Yesterday we received an interesting email-worm sample, detected as Gurong.a, that uses rootkit techniques to hide its file, process and launch point in the registry. It is based on the infamous Mydoom code and it is in the wild but currently spreading very slowly.
Gurong.a modifies the operating system kernel, specifically the system service table and process object structures, so it is a kernel-mode rootkit. What makes it different from other kernel-mode rootkits we have seen is the way it installs the rootkit payload into the kernel. Malware usually does this either by loading a special-purpose driver or by writing into kernel memory from user mode through the physical memory device.
Gurong.a uses the physical memory device only as its initial injection vector: it writes a call gate into the Global Descriptor Table (GDT), which resides in the system address space. Call gates are something we do not see every day. Below is a definition from Wikipedia:
“Call gate is a mechanism in intel x86 architecture for changing privilege level of CPU when it executes a predefined function call.”
For more detailed information about call gates you should have a look at the IA-32 Intel Architecture Software Developer’s Manual, Volume 3A.
What this means is that through the call gate Gurong.a can execute parts of its code at privilege level 0 (kernel mode) without adding any additional code to the system address space. Only the gate descriptor itself lives in the kernel's GDT; a far call through a gate whose DPL is 3 switches the CPU to ring 0 and continues at the target address named by the gate, which here lies in the worm's own user-mode image. That code then has full access to the system address space and to privileged instructions. For example, the routine that hides a process by modifying its object structure is actually part of the wmedia16.exe image (the file name used by the worm) and resides in the user address space. A practical consequence for detection is that a walk of the GDT for present call gates with DPL 3 whose target is a ring-0 code segment exposes this kind of installation, even though no driver was loaded and nothing new was mapped into kernel memory.
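To make the mechanism concrete, here is an added example in C (not code from the original post and not Gurong.a's own code) that builds and parses a 32-bit IA-32 call-gate descriptor and then walks a GDT image looking for gates that a ring-3 caller may use to enter a ring-0 code segment, which is the check a detector would run after an installation like the one described above. The GDT contents, the slot number and the target offset are constructed assumptions; the code models 32-bit protected mode only (in long mode a call gate is 16 bytes and laid out differently).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* 8-byte IA-32 call-gate descriptor (Intel SDM Vol. 3A, "Call Gates"):
 * bits 0-15 offset[15:0] | 16-31 target selector | 32-36 param count |
 * 40-43 type (0xC = 32-bit call gate) | 44 S=0 | 45-46 DPL | 47 P | 48-63 offset[31:16] */
#define GATE_TYPE_CALL32 0xCu

typedef struct {
    uint32_t offset;
    uint16_t selector;
    uint8_t  param_count, dpl, present;
} call_gate_t;

/* Build the descriptor a rootkit would write into a free GDT slot. */
uint64_t encode_call_gate(uint32_t offset, uint16_t selector, uint8_t dpl, uint8_t param_count)
{
    uint64_t d = offset & 0xFFFFu;
    d |= (uint64_t)selector << 16;
    d |= (uint64_t)(param_count & 0x1Fu) << 32;
    d |= (uint64_t)GATE_TYPE_CALL32 << 40;      /* bit 44 (S) stays 0: system descriptor */
    d |= (uint64_t)(dpl & 3u) << 45;
    d |= (uint64_t)1u << 47;                     /* present */
    d |= (uint64_t)(offset >> 16) << 48;
    return d;
}

/* Parse a descriptor as a 32-bit call gate; returns 0 for any other descriptor kind. */
int decode_call_gate(uint64_t d, call_gate_t *g)
{
    if (((d >> 44) & 1u) != 0 || ((d >> 40) & 0xFu) != GATE_TYPE_CALL32)
        return 0;
    g->offset      = (uint32_t)(d & 0xFFFFu) | ((uint32_t)((d >> 48) & 0xFFFFu) << 16);
    g->selector    = (uint16_t)(d >> 16);
    g->param_count = (uint8_t)((d >> 32) & 0x1Fu);
    g->dpl         = (uint8_t)((d >> 45) & 3u);
    g->present     = (uint8_t)((d >> 47) & 1u);
    return 1;
}

/* Present code segment (S=1, type bit 3 = executable) with DPL 0. */
int is_ring0_code_segment(uint64_t d)
{
    return ((d >> 47) & 1u) && ((d >> 44) & 1u) && ((d >> 43) & 1u) && ((d >> 45) & 3u) == 0;
}

/* Selector a ring-3 caller loads to reach GDT slot `index` (TI=0, RPL=3). */
uint16_t gate_selector_for_index(size_t index)
{
    return (uint16_t)((index << 3) | 3u);
}

/* Detection-side walk over a GDT image (obtained with `sgdt` plus a read of
 * kernel memory): report slots holding a present call gate that ring 3 may
 * call (DPL 3) and whose target is a ring-0 code segment in the same GDT.
 * Returns the hit count and stores up to max_hits slot indices in hits[]. */
size_t find_user_callable_ring0_gates(const uint64_t *gdt, size_t entries,
                                      size_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 1; i < entries; i++) {        /* slot 0 is the null descriptor */
        call_gate_t g;
        if (!decode_call_gate(gdt[i], &g) || !g.present || g.dpl != 3)
            continue;
        if (g.selector & 4u)                      /* TI=1 means an LDT target; not handled */
            continue;
        size_t target = g.selector >> 3;
        if (target >= entries || !is_ring0_code_segment(gdt[target]))
            continue;
        if (n < max_hits)
            hits[n] = i;
        n++;
    }
    return n;
}

/* Constructed GDT snapshot (an assumption, not a dump from an infected host):
 * the flat descriptors a 32-bit Windows kernel uses for selectors 0x08/0x10
 * (ring 0) and 0x18/0x20 (ring 3), plus one injected gate in slot 5 (0x28). */
#define SAMPLE_GDT_ENTRIES   8
#define INJECTED_GATE_SLOT   5
#define INJECTED_GATE_TARGET 0x00401234u   /* hypothetical offset inside the worm's user-mode image */
const uint64_t sample_gdt[SAMPLE_GDT_ENTRIES] = {
    0x0000000000000000ULL,   /* 0x00 null */
    0x00CF9A000000FFFFULL,   /* 0x08 ring-0 code, base 0, limit 4 GB */
    0x00CF92000000FFFFULL,   /* 0x10 ring-0 data */
    0x00CFFA000000FFFFULL,   /* 0x18 ring-3 code */
    0x00CFF2000000FFFFULL,   /* 0x20 ring-3 data */
    0x0040EC0000081234ULL,   /* 0x28 injected 32-bit call gate: DPL 3 -> 0x08:0x00401234 */
    0, 0,
};

int main(void)
{
    size_t hits[SAMPLE_GDT_ENTRIES];
    size_t n = find_user_callable_ring0_gates(sample_gdt, SAMPLE_GDT_ENTRIES, hits, SAMPLE_GDT_ENTRIES);
    for (size_t i = 0; i < n; i++) {
        call_gate_t g;
        decode_call_gate(sample_gdt[hits[i]], &g);
        /* A ring-3 caller would then enter ring 0 with a far call through the gate,
         * e.g. `call 0x2B:0` (Intel syntax; the offset is ignored for gates). Not run here. */
        printf("slot %zu: call gate DPL %u -> %#06x:%#010x, callable as selector %#06x\n",
               hits[i], (unsigned)g.dpl, (unsigned)g.selector, (unsigned)g.offset,
               (unsigned)gate_selector_for_index(hits[i]));
    }
    return 0;
}
```

The scan deliberately ignores gates with DPL 0 (only ring 0 could call them, so they give user mode nothing) and gates whose target segment is itself ring 3; a real checker would read the GDT base and limit from `sgdt` on each CPU, since the table is per-processor.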