October 1st, 2008, 14:40 GMT

Extremely Complex Windows Rootkit Discovered

Image caption: Highly sophisticated rootkit identified
Researchers from Finnish security vendor F-Secure have recently analyzed a worm with rootkit capabilities that tries to execute code directly in the OS kernel by exploiting a known Windows vulnerability. This is the first time the technique has been encountered in such malware.

“Most malware with rootkit functionality will tamper with the Windows kernel and attempt to execute code in kernel mode,” explains the F-Secure Response Team. Such rootkit applications attempt to restore the function pointers in the kernel's System Service Table (SST) to their original values. The purpose is to remove any hooks placed there by security software on the system, and it is usually achieved through a special driver that gives the malware access to kernel memory.

The driver technique is not new and, as a consequence, no longer very effective either, because most security applications are able to identify and block such a driver. F-Secure detects the driver as Rootkit:W32/Agent.UG, but this new worm, named Worm.Win32.AutoRun.nox, takes a different approach: it tries to gain write access to kernel memory by exploiting a privilege elevation vulnerability in GDI.

The vulnerability, identified as CVE-2006-5758, was patched by Microsoft in April 2007, but as other recent incidents have demonstrated, malware developers are counting more and more on users not updating their operating systems or installed software.

“After remapping the memory, the malware will initialize a CPalette object. It will then search for the palette object in the shared kernel memory structure. Since the memory is now writable, it can be altered to include a pointer to a special function that will remove any existing SST hooks. Finally, a call to GetNearestPaletteIndex will indirectly cause the function to be executed. Afterwards, the palette object is restored leaving no trace of the attack,” the F-Secure researchers explain in their technical description of the process.

But even if this vulnerability is patched and the exploitation attempt fails, the worm has a backup plan. It falls back to the old technique of loading a special driver, and if that succeeds, the system is compromised. In addition, the worm injects malicious code into the legitimate svchost.exe and iexplore.exe processes, creates a number of files and attempts to download others from a .ru host.


READER COMMENTS:


Comment #1 by: Jess on 17 Oct 2008, 02:50 UTC

Wow... I have this worm, or one like it, and my friends all probably have it too, but no one cares because it barely impairs the functionality of Windows.
I'm pretty sure that the entire operating system is rewritten so that the functioning operating system is the NT AUTHORITY spyware or whatever.

Anyways, it fakes system restore also, and is probably in the BIOS (I don't know either)

It travelled through my wireless network into my brand new computer and took over the new Vista OS.

Yee haw, hackers win again, darnit!
Have fun trying to fix this one, fellas. Let me know when you figure it out.
