explorer http://www.heaventools.com/overview.htm
FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com
© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or
service marks of their respective owners. RPT.DLL.EN-US.082014
11 www.fireeye.com