Windows Flaw Corrected Years Ago Is Still Exploited by Hackers

Microsoft fixed a security flaw in 2013, but it has resurfaced. At issue: the Windows DLL (Dynamic Link Library) signature system. To top it off, hackers are exploiting this loophole to deliver one of the worst pieces of banking malware, Zloader.

In a 2013 security bulletin, Microsoft declared that it had corrected a security flaw concerning its DLLs, which allowed a hacker to take complete control of the machine. We thought this Windows threat was definitively behind us, but it has resurfaced almost a decade later.

Security researchers at Check Point made this discovery: the flaw is still being exploited because its fix is not activated by default. And as hackers' techniques have evolved, they now take the opportunity to pair it with the Zloader banking malware. Last November, Check Point was able to list nearly 2,200 victims in 111 countries, all of which have one thing in common: Zloader was installed because of the DLL flaw.

The Windows DLL Flaw Had Been Corrected, However

DLLs are to Windows what pumpkins are to Halloween: they are essential for the proper functioning of the system and its applications. They are present in all versions of the OS, from its creation in 1985 until the very recent Windows 11 released last year. But to avoid any attempt to hijack the DLLs of a Windows PC, Microsoft digitally signs each of them. In theory, therefore, they are inviolable.

However, a succession of flaws concerning the signatures of DLLs called everything into question a few years ago. They are known as CVE-2020-1599, CVE-2013-3900, and CVE-2012-0151, and Microsoft did manage to fix them. But although the maker of Windows quickly found a way to close the hole in 2013, it felt that it was better to find another solution, even if that meant deactivating the patch by default in 2014 because "its impact on applications could be high"!

Hackers have therefore come back to the DLL flaw and are at it again. They do this by injecting a malicious script into the DLL file without affecting the signature assigned by Microsoft. And they take the opportunity to spread the Zloader banking malware on their victims' computers, malicious software that had already resurfaced last August.

Once installed, the malware modifies Windows Defender preferences and patches the registry. The attacker then has complete access to the system and can download or retrieve any file, run scripts, etc. Suffice it to say that they can do absolutely anything they want with the data on the compromised PC.

The Method Used to Spread the Malware Could Spread Like Wildfire

"When you see a signed DLL file, you're pretty sure you can trust it, but it shows that you don't always," says Kobi Eisenkraft, malware researcher at Check Point. "I think we will see more and more of this method of attack." According to Check Point, the malware distribution campaign has many similarities to that of MalSmoke, which took place in 2020.

"We have a fix, but no one is using it," says Kobi Eisenkraft. "Therefore, a lot of malware could attack businesses and personal computers using this method." Check Point therefore recommends applying the update from Microsoft, which enables strict checking of DLLs and Authenticode.

Here's how to go about it if you want to install the fix:

Open Windows Notepad and copy and paste the following lines:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

  • Save the file: name it whatever you like, but give it the extension .reg (rather than .txt).
  • Run it. The file will then patch the Windows registry.

Note that with the fix enabled, some signatures, however legitimate, may appear to be invalid. This doesn't seem to apply to significant applications, however.
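To check whether the fix is active on a machine, and optionally apply it, the same two registry values can be read from PowerShell. This is an added example, not part of the original article or of Microsoft's guidance; the -Fix switch and the Get-PaddingCheckState function are hypothetical names, and the script assumes an elevated 64-bit PowerShell session.

```powershell
# Added example: audit (and with -Fix, set) EnableCertPaddingCheck in both registry views.
# -Fix and Get-PaddingCheckState are names invented for this sketch.
param([switch]$Fix)

$Name  = 'EnableCertPaddingCheck'
$Paths = @('HKLM:\Software\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    # The 32-bit view only exists on 64-bit Windows.
    $Paths += 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

function Get-PaddingCheckState {
    param([string]$Path)
    # A missing key or value means the strict check is off, which is the default.
    $item  = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$Name } else { $null }
    [pscustomobject]@{
        Path    = $Path
        Value   = $value
        Enabled = ("$value" -eq '1')   # matches the string "1" or a numeric 1
    }
}

$results = foreach ($path in $Paths) {
    $state = Get-PaddingCheckState -Path $path
    if ($Fix -and -not $state.Enabled) {
        # Write the same value as the .reg file: the string "1" under Wintrust\Config.
        if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $Name -Value '1' -PropertyType String -Force |
            Out-Null
        $state = Get-PaddingCheckState -Path $path
    }
    $state
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a management tool flag hosts where the check is still off.
if ($results.Enabled -contains $false) { exit 1 }
```

Run without arguments, it only reports the current state; nothing is written unless -Fix is given.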
