Scott
09-01-2010, 03:10 PM
This is really bad news. 64-bit operating system users are no longer invincible to rootkits.
"The era of 64-bit rootkits has officially dawned."
http://www.net-security.org/images/articles/broken-win-64bit.jpg
http://www.net-security.org/malware_news.php?id=1446&utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29
First rootkit targeting 64-bit Windows spotted in the wild
Alureon rootkit is back, and has acquired the ability to hijack computers running 64-bit versions of Microsoft Windows, proclaimed Marco Giuliani, security researcher with security company Prevx.
According to him, the era of x64 rootkits has officially dawned.
http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html
Follow-up: http://www.prevx.com/blog/155/x-TDL-rootkit--follow-up.html
... Anyway, the team behind TDL3 rootkit was just too quiet to not expect something new.
... TDL3 has been updated and this time it is a major update; the rootkit is now able to infect 64-bit versions of the Microsoft Windows operating system.
Why is this worrying and important news? x64 versions of Windows are considered much more secure than their respective 32-bit versions because of some advanced security features which are intended to make it more difficult to get into kernel mode and hook the Windows kernel....
Microsoft Technet's blog post:
http://blogs.technet.com/b/mmpc/archive/2010/08/27/alureon-evolves-to-64-bit.aspx
Normally, 64-bit Windows has several protections against untrusted modifications to the kernel, including a requirement that all drivers be signed, and PatchGuard, which prevents tampering of certain system structures. Aside from intercepting the OS boot sequence early in the cycle, the malware also reconfigures the operating system in a visible way to accept loading of unsigned drivers. Since the method used to do this is a supported extensibility feature of the kernel used by full disk encryption and compression software, it does not actually violate the guarantees PatchGuard provides about system integrity.
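The Microsoft post says the malware changes the OS configuration "in a visible way" so that unsigned drivers load. A defender can look for exactly that kind of visible change. The script below is an added example, not code from this thread, from Prevx or from Microsoft: it parses the text that `bcdedit /enum` prints and flags boot-loader entries whose `testsigning` or `nointegritychecks` element is set to Yes. That these two BCD elements are the ones worth auditing is this example's assumption (the post does not name the setting the malware used), and the boot-configuration dump it ships with is constructed sample data with placeholder GUIDs. On Windows it runs `bcdedit /enum` from an elevated prompt; elsewhere it falls back to the sample.

```python
"""Audit a Windows boot configuration (BCD) dump for settings that let
the kernel load unsigned drivers.

Added example. Which BCD elements matter (testsigning, nointegritychecks)
is an assumption; the forum post only says the configuration change is
visible.
"""
import re
import subprocess
import sys

# BCD elements that, when enabled, relax kernel-mode code signing (assumption).
RISKY_ELEMENTS = {
    "testsigning": "test-signing mode accepts drivers signed with a test cert",
    "nointegritychecks": "kernel-mode code integrity checks are disabled",
}

# Constructed sample of `bcdedit /enum` output; the second loader GUID is a
# placeholder. The {current} entry is the "bad" one.
SAMPLE_BCD = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
testsigning             Yes
nointegritychecks       Yes

Windows Boot Loader
-------------------
identifier              {00000000-0000-0000-0000-000000000000}
device                  partition=D:
path                    \\Windows\\system32\\winload.exe
description             Windows 7 (clean)
osdevice                partition=D:
systemroot              \\Windows
nx                      OptIn
"""

# "element-name   value" -> (element-name, value)
_LINE = re.compile(r"^(\S+)\s+(.*?)\s*$")


def parse_bcd(text):
    """Split bcdedit output into one dict per entry (manager or loader)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # An entry is a title line followed by a dash underline.
        if len(lines) < 2 or not lines[1].startswith("-"):
            continue
        entry = {"_type": lines[0].strip()}
        for line in lines[2:]:
            m = _LINE.match(line)
            if m:
                entry[m.group(1).lower()] = m.group(2)
        entries.append(entry)
    return entries


def find_unsigned_driver_settings(entries):
    """Return (identifier, element, reason) for every boot-loader entry
    that has one of the risky elements enabled."""
    findings = []
    for entry in entries:
        if entry.get("_type") != "Windows Boot Loader":
            continue
        for element, reason in RISKY_ELEMENTS.items():
            if entry.get(element, "").strip().lower() == "yes":
                findings.append((entry.get("identifier", "?"), element, reason))
    return findings


def audit_text(text):
    """Parse a bcdedit dump and return its findings."""
    return find_unsigned_driver_settings(parse_bcd(text))


def main():
    if sys.platform == "win32":
        # bcdedit is a standard Windows tool; needs an elevated prompt.
        proc = subprocess.run(["bcdedit", "/enum"], capture_output=True,
                              text=True, check=True)
        text = proc.stdout
    else:
        text = SAMPLE_BCD
    findings = audit_text(text)
    for ident, element, reason in findings:
        print(f"{ident}: {element}=Yes ({reason})")
    if not findings:
        print("no boot entry accepts unsigned drivers")


if __name__ == "__main__":
    main()
```

A hit on the entry that is actually booted is what to investigate; a reconfiguration like this is not proof of infection on its own (developers enable test signing deliberately), but on a machine where nobody turned it on it is the visible trace the Microsoft post describes.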