
Sophisticated rootkit invades 64-bit Windows operating system


November 17, 2010

A sophisticated and obscure rootkit that for years has ravaged 32-bit versions of the Windows operating system has begun attacking 64-bit versions of the Microsoft operating system as well, and seems to be spreading rapidly across many countries.

The ability of the worm Alureon to infect 64-bit versions of Windows 7 and Windows Server 2008 R2 is something of a coup for its creators, since Microsoft endowed the OS with enhanced security safeguards that were intended to block such attacks.

However, Alureon crossed into the 64-bit platform sometime in August, according to Internet security firm Prevx.

And according to recent research published by GFI Software, the latest TDL 4 variant penetrates 64-bit versions of Windows by bypassing the OS's kernel mode code signing policy, which is designed to allow drivers to be installed only when they have been digitally signed by a trusted source.

The rootkit achieves that by writing itself into the hard drive's master boot record (MBR) and then changing the computer or server's boot options in the background, most likely without the system administrator noticing.

“The hard drive's boot option is then changed in memory from the code executed by the infected MBR,” GFI Technical Fellow Chandra Prakash wrote. “The boot option configures the value of a config setting named 'LoadIntegrityCheckPolicy' that determines the level of validation on boot programs. The rootkit then changes this config setting value to a lower level of validation that effectively allows loading of an unsigned malicious rootkit DLL file.”

According to various researchers at Prevx, TDL is the most advanced rootkit ever seen in the wild. It is used as a backdoor to install and update keyloggers and other types of malware on infected computers. Once installed it is undetectable by most anti-malware programs.

In keeping with TDL's high degree of complexity, the rootkit uses low-level instructions to disable debuggers, making it rather difficult for white hat hackers to perform any form of debugging and the subsequent removal of the rootkit.

One of the advanced protections Microsoft added to 64-bit versions of Windows such as Windows 7 was kernel mode code signing policy. Microsoft also added a feature known as PatchGuard, which blocks kernel mode drivers from altering sensitive parts of the Windows kernel.

TDL manages to circumvent this protection as well, by altering a machine's MBR so that it can intercept Windows startup routines during boot time.
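Because the infection described above lives in the MBR rather than in a signed driver, one practical defensive check is to baseline the raw boot sector and re-compare it later. The following Python script is an added example, not code from the article, Prevx or GFI: it parses a 512-byte MBR, hashes the bootstrap code region and reports drift against a baseline. The sample sectors are constructed here; on a real machine the first sector of the physical disk should be read from a clean boot environment, since a rootkit that filters disk reads can hand a clean copy to the running OS.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440            # 4-byte Windows disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into the fields a baseline check needs."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def mbr_drift(baseline: dict, current: dict) -> list:
    """Return findings where the current MBR departs from the recorded baseline."""
    findings = []
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("bootstrap code changed (possible bootkit infection)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample sector: given bootstrap bytes, one bootable NTFS partition."""
    sector = bytearray(MBR_SIZE)
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)       # constructed value
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 8)
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")  # different bootstrap code, same partitions
```

Running `mbr_drift(parse_mbr(CLEAN_MBR), parse_mbr(TAMPERED_MBR))` flags only the bootstrap code, which is the pattern the article describes: the partition table is untouched while the code that runs before Windows is replaced.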


Source: Prevx Internet Security LLC.
