Windows Hit With Kernel Zero-Day Bug, Ransomware Attack

kernel bug

The kernel flaw stems from an error in the Win32K.sys, enabling hackers to execute arbitrary code attacks that can circumvent the built-in UAC security mechanism on the operating system.

The UAC, a feature that limits the access of application software to standard user privileges unless authorized by an administrator, is embedded in Windows operating systems such as Vista and Windows 7.

Proof of concept code detailing the Windows kernel vulnerability and how it can be used in attacks was published in the wild last week, according to an advisory from Danish security research firm Secunia. Microsoft is currently investigating the issue.

Essentially the flaw opens up the door for malicious hackers to launch distributed denial of service attacks or gain elevated privileges after they have infiltrated a user's machine. However, the threat is somewhat mitigated by the fact that hackers have to use two vulnerabilities in order to successfully launch an attack.

Sponsored post

Thus far there are no active attacks in the wild but security researchers anticipate that some will emerge in subsequent weeks until Microsoft releases a patch fixing the bug.

Meanwhile, security researchers at CA Technologies detected a malicious ransomware file circulating on the Web in spam e-mails.

The malicious file attachment, a variant of Win32/Sasfis, is designed to download a malware component, identified as the Win32/Yuakee.A Trojan used to bypass UAC functions on Windows Vista, and subsequently install it in the victims' computer. The Trojan exploits an older vulnerability and is unrelated to the recent UAC bypass POC.

In Windows 7, the malware executes the System Preparation Tool, while deleting the legitimate file cryptbase.dll. In Windows versions 6.0 and below, the Trojan will execute the master boot record (MBR) ransomware that will save the original MBR in another location while overwriting it with its own code.

The malware then forces a victims' systems to reboot and display a message that falsely warns them that their PCs are blocked and hard drives are encrypted. The message then requires users to submit their sign-on password, and threatens data loss if the users attempt to restore the hard drives.

"On this note, the ransomware is trying to inject fear and attempts to deceive users that the system and personal files were encrypted," said Zarestel Ferrer, CA senior research engineer, in a blogpost Tuesday.

However, in reality, the ransomware has only infected the MBR and not other files, so users can safely use rescue disks and boot disks to restore their systems MBR.