Sunday, March 18, 2012

Remote Attacks

Local attacks assume that attackers can access the local file
system on a victim host, while remote attacks assume that
attackers can only send data to the victim user.

1) Local attacks: As we mentioned in Section II, unsafe
DLL loading can be performed by placing a file with the
specified name in the DLL-hijacking directories. To exploit
this security vulnerability for local attacks, attackers require
write permission to the DLL-hijacking directory. According to
Table V and Table VI, most of the directories are not writable
by non-admin users. Therefore, if attackers do not have
administrator privilege, most local attacks can be prevented.
However, according to Microsoft [40], most Windows users
run with administrative privilege. Because of this fact, unsafe
DLL loadings should still be considered serious security
issues.

2) Remote attacks: To accomplish remote attacks exploiting unsafe component loadings, attackers need to place malicious files in the DLL-hijacking directories from remote sites. However, accessing the file system of a remote host is generally prohibited. For example, the system directory is not accessible remotely unless the directory is shared to the remote user or the system is exploited through other vulnerabilities to enable this. Because of the difficulty of remote exploitation, unsafe component loadings have not been considered serious security threats. However, as we mentioned in Section II-C, several remote attack vectors based on unsafe component loading have been discovered recently.

To find remote attacks on Microsoft Windows, we focus on unsafe DLL loadings caused by the following three conditions: resolution failure, filename specification, and standard or alternate search order. According to the directory search orders discussed in Table II, this type of unsafe DLL loading makes the OS check the current directory (corresponding to “.”) during DLL resolution. In this case, the directory may be writable from the remote site because of software malfunctions.
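As an added example (not code from this post or from the paper it quotes), the following model of the Windows DLL search order reports when resolving a DLL name would probe the current directory before a legitimate copy is found, which is the condition the paragraph above describes. The directory layout, the application directory and the DLL names are constructed sample data; the search order itself follows the documented standard order, with SafeDllSearchMode moving "." from fifth to second place when disabled.

```python
# Added example: audit DLL names against the Windows search order and flag those
# whose resolution would reach the current directory (".") before a hit.
# All paths and file sets below are constructed sample data, not a real system.

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Return the directories probed, in order, for a name with no path given."""
    if safe_dll_search_mode:
        # Default on modern Windows: "." is probed only after the system dirs.
        return [app_dir] + SYSTEM_DIRS + [cwd] + path_dirs
    # SafeDllSearchMode disabled: "." is probed right after the application dir.
    return [app_dir, cwd] + SYSTEM_DIRS + path_dirs


def resolve(dll_name, order, files, cwd):
    """Walk `order` and report where `dll_name` resolves.

    files maps a directory to the set of lower-cased file names present there.
    The load is hijackable from cwd when "." is probed before the hit (or the
    DLL is never found at all, i.e. a resolution failure), because a file
    placed there would then be loaded instead of the legitimate one.
    """
    name = dll_name.lower()
    probed = []
    for directory in order:
        probed.append(directory)
        if name in files.get(directory, set()):
            hijackable = cwd in probed
            reason = "loaded from cwd" if directory == cwd else (
                "cwd probed before hit" if hijackable else "safe")
            return {"resolved": directory, "hijackable_from_cwd": hijackable,
                    "reason": reason}
    return {"resolved": None, "hijackable_from_cwd": True,
            "reason": "resolution failure: every searched directory probed"}


def audit(dll_names, order, files, cwd):
    """Return the subset of dll_names whose load is hijackable from cwd."""
    return [n for n in dll_names
            if resolve(n, order, files, cwd)["hijackable_from_cwd"]]


# Constructed sample layout: a viewer application and a user's download folder.
APP_DIR = r"C:\Program Files\Viewer"
CWD = r"C:\Users\alice\Downloads"
SAMPLE_FILES = {
    APP_DIR: {"viewer.exe", "render.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "dwmapi.dll"},
}

if __name__ == "__main__":
    order = search_order(APP_DIR, CWD, [])
    for dll in ["render.dll", "dwmapi.dll", "webinfo.dll"]:
        print(dll, resolve(dll, order, SAMPLE_FILES, CWD))
```

Run it with `safe_dll_search_mode=False` to see how a DLL that is perfectly safe under the default order (found in System32) becomes hijackable once "." is probed ahead of the system directories.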



The purpose of many rogue programs is to cause your computer to yield information for a hacker's benefit. They can force visits to undesirable sites or aggressively reset your home page, so that the program author is paid a few cents for every hit you make to certain web sites. They can cause relentless pop-ups to invade your system, generating additional income for the author if you visit those sites.

To achieve these goals, it is necessary for those programs to be constantly running once they have been installed on your hard disk. A common way of doing this is by starting the program from certain registry keys which are actioned during system boot-up.

Keys which can do this are displayed on the View Registry Run Keys form. If you are not confident editing the registry, you can simply quarantine values of which you are suspicious. This allows you to restore them later if you wish. It is the safest way to experiment with registry run values.

Amongst the files you should be suspicious of are executables of the form "xxxxxx32.exe" which are in the Windows or system directory and are called at startup. You should also be suspicious of DLLs which are run at startup in association with RUNDLL32.exe (please note: Rundll32.exe is a legitimate Microsoft file). For example, "Rundll32 Webinfo.dll" is probably a rogue value which you should quarantine.



DANIEL S. ABRAHAMIAN
EXPOSES REMOTE ATTACKS
FEELMYFLAME

1 comment:

  1. I found this blog by investigating files and content on my Pavilion g7 which someone other than me has remote control over. Not only do I want my computer back... I want to know who and where it comes from. I suspect someone and would love to prosecute for theft and whatever it is they are using MY computer for. I just don't have enough knowledge to know how or if that is even possible. I bought it in July 2011 and never was able to make a rescue disk or a restricted user account. I don't even know which account out of all the users on this computer is really mine... I cannot even turn on the guest account. (BTW, I am the only person who uses it.) Please... can you direct me to the best solution?