Mitigating DLL Hijacks Revealed in Vault 7/Fine Dining With The Platform

Submitted by John T. Haller on March 13, 2017 - 10:57pm

Over the past few days, Wikileaks posted a series of documents purported to be from the CIA in a dump of files dubbed "Vault 7". Within those documents are references to a project called "Fine Dining", which details how a field agent can alter their own software on a portable device to add functionality for spying and other covert activities while the software still appears innocuous to anyone who happens to see the agent using it. The process is described well in a Q&A by Sophos.

List of Affected Software

The list of affected software includes VLC Player Portable, Irfan View, Chrome, Opera, Firefox, ClamWin, Kaspersky TDSS Killer, McAfee Stinger, Sophos Virus Removal Tool, Thunderbird, Opera Mail, Foxit Reader, LibreOffice, Prezi, BabelPad, Notepad++, Skype, Iperius Backup, Sandisk Secure Access, U3 Software, 2048, LBreakout2, 7-Zip Portable and Portable Linux CMD Prompt. Some Launchers are also affected by these techniques.

How The Vulnerability Is Exploited

In most affected apps, the app itself is vulnerable. Thunderbird, for example, will load an attacker-supplied DLL if one with a specific name is placed in a specific location that the app searches. Opera Mail is vulnerable to having one of its built-in DLLs replaced with a modified copy. When the base app loads the field agent's DLL, the DLL does whatever it is coded to do (copy files, listen in on network traffic, etc.) while the base app continues working as usual, allowing the agent to play a game, check their email, or browse the web. The leaked documents detail which specific DLLs to use for each app.

How We Mitigate The Risk

Today's Platform release adds a security module that scans for the specific techniques outlined above. Before a vulnerable app is launched, the Platform checks for every DLL addition recommended in the leaked documents. This includes DLLs located alongside an AppNamePortable.exe launcher, whether or not that launcher is itself affected, since some apps will load DLLs from the launcher's directory as well as from their own path. DLLs that the leak lists as vulnerable to replacement within an affected app are hashed with SHA-256 by the Platform and compared to the known-good hash for that version of the app's DLL; a mismatch means the DLL has been modified or replaced and the app is not launched.
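To make the two checks concrete, here is an added example in Python. It is not the Platform's own code (that is built into the Platform itself); it models the same two checks, a "must not exist" list of DLL locations and a known-good SHA-256 per shipped DLL, run over an app directory before launch. The directory layout, DLL names, file contents and hashes are constructed placeholders for the demo and are not the names from the leaked documents.

```python
"""Pre-launch DLL hijack checks for a portable app directory.

Added illustration, not the PortableApps.com Platform's own code. It models
the two checks the post describes:

  1. refuse to launch if a DLL has been *added* at a location where the app or
     its launcher would pick it up ahead of the real library (search-order hijack);
  2. refuse to launch if a DLL the app *ships* no longer matches its known-good
     SHA-256 (replacement hijack).

All DLL names, paths, file contents and hashes below are constructed
placeholders; they are not the names from the leaked documents.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large DLLs are fine."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _find_case_insensitive(app_dir: Path, rel: str):
    """Return the real path matching `rel` ignoring case, or None.

    The Windows loader ignores case, so a planted VERSION.DLL must be caught
    just like version.dll, even when this check runs on a case-sensitive
    filesystem (for example a drive image mounted on Linux).
    """
    target = app_dir / rel
    if not target.parent.is_dir():
        return None
    for child in target.parent.iterdir():
        if child.name.lower() == target.name.lower():
            return child
    return None


def check_app_dir(app_dir, forbidden_additions, expected_hashes):
    """Run both checks. Returns a list of (kind, relative_path, detail)
    findings; an empty list means the app is safe to launch under this policy."""
    app_dir = Path(app_dir)
    findings = []
    # Check 1: hijackable locations that must stay empty.
    for rel in sorted(forbidden_additions):
        hit = _find_case_insensitive(app_dir, rel)
        if hit is not None:
            findings.append(("added_dll", rel, f"unexpected DLL present: {hit.name}"))
    # Check 2: shipped DLLs that must match the known-good hash for this version.
    for rel, good in sorted(expected_hashes.items()):
        hit = _find_case_insensitive(app_dir, rel)
        if hit is None:
            findings.append(("missing_dll", rel, "expected DLL is missing"))
            continue
        actual = sha256_file(hit)
        if actual != good.lower():
            findings.append(("replaced_dll", rel, f"sha256 {actual} != known-good {good}"))
    return findings


def build_demo_tree(root):
    """Construct a fake portable app layout (placeholder bytes, not real DLLs)."""
    app = Path(root) / "ExampleAppPortable"
    (app / "App" / "ExampleApp").mkdir(parents=True)
    (app / "ExampleAppPortable.exe").write_bytes(b"MZ fake launcher")
    helper = app / "App" / "ExampleApp" / "helper.dll"
    helper.write_bytes(b"MZ fake shipped helper")
    # Policy for this app: the known-good hash is recorded at packaging time.
    expected = {"App/ExampleApp/helper.dll": sha256_file(helper)}
    # Locations where a dropped DLL would be loaded ahead of the real one
    # (next to the launcher, and inside the app's own directory).
    forbidden = {"version.dll", "App/ExampleApp/dbghelp.dll"}
    return app, forbidden, expected


def run_demo():
    """A clean tree passes; then one DLL is planted and one replaced, and both
    are caught. Returns (clean_findings, tampered_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        app, forbidden, expected = build_demo_tree(tmp)
        clean = check_app_dir(app, forbidden, expected)
        # Simulate the two techniques from the post.
        (app / "VERSION.DLL").write_bytes(b"MZ planted next to the launcher")
        (app / "App" / "ExampleApp" / "helper.dll").write_bytes(b"MZ replaced")
        tampered = check_app_dir(app, forbidden, expected)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean tree:", clean or "no findings, OK to launch")
    for kind, rel, detail in tampered:
        print(f"BLOCK LAUNCH [{kind}] {rel}: {detail}")
```

Two points a practitioner will want to keep in mind: the "added DLL" check is a denylist of specific names and locations, so a DLL dropped under a name or path that is not on the list is not caught, and the hash check only works if a known-good hash is recorded for exactly the version of the app that is installed.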

Why Mitigate When Users Aren't Affected

We are choosing to mitigate this risk even though our users are currently unaffected by this issue, because now that these techniques are more widely known and publicized, new attacks against users could be built on them in the future. While our checks won't mitigate every attack, making our users more secure is important to us.

Example Alerts

Here are examples of the two new alerts that have been added to the Platform:

Going Forward

Going forward, we will be watching for additional affected apps and additional vulnerable locations within the already affected apps. We will also be updating the PA.c Launchers to address any existing side-by-side DLL vulnerabilities, as well as adding hardening features that allow the PA.c Launchers to help protect and verify the apps directly. We'll also be updating the base apps like Skype, Chrome, Thunderbird, etc. as soon as their publishers address the vulnerabilities within them and release new versions. We hope this addresses any concerns you may have and helps you feel confident about enjoying your portable apps every day!

Comment by John T. Haller:

Individual launchers are affected by a different version of this by placing fake versions of specific Windows DLLs next to them. Anything compiled with NSIS before version 2.50 is vulnerable to that. This isn't what Fine Dining details, though. The goal of Fine Dining is to be as hidden as possible. Millions of Windows apps can have DLLs injected into them. I'd wager most Windows software is vulnerable to some sort of it. If a given infected PC has write access to your portable device, it could add one. Of course, it could easily wipe your drive, infect an app's EXEs and DLLs with a virus, or lock your data in an encrypted ransomware container, too. All of the latter are much more likely.

Realistically, DLL hijacks aren't really a major issue unless a compounding factor is introduced. That's happened before in the context of Windows installers, for example. The majority of Windows installers were vulnerable to specific hijacks for over a decade until a little over a year ago. It wasn't really an issue because only an already infected system would trigger it. But then browsers with some poor security decisions like Chrome allowed any website to download any infected/fake DLL they wanted to the user's Download directory without user interaction. So, you could download a digitally signed installer from a legitimate software site, but if you ran it directly from your Download directory and used something like Chrome, it might load one of those infected DLLs. Even worse, since it was a local software installer, it would be running as admin. That's why NSIS was patched in December 2015 and why the PA.c Installer was updated to NSIS 3 beta 3 (something we don't normally do) a few weeks later to mitigate that specific attack, which also had the side effect of hardening it against other DLL hijacks. For even more protection, the Platform also bypasses the Download directory and only runs the app installers it downloads in a clean TEMP directory that is created specifically to run installers. This directory is then deleted when you close the updater/app store.

For end users who move portably, the biggest issue right now is possible infection of your portable device as you move between PCs. We mitigate that a bit by having antivirus scanners, including a commercial scanner, on our Carbide Drive and by recommending scanning your drive with your local antivirus any time you've used it on a PC that you aren't sure is clean before accessing your apps. For end users that only use our software on their local machine or that sync it between multiple clean machines using their cloud folders, Fine Dining and DLL hijacking in general are a bit of a moot point.

Sometimes, the impossible can become possible, if you're awesome!
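The comment above describes running a downloaded installer from a freshly created TEMP directory rather than from the Download directory, and deleting that directory afterwards. The following Python is an added illustration of that approach and is not the Platform's updater code. The installer name, the planted DLL and the file contents are constructed placeholders; the `run` hook exists so the demo can substitute a stub for actually executing the installer.

```python
"""Run a downloaded installer from a fresh, empty directory.

Added illustration of the technique described in the comment above, not the
PortableApps.com Platform's own updater code. Staging the installer alone in a
newly created directory means a DLL that a website (or anything else) dropped
into the Download directory is not beside the installer when it runs, so a
side-by-side DLL hijack of the installer has nothing to load. The directory is
removed afterwards whether or not the installer succeeded.

Paths, file names and contents are constructed placeholders.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path


def stage_and_run_installer(installer, run=None):
    """Copy `installer` into a new empty directory, run it there, clean up.

    `run(exe_path, cwd)` performs the actual launch and defaults to
    subprocess.run; the demo passes a stub instead. Returns whatever `run`
    returns.
    """
    installer = Path(installer)
    if run is None:
        def run(exe, cwd):
            return subprocess.run([str(exe)], cwd=str(cwd), check=False)
    stage = Path(tempfile.mkdtemp(prefix="installer-stage-"))
    try:
        # mkdtemp creates a brand-new directory, but verify it before trusting it.
        leftovers = [p.name for p in stage.iterdir()]
        if leftovers:
            raise RuntimeError(f"staging directory not empty: {leftovers}")
        staged = stage / installer.name
        shutil.copy2(installer, staged)
        return run(staged, stage)
    finally:
        shutil.rmtree(stage, ignore_errors=True)


def demo_isolated_run():
    """Build a Download directory holding the installer plus a planted DLL.
    Returns (names the installer saw beside itself, whether the staging
    directory survived the run)."""
    with tempfile.TemporaryDirectory() as downloads:
        dl = Path(downloads)
        (dl / "ExampleSetup.exe").write_bytes(b"MZ fake installer")
        (dl / "version.dll").write_bytes(b"MZ planted DLL")  # the attacker's file
        seen = {}

        def stub_run(exe, cwd):
            # Stand-in for launching the installer: record what sits next to it.
            seen["stage"] = Path(cwd)
            return sorted(p.name for p in Path(cwd).iterdir())

        neighbours = stage_and_run_installer(dl / "ExampleSetup.exe", run=stub_run)
        return neighbours, seen["stage"].exists()


if __name__ == "__main__":
    neighbours, survived = demo_isolated_run()
    print("files beside the installer at run time:", neighbours)
    print("staging directory left behind:", survived)
```

The staging directory only removes the Download directory from the picture; the installer still loads DLLs from the usual system locations, which is why the NSIS fix the comment mentions was needed in addition to this.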

Great work... Better to prevent when possible, even when this means delaying or even blocking apps, than to be blamed for doing nothing!

Keep up the great work you guys are doing!

All thumbs up from the Netherlands!

Thank you for sharing this information and for taking corrective actions.

+ Every rule has its exception; excepting this one.