DLL Hijacking: When computers are helpless

Assaid Ayoub
Nov 4, 2018 · 3 min read

If you’ve stumbled someday upon suspicious behavior in your browser:

  1. Messy Popups
  2. Rogue ads
  3. Slow Browser

I feel your pain. If you haven’t yet, congratulations on being safe and savvy!

To make it worse, these symptoms appear as soon as you open up your browser. Moreover, your browser might launch automatically at startup leaving you confused as to who’s in charge of your computer.

Chances are, your computer is infected with a malicious DLL.

I got one word for you: Freeware!

You probably think the internet is a paradise of resources that are one Google search away, until you’re faced with a Pandora’s box of malware hidden inside the freeware that you’ve willingly installed on your computer.

[Image: Epimetheus opening Pandora’s box]

Most of the time your freeware will ask, during installation, for elevated privileges through UAC (User Account Control). Unaware of any risks, you might confirm this request.

This allows the installer to write files anywhere on your system: your freeware will work fine, but it brings additional files along with it, in this case into your browser’s directory.

These files can be in the form of a DLL (Dynamic-Link Library), a file that programs load to reuse pre-existing functions instead of hard-coding every possible function from scratch.

As it turns out, browsers try to load some DLLs at startup that are not present on the system, and Windows searches for a missing DLL in a fixed order that begins with the application’s own directory. This can be exploited by an attacker using these steps:

  1. Create a malicious DLL (adware, spyware…) that has the name of a missing DLL for a popular browser (See Chrome’s case here)
  2. Create a freeware that hosts the DLL and upload it into a website or a social network platform
  3. Wait for people to download and install it
  4. The freeware will put the malicious DLL into your browser’s directory
  5. Your browser will look for this DLL at each startup and load it

Adware is only one form of the harm this can bring: the attacker can attach virtually any payload to your computer, including remote access through a reverse connection initiated from your machine.

But wait, what about my Antivirus?

Sure, you probably have an antivirus with up-to-date virus definitions. However, this can’t always stop the DLL, as malware authors use different techniques to hide the malware’s signature.

What can I do to avoid being infected?

  1. Pay attention to the features you tick when installing freeware, and go through the advanced installation options to verify every one of them.
  2. Get suspicious if additional components are offered, such as toolbars or plugins.
  3. Avoid downloading freeware that doesn’t seem to have an official website maintaining it.
  4. Invest in a complete commercial version of a well-reviewed antivirus that includes in-memory scans and rootkit protection (you can compare AV products here).

What can I do if I am already infected?

  1. Don’t panic.
  2. Avoid entering any credentials in your browsers and desktop applications.
  3. Enable viewing of hidden files and folders.
  4. Download Sysinternals’ sigcheck tool and use it to search for unsigned DLLs in your browser’s directories (locate the directory by viewing the properties of your browser’s shortcut).
  5. Any unsigned DLL should raise suspicion immediately.
  6. Copy these unsigned DLLs somewhere else (so they can be analysed or restored later), then remove them.
  7. Restart the browser. If the symptoms are gone, then you’ve done well!
  8. If nothing changes, try installing an anti-malware solution and run a full scan.
  9. Finally, if nothing works, seek the help of a professional or post your question in a support forum to get personalized assistance.
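Steps 4 to 6 can be scripted. The PowerShell script below is an added example, not part of the original post: it resolves the browser directory from a shortcut, checks the Authenticode signature of every DLL underneath it with the built-in Get-AuthenticodeSignature cmdlet (used here as an alternative to sigcheck, which the article recommends), lists anything that is not validly signed together with its last-modified time, and copies the suspects to a quarantine folder before anything is deleted. The shortcut path and quarantine folder are placeholders you should adjust.

```powershell
# Added example: find DLLs in a browser's install directory that are unsigned or
# whose signature no longer matches the file, then quarantine a copy of each.
# The two paths below are placeholders, not values from the article.
param(
    [string]$ShortcutPath = "$env:USERPROFILE\Desktop\Google Chrome.lnk",  # placeholder
    [string]$Quarantine   = "$env:USERPROFILE\Desktop\DLL-Quarantine"      # placeholder
)

# Step 4: locate the browser directory from the shortcut's target, the same
# information shown under "Properties" of the shortcut.
$shell      = New-Object -ComObject WScript.Shell
$target     = $shell.CreateShortcut($ShortcutPath).TargetPath
$browserDir = Split-Path -Parent $target
Write-Host "Scanning $browserDir"

# Check every DLL under the directory. Status is 'Valid' for a good embedded
# signature; 'NotSigned' or 'HashMismatch' are the cases worth looking at.
$suspects = Get-ChildItem -Path $browserDir -Filter *.dll -Recurse -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Status   = $sig.Status
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Modified = $_.LastWriteTime   # a file dropped recently stands out against the install
        }
    } |
    Where-Object { $_.Status -ne 'Valid' }

if (-not $suspects) {
    Write-Host "No unsigned or invalidly signed DLLs found."
    return
}

# Step 5: show the suspects for review.
$suspects | Format-Table -AutoSize

# Step 6: keep a copy before removing anything. Deletion stays manual so the
# list can be reviewed first; uncomment Remove-Item once the copy is confirmed.
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
foreach ($s in $suspects) {
    Copy-Item -Path $s.Path -Destination $Quarantine
    # Remove-Item -Path $s.Path
}
```

Two caveats. Get-AuthenticodeSignature only checks embedded signatures, so a DLL signed through a Windows catalog file shows up as NotSigned; browser binaries are normally embedded-signed, so for this scenario the check is adequate, but verify any hit against the vendor before deleting. If you prefer the tool the article names, the equivalent listing is `sigcheck -accepteula -nobanner -e -s -u <browser directory>`, where `-u` limits the output to unsigned files.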

Hope this helps!

For those who’re willing to dive into the more technical details on how this works, you can check out this tutorial and test it on your own lab.

Feel free to share your personal experience on this subject on the comments below.
