September 30th, 2008

Malware Uses GDI Local Elevation Of Privilege Vulnerability To Install Untraceable Rootkit

Security researchers from F-Secure have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date. The AutoRun.nox worm extends the standard VXer trick of using software vulnerabilities to infect systems: it includes functionality that exploits a Windows security bug to reach parts of the Windows system that operate below the radar of anti-virus packages.

Most malware with rootkit functionality will tamper with the Windows kernel and attempt to execute code in kernel mode. Typically, a special driver is used to do this. Worm.Win32.AutoRun.nox has a payload that restores the original function pointers back to the kernel’s System Service Table (SST). The usual motivation for malware to do this is to remove any SST hooks installed by security software or other malware that might affect its successful operation.

As noted, a special driver or the physical memory device is normally used to get access to kernel-mode memory and restore the pointers. AutoRun.nox is different: it uses the “GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)” to do the job. For malware, it is rather unusual to see such a technique being used.

The worm uses a long-standing Windows vulnerability, patched by Microsoft in April 2007, involving a GDI privilege elevation flaw. If the attack using the vulnerability fails, the worm falls back to plan B – using the more common (but less elegant) driver method.

After remapping the shared GDI memory as writable, the malware initializes a CPalette object and then searches for that palette object in the shared kernel memory structure. Since the memory is now writable, the object can be altered to include a pointer to a special function that removes any existing SST hooks. Finally, a call to GetNearestPaletteIndex indirectly causes that function to be executed. Afterwards, the palette object is restored, leaving no trace of the attack.

If attacking this vulnerability fails, the worm goes back to the tried-and-true “special driver” method. The driver is detected by F-Secure as Rootkit:W32/Agent.UG. Either way, if the attack is successful, the machine is compromised, as the attacker can access the kernel and execute code, or cause a denial of service. This attack will only work on unpatched machines running without the latest updates. Microsoft ranks this vulnerability as Important and recommends that users apply the update immediately.
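The detection angle worth spelling out is that security software relying on SST hooks can notice when those hooks are silently written back to the original kernel pointers, which is the effect the article attributes to AutoRun.nox. The following is an added example, not F-Secure's code or anything from the worm: a user-mode simulation in C of an 8-entry service table, with the integrity check a defensive product would run against its own hooks. The table, the kernel image address range (KERNEL_LO/KERNEL_HI) and the hook target address are all constructed for the simulation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed simulation (not real kernel code): an 8-entry "service table"
 * of entry-point addresses, plus the integrity check a security product can
 * run to notice that its own SST hooks have been silently removed. All
 * addresses below are made up. */
#define SST_ENTRIES 8

typedef struct {
    uintptr_t original[SST_ENTRIES]; /* pristine kernel entry points */
    uintptr_t baseline[SST_ENTRIES]; /* table as the product expects it, hooks included */
    uintptr_t current[SST_ENTRIES];  /* what the table holds now */
} sst_monitor;

/* Assumed address range of the kernel image; an entry outside it is a hook. */
static const uintptr_t KERNEL_LO = 0x80400000u;
static const uintptr_t KERNEL_HI = 0x80600000u;

static void sst_init(sst_monitor *m)
{
    for (size_t i = 0; i < SST_ENTRIES; i++)
        m->original[i] = KERNEL_LO + 0x1000u * (uintptr_t)(i + 1);
    memcpy(m->baseline, m->original, sizeof m->baseline);
    memcpy(m->current, m->original, sizeof m->current);
}

/* The product installs its own hook and records it as the expected state. */
static void sst_install_hook(sst_monitor *m, size_t idx, uintptr_t target)
{
    m->current[idx] = target;
    m->baseline[idx] = target;
}

/* Effect described in the article: original pointers written back over hooks. */
static void sst_write_back_originals(sst_monitor *m)
{
    memcpy(m->current, m->original, sizeof m->current);
}

/* Count entries that point outside the kernel image, i.e. hooked entries. */
size_t sst_count_outside_kernel(const sst_monitor *m)
{
    size_t n = 0;
    for (size_t i = 0; i < SST_ENTRIES; i++)
        if (m->current[i] < KERNEL_LO || m->current[i] >= KERNEL_HI)
            n++;
    return n;
}

/* Compare the current table with the baseline; returns the number of changed
 * entries and stores their indices in changed[] (up to max). This catches
 * both foreign hooks and silent unhooking of the product's own entries. */
size_t sst_verify(const sst_monitor *m, size_t *changed, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < SST_ENTRIES; i++) {
        if (m->current[i] != m->baseline[i]) {
            if (n < max)
                changed[n] = i;
            n++;
        }
    }
    return n;
}

/* Scenario: the product hooks entry 3, then originals are written back.
 * Returns the index reported as tampered, -1 if the unhooking went
 * unnoticed, or -2 if the product wrongly flagged its own hook. */
int scenario_unhook_is_detected(void)
{
    sst_monitor m;
    size_t changed[SST_ENTRIES];
    sst_init(&m);
    sst_install_hook(&m, 3, 0xF7A10000u); /* made-up driver address */
    if (sst_verify(&m, changed, SST_ENTRIES) != 0)
        return -2;
    sst_write_back_originals(&m);
    return sst_verify(&m, changed, SST_ENTRIES) == 1 ? (int)changed[0] : -1;
}

/* Scenario: how many entries point outside the kernel image with one hook in place. */
size_t scenario_hooked_entries(void)
{
    sst_monitor m;
    sst_init(&m);
    sst_install_hook(&m, 3, 0xF7A10000u);
    return sst_count_outside_kernel(&m);
}

int main(void)
{
    printf("tampered entry after write-back: %d\n", scenario_unhook_is_detected());
    printf("entries outside kernel image with one hook: %zu\n", scenario_hooked_entries());
    return 0;
}
```

The design point is that a range check alone (is the pointer inside the kernel image?) cannot see unhooking, because the restored pointers look perfectly legitimate; only a comparison against the product's own recorded baseline reveals that an expected hook has vanished.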

One Response to “Malware Uses GDI Local Elevation Of Privilege Vulnerability To Install Untraceable Rootkit”

1. […] only one article on the web talking about this malicious file, it’s available at cyberinsecure web page. The article doesn’t refer to a specific malware, and I don’t know if I have […]
