|26 Apr 2011||#1|
| || |
A Second MSRT Release in April
In continuation of our support for the takedown activities on the Win32/Afcore botnet, we are releasing a second edition of MSRT in April. This edition includes variants of Afcore released by the criminals behind it at approximately the same time as the previous edition of MSRT.
|My System Specs|
|27 Apr 2011||#2|
| || |
I was just going to post this as a new thread - it's an extension of the above...
Microsoft patches TDL4 rootkit on 64-bit (& 32-bit) systems
Note from me: There is an extra version of April's Malicious Software Removal Tools (mrt.exe), along with miscellaneous security updates, some optional available on Windows/Microsoft Update and apply to all systems XP, Vista and Windows 7, both 32 and 64-bit).
Modifications made as part of a Windows update released by Microsoft this week effectively kill the notorious TDL4 rootkit on 64-bit Windows Vista and 7.
Since 64-bit Windows only accepts digitally-signed drivers, there are very few rootkits that manage to infect such systems.
One of them is TDL4, the latest version from the TDSS family of rootkits. It installs itself in the master boot record, making it possible to modify the operating system since the first moment it starts.
On 64-bit systems, it leverages a BCD (Boot Configuration Data) option called BcdOSLoaderBoolean_WinPEMode to disable the code integrity checks in the OS.
On Tuesday, Microsoft released KB2506014, an update which according to the corresponding advisory "addresses a method by which unsigned drivers could be loaded by winload.exe."
Security researchers from ESET note that this update removes the BcdOSLoaderBoolean_WinPEMode option abused by the TDL4 rootkit. In addition, the update intentionally modifies the size of a file called kdcom.dll by adding a KdReserved0 exported symbol.
Under normal circumstances TDL4 checks the size of this file's export directory and replace it with its own malicious version. According to the ESET researchers the change made to kdcom.dll serves no other purpose than to prevent the rootkit from replacing it.
They also point that users of 32-bit Windows won't benefit from this update unless they install it manually, because TDL4 disables the Windows Update service on such systems.
"Although the patch helps with this particular case it doesn’t solve the problem in general. There are other ways of penetrating into kernel-mode address space on x64 operating systems, for instance, as in the case of the Chinese bootkit which is detected as NSIS/TrojanClicker.Agent.BJ," they write.
|My System Specs|
|Similar help and support threads for2: A Second MSRT Release in April|
|Operation b79 (Kelihos) and Additional MSRT September Release||Security News|
|New Windows 7-Based OS Release on April 27||News|
|April 2010 Security Bulletin Release||News|
|April 2010 Bulletin Release Advance Notification||News|
|Windows 7 Release Date Scheduled For April||News|
|Microsoft official hints at April for Windows 7 RC release||News|
|Windows 7 Release Candidate Expected For April Release||News|