On July 15, August 23, Microsoft released Security Bulletin 2269637, announcing that DLL files not written to standard may lead to the execution of arbitrary programs, including viruses and Trojans. A Kingsoft Antivirus security expert said that a running program searches the current path and the system path for files with the .dll extension. If a library file has defects such as not being written to standard, Trojans and other malicious programs may be loaded. It is reported that this vulnerability may exist in multiple versions from Windows XP to Windows 7, and third-party applications may also be exploited.
The Microsoft Security Bulletin states that this vulnerability may exist in multiple versions from Windows XP to Windows 7, and that third-party applications may also be exploited. Attackers can exploit this vulnerability by creating special programs or documents. If a user with administrative permissions opens these special files, the computer may be fully controlled by attackers.
Currently, the attack code has been published on the Internet, and hackers can create attack programs based on it. Testing by the Kingsoft Antivirus security lab determined that these vulnerabilities are quite serious. Wireshark, Windows Live email, Microsoft MovieMaker, Firefox, uTorrent, and PowerPoint are known to be exploitable in this way.
As demonstrated, an attacker constructs a plugin_dll.dll with the hidden attribute set and places it in the same path as a BT seed (torrent) file. When the user double-clicks the seed file to start a BT download, the calculator program is launched. A real attacker would of course launch a harmful program directly rather than an interactive calculator.
In the same way, hackers can construct a pptimpconv.dll file and package it with a PPT file. When the user opens the PPT file, the specified attack program runs in the background.
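Both demonstrations above depend on a DLL sitting in the same folder as a document the user opens. The following check is an added example, not part of the original article or of any Kingsoft or Microsoft tool: it walks a folder tree and reports every DLL that shares a folder with a torrent or PowerPoint file. The extension list, function names, and sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Document types from the article's two demonstrations (torrent and PowerPoint
# files). Assumption of this example: extend the set for other applications.
DOCUMENT_EXTS = {".torrent", ".ppt", ".pptx"}


def is_hidden(path):
    """True if the Windows 'hidden' attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_colocated_dlls(root):
    """List every DLL that shares a folder with a document under root."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        docs = sorted(f for f in files if Path(f).suffix.lower() in DOCUMENT_EXTS)
        if not docs:
            continue  # DLLs in folders without documents are out of scope here
        for name in files:
            if Path(name).suffix.lower() == ".dll":
                full = os.path.join(folder, name)
                findings.append({
                    "dll": Path(full).relative_to(root).as_posix(),
                    "hidden": is_hidden(full),
                    "documents": docs,
                })
    return sorted(findings, key=lambda f: f["dll"])


def scan_constructed_sample():
    """Build a constructed folder tree (empty placeholder files) and scan it."""
    layout = [
        "downloads/movie.torrent", "downloads/plugin_dll.dll",
        "slides/talk.ppt", "slides/pptimpconv.dll",
        "clean/report.ppt",                       # document with no DLL beside it
        "program/app.exe", "program/helper.dll",  # ordinary install folder
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in layout:
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.touch()
        return find_colocated_dlls(root)
```

A DLL reported here is not necessarily malicious, but a library next to a downloaded document, especially a hidden one, deserves inspection before the document is opened.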
According to an analysis by the Kingsoft Antivirus security lab, this vulnerability exists in a wide range of third-party software in addition to Windows systems. Last week's digital theft virus maliciously exploited a DLL file in a way similar to this vulnerability. It is recommended that software developers check their own DLL programs for risks by referring to the official Microsoft MSDN documentation.
The Kingsoft Antivirus security lab will pay close attention to the progress of the vulnerability. Users can use Kingsoft Guard to fix the vulnerability and the Kingsoft Antivirus 2011 security package to improve system security.
References:
http://www.exploit-db.com/exploits/14723/
http://www.exploit-db.com/exploits/14726/
http://www.theregister.co.uk/2010/08/24/windows_dll_casualties/
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
Special thanks:
A rust sword
This article is from the "anti-virus circle" blog, please be sure to keep this source http://litiejun.blog.51cto.com/134711/384354