Malware Uses GDI Local Elevation Of Privilege Vulnerability To Install Untraceable Rootkit
Security researchers from F-Secure have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date. The AutoRun-NOX worm extends the standard VXer trick of using software vulnerabilities to infect systems by including functionality that exploits Windows security bugs to hook into parts of the operating system that operate below the radar of anti-virus packages.
Most malware with rootkit functionality tampers with the Windows kernel and attempts to execute code in kernel mode. Typically, a special driver is used to do this. Worm.Win32.AutoRun.nox has a payload that restores the original function pointers to the kernel’s System Service Table (SST). The usual motivation for malware to do this is to remove any SST hooks installed by security software or other malware that might interfere with its own operation.
As noted, a special driver or the physical memory device is normally used to gain access to kernel-mode memory and restore the pointers. AutoRun.nox is different: it uses the “GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)” to do the job. It is rather unusual to see malware use such a technique.
The worm uses a long-standing Windows vulnerability, patched by Microsoft in April 2007, involving a GDI privilege elevation flaw. If the attack using the vulnerability fails, the worm falls back to plan B – using the more common (but less elegant) driver method.
After remapping the memory, the malware initializes a CPalette object. It then searches for the palette object in the shared kernel memory structure. Since the memory is now writable, the object can be altered to include a pointer to a special function that removes any existing SST hooks. Finally, a call to GetNearestPaletteIndex indirectly causes that function to be executed. Afterwards, the palette object is restored, leaving no trace of the attack.
If the attack on this vulnerability fails, the worm falls back to the tried-and-true “special driver” method. F-Secure detects the driver as Rootkit:W32/Agent.UG. Either way, if the attack succeeds the machine is compromised: the attacker can access the kernel and execute code, or cause a denial of service. The attack only works on unpatched machines that are not running the latest updates. Microsoft rates this vulnerability as Important and recommends that users apply the update immediately.