Windows AutoRun-NOX Worm Extended Rootkit Repertoire

Researchers at F-Secure, an anti-virus company, have found what they describe as the most sophisticated and subtle Windows rootkit software to date. They have named it the AutoRun-NOX worm. AutoRun-NOX extends the standard VXer (virus writer) trick of exploiting software vulnerabilities to infect a system: it includes functionality that exploits security bugs in Windows to hook parts of the system that run below the radar of antivirus packages.

F-Secure reports that most malware with rootkit functionality interferes with the Windows kernel by trying to get its own code running in kernel mode. Generally a dedicated driver is loaded to do this; AutoRun-NOX is different, because it exploits a vulnerability to get there instead, and it is unusual for malware to use such a technique.

After re-mapping memory, the malware creates a CPalette object and then looks up the palette object in a shared kernel memory structure. Because this memory is writable, it can be modified to add a pointer to a special function that erases any existing SSDT hooks. The function is then triggered by a call to GetNearestPaletteIndex, after which the palette object is restored, leaving no trace of the attack.

The worm exploits a long-standing Windows vulnerability, a GDI privilege elevation flaw, which Microsoft patched in April 2007. If the attack through the GDI flaw fails, the worm falls back to plan B, the more common driver method.

The most interesting feature of this sophisticated malware is its ability to change the Windows desktop so that the status bar appears to display an alert about a virus infection. Another prominent threat making the rounds these days is XP Antivirus 2008 and similarly named rogue antivirus programs.

Here, a user receives a socially engineered message prompting them to download a malicious antivirus program, which then "detects" several viruses and asks the user to buy the program to remove them. In most cases, the only malware installed on the system is XP Antivirus 2008 itself.

Related article: Windows XP Fault Strike Firewall

SPAMfighter News - 14-10-2008
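As an added defender's triage example (not code from the article or from F-Secure): a PowerShell script that checks whether the April 2007 GDI fix is recorded on the machine and lists running kernel drivers that are unsigned or not signed by Microsoft, which is the kind of artifact the worm's driver-based "plan B" leaves behind. It assumes the patch the article refers to is MS07-017, shipped as KB925902; the "Microsoft" signer match is a heuristic, not a verdict.

```powershell
# Added triage script (not from the article or F-Secure).
# Assumptions: the April 2007 GDI fix is MS07-017 / KB925902; a signer subject
# containing "Microsoft" is treated as an inbox driver.
$GdiFixKb = 'KB925902'

function Test-GdiFixInstalled {
    # True if the hotfix record exists. Get-HotFix only sees updates recorded as QFEs,
    # so a missing record is a prompt to check update history, not proof of exposure.
    return ($null -ne (Get-HotFix -Id $GdiFixKb -ErrorAction SilentlyContinue))
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports NT-style paths; map the common prefixes to Win32 paths.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                 # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot       # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative form
    return $p
}

function Get-SuspectDrivers {
    # Running kernel drivers whose image is missing, unsigned, or not signed by Microsoft.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path   = Resolve-DriverPath $_.PathName
            $status = 'MissingFile'
            $signer = ''
            if ($path -and (Test-Path $path)) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                Signature = $status
                Signer    = $signer
            }
        } |
        Where-Object { $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
}

if (Test-GdiFixInstalled) {
    "GDI fix $($GdiFixKb): installed"
} else {
    "GDI fix $($GdiFixKb): NOT found; check Windows Update history manually"
}
Get-SuspectDrivers | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. Third-party hardware drivers will appear in the list by design; the point is to review every non-Microsoft or unsigned kernel image rather than to flag any single one as malicious. On older Windows versions, catalog-signed inbox drivers may also show as NotSigned, since Get-AuthenticodeSignature there only checks embedded signatures.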