NVIDIA Tool Becomes Accomplice

Thursday, February 28, 2013 @ 04:02 PM gHale


A specially crafted RTF document was leveraging a vulnerability in Word to execute a tool from NVIDIA’s graphics card drivers on victims’ computers.

The executable file, called nv.exe, has a digital signature, and is actually the original file with no changes, said researchers at Sophos.

RELATED STORIES
Nvidia Zero Day Eliminated
NVIDIA Closes Hole in Unix Driver
Researchers Bypass Microsoft IE Fix
More Victims in IE Zero Day

The reason for this method became clear after the NvSmartMax.dll library, which copied with the Word document and the .exe file onto computers, ended up analyzed: The library was home to the actual malicious code that set up a permanent backdoor, the researchers said. The malicious functions in the library ended up executed by the nv.exe file signed by NVIDIA.

The attackers took advantage of the fact that executable files first look for libraries in their own folder. In this case, nv.exe therefore tries to execute functions from its DLL but, instead, finds and uses an evil twin first. The attackers may have been using the signed binary as a detour in order to help their malicious code slip past any anti-virus software installed.

The prepared Word document consists of a statement from the Tibetan Youth Congress, a non-governmental organization that works for Tibetan independence, which suggests this cyber attack was once again targeting pro-Tibet groups.



Leave a Reply

You must be logged in to post a comment.