LandzDown Forum

Security => Security Alerts & Briefings => Topic started by: Frands on November 17, 2010, 05:54:24 PM

Title: Alert: Alureon rootkit & 64-bit windows- new
Post by: Frands on November 17, 2010, 05:54:24 PM
Hi  :)

Quote: Rootkit able to bypass kernel protection and driver signing in 64-bit Windows

The 64-bit version of the Alureon rootkit / bot is able to bypass the special security features included in the 64-bit versions of Windows 7 and Vista and insert itself into the system. The tricks used have been known about in theory for several years, but until recently had not been used by malware in the wild. The 32-bit version of Alureon made headlines early this year, when the installation of a Microsoft patch left many systems unable to boot. The problem was caused by the previously unnoticed presence of the rootkit, which the patch effectively unmasked.

The 64-bit version of Alureon (aka. TDL) deactivates checks for driver signing and, even during the boot process, reroutes specific API calls in order to bypass the kernel's PatchGuard mechanism. Driver signing is intended to ensure that Windows only loads drivers from known vendors. PatchGuard is intended to protect the operating system kernel from being modified by malicious code.

More: http://www.h-online.com/security/news/item/Rootkit-able-to-bypass-kernel-protection-and-driver-signing-in-64-bit-Windows-1137225.html

Search: Heise Online : http://www.h-online.com/security/

Note: If you start the DOS tool Diskpart via the command prompt in Windows and type ' lis dis ' (without the ' ), you should be able to see a list of all the drives on your computer. If the list is empty, your computer may possibly be infected by the Alureon rootkit / bot.

The rootkit Alureon is also known as: TDSS, TDL3 or Tidserv.
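
The Diskpart check from the note above, scripted so it can be run the same way on several machines. This is an added example, not part of the forum post or of any vendor tool: it feeds "list disk" to diskpart.exe non-interactively, parses the rows it prints, and flags an empty list as the post describes. As a small extension beyond the post, it also compares diskpart's disk count against what WMI (Win32_DiskDrive) reports and warns on a mismatch; the function names and the temp-file location are choices made here. It must be run from an elevated PowerShell prompt because diskpart requires administrator rights.

```powershell
# Added example (not from the forum post): run diskpart's "list disk" non-interactively
# and flag an empty result, which the post above says may point at an Alureon/TDL infection.
# Requires an elevated prompt; diskpart.exe refuses to run without administrator rights.

function Get-DiskpartDiskList {
    # diskpart reads commands from a script file with /s, so write "list disk" to a temp file
    $script = Join-Path $env:TEMP 'list_disk.txt'   # temp file name is an arbitrary choice
    Set-Content -Path $script -Value 'list disk' -Encoding ASCII
    try {
        $output = & diskpart.exe /s $script 2>&1
    } finally {
        Remove-Item -Path $script -ErrorAction SilentlyContinue
    }

    # diskpart prints one row per disk, e.g. "  Disk 0    Online    465 GB   0 B"
    # Keep only those rows and split them on runs of two or more spaces into columns.
    $output | Where-Object { $_ -match '^\s*Disk\s+\d+\s' } | ForEach-Object {
        $cols = ($_.Trim() -split '\s{2,}')
        [pscustomobject]@{
            Disk   = $cols[0]   # "Disk 0"
            Status = $cols[1]   # "Online" / "Offline"
            Size   = $cols[2]   # "465 GB"
        }
    }
}

function Test-DiskpartVisibility {
    $disks = @(Get-DiskpartDiskList)

    # Independent view of the same hardware via WMI, used only for comparison
    $wmiCount = @(Get-CimInstance -ClassName Win32_DiskDrive).Count

    if ($disks.Count -eq 0) {
        Write-Warning 'diskpart returned no disks; per the alert above, investigate this machine for a rootkit.'
        return $false
    }
    if ($disks.Count -ne $wmiCount) {
        # Not in the original post: a disagreement between two views of the disks is worth a closer look
        Write-Warning "diskpart lists $($disks.Count) disk(s) but WMI reports $wmiCount; review this machine."
    }

    $disks | Format-Table -AutoSize
    return $true
}

Test-DiskpartVisibility
```

On a healthy machine the table printed matches the screenshot posted further down the thread (one "Disk N" row per physical drive) and the function returns $true; an empty table returns $false so the script can be used in a loop over a list of hosts.
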
Title: Re: Alert: Alureon rootkit & 64-bit windows- new
Post by: Frands on November 17, 2010, 06:09:25 PM
The diskpart looks something like this if things are OK:

(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fpeecee.dk%2Fuploads%2F112010%2Fdiskpart.jpg&hash=2d845de1e3152e062445e7e7b8bb141dc7e79048)

Title: Re: Alert: Alureon rootkit & 64-bit windows- new
Post by: Frands on November 17, 2010, 06:13:50 PM
I hadn't seen this thread. Sorry Corinne :rose: :blink: : Read on here as well: http://www.landzdown.com/index.php/topic,47454.0.html
Title: Re: Alert: Alureon rootkit & 64-bit windows- new
Post by: Corrine on November 17, 2010, 06:29:28 PM
Two places are better than one!  I'll post a link here from the other topic too. :)