Home
Forums
News
Software
Rootkit List
Articles
Links
Contact Us




Click Flag for Translation

Subscribe to the Antirootkit Newsletter
Enter Email Address

Subscribe
Unsubscribe

Home > Articles

Holes in your programs and how they can help install Rootkits.


Have you ever wondered why you have anti virus, anti spyware, anti adware ( Microsoft Windows Defender, Spybot, Spywareblaster ) but but still get windows popping up with ads, your hard drive is constantly churning or your internet usage stats have gone sky high.

Many users have the latest greatest software for stopping viruses and spyware but what they don't know is that programs like Internet Explorer, Microsoft Word and other commonly used programs have "holes" in them that allow an attacker to take control of their computer from a remote location. The attacker can then install whatever application they want. Keyloggers and Spyware ( to name a few ) along with programs that send out Spam to millions of email accounts around the world seem to be the most popular at the moment.

A lot of these programs that an attacker installs are hidden by a rootkit which will prevent many scanning programs from finding the malware. For example when your Spyware scanner scans your computer the rootkit will "tell" the scanner "nothing here" but you will still get spyware pop-ups.

 

Attackers can come in through holes in your Programs

"Typically, a crimeware exploit will install a rootkit along with a package of spyware, adware, and other malware applications when you visit a site that has been set up, accidentally or deliberately, as an exploit distribution site. Aside from some hard disk activity, you probably won't know that anything has happened, until odd pop-ups start appearing. Those pop-ups may ask you to install some software, tell you there's a problem with your system, or even ask you for money."Explabs - Exploit Prevention Labs

 

When a program like MS Word is being written there are millions of lines of computer code being used. The possibility of human error when writing the code in inevitable and because there is no obvious signs of the error in the code the developer can overlook it.

Earlier this year a hole was found in various Microsoft Operating systems that allowed an attacker, who had made a graphic file ( WMF ) in a certain way, remote control of a users computer when they opened the graphic. All a user had to do was to visit a site that the graphic was being used on and they were infected.

"Windows Metafile exploit from December 2005. Uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware. The exploit, a genuine zero-day attack, was allegedly purchased for $5,000 from a Russian hacking group. Seven months after Microsoft issued a patch, it’s still widely used by cybercriminals."
Explabs - Exploit Prevention Labs - August 2006 Exploits

Exploit Prevention Labs keep an eye out for what's happening with current software holes. According to Explabs in August 2006 a program called Webattacker that can be bought from as little as little as $20 was the most used attacking software used. It is updated regularly to include attacks on newly found software holes.

Only recently there was a new hole or vulnerability found in Internet Explorer. Code for attackers was posted on the Internet. Microsoft have not issued a patch for this hole and there is currently no known workaround. The new Internet Explorer problem is related to an ActiveX control (Microsoft DirectAnimation Path) that's part of the "daxctle.ocx" COM object. An attacker who successfully exploited the vulnerability could hijack the computer.

Read more about this problem from Microsoft's Website.

So what can a user do to stop themselves being attacked through a hole in their programs?
If a user runs in administrator mode they will always have a chance of being infected by a newly found hole. The attacker will have the option to install the malware whereas if a user was running as a restricted user then the attacker could not install the malware.
Users can also use products like Explabs SocketShield. This is an excellent piece of software that is updated as soon as new holes are found. They already provide protection from the new Internet Explorer hole.

New vulnerabilities command a lot of money from attackers. People who find a new hole in software can go to Hackers and malware writers and sell the details of the hole for substantial amounts of money as was seen with the WMF exploit. It goes without saying that there will be more and more rogue software engineers looking for software holes because of the monetary benefits. Maybe if Microsoft payed these guys for finding holes we could all rest a bit easier when surfing the Internet.

Keep Safe.

Steo - 16 Sep 2006

 

 

©2005 Antirootkit.com