Sophisticated rootkit invades 64-bit Windows operating system
November 17, 2010
A sophisticated and stealthy rootkit that for years has plagued 32-bit versions of the Windows operating system has begun infecting 64-bit versions of the Microsoft operating system as well, and appears to be spreading rapidly across many countries.
The ability of the Alureon rootkit (also known as TDL or TDSS) to infect 64-bit versions of Windows 7 and Windows Server 2008 R2 is something of a coup for its creators, since Microsoft equipped the 64-bit platform with additional safeguards intended to block exactly this kind of attack.
Nonetheless, Alureon crossed over to the 64-bit platform sometime in August 2010, according to Internet security firm Prevx.
And according to recent research published by GFI Software, the latest version, TDL4, gets onto 64-bit Windows by bypassing the operating system's kernel mode code signing policy, which is designed to let a driver load only if it carries a digital signature from a trusted source.
The rootkit achieves that by overwriting the master boot record (MBR) of the hard drive, so that its own code runs before Windows does, and then changing the computer's or server's boot options in memory, in the background and most likely without the system's administrator noticing.
“The hard drive's boot option is then changed in memory from the code executed by the infected MBR,” GFI Technical Fellow Chandra Prakash wrote. “The boot option configures the value of a config setting named 'LoadIntegrityCheckPolicy' that determines the level of validation on boot programs. The rootkit then changes this config setting value to a lower level of validation that effectively allows loading of an unsigned malicious rootkit DLL file.”
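Because the boot option is patched in memory, the on-disk BCD store looks normal on an infected machine; what does change on disk is the MBR itself. The following is an added example, not code from Prevx or GFI, of the offline check a responder would run for that: it parses a 512-byte MBR, validates its layout, and compares the bootstrap code region (bytes 0 to 439) against a known-good SHA-256 baseline, so a bootkit that replaced the boot code but left the partition table and boot signature intact is flagged. The sample sectors, the partition layout and the baseline hash are constructed for the demonstration and are not real TDL4 bytes.

```python
# Added example (not Prevx's or GFI's code): offline integrity check for a
# classic MBR. Sample sectors and the baseline hash below are constructed.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code occupies bytes 0..439
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_partition_table(mbr):
    """Return the four partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the bootstrap code only; the partition table is excluded
    because it legitimately differs from machine to machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, known_good_hash):
    """Return (ok, findings). ok is True only if the sector is well formed
    and its boot code matches the baseline."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return False, ["sector is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE)]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partition_table(mbr)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d partitions flagged bootable, expected 1" % len(bootable))
    for p in parts:
        if p["type"] and p["lba_start"] == 0:
            findings.append("partition %d starts at LBA 0 (overlaps the MBR)" % p["index"])
    digest = boot_code_hash(mbr)
    if digest != known_good_hash:
        findings.append("boot code hash %s... does not match baseline" % digest[:16])
    return not findings, findings


def check_disk_image(path, known_good_hash):
    """Read sector 0 from a raw disk image (or a block device such as
    \\\\.\\PhysicalDrive0 on Windows, run as Administrator) and check it."""
    with open(path, "rb") as f:
        return check_mbr(f.read(SECTOR_SIZE), known_good_hash)


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR sector for the demonstration below."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = b"\x12\x34\x56\x78"   # constructed disk signature
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector,
                         PART_TABLE_OFFSET + i * PART_ENTRY_LEN,
                         status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed data: a stand-in for clean Windows MBR code with one bootable
# NTFS partition, and the same sector with the bootstrap code swapped for a
# stand-in bootkit stub (a jump to code that would live in hidden sectors).
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")
INFECTED_BOOT_CODE = bytes.fromhex("eb3e90b80002bb007c")
PARTITIONS = [(0x80, 0x07, 2048, 204800)]   # bootable NTFS starting at LBA 2048
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, PARTITIONS)
# In practice the baseline comes from a known-clean install of the same
# Windows build; here it is taken from the constructed clean sector.
KNOWN_GOOD_HASH = boot_code_hash(CLEAN_MBR)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        ok, findings = check_mbr(sector, KNOWN_GOOD_HASH)
        print("%-9s %s %s" % (name, "OK" if ok else "SUSPICIOUS", findings))
```

Run the check from boot media or against an image taken with the disk offline: a rootkit that is already resident in the kernel can intercept disk reads and hand back a clean-looking sector 0, so a read issued from inside the infected system is not trustworthy.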
According to researchers at Prevx, TDL is the most advanced rootkit yet seen in the wild. It serves as a backdoor for installing and updating keyloggers and other malware on infected computers, and once installed it is not detected by most anti-malware programs.
In keeping with TDL's complexity, the rootkit uses low-level instructions to disable debuggers, making it difficult for analysts to debug the code and subsequently remove the rootkit.
One of the protections Microsoft added to 64-bit versions of Windows such as Windows 7 is the kernel mode code signing policy. Microsoft also added Kernel Patch Protection, better known as PatchGuard, which detects unauthorized modification of sensitive parts of the Windows kernel by kernel mode drivers and halts the system.
TDL circumvents this protection as well, by altering the machine's MBR so that its code runs at boot time and intercepts the Windows startup routines before the kernel and its protections are in place.
Source: Prevx Internet Security LLC.