To expand on the other answer you got, there's nowhere to put DLLs by default. You install what you need in your directory in Program Files and at that point you may as well statically link them.
Or you may as well not. DLLs sitting next to your executable are pretty much like static linking, except with one crucial difference - they can still be swapped out by the end user if the need arises. For instance, to apply a fix, or to swap out or MITM the DLL for any number of reasons. It's a feature that's very useful to have on those rare occasions when it's needed.
- An installer you used could've been compromised. For example, the attacker swaps out a DLL for a bad one, uploads the modified installer to a file sharing site, and gets you to download it from there.
- The application has its DLL swapped/modified on the fly before or during installation by pre-existing malware in your system.
- The DLL is replaced at some point post installation.
All of these attack vectors can be pulled against a statically-linked program too, and the privileges they require also allow for more effective attacks - like modifying a system component, or shipping in a separate malware process. A crypto miner will be more effective if it's not tied to execution of Super Editor 2013, even if it's delivered by its installer :).
Problems with malware have little to do with dynamic linking. They stem from the difficulty in managing execution of third-party code in general.
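A defender's check for the third vector in the comment above (a bundled DLL replaced after installation), added here as an example and not code from the thread: record the SHA-256, Authenticode status and signer of every DLL under the application directory right after a trusted install, then re-run to flag anything added, removed, rehashed or no longer validly signed. The application and baseline paths are hypothetical.

```powershell
# Added example (not from the thread). Inventories DLLs bundled next to an
# application so a later run can detect post-install replacement.
function Get-BundledDllInventory {
    param([Parameter(Mandatory)][string]$AppDir)
    Get-ChildItem -Path $AppDir -Filter *.dll -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigState = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Compare-BundledDlls {
    param(
        [Parameter(Mandatory)][string]$AppDir,
        [Parameter(Mandatory)][string]$BaselinePath   # JSON written right after a trusted install
    )
    $current = @(Get-BundledDllInventory -AppDir $AppDir)
    if (-not (Test-Path $BaselinePath)) {
        # First run: record the trusted state, and report anything already unsigned or tampered.
        $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
        return $current | Where-Object { $_.SigState -ne 'Valid' }
    }
    $baseline = @{}
    foreach ($e in @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) {
        $baseline[$e.Path] = $e
    }
    foreach ($e in $current) {
        $finding = $null
        if (-not $baseline.ContainsKey($e.Path))            { $finding = 'new DLL' }
        elseif ($baseline[$e.Path].SHA256 -ne $e.SHA256)    { $finding = 'hash changed' }
        elseif ($baseline[$e.Path].Signer -ne $e.Signer)    { $finding = 'signer changed' }  # signed, but not by whom it was
        elseif ($e.SigState -ne 'Valid')                    { $finding = "signature $($e.SigState)" }
        if ($finding) { $e | Add-Member -MemberType NoteProperty -Name Finding -Value $finding -PassThru }
    }
    foreach ($p in $baseline.Keys) {
        if ($current.Path -notcontains $p) { [pscustomobject]@{ Path = $p; Finding = 'DLL removed' } }
    }
}

# Usage (hypothetical paths); run once after install to create the baseline, then on a schedule:
# Compare-BundledDlls -AppDir 'C:\Program Files\SuperEditor' -BaselinePath 'C:\ProgramData\dll-baseline.json' | Format-Table
```

A valid signature alone is not enough, since an attacker can ship a DLL signed with a different certificate; that is why the signer and hash are compared against the baseline as well.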
> All of these attack vectors can be pulled against a statically-linked program too
Yeah, but then the attacker would have to pull them against a bazillion apps, instead of just infecting a bunch of more or less generic DLLs and then just replacing all copies of those wherever he finds them.
Which is why I said, "the privileges they require also allow for more effective attacks". If you can scan my system and replace popular DLLs in every application that bundles them, you may as well drop a new Windows service running your malware. Or two, and make them restart each other. Or make your malware a COM component and get the system to run it for you - my task manager will then just show another "svchost.exe" process, and I'll likely never notice it.