64-bit rootkit spreading

Published on 31st August 2010 by Gareth Halfacree


The latest build of the Alureon rootkit is able to infect 64-bit Windows builds – the first to do so.

A particularly virulent rootkit targeting Windows machines – known as Alureon – is back, and this time it comes in a 64-bit edition.

With more and more systems shipping with 64-bit builds of Windows pre-installed in order to take advantage of 4GB – or more – of RAM, it was only a matter of time before crackers started coding malware to accommodate the shifting target landscape – and it looks like that day is here.

According to Help Net Security, this latest build of Alureon is the first rootkit in the wild with the ability to successfully infect and hide itself in 64-bit Windows builds.

Running the 64-bit version of Windows has traditionally offered some protection from rootkits and other malware packages, as the differing memory locations mean that a 32-bit rootkit attempting a buffer overflow exploit may find that it overwrites the wrong part of memory and fails to execute – or, in the best case scenario, fails to overflow at all. Sadly, it looks like that small measure of protection is rapidly vanishing.

Despite protections built into the latest versions of Windows – including Kernel Mode Code Signing, which prevents unsigned (and therefore unauthorised) code from accessing kernel memory, and Kernel Patch Protection – the latest Alureon build continues to infect systems worldwide by installing a modified Master Boot Record and immediately forcing Windows to restart. When the modified MBR runs at the next boot, the rootkit loads its kernel module before those protections have kicked in.
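The MBR-based loading described above is easiest to picture by looking at what the first sector of a disk actually contains. The following Python is added here as an illustration; it is not code from the article or from the Alureon analysis it cites. It parses a 512-byte MBR image, checks the boot signature and partition table for sanity, and compares the boot-code bytes against a known-good baseline hash, which is the kind of offline integrity check a defender would run. The sample sectors, the disk signature and the boot-code bytes are all constructed placeholders, and the check goes slightly beyond the article's MBR-only case by flagging a GPT protective entry (partition type 0xEE) so the reader knows to look at the GPT headers instead.

```python
"""Integrity check for a 512-byte Master Boot Record image.

Added example, not code from the article or from the Alureon analysis it cites.
Classic MBR layout: bytes 0-439 boot code, 440-443 Windows disk signature,
444-445 reserved, 446-509 four 16-byte partition entries, 510-511 the
0x55 0xAA boot signature.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
BOOT_SIG_OFF = 510
GPT_PROTECTIVE_TYPE = 0xEE  # partition type used by a GPT disk's protective MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into boot code, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped),
        # LBA of first sector, sector count; all little-endian.
        status, ptype, lba_start, sectors = struct.unpack(
            "<B3xB3xII", sector[off:off + 16])
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
        "valid_boot_signature": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code bytes only, so partition edits do not trip the baseline."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["valid_boot_signature"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_hash:
        findings.append("boot code differs from baseline")
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one active partition")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == GPT_PROTECTIVE_TYPE:
            findings.append(f"partition {i}: GPT protective entry, check the GPT headers instead")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sector with the given boot code and one active NTFS-type partition."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD)  # constructed disk signature
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    return boot_code + disk_sig + b"\x00\x00" + entry + b"\x00" * 48 + b"\x55\xAA"


# Constructed placeholders: stock boot code versus the boot code a bootkit would
# substitute while leaving the partition table untouched so the system still boots.
CLEAN_MBR = build_sample_mbr(b"CONSTRUCTED-STOCK-BOOT-CODE")
BASELINE_HASH = boot_code_hash(CLEAN_MBR)
TAMPERED_MBR = build_sample_mbr(b"CONSTRUCTED-REPLACED-BOOT-CODE")


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE_HASH) or ["ok"])
```

Note that the tampered sample keeps exactly the same partition table as the clean one and differs only in the boot code, which is why the baseline is taken over the boot-code bytes rather than the whole sector. On a live Windows system the first sector is read from `\\.\PhysicalDrive0` with administrative rights, but a bootkit that hooks disk I/O can hand the original sector back to the operating system it has compromised, so the comparison is only trustworthy when the sector is read from outside the suspect OS, for example from boot media or with the drive attached to another machine.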

It looks like the authors are still finding their feet in the world of 64-bit infections, however; PrevX researcher Marco Giuliani claims that the current version found in the wild appears to be a “beta build,” as its infection attempts “didn’t always fully work” in internal testing.

Are you surprised that it has taken the ne’er-do-wells this long to develop rootkits for 64-bit Windows, or just saddened that yet more of Microsoft’s well-meaning protection systems have been rendered useless? Share your thoughts over in the forums.


25 Comments


fingerbob69 31st August 2010, 09:57 Quote

Thanks for the warning …but how do I best protect myself?

Gareth Halfacree 31st August 2010, 10:02 Quote

Quote:
Originally Posted by fingerbob69
Thanks for the warning …but how do I best protect myself?

Well, I moved to Linux – but I appreciate that’s not always an option. 😉

Best things to do:
1) Don’t download dodgy copies of software.
B) Keep your system up-to-date
iii) Run a decent anti-virus and anti-spyware scanner
IV) Refrain from clicking links that you know you shouldn’t

They don’t offer complete protection, but that should see you a lot safer than most.

leveller 31st August 2010, 10:06 Quote

Gareth, do all current antiV pick up root kits? Going back a couple of years there was only a downloadable detector from MS’s website.

Neoki 31st August 2010, 10:15 Quote

Leveller,

All decent AV/IS products will contain Anti-Rootkit modules.

Joey9801 31st August 2010, 12:08 Quote

Hurrah for openSUSE 🙂

Unknownsock 31st August 2010, 12:29 Quote

The question being is, why do people write stuff like this?

No seriously, I’d love to meet the guy who killed my computer a while back..

mrbens 31st August 2010, 12:43 Quote

Quote:
of 4GB – or more – of RAM

What’s with all the hyphens (-) all over this news article?!

Hyphens are to join two words, commas are to break up sentences. 🙂

LooseNeutral 31st August 2010, 13:32 Quote

More bad news. I’ve had to wear out some ears and rear parts about viruses and the like to friends who just won’t, or perhaps can’t, understand. Or, more often, don’t care that they spread this crap around like a friggin plague! A lot of my Mac friends don’t get it either. “Hello, sure your machine is fine but you’re a CARRIER! What’s that… Windows won’t work anymore and you don’t know what to do? I can’t imagine WHY!” I wonder if this will take down a Mac running Boot Camp or the like? So, any idea where they found this wild thing roaming about and why the great protectors (antivirus devs) haven’t raised the red flags yet? SShh! Not so loud 😦

borandi 31st August 2010, 13:57 Quote

Quote:
Originally Posted by mrbens

Quote:
of 4GB – or more – of RAM

What’s with all the hyphens (-) all over this news article?!

Hyphens are to join two words, commas are to break up sentences. 🙂

They’re dashes. Dashes are used like commas but often to form a differential clause opposite in context or character to the first. In this case though, commas would be more appropriate 🙂

Gareth Halfacree 31st August 2010, 14:16 Quote

Quote:
Originally Posted by mrbens
What’s with all the hyphens (-) all over this news article?! Hyphens are to join two words, commas are to break up sentences. 🙂

I know, I know, I should be using an em-dash for asides – but the last time I tried that, it broke non-UTF-8 browsers. :p

bogie170 31st August 2010, 15:56 Quote

So what’s the best Alureon rootkit finder to see if you have been infected?

greigaitken 31st August 2010, 16:13 Quote

Microsoft totally missing a great cash cow here. New OS every six months, so once malware is developed for it – just buy the new OS. They won’t even have to worry about making pointless incapable security anymore.

RichCreedy 31st August 2010, 17:59 Quote

Will you buy a new OS every 6 months? I don’t think so.

Bakes 31st August 2010, 18:11 Quote

Quote:
Originally Posted by greigaitken
Microsoft totally missing a great cash cow here. New OS every six months, so once malware is developed for it – just buy the new OS. They won’t even have to worry about making pointless incapable security anymore.

That’s a great idea! I mean, what with the having to rewrite the entirety of Windows every six months, I think you’re on to something here!

Seriously though, security is a journey, not a destination, and if Microsoft’s 64-bit security principles have been useful in preventing rootkits since Vista (beta builds of Vista were available 4 years ago) that’s a massive success in my book. Think of all the computers that haven’t been rootkitted due to running 64-bit Windows.

veato 31st August 2010, 20:45 Quote

Got it yesterday. Along with the other crap it brought down too! The other stuff went easily but this nasty bugger hung around. Even when every piece of AV I had couldn’t find it anymore I was still getting stuff like URL redirections. Had to perform a full format last night!

Boogle 31st August 2010, 21:33 Quote

Quote:
Originally Posted by LooseNeutral
More bad news. I’ve had to wear out some ears and rear parts about viruses and the like to friends who just won’t, or perhaps can’t, understand. Or, more often, don’t care that they spread this crap around like a friggin plague! A lot of my Mac friends don’t get it either. “Hello, sure your machine is fine but you’re a CARRIER! What’s that… Windows won’t work anymore and you don’t know what to do? I can’t imagine WHY!” I wonder if this will take down a Mac running Boot Camp or the like? So, any idea where they found this wild thing roaming about and why the great protectors (antivirus devs) haven’t raised the red flags yet? SShh! Not so loud 😦

Aaaarghhh stop bringing back the memories! 😄

thehippoz 31st August 2010, 22:19 Quote

Quote:
Originally Posted by Unknownsock
The question being is, why do people write stuff like this?

No seriously, I’d love to meet the guy who killed my computer a while back..

He’d just root you again after you beat him up 😀

skybarge 31st August 2010, 22:49 Quote

Quote:
Originally Posted by thehippoz

Quote:
Originally Posted by Unknownsock
The question being is, why do people write stuff like this?

No seriously, I’d love to meet the guy who killed my computer a while back..

He’d just root you again after you beat him up 😀

Plus you’d get in trouble for beating up a 10-year-old script kiddie most prob 🙂 or someone with advanced autism

Pookeyhead 31st August 2010, 22:54 Quote

If you need to check for this beasty being present….

Quote:
If you did not have proactive detection in place, you can (currently) manually check to see if the bootkit is installed. As a side effect of the bootkit, the Disk Management pane of the Computer Management console will fail to show the system drive altogether:

It will also fail to show up in the command line using diskpart:

Lifted from MS Malware Protection Centre.

Keyword there being CURRENTLY. As soon as this is known to the developers of this crap, then that will probably be “fixed”.

LooseNeutral 1st September 2010, 00:19 Quote

Quote:
Originally Posted by Pookeyhead
If you need to check for this beasty being present….

Lifted from MS Malware Protection Centre.

Keyword there being CURRENTLY. As soon as this is known to the developers of this crap, then that will probably be “fixed”.

Much Appreciated! Thanks;)

azrael- 1st September 2010, 06:53 Quote

Well, one way around this would be using GPT instead of MBR. The good thing: Windows 7 x64 supports (booting from) it. The bad thing: AFAIR you’d need a motherboard with (U)EFI support as well. The really bad thing: once (U)EFI takes over from BIOS (if it’ll ever happen) it’s going to be soooo much easier to write even more nasty malware/rootkits.

Taniniver 1st September 2010, 07:45 Quote

Quote:
Originally Posted by azrael-
Once (U)EFI takes over from BIOS (if it’ll ever happen)

I think we will start to see it more and more soon, since we are reaching the hard drive size limitation imposed by the BIOS – you can’t boot from a drive bigger than 2 TB (approx) without UEFI.

fingerbob69 1st September 2010, 10:36 Quote

I think we will start to see it more and more soon, since we are reaching the hard drive size limitation imposed by the BIOS – you can’t boot from a drive bigger than 2 TB (approx) without UEFI.

Surely the answer to that (assuming you want to perpetuate BIOS) is that all computers come with at least two drives: a small boot drive with enough spare space to allow for service packs, security updates etc. and a larger storage drive for everything else.

In fact, why not sell Windows pre-loaded onto an SSD that you can then just swap out with each new OS upgrade or, of course, if the OS becomes fatally infected?

HourBeforeDawn 2nd September 2010, 18:32 Quote

The latest version of TDSSKiller should take care of this if you get infected.

LooseNeutral 3rd September 2010, 04:14 Quote

Quote:
Originally Posted by HourBeforeDawn
The latest version of TDSSKiller should take care of this if you get infected.

Again, thanks fellas! I don’t suppose a system under warranty would cover this crap 😕 :( Sounds like a plus for the mfg’s 😔 Hmmm NAH, ’nother crazy conspiracy theory!?


Posted via email from lamont price (at) posterous.com
