Windows 7 Forums
Windows 7: TDL3 rootkit x64 goes in the wild


27 Aug 2010   #1
JMH

Win 7 Ultimate 64-bit. SP1.
 
 
TDL3 rootkit x64 goes in the wild

Quote:

It took some time but now x64 Windows operating systems are officially the new target of rootkits.

We talked about TDL3 rootkit some months ago as the most advanced rootkit ever seen in the wild. Well, the last version of TDL3 was released months ago and documented as build 3.273. After that, no updates have been released to the rootkit driver. This was pretty suspicious, more so if you've been used to seeing rebuild versions of TDL3 rootkit every few days to defeat security software.

Obviously, the rootkit was stable and it is currently running without any major bug on every 32 bit Windows operating system. Still though, the dropper needed administrator rights to install the infection in the system. Anyway, the team behind TDL3 rootkit was just too quiet to not expect something new.

They actually built a nice gift for every security vendor, because TDL3 has been updated and this time this is a major update; the rootkit is now able to infect 64 bit versions of Microsoft Windows operating system.

Why is this worrying and important news? x64 versions of Windows are considered much more secure than their respective 32 bit versions because of some advanced security features which are intended to make it more difficult to get into kernel mode and hook the Windows kernel.

Windows Vista 64 bit and Windows 7 64 bit don't allow every driver to get into the kernel memory region due to a very strict digital signature check. If the driver has not been digitally signed, Windows won't allow it to be loaded. This first technique allowed Windows to block every kernel mode rootkit from being loaded, because malware isn't usually signed - at least, it shouldn't be.

The second technique used by Microsoft Windows to prevent kernel mode drivers from altering Windows kernel behavior is the infamous Kernel Patch Protection, also known as PatchGuard. This security routine blocks every kernel mode driver from altering sensitive areas of the Windows kernel - e.g. SSDT, IDT, kernel code.
More -
TDL3 rootkit x64 goes in the wild

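The quoted article leans on two x64 defenses: kernel-mode code signing (unsigned drivers are refused) and PatchGuard. The script below is an added example, not code from the original post or from the article's authors, showing how a practitioner can check from an elevated PowerShell prompt on Windows 7 x64 whether the signing requirement is actually in force on a given machine and which running kernel drivers carry a valid Authenticode signature. It assumes only built-in tools (bcdedit, the Win32_SystemDriver WMI class and Get-AuthenticodeSignature); the function names are my own.

```powershell
# Added example (not from the original post): audit Kernel Mode Code Signing (KMCS)
# enforcement and the signatures of running kernel drivers on an x64 Windows system.
# Run from an elevated PowerShell prompt.

function Get-WeakKmcsBootOptions {
    # bcdedit reports "testsigning Yes" / "nointegritychecks Yes" when the boot entry
    # has been configured to let unsigned kernel code load. Either flag defeats the
    # "strict digital signature check" the article describes.
    $bcd = (bcdedit /enum '{current}' 2>&1) | Out-String
    $weak = @()
    if ($bcd -match '(?im)^\s*testsigning\s+Yes')       { $weak += 'testsigning' }
    if ($bcd -match '(?im)^\s*nointegritychecks\s+Yes') { $weak += 'nointegritychecks' }
    return $weak
}

function Resolve-DriverImagePath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a filesystem path.
    $p = $PathName -replace '^\\\?\?\\', ''                       # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"   # system32\...    -> C:\Windows\system32\...
    return $p
}

function Get-UnverifiedRunningDrivers {
    # Returns one record per running driver whose on-disk image is missing or whose
    # embedded Authenticode signature is not Valid.
    $results = @()
    $drivers = Get-WmiObject Win32_SystemDriver -Filter "State='Running'"
    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }   # a few entries record no image path
        $path = Resolve-DriverImagePath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            # Image not visible on disk: could be a stale entry, or a file a rootkit hides.
            $results += [pscustomobject]@{ Name = $d.Name; Status = 'ImageNotFound'; Path = $path }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $results += [pscustomobject]@{ Name = $d.Name; Status = [string]$sig.Status; Path = $path }
        }
    }
    return $results
}

# Usage
$weak = Get-WeakKmcsBootOptions
if ($weak.Count -gt 0) {
    Write-Warning ("KMCS weakened by boot option(s): {0}" -f ($weak -join ', '))
} else {
    Write-Output 'Boot options: testsigning and nointegritychecks are not set.'
}
Get-UnverifiedRunningDrivers | Format-Table -AutoSize
```

Two caveats. Many Microsoft drivers are catalog-signed rather than carrying an embedded signature, so on Windows 7 Get-AuthenticodeSignature can report them as NotSigned; cross-check such hits with sigverif.exe before treating them as suspect. And a rootkit that already controls the disk stack can hide or substitute its file, so a clean result from a tool running on the infected system is only a sanity pass, not proof of absence; a scan from clean media is the stronger check.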

27 Aug 2010   #2

Systems 1 and 2: Windows 7 Enterprise x64, Win 8 Developer
 
 

Just like Linux is (was?) safe. When something becomes very popular, it's fair game for nutcases.
28 Aug 2010   #3

Windows 7 Home Premium 64 bit
 
 

Thanks for the post Jan

Does anyone know whether Sophos Anti-Rootkit will spot this and deal with it?