DLLs and System Security

Here's how DLLs can be threatened by computer viruses and how certain viruses work to create DLLs that are difficult to track. We suggest two tools besides anti-virus that will help you enhance your computer security.

DLLs may be infected by computer viruses in the same way as all your other data. In addition, viruses install DLLs on your computer that are very difficult for anti-virus products to combat. This is the preferred strategy of many known dangerous viruses.

In each of these instances the original virus was hard to trace and left anti-virus companies baffled for a couple of days until remedies were developed. However, in the meantime, millions of computers worldwide were being infected and seriously threatened.

The following are just three malware types (Source: Panda Software) that infect or install DLLs and thus present a danger to your computer security and data stored within.

1. Hupigon.BS is a backdoor. A backdoor is a point of entry into your computer, either through software or hardware, that gives someone partial or complete remote access through the Internet. Hupigon.BS receives remote control commands, including to log the keystrokes you type, to obtain files from your computer, to download specific files to run later, and/or to capture screenshots. Hupigon.BS installs its own set of DLLs into all the processes running on your PC; in this way the backdoor makes sure that its files and processes cannot be seen by some security tools and programs.

2. MTX is a worm that reaches your computer by email in a file with a PIF, EXE, or SCR extension. It passes itself off as a harmless music file or image related to such famous people as Jimi Hendrix or Bill Gates. The worm sends itself to every contact in your address book each time you send out an email, effectively consuming your bandwidth. Its main effect is to infect and replace some of your original executables, including EXEs and DLLs. Your registry settings are also modified.

The file name varies in each infection and can be one of the following:

NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
ALANIS_Screen_Saver.SCR
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
zipped_files.EXE

When the attached file is run, MTX carries out its infection. From then on, MTX waits until a new email message is sent from your infected computer.

When the user sends a message to any recipient, MTX immediately spreads: it sends another message to the same recipient with an infected file attached.

3. Sikou.A is a Trojan that connects to a certain IP address to download and install a DLL on the affected computer. This DLL then connects to another IP address and downloads other files, which contain remote control commands that the Trojan will carry out. These commands include downloading and running files and shutting down the computer. Sikou.A repeats this process frequently to re-download the second DLL, so that the author of the Trojan can issue new control commands to all affected computers simply by updating the auxiliary DLL on the server it is downloaded from. Sikou.A reaches the computer embedded in a specially crafted Word document, which exploits a Microsoft vulnerability to execute the Trojan when you open the document.

Sikou.A creates the following files:

  • A file with a random name and an EXE extension, in the Windows system directory. This file is a copy of the Trojan.
  • 00015522.DLL, in the Windows system directory. This file is a DLL (Dynamic Link Library).
  • 00015522.SYS, in the DRIVERS subfolder of the Windows system directory. This file is a driver that hides the files belonging to the Trojan.

Sikou.A also creates Windows Registry entries.

The Four Pillars of Security

You first suspect that something may be happening to your computer because it is not as fast as it was just a few days back, the programs you usually run are not responding as well as they used to, or your Internet connection is very slow. Anything could be wrong, but you suspect that you may have a virus or that your computer has been invaded by malware which has installed hidden DLLs onto your system.

Probably, your first instinct is to run an anti-virus and an anti-spyware scan. This may yield results, but sometimes malicious programs just don't show up even though you are using the latest and best products on the market. If you still find that your computer is not performing properly, you probably call up Windows Task Manager (CTRL+ALT+DEL) to see whether you can identify any process which looks strange or out of place.

If you do find a suspicious process, Task Manager does not give you any information to help you. By logging on to processlibrary.com you can get this information simply by entering a search query or by looking for the particular process in the directory-style listings found on the website. By following the advice detailed in each process description you can already fine-tune your system or clean up the malicious code. But with what?

Task Manager is limited in this scenario because:

  • It doesn't give you any information that allows you, at a glance, to determine what the various processes are and what they are doing;
  • It does not always show all the processes that are working in the background;
  • IT DOES NOT SHOW YOU MOST OF THE DLLs running on your computer;
  • It does not highlight possible security threats, or harmless processes that are either not being used by the system or redundant;
  • You cannot determine what action to take on legitimate processes;
  • It doesn't give you the full complement of tools for full resource control to improve your system's performance and safeguard completely against existing or new threats. For example, if you found a scheduler left over from previously uninstalled software, Task Manager neither tells you where the scheduler process is located nor lets you deactivate it permanently.
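As an added example (not from the article, and not WinTasks or processlibrary.com code), the PowerShell script below does the one thing Task Manager does not: it walks every process, lists the DLLs loaded into it, and flags modules that sit outside the usual system directories or carry no valid Authenticode signature. The same DLL showing up in many processes at once is the pattern described for Hupigon.BS above. It assumes an elevated PowerShell session on Windows; the function and variable names are ours.

```powershell
# Added example: enumerate loaded DLLs per process and flag the unusual ones.
# Assumption: run as Administrator. Protected processes still refuse module
# enumeration and are reported as "<access denied>" rather than silently skipped.

$systemRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Get-SuspiciousModule {
    [CmdletBinding()]
    param(
        # Processes to inspect; defaults to every process on the machine.
        [System.Diagnostics.Process[]]$Process = (Get-Process)
    )
    foreach ($p in $Process) {
        try { $modules = $p.Modules } catch {
            # Could not read the module list (System, protected or other-bitness process).
            [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Module = '<access denied>'; Reason = 'cannot enumerate modules' }
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $lower   = $path.ToLowerInvariant()
            $reasons = @()
            # A DLL living outside Windows or Program Files deserves a closer look.
            if (-not ($systemRoots | Where-Object { $lower.StartsWith($_) })) { $reasons += 'unusual location' }
            # A module with no valid Authenticode signature is a second signal.
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if ($null -eq $sig -or $sig.Status -ne 'Valid') { $reasons += 'unsigned or invalid signature' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Module = $path; Reason = ($reasons -join '; ') }
            }
        }
    }
}

# Group by module so one DLL injected into many processes rises to the top.
Get-SuspiciousModule |
    Group-Object Module |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Processes'; e = { ($_.Group.Process | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

A kernel driver such as the one Sikou.A installs can hide its files from user-mode enumeration, so an empty result is not proof that nothing is injected; treat the list as a starting point for looking each flagged module up, not as a verdict.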

This is where WinTasks comes in: it gives you a complete overview of all the processes and DLLs running on your computer, together with descriptions of what the processes are, where they are located and whether it is safe to terminate or block them. With this information you can use the full complement of tools in WinTasks to terminate or block unwanted and harmful processes.

Processlibrary.com is the logical development of the information features of WinTasks, and the database of this free online site is used to keep WinTasks continually updated. No two utilities on the market work together in such a way as to give you such a high level of protection and performance.

To combat the dangerous threats to your computer, your data and the DLLs on your computer, you need to:

  • Invest in good anti-virus software.
  • Install anti-spyware software.
  • Try to install a firewall as the third pillar of security.
  • Use processlibrary.com and WinTasks as a fourth component of security.


Copyright © Uniblue Systems Limited 2007. All rights reserved.