Darkmegi Exploits Java Using Kernel Rootkit

According to the security firm McAfee, the Darkmegi malicious program, which has rootkit features, is starting to abuse vulnerability within Java so drive-by download assaults can be executed.

The threat, discovered McAfee Labs, had no precedence when it was spread via exploiting Microsoft's CVE-2012-0003 security flaw, which was MIDI vulnerability for execution of remote-code.

Very recently, Darkmegi appeared in Java Runtime's CVE-2011-3544 vulnerability that facilitated execution of remote-code through drive-by download assaults from the attack toolkit "Gong Da Pack." When Darkmegi infects computers with its kernel rootkit, it enables compromising the systems hard.

The malware plants its kernel payload onto the com32.sys file of Drivers directory. Thereafter, the rootkit plants one user-mode namely com32.dll that's made to infect iexplore.exe and explorer.exe. Besides, the kernel also influences ntfs.sys (having IRP_MJ_DEVICE_CONTROL, IRP_MJ_CREATE, and IRP_MJ_CLOSE) and fastfat.sys by fastening onto their Dispatch table and thus not letting software to scan com32.sys or com32.dll, explained Craig Schmugar researcher at McAfee. Infosecurity published this on April 17, 2012.

More specifically, after the rootkit hijacks a computer's operating system, it prevents reading/replicating secured files, while tries replicating the rootkit driver onto a different directory.

Simultaneously, Schmugar discovered that Darkmegi didn't conceal the locations of its files. Thus, he pondered over the reason that prompted malware writers for making the effort towards developing a rootkit while still keep their files exposed despite aiming for safeguarding them. He thought that probably certain anti-rootkit programs considered files, which the Windows Application Programming Interface returned, in contrast with those any anti-rootkit created with the help of crude 'New Technology File System' (ntfs) file-scrutiny. Incase of discrepancies, the same were produced as skeptical, the researcher added.

Moreover, one more trick the Trojan program applied involved using some 25MB garbage-data mask over the malware-infected files it maintained. Usually malware were known to be of not even 1MB in size. Actually, below 0.03% of all familiar malicious programs were more than 25MB. That was one more illustration about the manner wherein malware writers kept on altering their techniques for bypassing file-centric defenses.

Security specialists said that with instantaneous kernel-memory supervision, one could block Darkmegi during installation.

» SPAMfighter News - 4/25/2012