Are you worried about hackers and viruses?
Guest author Toufique Ahmed explains why you have to worry about DLL Hijacking.
If DLL Hijacking is unfamiliar to you, don’t worry.
Toufique will explain what it is, how it hurts your computer, and how to stop it.
DLL Hijacking: What is it?
How it works and How to stop it
by Toufique Ahmed
DLL hijacking is a term you’ve probably never heard of as a regular user of any computer. But the fact that you’ve not heard about it doesn’t mean it doesn’t exist. In fact, DLL hijacking is one of the most effective methods employed by recent hacking attacks. The strategy has also been in use since the early years of 2000, causing data loss in a wide array of Windows operating systems over the years.
If you’ve ever been a victim of any hacking, you should read this article to make sure your operating system has not been DLL hijacked as well as the simple steps you can take to stop it right away.
Before we proceed to explain the what and how of the DLL hijacking technique, it is imperative that we have a firm grasp of what DLL files are and how they operate.
DLL stands for Dynamic Link Library. These files are designed to house instructions and data that other programs load in order to perform the functions associated with that DLL.
DLL files can be used by multiple applications at the same time, which saves memory because the code is only loaded when it is needed. This makes the system run faster and smoother.
Another advantage that DLL files give users and developers is the ability to share and enhance functionality without relinking applications, since the same library is accessible to several applications at once.
DLL hijacking basics
DLL files serve many functions in Windows and can be said to be part of the foundations of the OS. Because of the way the search path for these files is applied, an attacker can influence where the system looks for a DLL when a program loads it.
Unless the search path is hard-coded in the program, the default setting lets any authenticated user add a file to a directory on that path.
The search-path behaviour this technique abuses lets the hijacker place a malicious DLL in a location that will eventually be searched. Knowing the path that is walked when a DLL is requested, the hijacker plants a malicious DLL with the same file name as the real one somewhere near the top of the path, so it is typically reached before the genuine DLL. For instance, a user wanting to print a file clicks “print” on his computer. This activates the .exe and the DLL responsible for the printing service. If that lookup has been hijacked, the attacker has placed a malicious file on the path, and the malicious code is loaded instead.
To mitigate this flaw in the search path, Microsoft has made significant efforts over the years, repeatedly changing the DLL search order. Unfortunately, hijackers have also found gaps in each new order, as well as other vulnerabilities in additional programs.
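The search-order problem described above, modelled as a small audit script. This is an added example, not code from the original post: it walks a simplified version of the default Windows search order (application directory, System32, Windows directory, current directory, PATH), resolves each DLL name a program imports, and flags names whose genuine copy in a trusted directory is shadowed by an earlier copy. The directory tree and DLL names are constructed in a temp folder so the script runs offline on any OS.

```python
import tempfile
from pathlib import Path


def search_order(app_dir, system32, windows_dir, cwd, path_dirs):
    """Simplified default search order (SafeDllSearchMode on), as a list."""
    return [app_dir, system32, windows_dir, cwd, *path_dirs]


def resolve_dll(name, dirs):
    """First directory in `dirs` holding a file called `name`, else None."""
    for d in dirs:
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate
    return None


def audit(imports, dirs, trusted_dirs):
    """Classify each imported DLL name.

    'ok'       - the first copy found is the trusted one (or the only one)
    'shadowed' - an untrusted copy is reached before the trusted copy
    'missing'  - nothing found, so whoever can write to the first directory
                 in the order decides what loads under that name
    """
    report = {}
    for name in imports:
        found = resolve_dll(name, dirs)
        trusted = resolve_dll(name, trusted_dirs)
        if found is None:
            verdict = "missing"
        elif trusted is not None and found != trusted:
            verdict = "shadowed"
        else:
            verdict = "ok"
        report[name] = (str(found) if found else None, verdict)
    return report


def demo():
    """Build a constructed tree and audit three imports (names are made up)."""
    root = Path(tempfile.mkdtemp())
    app, sys32, win, cwd = (root / n for n in ("app", "System32", "Windows", "cwd"))
    for d in (app, sys32, win, cwd):
        d.mkdir()
    (sys32 / "printsvc.dll").write_bytes(b"genuine")  # legitimate copy
    (sys32 / "render.dll").write_bytes(b"genuine")
    (app / "printsvc.dll").write_bytes(b"planted")    # same name, earlier in the order
    dirs = search_order(app, sys32, win, cwd, [])
    return audit(["printsvc.dll", "render.dll", "absent.dll"], dirs, [sys32])


if __name__ == "__main__":
    for name, (path, verdict) in demo().items():
        print(f"{name:14} {verdict:9} {path}")
```

Running it reports `printsvc.dll` as shadowed (the copy next to the .exe wins), `render.dll` as ok and `absent.dll` as missing.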
The truly scary part of these attacks is the fact that they are quite easy to pull off and because the vulnerability persists in the Windows operating system, attackers employ DLL hijacking as their means of penetration quite commonly.
Two relevant case studies illustrate this. The first is the malware Youndoo, a browser hijacker that used DLL hijacking to reset users’ homepages and search engines to its own preferences. It was delivered to most victims bundled with a legitimate free software installation. During the installation, it placed some of its files in the folders where the Firefox and Chrome .exe files were located. When either browser was opened by the user, the planted DLL loaded and took control first. This switched the homepage and search engine to Youndoo rather than the homepage preset by the user or the browser’s default start page.
The Vawtrak banking Trojan also used a form of DLL hijacking: the attackers found a way to insert the malware while Microsoft Word documents were being loaded. It was spread via spam emails posing as parking ticket notifications; as soon as the links in these emails were clicked, the victims were infected by the Trojan DLL, which records keystrokes, captures screenshots and gives admin-level access to all files, passwords and certificates stored on the computer in question.
Knowing when something’s up
To detect DLL attacks, software developers should watch for changes to their DLL files such as modifications, replacements or renames. Regular PC users should watch for unusual activity in their browsers and be wary of spam emails. Browser hijacks are very common and are easy to spot: users keep getting redirected to the same website, or find that their homepage and search engine have been changed without their permission.
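The change-monitoring the paragraph recommends for developers, as an added example that is not part of the original post: take a SHA-256 baseline of every .dll under an application directory, then compare a later snapshot and report files that were modified, added (a new DLL dropped beside the .exe is the Youndoo pattern above) or removed (a rename shows up as one removal plus one addition). File names and contents are constructed in a temp folder so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(app_dir):
    """Map relative path -> SHA-256 hex digest for every .dll under app_dir."""
    app_dir = Path(app_dir)
    return {
        str(p.relative_to(app_dir)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(app_dir.rglob("*.dll"))
    }


def compare(baseline, current):
    """Diff two snapshots; the baseline would normally be stored at release time."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Constructed scenario: baseline two DLLs, then tamper, rename and plant."""
    root = Path(tempfile.mkdtemp())
    (root / "core.dll").write_bytes(b"release build v1")
    (root / "ui.dll").write_bytes(b"release build v1")
    base = snapshot(root)
    (root / "core.dll").write_bytes(b"tampered")       # in-place modification
    (root / "ui.dll").rename(root / "ui_old.dll")      # rename: removed + added
    (root / "helper.dll").write_bytes(b"planted")      # new DLL next to the .exe
    return compare(base, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9} {files}")
```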
Preventing DLL attacks
There are a handful of precautions that can be taken to ensure that sensitive information is not taken from your PC and you don’t become a victim of DLL hijacking. Some of these tips include:
- Use professional, licensed antivirus and anti-malware software that is always kept up to date.
- Do not open suspicious emails or enable functions you are unfamiliar with in web and desktop apps.
- Stop downloading freeware from untrusted or non-credible websites.
- Don’t download suspicious DLL files onto your system; obtain DLLs only from trusted Microsoft websites or other credible sources.
- If your browser homepage or search engine changes, uninstall any programs you installed shortly before the change began. If you do not know which program is the cause, open the System Restore tool and restore to a point before you installed the suspected software.
This post was made possible by the support of our readers.
Readers, please share so people know how to prevent DLL hijacking.