LandzDown Forum

Hi  

Rootkit able to bypass kernel protection and driver signing in 64-bit Windows

The 64-bit version of the Alureon rootkit / bot is able to bypass the special security features included in the 64-bit versions of Windows 7 and Vista and insert itself into the system. The tricks used have been known about in theory for several years, but until recently had not been used by malware in the wild. The 32-bit version of Alureon made headlines early this year, when the installation of a Microsoft patch left many systems unable to boot. The problem was caused by the previously unnoticed presence of the rootkit, which the patch effectively unmasked.

The 64-bit version of Alureon (aka. TDL) deactivates checks for driver signing and, even during the boot process, reroutes specific API calls in order to bypass the kernel's PatchGuard mechanism. Driver signing is intended to ensure that Windows only loads drivers from known vendors. PatchGuard is intended to protect the operating system kernel from being modified by malicious code.

More: http://www.h-online.com/security/news/item/Rootkit-able-to-bypass-kernel-protection-and-driver-signing-in-64-bit-Windows-1137225.html

Search: Heise Online : http://www.h-online.com/security/  

Note: If you start the DOS-tool Diskpart via the comando promt in Windows typing ' lis dis ' (without the ' ), you should be able to see a list of all the drives on your computer. If the list is empty your computer may possible be infected by the Alureon rootkit / bot

The rootkit Alureon is also known as : TDSS, TLD3 or Tidserv.

I did hadn't seen this tread. Sorry Corinne : Read on here as well: http://www.landzdown.com/index.php/topic,47454.0.html