DLL Malware

I have been having a play with DLL's recently and have realised the potential advantages over normal executables, here are a few thoughts:

From what I understand, depending on how you create your DLL you can either Inject the DLL into a process and/or load it using a Loader (such as 'rundll32').

Heres an example of what could be done...

Create a custom loader which contains a copy of the DLL as an encrypted resource file (easily done in VB6);

Check for the existence of Sandboxes etc; If found we quit, otherwise:

Detect if we have Admin rights:

If we do, decrypt and extract the DLL to eg: %windir%\*random-file-name*.dll

If not, decrypt and extract the DLL to eg: %temp%\*random-file-name*.dll

Check the file actually extracted (and wasn't blocked):

If not try extracting again to a different folder eg: %userprofile%\*random-file-name*.dll

If it still fails we quit, and melt into null.

Alternatively I believe we could extract the DLL into memory and not even write to disk.

The Loader then detects the PCs default browser from the Registry;

Then creates a Suspended copy of the Default Browser;

Injects the DLL into the Suspended Process, this way we bypass the Firewall*.

If injection fails, load the DLL using 'rundll32' and hope everything goes ok (alternatively we could try inject into a different process, say MSN, Explorer.exe etc)

If injected we can then delete the DLL we extracted as it is now in memory.

Then exit the loader.

So based on the concept that we have injected the DLL, we now have no visible process running in Task Manager, and potentially have bypassed the Firewall without creating additional rules.

Startup methods?
Well we can either can add an entry for the Loader again (which would allow injection) or load the DLL using say rundll32 or from a Service via SVCHOST.

* This is simple Firewall Bypass which probably doesn't work anymore, but you get the idea.