Rootkit has rhythm
A critical flaw in the Windows multimedia library "winmm.dll" is already being actively exploited to spread rootkits, according to a warning from the anti-virus experts at Trend Micro. Attackers are embedding specially crafted MIDI files into web pages, which are then opened by Internet Explorer using a Windows Media Player plugin. While the file plays as background music, it uses the vulnerability to execute shellcode that installs a rootkit on the system.
The attackers take advantage of "heap spraying": they copy their code onto the application's heap several times, each copy written as a long sequence of NOP instructions with the malicious code at the end. The hope is that, when the vulnerability derails the application's control flow into the heap, execution lands somewhere in one of the long NOP sequences and slides down it (hence the name "NOP slide") until it reaches, and runs, the malicious code.
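From the detection side, as an added illustration that is not code from the article or from Trend Micro: a heuristic that flags the NOP-slide pattern described above in a dumped heap region or a suspicious file. The function names, the thresholds and the two sample buffers are assumptions made for this example.

```python
# Added example: heuristic scanner for heap-spray residue (not from the article).
# A sprayed heap is many identical blocks of "long NOP run + payload"; we look for
# long runs of a single repeated byte and check whether the bytes after each
# NOP run repeat across runs. Thresholds are illustrative assumptions.
from collections import Counter
from typing import List, Tuple

X86_NOP = 0x90
Run = Tuple[int, int, int]  # (offset, length, byte value)

def find_repeated_runs(data: bytes, min_run: int = 256) -> List[Run]:
    """Return every run of one repeated byte that is at least min_run long."""
    runs: List[Run] = []
    i, n = 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i, data[i]))
        i = j
    return runs

def spray_score(data: bytes, min_run: int = 256, tail: int = 16) -> Tuple[int, int]:
    """Return (number of NOP slides, size of the largest group of slides that are
    followed by identical bytes). A high second value means the same slide+payload
    block was copied onto the heap repeatedly, i.e. a spray rather than padding."""
    tails: Counter = Counter()
    slides = 0
    for off, length, value in find_repeated_runs(data, min_run):
        if value != X86_NOP:
            continue  # zero-fill, 0xFF padding etc. are not NOP slides
        slides += 1
        tails[data[off + length: off + length + tail]] += 1
    return slides, (max(tails.values()) if tails else 0)

def looks_like_heap_spray(data: bytes, min_slides: int = 4) -> bool:
    slides, repeated = spray_score(data)
    return slides >= min_slides and repeated >= min_slides

# Constructed samples: a benign buffer with one zero-filled gap, and a sprayed
# buffer of eight identical "slide + stand-in payload" blocks (no real shellcode).
BENIGN = bytes(range(256)) * 4 + b"\x00" * 512 + bytes(range(256)) * 4
SPRAYED = (b"\x90" * 1024 + b"<payload-stand-in>" * 4) * 8

if __name__ == "__main__":
    for name, buf in (("benign", BENIGN), ("sprayed", SPRAYED)):
        print(name, spray_score(buf), looks_like_heap_spray(buf))
```

The zero-filled gap in the benign buffer is reported as a long run but never counted as a slide, which is the distinction a scanner needs to avoid flagging ordinary padding.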
The flaw affects all versions of Windows except Windows 7 – Microsoft closed the vulnerability two weeks ago in January's Patch Tuesday. Those who have not yet installed the patches should install them as soon as possible because, with the help of a freely available Metasploit module, it is simple to create a matching exploit.
(djwm)