ITW malware and kernel vulnerabilities

Lately there's been a big focus on kernel vulnerabilities. They're nasty (even when strictly local) because they bypass everything, and there seem to be a lot of them lurking around. But how much malware in the wild actually uses these vulnerabilites?

e.g. I know Stuxnet and Duqu use kernel vulnerabilities, and both have IIRC made it into the wild. Are there any others?

More importantly, how many cases have there been of malware exploiting a kernel hole before it was patched?

We know these vulnerabilies exist, and are nasty; but how relevant are they to end users in most cases? Who's using them, aside from governments?

 

Assuming these exploits involve shellcode and infection of the O/S, the infection rates as of 2012 are extremely low according to, fwiw, the latest MS Security Intelligence Report. If this data counts toward how relevant these exploits are to end users, then so far probably not that relevant yet, especially for those using recent 64 bit O/S' like Win 7 or 8.

 

I see, thanks. Though they seem to lump kernel exploits together with other OS exploits...

 

Yeah, I think you're right. Well I guess we'll eventually see how much of a problem they become, but so far it looks like the easy targets such as Java and Adobe and the social engineering fake AV exploits are going to be at the forefront for a while yet. Hopefully these kernel exploits don't reach mainstream status. At least for now they don't seem to be easy to pull off properly, but if they ever do become child's play for hackers...

 

Well, Linux has Seccomp, and I think FreeBSD's Capsaicin is similar. I hope something like that is in the works for Windows too.

 

Unfortunately, they can use these easy targets first(java, adobe) to gain local access, then do privilege escalation using Kernel exploits.

No problem for us, I assume as there's not much ITW malwares that use such strategies and these would probably be the case only for targeted attacks.

Actual duqu type remote code execution on kernel mode vulnerabilities seems to be difficult to exploit by malware authors because more often than not, BSODs will be the result. And as a possible precaution for that possible zero-day duqu-type exploit in the future, I simply remove/unregister the t2embed.dll or apply that MS fix-it for duqu. Since I have no use for the time being for such proper renderring of embedded fonts or true-type fonts.

EDIT:
Aside from targeted attacks or the so called state-sponsored malwares like duqu, stuxnet, there is another malware family that seems to use the escalation of priviliges, the strategies as described to bypass sandboxes, AVs, HIPS, AEs, i.e. Gapz trojans. Don't know the infection rate however.

 

For windows, a permanent solution could have been a complete revamp on their model of putting graphics or fonts renderring on the kernel for better performance and opt for putting those in user mode instead.

 

Stuxnet, Duqu etc... they might not be only exploits. They might well be bckdoors puposely kept by MS. Who knwo how many more vulnerabilities/ backdoors exist. These exploits must extremely difficult to be mitigated by the end users.

I agree that most of these might be used only in sophisticated targeted attcaks, though.