M-unition reposts their concept of using DLL order hijacking for malware persistence

01 Sep 2010

M-unition (Mandiant's blog) wrote a new post to differentiate their concept of DLL order hijacking for malware persistence from the DLL order hijacking for initial execution that has been hitting the nets lately. The take-away is that tools like Autoruns from Sysinternals aren't useful for finding even simple-to-write malware if it takes advantage of this technique. Just trojan a DLL, or write a DLL that passes its calls through to the real DLL, and your DLL gets execution for your malware code. There are MANY ways of getting execution; you don't have to get it from the registry Run key or other common spots in the registry. This is further proof that white-listing is the way to go.
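Since Autoruns only walks registry and start-up locations, the place a planted DLL does show up is the list of modules each process actually loaded. The script below is an added example (not code from the M-unition post or from Mandiant) of that check: it reads a constructed tab-separated inventory of `pid, image, loaded DLL path` records, flags any DLL whose name is on a reference list of system DLLs but which resolved outside the system directory, and separately flags any DLL name that resolved to more than one directory across processes. The inventory, the reference list and the record format are all assumptions made for this example.

```python
"""Triage a loaded-module inventory for DLL search-order hijacking candidates.

Added example, not code from the M-unition post or from Mandiant. The input
format is constructed for this example: one tab-separated "pid, image, dll
path" record per line, the kind of listing a ListDLLs export or a
memory-forensics module list could be reduced to.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which a system DLL is expected to be loaded (lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed reference set: DLL names that should normally resolve to the
# system directory. In practice this would be generated from a clean build.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptsp.dll"}

# Constructed sample inventory; process 2048 has a copy of version.dll sitting
# in its own application directory, which the loader finds before System32.
SAMPLE_INVENTORY = "\n".join([
    "1000\tC:\\Windows\\System32\\svchost.exe\tC:\\Windows\\System32\\version.dll",
    "1000\tC:\\Windows\\System32\\svchost.exe\tC:\\Windows\\System32\\cryptsp.dll",
    "2048\tC:\\Program Files\\ExampleApp\\app.exe\tC:\\Program Files\\ExampleApp\\version.dll",
    "2048\tC:\\Program Files\\ExampleApp\\app.exe\tC:\\Windows\\System32\\dwmapi.dll",
    "2048\tC:\\Program Files\\ExampleApp\\app.exe\tC:\\Program Files\\ExampleApp\\applib.dll",
])


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    dll_path: str
    reason: str


def parse_inventory(text):
    """Yield (pid, image, dll_path) tuples, skipping blank and comment lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pid, image, dll = line.split("\t")
        yield int(pid), image, dll


def directory_of(path):
    """Lower-cased parent directory of a Windows path (works off-Windows too)."""
    return str(PureWindowsPath(path).parent).lower()


def find_hijack_candidates(text, known=KNOWN_SYSTEM_DLLS):
    """Flag system-DLL names that resolved somewhere other than the system directory."""
    findings = []
    for pid, image, dll in parse_inventory(text):
        name = PureWindowsPath(dll).name.lower()
        if name in known and directory_of(dll) not in SYSTEM_DIRS:
            findings.append(Finding(
                pid, image, dll,
                f"{name} loaded from {directory_of(dll)} instead of the system directory"))
    return findings


def find_inconsistent_resolutions(text):
    """Return DLL names that resolved to more than one directory across processes.

    This needs no reference list: the same name landing in two places is
    itself worth a look and a good pivot for hashing and comparing both files.
    """
    seen = defaultdict(set)
    for _pid, _image, dll in parse_inventory(text):
        seen[PureWindowsPath(dll).name.lower()].add(directory_of(dll))
    return {name: dirs for name, dirs in seen.items() if len(dirs) > 1}


if __name__ == "__main__":
    for f in find_hijack_candidates(SAMPLE_INVENTORY):
        print(f"pid {f.pid} ({f.image}): {f.reason}")
    for name, dirs in find_inconsistent_resolutions(SAMPLE_INVENTORY).items():
        print(f"{name} resolves to {len(dirs)} directories: {sorted(dirs)}")
```

On the sample data the first check reports only the `version.dll` beside `app.exe`, and the second reports `version.dll` as resolving to two different directories; `applib.dll` is not flagged because it is the application's own library and nothing else claims that name. The reference list is the weak point of the first check (it has to be maintained from known-good hosts), which is why the second, list-free check is worth running alongside it.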