You will often see malware authors distributing their malicious code as DLLs instead of as executable files. The following list outlines some of the reasons why attackers implement their malicious code as DLLs:
- A DLL cannot be executed by double-clicking; a DLL needs a host process to run. By distributing the malicious code as a DLL, a malware author can load the DLL into any process, including a legitimate process such as Explorer.exe, winlogon.exe, and so on. This technique gives the attacker the capability to hide the malware's actions, and all the malicious activity performed by the malware will appear to originate from the host process.
- Injecting a DLL into an already running process provides the attacker with the capability to persist on the system.
- When a DLL is loaded by a process into its memory space, the DLL has access to the entire process memory space, thereby giving it the ability to manipulate the process's functionality. For example, an attacker can inject a DLL into a browser process and steal credentials by redirecting its API functions.
- Analyzing a DLL is less straightforward than analyzing an executable and can be tricky.
Most malware samples drop or download a DLL and then load the DLL into the memory space of another process. After loading the DLL, the dropper/loader component deletes itself. As a result, when performing a malware investigation, you may only find the DLL. The following section covers the techniques to analyze the DLL.
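Because a DLL cannot run on its own, the first triage step when you are left with only the dropped file is to confirm that it really is a DLL: the loader decides that from the IMAGE_FILE_DLL bit in the COFF file header's Characteristics field, not from the file extension. The following is an added example (not code from the book) that reads that header in pure Python; the sample header bytes it tests against are constructed, not a real image.

```python
import struct

# COFF Characteristics flags and machine types (from the PE specification)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

COFF_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols,
                               # SizeOfOptionalHeader, Characteristics


def pe_file_kind(data: bytes) -> dict:
    """Parse the DOS and COFF headers and report whether the PE is a DLL.

    Returns a dict with 'is_dll', 'machine', 'sections' and the raw
    'characteristics' word. Raises ValueError for anything that is not
    a well-formed PE header, so truncated or renamed files are not
    silently misclassified.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C gives the file offset of the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT):
        raise ValueError("truncated PE header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, _, chars = struct.unpack_from(
        COFF_HEADER_FMT, data, e_lfanew + 4)
    return {
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "machine": machine,
        "sections": nsections,
        "characteristics": chars,
    }


def build_stub_header(is_dll: bool, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed minimal DOS + PE + COFF header for testing (not loadable)."""
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    coff = struct.pack(COFF_HEADER_FMT, machine, 1, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff
```

Run it over the file you recovered (`pe_file_kind(open(path, "rb").read())`); a file with the DLL bit clear is an EXE regardless of its name, and a DLL with few or no exports still deserves attention because its entry point, DllMain, runs at load time.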