Windows 7: New Rootkit exploits 64-bit version of Windows 7


16 Nov 2010   #1

Windows 7 Ultimate x64
 
 
New Rootkit exploits 64-bit version of Windows 7

Saw this today on The Register;

Quote:
A notorious rootkit that for years has ravaged 32-bit versions of Windows has begun claiming 64-bit versions of the Microsoft operating system as well.

The ability of TDL, aka Alureon, to infect 64-bit versions of Windows 7 is something of a coup for its creators, because Microsoft endowed the OS with enhanced security safeguards that were intended to block such attacks. The rootkit crossed into the 64-bit realm sometime in August, according to security firm Prevx.

According to research published on Monday by GFI Software, the latest TDL4 installation penetrates 64-bit versions of Windows by bypassing the OS's kernel mode code signing policy, which is designed to allow drivers to be installed only when they have been digitally signed by a trusted source. The rootkit achieves this feat by attaching itself to the master boot record in a hard drive's bowels and changing the machine's boot options.
Source: http://www.theregister.co.uk/2010/11...4_bit_windows/



16 Nov 2010   #2

Windows 8.1 Pro x64
 
 

Hopefully current AVs can stop it
16 Nov 2010   #3

Windows 7 Enterprise x64 SP1, Ubuntu 11.04 x64
 
 

According to this: x64 TDL3 rootkit - follow up, having UAC set to "Always Notify" will catch it.

Of course, you have to make sure not to click "Yes" when UAC asks to let it run...
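As an added example (not from the thread, and not code from any tool named in it), a PowerShell hygiene check for the two safeguards discussed above: UAC at "Always notify" and the 64-bit driver-signing requirement in the boot configuration. It assumes a Windows 7 x64 machine and an elevated prompt (bcdedit needs it); the registry values and bcdedit option names are the standard Windows ones.

```powershell
# Added example, not from the thread: check the two safeguards the posts above
# rely on. Windows 7 x64 and an elevated prompt are assumed (bcdedit needs it).

function Get-UacStatus {
    # "Always notify" = EnableLUA 1, ConsentPromptBehaviorAdmin 2, secure desktop 1.
    # Windows 7 default is ConsentPromptBehaviorAdmin 5 (no prompt for Windows binaries).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $always = ($p.EnableLUA -eq 1) -and
              ($p.ConsentPromptBehaviorAdmin -eq 2) -and
              ($p.PromptOnSecureDesktop -eq 1)
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = $always
    }
}

function Get-BootSigningStatus {
    # bcdedit prints "testsigning Yes" / "nointegritychecks Yes" only when the
    # option is set, so absence means the default: signing enforced, checks on.
    $text = (& bcdedit /enum 2>&1) -join "`n"
    New-Object PSObject -Property @{
        TestSigning       = [bool]($text -match '(?im)^\s*testsigning\s+Yes')
        NoIntegrityChecks = [bool]($text -match '(?im)^\s*nointegritychecks\s+Yes')
    }
}

$uac  = Get-UacStatus
$boot = Get-BootSigningStatus

if (-not $uac.AlwaysNotify) {
    Write-Warning "UAC is not at 'Always notify' (ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop))."
}
if ($boot.TestSigning -or $boot.NoIntegrityChecks) {
    Write-Warning "Boot configuration weakens driver signing: testsigning=$($boot.TestSigning), nointegritychecks=$($boot.NoIntegrityChecks)"
}
$uac, $boot | Format-List
```

This is a prevention-side check only: a boot-level rootkit that already controls the disk stack can hide its changes from anything run on the live system, so a clean result here is not evidence that a machine is uninfected.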


16 Nov 2010   #4

Microsoft Windows 7 Home Premium SP1 64-bit Build 7600 / Microsoft Windows XP Professional SP3
 
 

Will MS release a patch for this? It's the first time a 64-bit system (at least for me) is in danger from something like this...

BTW, how can you be infected with this rootkit? Insecure web sites?

See ya!!!
17 Nov 2010   #5

Arch Linux 64-bit
 
 

Quote:
Hengelo, The Netherlands, August 27, 2010 - With the discovery of a new variant of the advanced TDL3 rootkit, 64-bit Windows systems appear vulnerable to infection by this rootkit.

The TDL3 rootkit has been infecting millions of computers worldwide since October 2009 and causes headaches for the market-leading security vendors. The rootkit buries itself deep into Windows where most antivirus programs are unable to detect it, simply because they think the malware is part of the operating system.

The new variant of the TDL3 rootkit is unique because it now is also able to infect 64-bit Windows by modifying the Master Boot Record (MBR) on the hard disk. From here it is able to intercept and modify startup routines so it can load its own driver. This 64-bit TDL3 rootkit is bypassing 2 security barriers that are unique for the security and stability of 64-bit Windows systems: both PatchGuard as well as the check on signed drivers, a requirement on 64-bit Windows.
...
Press Release - SurfRight
Quote:
Since build 79 (released on November 30, 2009) Hitman Pro is capable of detecting and removing the highly sophisticated TDL3 rootkit. Since then the rootkit has changed a dozen times to counteract the tools that were able to remove it.

A few days ago the TDL3 rootkit authors gave their creation a major update: support for 64-bit Windows.

64-bit Windows was always a problem for rootkits due to PatchGuard giving 64-bit Windows additional protection against this class of malware. Well no longer as the TDL3 rootkit took the leap to 64-bit!

We have made a video to illustrate that the 64-bit TDL3 rootkit works on Windows 7 Professional x64 and how it is detected (*) by Hitman Pro.
...
Hitman Pro detects 64-bit variant of TDL3 rootkit
18 Nov 2010   #6

Win7 HP (x64)/Win7 Ultimate (x64)
 
 

Thanks for this - UAC at default for me
18 Nov 2010   #7

Windows 8.1 Pro (x64)
 
 

Quote: Originally Posted by FerchogtX
Will MS release a patch for this?
A patch for what? This doesn't exploit any holes in the operating system.
18 Nov 2010   #8

win7
 
 

Anybody know if this rootkit can get you if you are running on a virtual machine or via something like "Deep Freeze"??
18 Nov 2010   #9

Windows 8.1 Pro (x64)
 
 

Quote: Originally Posted by wilywombat
Anybody know if this rootkit can get you if you are running on a virtual machine or via something like "Deep Freeze"??
If you actively install it, e.g., you do not turn UAC off and run with god powers 24/7.
18 Nov 2010   #10

Windows 7 x64
 
 

I always run UAC at max, and change my user a/c to standard for normal use. In addition I have enabled a password prompt as well for UAC. I really do not find this the least bit annoying; just twice a month or so I escalate my a/c to admin, run the various updates / patches for other programs, and I am good to go.