McAfee sheds light on the Darkmegi kernel rootkit

17 April 2012

Darkmegi, malware that uses a kernel rootkit component to infect computers, has begun exploiting a flaw in Java to conduct drive-by attacks, according to McAfee Labs.

Darkmegi was discovered a few months ago when it exploited a MIDI (musical instrument digital interface) remote code execution vulnerability in Windows Media Player.

The new drive-by attacks, which exploit a Java runtime remote code execution flaw, use the Gong Da Pack exploit kit, McAfee researcher Craig Schmugar explained in a blog post.

Darkmegi “drops its kernel driver to com32.sys in the Drivers directory. This rootkit drops a usermode component, com32.dll, which gets injected into explorer.exe and iexplore.exe. It also hooks the Dispatch table of ntfs.sys [IRP_MJ_CLOSE, IRP_MJ_CREATE, IRP_MJ_DEVICE_CONTROL] and fastfat.sys to prevent applications from reading (or scanning) the com32.dll and com32.sys files”, Schmugar related.

Once Darkmegi has compromised the operating system, attempts to copy or read protected files are rejected.

In addition, the malware pads its files with 25MB of garbage data to appear legitimate, since most malware is under 1MB, the McAfee researcher explained.

At the same time, Schmugar found that Darkmegi does not hide its file locations. “So why does a malware author go to the trouble of creating a rootkit and yet not hide the files he or she aims to protect? One reason is that some antirootkit tools compare a list of files returned by the Windows API [application programming interface] against a tool-created list created from raw NTFS [new technology file system] scanning. Any discrepancies are presented as suspicious”, he wrote.
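The behaviour described above (files that stay listed but reject reads, and binaries padded to about 25MB) lends itself to a simple triage check. The Python sketch below is an added example, not code from McAfee or the article; the function names, the 20MB size floor and the simulated read block in `demo()` are assumptions made for illustration.

```python
import os
import tempfile

# File names come from the article; the size floor is an assumed value
# chosen below the ~25MB padding the article describes.
REPORTED_NAMES = {"com32.sys", "com32.dll"}
PADDED_SIZE_FLOOR = 20 * 1024 * 1024
BINARY_EXTENSIONS = (".sys", ".dll")

def try_read(path, nbytes=4096):
    """Return True if the first bytes of the file can be read."""
    try:
        with open(path, "rb") as fh:
            fh.read(nbytes)
        return True
    except OSError:
        return False

def triage_directory(directory, reader=try_read):
    """Flag files the directory listing shows but that resist inspection."""
    findings = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        name = entry.name.lower()
        reasons = []
        if not reader(entry.path):
            reasons.append("listed-but-unreadable")
        if name in REPORTED_NAMES:
            reasons.append("name-reported-in-article")
        try:
            size = entry.stat(follow_symlinks=False).st_size
        except OSError:
            size = 0
        if size >= PADDED_SIZE_FLOOR and name.endswith(BINARY_EXTENSIONS):
            reasons.append("unusually-large-binary")
        if reasons:
            findings.append((entry.name, sorted(reasons)))
    return sorted(findings)

def demo():
    """Constructed sample: a temp directory standing in for the Drivers directory."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("disk.sys", "com32.sys"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"MZ" + b"\0" * 64)
        # Simulated read block for one file (constructed behaviour, not real malware).
        blocked = lambda p: not p.lower().endswith("com32.sys") and try_read(p)
        return triage_directory(d, reader=blocked)

if __name__ == "__main__":
    print(demo())
```

A read failure can also come from ordinary permissions or an exclusive lock, so a hit is a lead for offline inspection of the disk, not a verdict.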