It always seems to be a cat-and-mouse game: a new variant of the PoisonIvy RAT is using an interesting technique to evade detection, researchers said.

The sample, detected as BKDR_POISON.BTA, abuses the VMware Network Install Library Executable (vnetlib.exe) to get itself loaded, said researchers at Trend Micro.

When vnetlib.exe executes, it loads a DLL file called newdev.dll. However, since PoisonIvy also disguises itself as newdev.dll, the malware loads instead of the legitimate file.

Once loaded, the threat creates registry entries to make sure it executes on every startup. In addition, it injects itself into a web browser process so that it can bypass firewalls.

The loading technique, also known as a DLL preloading attack or binary planting, is also in use by another known RAT, PlugX.
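As an added defender-side example (not code from the original article or from Trend Micro), the check below walks a directory tree for copies of a system DLL name such as newdev.dll that sit outside the Windows system directories beside an executable, and reports any whose hash differs from the trusted system copy; the watchlist, the directory layout and the sample file contents are constructed assumptions.

```python
"""Flag DLL-preloading candidates: a system DLL name planted outside the system dirs."""
import hashlib
import os
import tempfile
from pathlib import Path

WATCHED_DLLS = {"newdev.dll"}  # assumed watchlist: the DLL name from the write-up

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_planted_dlls(scan_root: Path, system_dir: Path) -> list[dict]:
    """Report watched DLL names outside system_dir whose hash differs from
    the trusted copy; .exe files in the same folder are candidate loaders."""
    trusted = {n: sha256_of(system_dir / n)
               for n in WATCHED_DLLS if (system_dir / n).is_file()}
    system_dir = system_dir.resolve()
    findings = []
    for dirpath, _dirs, files in os.walk(scan_root):
        d = Path(dirpath).resolve()
        if d == system_dir or system_dir in d.parents:
            continue  # trusted location, not a planting site
        by_lower = {f.lower(): f for f in files}
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for name in WATCHED_DLLS & set(by_lower):
            dll_path = d / by_lower[name]
            digest = sha256_of(dll_path)
            if trusted.get(name) == digest:
                continue  # byte-identical to the system copy: benign
            findings.append({"dll": str(dll_path), "sha256": digest,
                             "co_located_exes": exes})
    return findings

def demo() -> list[dict]:
    """Constructed sample tree (no real binaries): a fake System32 with the
    genuine newdev.dll, and an app folder where vnetlib.exe sits beside a
    different newdev.dll, the layout described in the write-up."""
    root = Path(tempfile.mkdtemp())
    sysdir = root / "Windows" / "System32"
    appdir = root / "Program Files" / "VMware"
    sysdir.mkdir(parents=True)
    appdir.mkdir(parents=True)
    (sysdir / "newdev.dll").write_bytes(b"genuine newdev.dll (constructed)")
    (appdir / "vnetlib.exe").write_bytes(b"MZ vnetlib loader (constructed)")
    (appdir / "newdev.dll").write_bytes(b"planted payload (constructed)")
    return find_planted_dlls(root, sysdir)
```

On a real host, point scan_root at application directories and system_dir at the actual System32, and treat each finding as a lead to verify (publisher signature, file version) rather than a verdict.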
