Yet Another Java Exploit

Thursday, April 19, 2012 @ 03:04 PM gHale

Java is truly becoming a security disaster as Darkmegi, malware that uses a kernel rootkit component to infect computers, started exploiting a flaw in Java to conduct drive-by attacks.

Darkmegi first became public a few months ago when it found a MIDI (musical instrument digital interface) remote code execution vulnerability in Windows Media Player.

The new drive-by attacks exploiting a Java runtime remote code execution flaw use the Gong Da Pack exploit kit, said McAfee researcher Craig Schmugar.

Darkmegi “drops its kernel driver to com32.sys in the Drivers directory. This rootkit drops a usermode component, com32.dll, which injects into explorer.exe and iexplore.exe. It also hooks the Dispatch table of ntfs.sys [IRP_MJ_CLOSE, IRP_MJ_CREATE, IRP_MJ_DEVICE_CONTROL] and fastfat.sys to prevent applications from reading (or scanning) the com32.dll and com32.sys files,” Schmugar said.

Once Darkmegi compromises the operating system, attempts to copy or read protected files end up rejected.

In addition, the malware pads its files with 25MB of garbage data to appear legitimate, since most malware is under 1MB, the McAfee researcher explained.

At the same time, Schmugar found Darkmegi does not hide its file locations.

“So why does a malware author go to the trouble of creating a rootkit and yet not hide the files he or she aims to protect? One reason is that some antirootkit tools compare a list of files returned by the Windows API [application programming interface] against a tool-created list created from raw NTFS [new technology file system] scanning. Any discrepancies are presented as suspicious,” Schmugar said.
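The cross-view comparison Schmugar describes, extended with a read probe, as an added example that is not code from McAfee or from the original article. The listings, the `example_hidden.sys` entry and the probe are constructed sample data, and the directory of com32.dll is an assumption because the article does not give it. It shows that files which stay listed pass the discrepancy check but still stand out once reads are refused.

```python
# Added example: cross-view check extended with a read probe.
# Every listing below is constructed sample data, not output from a real host.

def normalize(paths):
    """NTFS names are case-insensitive, so index paths by their case-folded form."""
    return {p.casefold(): p for p in paths}

def cross_view(api_listing, raw_listing, can_read):
    """Compare the Windows API view with a raw-scan view of the same tree.

    Returns (path, reason) tuples, where reason is one of:
      hidden-from-api        present in the raw scan, absent from the API listing
      listed-but-unreadable  present in both views, but the read probe was refused
    """
    api = normalize(api_listing)
    raw = normalize(raw_listing)
    findings = []
    for key in sorted(raw):
        if key not in api:
            findings.append((raw[key], "hidden-from-api"))
        elif not can_read(raw[key]):
            findings.append((raw[key], "listed-but-unreadable"))
    return findings

# Constructed raw-scan result. example_hidden.sys is a hypothetical file that a
# classic file-hiding rootkit would filter out of API results.
RAW_SCAN = [r"drivers\ntfs.sys", r"drivers\fastfat.sys", r"drivers\com32.sys",
            "com32.dll", r"drivers\example_hidden.sys"]

# Constructed API listing: com32.sys and com32.dll remain visible, as the
# article describes, so a listing-only diff reports nothing for them.
API_LISTING = [r"Drivers\ntfs.sys", r"Drivers\fastfat.sys", r"Drivers\com32.sys",
               "com32.dll"]

# Stand-in for the hooked dispatch table: reads of these paths are rejected.
DENIED = {r"drivers\com32.sys", "com32.dll"}

def simulated_probe(path):
    """Assumed probe; on a live system this would attempt to open and read the file."""
    return path.casefold() not in DENIED

def listing_only(api_listing, raw_listing):
    """The plain discrepancy check: raw-scan entries missing from the API view."""
    return [f for f in cross_view(api_listing, raw_listing, lambda p: True)]

if __name__ == "__main__":
    print("listing-only diff:", listing_only(API_LISTING, RAW_SCAN))
    for path, reason in cross_view(API_LISTING, RAW_SCAN, simulated_probe):
        print(f"{reason:24} {path}")
```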
