Sunday, September 19, 2010

TDL3 Rootkit x64 Goes In The Wild

64-bit Windows operating systems have long been considered a tier above 32-bit in terms of security, but they are now the newest target for a certain rootkit. Security company Prevx found that the rootkit TDL3, which has been active for several months, received a new update that allows it to infect 64-bit Windows. This is an unprecedented development and marks the first appearance of an in-the-wild x64 rootkit.

x64 versions of Windows are considered much more secure than their 32-bit counterparts because of advanced security features intended to make it more difficult to get into kernel mode and hook the Windows kernel.

64-bit Windows Vista and Windows 7 don’t allow just any driver into the kernel memory region, due to a very strict digital signature check. If the driver has not been digitally signed, Windows won’t allow it to be loaded. This first technique allowed Windows to block every kernel mode rootkit from being loaded, because malware isn’t usually signed – at least, it shouldn’t be.

The second technique to prevent kernel mode drivers from altering Windows kernel behavior is the Kernel Patch Protection, also known as PatchGuard. This blocks every kernel mode driver from changing sensitive areas of the Windows kernel. Prevx describes how the rootkit gets past both techniques:

To bypass both Kernel Patch Protection and Driver Signature verification, the rootkit is patching the hard drive’s master boot record so that it can intercept Windows startup routines, own them, and load its driver. Both Windows security mechanisms are bypassed.

The first attempt at breaking x64 kernel security was the Whistler bootkit, but the first in-the-wild x64-compatible attack is this rootkit. The Prevx community had been seeing infections in the nine days leading up to 8/26/2010, when the article was written, and it is surely still active. The rootkit is spreading via porn websites and exploit kits. Prevx is currently analyzing the rootkit and thinks that TDL3 is under new owners, who are modifying it for x64 compatibility. Right now it seems to be in beta because it doesn’t always work, but it will be important to keep an eye on it.

