Bad News: the first Win7 64-bit rootkit is in the wild

Scott
09-01-2010, 03:10 PM
This is really bad news. 64-bit operating system users are no longer invincible to rootkits.


"The era of 64-bit rootkits has officially dawned."

http://www.net-security.org/images/articles/broken-win-64bit.jpg



http://www.net-security.org/malware_news.php?id=1446&utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29


First rootkit targeting 64-bit Windows spotted in the wild
Alureon rootkit is back, and has acquired the ability to hijack computers running 64-bit versions of Microsoft Windows, proclaimed Marco Giuliani, security researcher with security company Prevx.
According to him, the era of x64 rootkits has officially dawned.
http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html

Follow-up: http://www.prevx.com/blog/155/x-TDL-rootkit--follow-up.html


... Anyway, the team behind TDL3 rootkit was just too quiet to not expect something new.

... TDL3 has been updated and this time this is a major update; the rootkit is now able to infect 64 bit versions of Microsoft Windows operating system.

Why is this worrying and important news? x64 versions of Windows are considered much more secure than their respective 32-bit versions because of some advanced security features which are intended to make it more difficult to get into kernel mode and hook the Windows kernel....


Microsoft Technet's blog post:

http://blogs.technet.com/b/mmpc/archive/2010/08/27/alureon-evolves-to-64-bit.aspx


Normally, 64-bit Windows has several protections against untrusted modifications to the kernel, including a requirement that all drivers be signed, and PatchGuard, which prevents tampering of certain system structures. Aside from intercepting the OS boot sequence early in the cycle, the malware also reconfigures the operating system in a visible way to accept loading of unsigned drivers. Since the method used to do this is a supported extensibility feature of the kernel used by full disk encryption and compression software, it does not actually violate the guarantees PatchGuard provides about system integrity.

Scott
09-01-2010, 03:11 PM
If you did not understand the above, then this should be simpler for you to understand; it certainly helped me.


A "rootkit" is unauthorized, total access to your computer. They can have varied effects, such as redirecting your Google searches to unwanted ad sites, or even stealing your banking details if you do online transactions on that computer.

64-bit systems (Windows 7) were, up until now, entirely immune to rootkits, because Microsoft included greater prevention steps to prevent them from even installing on your computer. That has completely changed, as the first 64-bit rootkit has hit the internet just recently... if you are using Windows 7 you are no longer invincible to rootkits.

As of now, if you are using your computer from a limited user account (NOT running as administrator) with UAC turned ON, then you should be fine. If not, I highly suggest turning this on as the rootkit won't be able to install itself if you practice these basic security measures.