A critical DLL signature flaw fixed years ago is still being exploited by hackers

Microsoft fixed this security flaw in 2013, yet it is back. At issue is the way Windows verifies the digital signatures of DLLs (Dynamic Link Libraries) and other executables. Worse, attackers are combining the loophole with one of the most notorious pieces of banking malware, Zloader.


In a security bulletin from 2013, Microsoft said it had fixed a flaw in the way Windows validates the signatures on its DLLs, a weakness that let an attacker take full control of a machine. The threat was thought to be behind us, yet it resurfaces almost a decade later.

Security researchers at Checkpoint made the discovery: the flaw is still exploitable because its fix is not enabled by default. Attackers' techniques have evolved, and they now pair it with the Zloader banking malware. In November alone, Checkpoint counted nearly 2,200 victims in 111 countries, all with one thing in common: Zloader was installed by abusing the DLL signature flaw.

The Windows DLL flaw had, however, been corrected

DLLs are to Windows what pumpkins are to Halloween: essential to the proper functioning of the system and its applications. They have been present in every version of the OS, from its creation in 1985 to Windows 11, released last year. To prevent tampering, Microsoft digitally signs each of its own DLLs (with Authenticode); in theory, a modified file no longer passes signature verification.

Yet a series of signature-verification flaws, tracked as CVE-2012-0151, CVE-2013-3900 and CVE-2020-1599, called that guarantee into question a few years ago, even though Microsoft did correct them. The twist: although the company shipped a fix for CVE-2013-3900 in 2013, it decided in 2014 not to turn the stricter check on by default, because "its impact on applications could be high". The fix therefore only protects machines where an administrator has explicitly enabled it.


Attackers have therefore returned to the DLL flaw. They append a malicious script to a Microsoft-signed DLL without invalidating Microsoft's signature: the appended bytes sit inside the file's Authenticode certificate table, which is excluded from the hash the signature covers, and without the stricter padding check Windows does not object to the extra data. They use this to deliver the Zloader banking malware, which had already resurfaced last August.
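To see what that appended data looks like at the file level, here is an added example (written for this article; it is not Checkpoint's tooling or anything from the original page). The script locates a PE file's Authenticode certificate table, measures the DER-encoded PKCS#7 signature inside it, and reports any bytes that follow the signature beyond the normal 8-byte alignment padding, which is exactly the space the appended script occupies. The sample "DLL" it analyses is a constructed minimal PE32+ skeleton with a fake signature blob (only the outer DER tag and length are meaningful), not a real signed file; the names build_sample_pe, check_cert_padding, CLEAN_DLL and TAMPERED_DLL are this example's own.

```python
"""Flag data smuggled after the Authenticode signature of a PE file.

Added example for this article, not Check Point's or Microsoft's code. The hash
an Authenticode signature covers excludes the certificate table, so bytes
appended inside that table leave the signature valid; Windows only rejects them
once EnableCertPaddingCheck is set. This script spots such bytes offline.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, num_dirs_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return None
    # Unlike other directories, the security entry holds a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, entry)
    return (offset, size) if offset and size else None


def der_element_length(buf):
    """Total length (tag + length octets + content) of the DER SEQUENCE at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE (PKCS#7 SignedData)")
    first = buf[1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_cert_padding(pe):
    """Report bytes in the certificate table that follow the PKCS#7 blob."""
    loc = security_directory(pe)
    if loc is None:
        return {"signed": False, "excess_bytes": 0, "excess_nonzero": False}
    off, size = loc
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected certificate type 0x%x" % cert_type)
    if dw_length > size or off + dw_length > len(pe):
        raise ValueError("WIN_CERTIFICATE length exceeds table or file")
    body = pe[off + 8:off + dw_length]       # everything after the 8-byte header
    pkcs7_len = der_element_length(body)
    trailing = body[pkcs7_len:]
    allowed_pad = (-pkcs7_len) % 8           # entries are padded to 8-byte boundaries
    return {
        "signed": True,
        "pkcs7_bytes": pkcs7_len,
        "excess_bytes": max(0, len(trailing) - allowed_pad),
        "excess_nonzero": any(trailing),     # legitimate padding is all zeros
    }


def build_sample_pe(cert_body):
    """Constructed minimal PE32+ image whose only meaningful content is a
    certificate table holding cert_body (the bytes after the WIN_CERTIFICATE header)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8                    # PE32+ fixed part + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    headers_end = e_lfanew + 4 + 20 + opt_size
    cert_off = (headers_end + 7) & ~7          # table must be 8-byte aligned
    dw_length = (8 + len(cert_body) + 7) & ~7  # WIN_CERTIFICATE rounded up to 8
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, dw_length)
    pe = bytearray(dos + b"PE\0\0" + coff + bytes(opt))
    pe += b"\0" * (cert_off - len(pe))
    pe += struct.pack("<IHH", dw_length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    pe += cert_body
    pe += b"\0" * (cert_off + dw_length - len(pe))
    return bytes(pe)


# Constructed stand-in for a PKCS#7 SignedData blob: a 31-byte DER SEQUENCE.
# Only the outer tag/length matter to the check; it is not a real signature.
FAKE_PKCS7 = b"\x30\x1d" + b"\xa5" * 29
# Constructed stand-in for an attacker's appended script (16 bytes).
APPENDED_SCRIPT = b"calc.exe payload"

CLEAN_DLL = build_sample_pe(FAKE_PKCS7)
TAMPERED_DLL = build_sample_pe(FAKE_PKCS7 + APPENDED_SCRIPT)

if __name__ == "__main__":
    # Pass a real PE path to analyse it; with no argument, the tampered sample is used.
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else TAMPERED_DLL
    print(check_cert_padding(target))
```

On the constructed samples the clean file reports no excess bytes, while the tampered one reports the 16 appended bytes as excess and non-zero. This is an offline approximation of what the stricter check in WinVerifyTrust rejects, useful for triaging a suspicious signed file on any platform; it does not validate the signature itself, so it complements rather than replaces enabling EnableCertPaddingCheck on Windows.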

Once installed, the malware modifies Windows Defender preferences and edits the registry. The attacker then has full access to the system and can download or exfiltrate any file, run scripts, and so on. In short, they can do whatever they want with the data on the compromised PC.

The method used to spread the malware could catch on like wildfire

“When you see a signed DLL file, you’re pretty sure you can trust it, but it shows that you don’t always,” says Kobi Eisenkraft, malware researcher at Checkpoint. “I think we will see more and more of this method of attack.” According to Checkpoint, the malware distribution campaign has many similarities to that of MalSmoke, which took place in 2020.

“We have a fix, but no one is using it,” says Kobi Eisenkraft. “Therefore, a lot of malware could attack businesses and personal computers using this method.” Checkpoint therefore recommends applying Microsoft's fix, which enables strict Authenticode signature verification for DLLs and other executables.

Here is how to go about it if you want to enable the fix in question (the registry values below are the ones from Microsoft's advisory for CVE-2013-3900):

  • Open Windows Notepad and paste the following lines exactly, backslashes and quotes included; the first line tells Registry Editor that the file is a registry script:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

  • Save the file with the extension .reg (rather than .txt); the name itself does not matter.
  • Double-click it and confirm the prompt. Administrator rights are needed, because the keys live under HKEY_LOCAL_MACHINE. The two string values are written to the registry and the stricter check is enabled; the second key, under Wow6432Node, covers 32-bit applications on 64-bit Windows.
  • Note that some signatures, although legitimate, may now be reported as invalid, because the tool that signed the file left extra data in the signature block. This does not appear to affect major applications. To return to the previous behaviour, set the value back to "0".

Source: Wired
