ITW malware and kernel vulnerabilities

Discussion in 'malware problems & news' started by Gullible Jones, Mar 20, 2013.

Thread Status:
Not open for further replies.
  1. Lately there's been a big focus on kernel vulnerabilities. They're nasty (even when strictly local) because they bypass everything, and there seem to be a lot of them lurking around. But how much malware in the wild actually uses these vulnerabilities?

    e.g. I know Stuxnet and Duqu use kernel vulnerabilities, and both have IIRC made it into the wild. Are there any others?

    More importantly, how many cases have there been of malware exploiting a kernel hole before it was patched?

    We know these vulnerabilities exist, and are nasty; but how relevant are they to end users in most cases? Who's using them, aside from governments?
     
  2. wat0114 (Registered Member; joined Aug 5, 2012; 1,984 posts; Canada)
    Assuming these exploits involve shellcode and infection of the O/S, the infection rates as of 2012 are extremely low according to, fwiw, the latest MS Security Intelligence Report. If this data counts toward how relevant these exploits are to end users, then so far probably not that relevant yet, especially for those using recent 64-bit O/S's like Win 7 or 8.
     
  3. I see, thanks. Though they seem to lump kernel exploits together with other OS exploits...
     
  4. wat0114 (Registered Member; joined Aug 5, 2012; 1,984 posts; Canada)
    Yeah, I think you're right. Well I guess we'll eventually see how much of a problem they become, but so far it looks like the easy targets such as Java and Adobe and the social engineering fake AV exploits are going to be at the forefront for a while yet. Hopefully these kernel exploits don't reach mainstream status. At least for now they don't seem to be easy to pull off properly, but if they ever do become child's play for hackers...:blink:
     
  5. Well, Linux has Seccomp, and I think FreeBSD's Capsicum is similar. I hope something like that is in the works for Windows too.
     
  6. trismegistos (Registered Member; joined Jan 29, 2009; 365 posts)
    Unfortunately, they can use these easy targets first (Java, Adobe) to gain local access, then do privilege escalation using kernel exploits.

    No problem for us, I assume, as there's not much ITW malware that uses such strategies, and these would probably be the case only for targeted attacks.

    Actual Duqu-type remote code execution on kernel-mode vulnerabilities seems to be difficult to exploit by malware authors because, more often than not, BSODs will be the result. And as a possible precaution for that possible zero-day Duqu-type exploit in the future, I simply remove/unregister the t2embed.dll or apply that MS Fix-it for Duqu, since I have no use for the time being for such proper rendering of embedded fonts or TrueType fonts.

    EDIT:
    Aside from targeted attacks or the so-called state-sponsored malware like Duqu and Stuxnet, there is another malware family that seems to use the escalation of privileges, the strategy as described, to bypass sandboxes, AVs, HIPS, AEs, i.e. Gapz trojans. Don't know the infection rate however.
     
    Last edited: Mar 22, 2013
  7. trismegistos (Registered Member; joined Jan 29, 2009; 365 posts)
    For Windows, a permanent solution could have been a complete revamp of their model of putting graphics or font rendering in the kernel for better performance, and opting to put those in user mode instead.
     
  8. aigle (Registered Member; joined Dec 14, 2005; 11,047 posts; Saudi Arabia/Pakistan)
    Stuxnet, Duqu etc... they might not be only exploits. They might well be backdoors purposely kept by MS. Who knows how many more vulnerabilities/backdoors exist. These exploits must be extremely difficult to be mitigated by the end users.

    I agree that most of these might be used only in sophisticated targeted attacks, though.
     
    Last edited: Mar 21, 2013