Malware and DLLs

I'm taking a SANS malware analysis class from @hal_pomeranz

He showed us that malware sometimes uses very few DLLs compared with normal executables.

Here's how to see that using PEiD.

I opened a legit program (Cain.exe) in PEiD, clicked the Subsystem arrow, and then the ImportTable arrow.

This shows the DLLs it uses:

Compare that to this Brazilian banking trojan, which imports only one DLL: it's packed, so the only code that is immediately executable is the unpacker stub, and the real program's imports don't appear in the import table because they are resolved only after the unpacker runs.
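The same check can be scripted instead of clicked through in PEiD. The example below is added here and is not from the post or the class: it parses the PE32 import directory by hand (DOS header, COFF header, optional header data directory, section table, import descriptors) and returns the list of imported DLL names, then flags a file whose import table names very few DLLs. The `build_minimal_pe` helper constructs synthetic PE files for the demonstration, not real binaries, and the threshold of two DLLs in `import_count_flag` is an assumption chosen for illustration, not a figure from the page.

```python
import struct

# Offsets and sizes from the PE/COFF file format (PE32 only; PE32+ differs).
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
SIZEOF_OPTIONAL_HEADER_PE32 = 224   # optional header with all 16 data directories
DATA_DIR_OFFSET_PE32 = 96           # data directory array offset inside the optional header
SECTION_HEADER_SIZE = 40
IMPORT_DESCRIPTOR_SIZE = 20         # IMAGE_IMPORT_DESCRIPTOR


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def read_cstring(data, offset):
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("ascii", "replace")


def imported_dlls(data):
    """Return the DLL names listed in the import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return []                               # no import directory present
    import_rva, _size = struct.unpack_from(
        "<II", data, opt + DATA_DIR_OFFSET_PE32 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if import_rva == 0:
        return []
    sections = []
    sec = opt + opt_size
    for i in range(num_sections):
        # VirtualAddress, SizeOfRawData, PointerToRawData sit at +12 in each header
        sections.append(struct.unpack_from("<III", data, sec + i * SECTION_HEADER_SIZE + 12))
    dlls = []
    off = rva_to_offset(import_rva, sections)
    while True:
        desc = struct.unpack_from("<IIIII", data, off)  # ..., Name RVA is field 3
        if not any(desc):
            break                               # all-zero descriptor terminates the table
        dlls.append(read_cstring(data, rva_to_offset(desc[3], sections)))
        off += IMPORT_DESCRIPTOR_SIZE
    return dlls


def import_count_flag(data, max_dlls=2):
    """Heuristic from the text: a tiny import table is one sign of a packed file.
    Returns (dll_count, suspicious). The threshold is an assumption for this example."""
    dlls = imported_dlls(data)
    return len(dlls), len(dlls) <= max_dlls


def build_minimal_pe(dll_names):
    """Construct a synthetic PE32 file (constructed test data, not a real program)
    whose only section is an import table naming the given DLLs."""
    section_rva, section_raw = 0x1000, 0x200
    desc_area = IMPORT_DESCRIPTOR_SIZE * (len(dll_names) + 1)
    names_blob, name_rvas = b"", []
    for name in dll_names:
        name_rvas.append(section_rva + desc_area + len(names_blob))
        names_blob += name.encode("ascii") + b"\x00"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas)
    descs += b"\x00" * IMPORT_DESCRIPTOR_SIZE
    section = descs + names_blob
    raw_size = (len(section) + 0x1FF) & ~0x1FF
    section = section.ljust(raw_size, b"\x00")
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, SIZEOF_OPTIONAL_HEADER_PE32, 0x102)
    opt = bytearray(SIZEOF_OPTIONAL_HEADER_PE32)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, DATA_DIR_OFFSET_PE32 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     section_rva, len(descs))
    sec_hdr = b".idata".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(section), section_rva, raw_size, section_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\x00\x00" + coff + bytes(opt) + sec_hdr
    return headers.ljust(section_raw, b"\x00") + section


if __name__ == "__main__":
    for label, names in (("legit-like", ["KERNEL32.dll", "USER32.dll", "ADVAPI32.dll", "WS2_32.dll"]),
                         ("packed-like", ["KERNEL32.dll"])):
        print(label, import_count_flag(build_minimal_pe(names)))
```

To use it on a real sample, read the file into `data` and call `imported_dlls(data)`; a short list is a prompt to look for a packer, not proof of one, since tiny legitimate tools also import little.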


Posted 8-6-13 by Sam Bowne