How the TLD4 rootkit gets around driver signing policy on a 64-bit machine

Started by Corrine, November 17, 2010, 12:20:39 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

Corrine

November 17, 2010, 12:20:39 AM
QuoteMicrosoft's Windows operating system, running on a 64-bit machine provides enhanced security with driver signing of system and low level drivers. This policy, called the kernel mode code signing policy, disallows any unauthorized or malicious driver to be loaded. [1.]

The TDL4 rootkit bypasses driver signing policy on 64-bit machines by changing the boot options of Microsoft boot programs that will allow an unsigned driver to load.

See how its done at the SunbeltBlog:  How the TLD4 rootkit gets around driver signing policy on a 64-bit machine.

Story at The Register:  World's most advanced rootkit penetrates 64-bit Windows.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Corrine

#1
November 17, 2010, 06:30:10 PM
Additional information at Alert: Alureon rootkit & 64-bit windows


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
Print
Go Up Pages1
User actions