McAfee sheds light on the Darkmegi kernel rootkit


Darkmegi was discovered a few months ago when it exploited a MIDI (musical instrument digital interface) remote code execution vulnerability in Windows Media Player.

The new drive-by attacks exploiting a Java runtime remote code execution flaw use the Gong Da Pack exploit kit, McAfee researcher Craig Schmugar explained in a blog post.

Darkmegi “drops its kernel driver to com32.sys in the Drivers directory. This rootkit drops a usermode component, com32.dll, which gets injected into explorer.exe and iexplore.exe. It also hooks the Dispatch table of ntfs.sys [IRP_MJ_CLOSE, IRP_MJ_CREATE, IRP_MJ_DEVICE_CONTROL] and fastfat.sys to prevent applications from reading (or scanning) the com32.dll and com32.sys files”, Schmugar related.

Once Darkmegi has compromised the operating system, attempts to copy or read protected files are rejected.

In addition, the malware pads its files with 25MB of garbage data to appear legitimate, since most malware is under 1MB, the McAfee researcher explained.

At the same time, Schmugar found that Darkmegi does not hide its file locations. “So why does a malware author go to the trouble of creating a rootkit and yet not hide the files he or she aims to protect? One reason is that some antirootkit tools compare a list of files returned by the Windows API [application programming interface] against a tool-created list created from raw NTFS [new technology file system] scanning. Any discrepancies are presented as suspicious”, he wrote.
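The two symptoms described above (files that a directory listing returns but that cannot be opened for reading, and driver or DLL files padded to about 25MB) can be turned into a simple triage check. The following is an added example, not code from McAfee or from Schmugar's write-up; the directory listing, the file sizes and the access-denied behaviour of `fake_open` are constructed to simulate the hooked ntfs.sys dispatch table, and `PAD_THRESHOLD` is taken from the 25MB figure in the article.

```python
# Triage heuristic for Darkmegi-style read blocking (added example, not
# McAfee's tooling): flag files the directory API lists but that cannot be
# read, and files padded to the ~25MB size reported in the article. Either
# is a lead to confirm against a raw NTFS scan, not proof of infection.
import io
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

PAD_THRESHOLD = 25 * 1024 * 1024  # padding size reported in the article

@dataclass
class Finding:
    path: str
    size: int
    read_error: Optional[str]  # exception name if the open/read was rejected

    @property
    def suspicious(self) -> bool:
        return self.read_error is not None or self.size >= PAD_THRESHOLD

def probe(path: str, size: int, opener: Callable = open) -> Finding:
    """Try to read the first bytes of the file, as an on-access scanner would."""
    try:
        with opener(path, "rb") as fh:
            fh.read(16)
        return Finding(path, size, None)
    except OSError as exc:  # e.g. PermissionError from a hooked IRP_MJ_CREATE
        return Finding(path, size, type(exc).__name__)

def triage(entries: Iterable[Tuple[str, int]], opener: Callable = open) -> List[Finding]:
    """entries: (path, size) pairs from a directory listing; returns the leads."""
    return [f for f in (probe(p, s, opener) for p, s in entries) if f.suspicious]

# Constructed sample: a listing of the Drivers directory plus a fake opener
# that behaves like the hooked dispatch table (access denied on com32.sys).
SAMPLE_ENTRIES = [
    (r"C:\Windows\System32\drivers\com32.sys", 26 * 1024 * 1024),
    (r"C:\Windows\System32\drivers\ntfs.sys", 1_600_000),
    (r"C:\Windows\System32\com32.dll", 25 * 1024 * 1024),
]

def fake_open(path: str, mode: str = "rb") -> io.BytesIO:
    """Simulated opener (constructed): rejects com32.sys, serves anything else."""
    if path.lower().endswith("com32.sys"):
        raise PermissionError(13, "Access is denied", path)
    return io.BytesIO(b"MZ" + b"\0" * 62)  # placeholder PE header bytes
```

On a live host, feed `triage` the output of `[(e.path, e.stat().st_size) for e in os.scandir(d) if e.is_file()]` with the default `open`, which is the same API-level view an antirootkit tool compares against its raw NTFS scan.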