Stealthy malware expands rootkit repertoire
Burrowing worm borrows Windows vuln
Posted in Spyware, 30th September 2008 11:46 GMT
Free whitepaper – Securing your Apache web server with a Thawte digital certificate
Security researchers have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date.
The AutoRun-NOX worm extends the standard VXer trick of using software vulnerabilities to infect systems, by including functionality that allows the worm to exploit Windows security bugs to hook into parts of the Windows system that operate below the radar of anti-virus packages.
"Most malware with rootkit functionality will tamper with the Windows kernel and attempt to execute code in kernel mode," net security firm F-Secure reports. "Typically, a special driver is used to do this... AutoRun.nox is different — it uses a vulnerability to do the job. For malware, it's rather unique to see such a technique being used."
The worm uses a long-standing Windows vulnerability, patched by Microsoft in April 2007, involving a GDI privilege elevation flaw. If the attack using the vulnerability fails, the worm falls back to plan B - using the more common (but less elegant) driver method.
A blog posting by F-secure containing screenshots and a detailed technical run-down of the worm's modus operandi can be found here. ®
Free whitepaper – Securing your online data transfer with SSL


The future of SaaS and IT infrastructure management
The mandate for application security
Extended Validation SSL Certificates
Avoiding 7 common mistakes of IT security compliance
The best practices guide for application security
Google cloud told to encrypt itself
Chinese firm hits back at cyberspy claims
BlockMaster SafeStick hardware-encrypted USB drive