Method: Process-Injecting Trojans
Description: Most trojans run in the form of a single, normal process
and typically don't interfere with other processes, but there exists a unique
class of trojans that do interfere with other processes - sometimes with
devastating results. These parasitic trojans are known as Process-Injecting Trojans.
There are many reasons why a trojan might want to inject code or a DLL into
other processes, but two stand out:
- The trojan can execute code in the context of the other process, so
process-monitoring tools (file monitors, registry monitors, firewalls, etc.)
will see the process that was injected into as the one performing the actions,
not the trojan itself. This has been used as a Leaktest method, where a trojan
injects into an application typically trusted by the firewall, such as the web
browser, before attempting to connect out to the Internet in the context of the
web browser.
- The trojan can modify code in the process it has injected into, allowing it to
change the behaviour of existing code as well as add new code. This has been
used by trojans such as Optix Pro, which modify common functions in all
processes on your system in an attempt to make the trojan invisible to those
processes. This is sometimes referred to as user-mode rootkit-style injection.
SOLUTION: DiamondCS ProcessGuard easily prevents injection attacks by securing
the attack vectors used by these trojans to inject their code and/or DLLs.
Trojans use code injection in several ways, either to inject a trojan DLL or to
inject the whole trojan file itself. In the newest trojans the attack vectors
are typically VirtualAllocEx and WriteProcessMemory (direct code injection);
SetWindowsHookEx is used in older DLL injection methods. Once injected, these
trojans use CreateRemoteThread to start the injected code or DLL as a new
thread. The system functions used to inject and then execute code in other
processes are critical: without access to these functions, the trojan is unable
to inject anything.
Brand-new trojans using these methods appear every day, yet all of them fail on a ProcessGuard-protected system, which highlights the usefulness of such a protection system; see the example below.
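As an added example (not part of the original page and not ProcessGuard's own code), the following Python script shows how a defender could recognise the injection sequence described above in an API-call trace. The trace lines, process names and PIDs are constructed for this example; a real monitor would emit its own format.

```python
import re
from collections import defaultdict

# Constructed sample trace (not real log data): caller pid, its image name, the API called, target pid.
TRACE = """\
pid=1234 proc=sample.exe api=OpenProcess target=612
pid=1234 proc=sample.exe api=VirtualAllocEx target=612
pid=1234 proc=sample.exe api=WriteProcessMemory target=612
pid=1234 proc=sample.exe api=CreateRemoteThread target=612
pid=2200 proc=debugger.exe api=WriteProcessMemory target=3001
pid=2200 proc=debugger.exe api=ReadProcessMemory target=3001
pid=4100 proc=hooker.exe api=SetWindowsHookEx target=0
pid=4100 proc=hooker.exe api=CreateRemoteThread target=920
"""

# The direct code-injection chain named on the page, in the order it occurs.
CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
LINE_RE = re.compile(r"pid=(\d+) proc=(\S+) api=(\w+) target=(\d+)")


def parse(trace):
    """Yield (caller_pid, process_name, api, target_pid) for each well-formed line."""
    for line in trace.splitlines():
        if m := LINE_RE.match(line):
            yield int(m[1]), m[2], m[3], int(m[4])


def find_injections(trace):
    """Return findings as (caller_pid, process_name, target_pid, technique)."""
    progress = defaultdict(int)  # (caller, target) -> index of next expected CHAIN api
    findings = []
    for pid, proc, api, target in parse(trace):
        if pid == target:
            continue  # a process allocating or writing its own memory is normal
        key = (pid, target)
        if api == "SetWindowsHookEx":
            # Older DLL-injection method; legitimate apps also set hooks, so lower confidence.
            findings.append((pid, proc, target, "hook-based DLL injection"))
        elif api == CHAIN[progress[key]]:
            progress[key] += 1
            if progress[key] == len(CHAIN):
                findings.append((pid, proc, target, "direct code injection"))
                progress[key] = 0
        elif api == "CreateRemoteThread":
            # Remote thread started without the alloc/write steps being seen first.
            findings.append((pid, proc, target, "remote thread without observed write"))
    return findings


if __name__ == "__main__":
    for pid, proc, target, technique in find_injections(TRACE):
        print(f"{proc} (pid {pid}) -> pid {target}: {technique}")
```

A debugger that only reads and writes another process's memory is deliberately not flagged, because WriteProcessMemory alone does not complete the chain.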
Case Examples:
DID YOU KNOW? Trojans can ONLY be detected if the vendor of your anti-virus/anti-trojan scanner has a sample of the trojan. Unfortunately, this often isn't the case, and you may be infected with a trojan even if your scanner tells you you're clean. Even if you're protected by a firewall, there are many firewall-bypassing and firewall-killing tricks that are commonly used by trojans that effectively render firewalls useless.
THERE IS A SOLUTION. ProcessGuard has unique and powerful capabilities allowing it to intercept process execution, process injection, and a variety of process attacks used by trojans, and this works even if the trojan is new and not detected by any scanners.
As an example, Beast is an extremely popular trojan; there was recently a lot of discussion among security professionals regarding this high-profile trojan. Beast has been heavily distributed in many edited forms (effectively new, undetected variants): the trojan server is modified to bypass detection by antivirus/anti-trojan scanners, or a "private" version of Beast is purchased, which is effectively a new variant that isn't detected by scanners.
To test this, we modified a Beast server in our lab, and within a very short time the file was no longer being detected by 3 major anti-virus scanners and 3 anti-trojan scanners. These modifications are surprisingly easy for hackers to make, and there are tens of thousands of users who discuss this matter on trojan forums and do have a lot of success infecting users. There are tutorials on making undetected trojans, hex-editing existing trojans, and so on, although often the answer given to the user is simply "go purchase an undetected version for $50".
The custom-modified undetectable Beast trojan was still blocked - no other program can offer this level of protection. There were two layers of security in effect here. The first was when the Beast file was initially executed: ProcessGuard intercepted the execution (before any code was allowed to run) and asked if the file should be allowed to execute. We chose Yes (for this test), but usually the user would simply click No, which would prevent the program from executing (and thus prevent any infection). After being allowed to execute, the file then tried to inject into winlogon.exe. ProcessGuard intercepted this and blocked the injection, preventing the trojan from taking hold on the system.
The obvious benefit is that when a new DLL-injecting trojan or rootkit is released (or kept private and never released) you don't need any database update: ProcessGuard blocks the INFECTION METHOD itself. ProcessGuard adds a layer of protection to your system which easily defeats the latest high-tech trojans.
Related websites:
MSDN: WriteProcessMemory
MSDN: VirtualProtectEx
MSDN: CreateRemoteThread
Copyright © 1999 - 2010, Diamond Computer Systems Pty. Ltd. All rights reserved.