TDS-3 & dll injection

Hi, I've just been reading over here:
http://www.abxzone.com/forums/showthread.php?t=80119
about a threat and if you read through the posts, a technique called dll injection is mentioned. In this post, a link to this article is posted which says TDS-3 is poorly equiped to handle this threat:
http://home.arcor.de/scheinsicherheit/dll.htm
I would point out that the article was written in August 2003.

My question, has anything thing been done since then to address this issue?

Cheers - Dave.

 

Forgot the whole discussion about ProcessGuard? Process Guard uses that for Close Message handling.
Also in the DiamondCS forum at the DiamondCS site are several postings about that subject, there are separate tools like APM for that purpose as it is against the principes of DiamondCS to have dll injection automatically in a program, a user has to be in command, like with ProcessGuard and APM.

Among others in this thread (you'll have to join the forum as a member to read it --free)
http://www.diamondcs.com.au/forum/showthread.php?t=1880&highlight=dll injection

 

Hi Jooske, thanks for the quick reply!

I see I've got another weeks worth of reading to do to get some sort of handle on this! I've only just heard of dll injection.

Thus far, would I be correct in saying that TDS-3 DOES NOW detect dll's that have been "injected" but will not remove them? AND that APM is the preferred app to do the removal aspect?

Where does one get APM?

Thanks - Dave.

 

www.diamondcs.com.au on the products page for the free tools!
One needs 2000/nt/xp to be able to use it.
I mean to say: DiamondCS never includes anything into any program we can not control/use ourselves manually, so we have separate tools or programs, like ProcessGuard or this APM tool, etc.
I give you the whole page as there are many more very nice and usefull tools there
Have fun with them!

 

Cheers Jooske, I'm onto it!!

 

Hi wbth, Your best defence against .dll injection would be Process Guard.
The DCS website has some very useful information regarding the new threats here: http://www.diamondcs.com.au/processguard/index.php?page=attacks

HTH Pilli

 

TDS doesnt protect against DLL injection because there's no need to - Process Guard can protect TDS as well as every other process on your system against that, so it'd be a waste of resources and possibly introduce conflicts if TDS protected itself also. So, individual security applications (anti-virus, firewall, etc etc) shouldn't be required to protect themselves - that's the job of process protection systems such as Process Guard.

 

If people are interested in this issue I will probably update the article on DLL injections. This is mainly because a tool has been released which allows script kiddies to statically inject malicious DLLs into trusted host applications. Just a few mouse clicks are necessary...

The tool does not patch a loadlibrary into the host application. By contrast, the IAT is patched. Static DLL injection is more dangerous than dynamic DLL injection since system firewalls like Process Guard, System Safety Monitor or Tiny Personal Firewall are unable to detect statically injected trojan DLLs. You need an AV/AT with a module scanner in order to identify them as malware.

See here for an example: http://home.arcor.de/testbed/ewido.jpg

 

This is the TDS forum, please plug your Ewido program elsewhere, thankyou.

So the 'script kiddie' has to be physically sitting at the victims computer in order to use this attack. And wouldn't you also need to TERMINATE the process before you can modify its file? The termination would be blocked by Process Guard.

To patch the IAT you need to modify the file. As soon as it executes, Process Guard will alert you that the file has changed, so you can block the execution.

Like TDS3, which lets you scan process, modules, mutexes, drivers, and everything else in memory.

Best regards,
Wayne