I was reading two security blog posts recently from security vendors which seemed a little “off”:
The first one was from Avira talking about a great new feature: as I understand it, in the new version of their product, if an application is permitted by the firewall's Application rules, the Port rules are not checked. So my thought was: long live the injected DLLs.
The second one was from ThreatExpert. The post is somewhat murky and self-contradicting. As I understand it, it says that Conficker uses two separate methods of injecting DLLs, neither of which is particularly new (in fact the first one is very old). This seems to be stupid, since why would it inject multiple copies of the DLL into the same process? I'm not saying that malware doesn't have bugs (in fact most of them have a lot of bugs), but my hunch is that the analyst missed a conditional jump somewhere (i.e. the second method is called only if the first one fails, for example).
PS: I would have left a comment on their blog asking for clarification, but they didn't enable comments. A blog with a partial feed and/or no commenting facility is not a blog!
Image taken from DeclanTM’s photostream with permission.