Windows 7 Forums


Windows 7: Alureon Bootkit Trojan - Crossing the 64 bit Barrier

31 Oct 2010   #1
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 
Alureon Bootkit Trojan - Crossing the 64 bit Barrier

UAC is there for a reason!
Quote:
Alureon Bootkit Trojan - Crossing the 64 bit Barrier

By negster22, 17 October 2010

There is a very prevalent rootkit (hidden malicious program) that has been infecting Windows computers for quite some time now. The general name the Microsoft Malware Protection Center has assigned to this for-profit motivated threat family is Alureon.

The primary symptom of infection is browser redirects - this means that your search results will take you to sites other than the ones they should normally resolve to. Security companies and researchers have a variety of names for this malicious program - while Microsoft refers to it as Alureon, some call it TDSS, some call it TDL#x where x represents the # of the variant that's detected. The most advanced and most insidious variant of this infection is called TDL4. However, many if not most malware researchers have resisted calling it TDL4, and still consider it to be TDL3, because its infection cycle has too much in common with its TDL3 predecessor to be labeled as a completely new variant.

Over time, this rootkit has progressively gotten more and more crafty and it is now more difficult to detect and remove than it was previously because it began to infect the Master Boot Record (MBR) on an infected computer, making it technically a Bootkit. The MBR code is what enables your computer to boot up when you start it, and if it is corrupted your computer may not boot at all. Because it is so vital to the functioning of a Windows-based computer, Microsoft has provided Windows users with recovery commands that run from the Windows Recovery Environment, to replace the MBR with default Windows code appropriate to the Windows operating system that's installed.

More recently, in early August 2010, a new Alureon TDL variant that displayed the ability to infect Vista and Windows 7 64 bit based computers emerged.
This was a very unsettling but significant development, because very strict security measures that were integrated into 64 bit versions of Vista and Windows 7 (Patchguard and very stringent driver signing requirements) had to be bypassed to allow this to happen!

However, it's important to note, the infection can only compromise a 64 bit Windows 7 or Vista system, if User Account Control (UAC) is turned OFF or if the user casually approves the malicious action. Since UAC is ON by default, a user would either have to intentionally disable it, or approve a questionable action initiated by malware (if it was ON), thereby leaving themselves vulnerable to this type of exploit. When a user's behavior helps usher in a threat in this manner, the infection is said to rely upon "social engineering" techniques to compromise a system! Though this rootkit also infects 32 bit operating systems, it does so without initiating the automatic reboot that's required for it to circumvent the 64 bit operating system kernel safeguards. On 64 bit systems, this random reboot may serve as a small clue that something is amiss.

http://secure-comput...p_your_mbr.html




31 Oct 2010   #2

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium SP1, clean install, upgrade disc
 
 

TY for the information, but it's not good news.
31 Oct 2010   #3
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

No, rootkits are never good news


31 Oct 2010   #4

Windows 7 Ultimate x64, 7 Premium, & XP
 
 

I have a 64 bit 7 ultimate...is this like something I should be watching for? Help me understand this ...lol...
31 Oct 2010   #5
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote:
Boot loader level (Bootkit)
A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems, for example as in the "Evil Maid Attack".[24] The term bootkit itself was coined by Indian security researchers (Nitin Kumar & Vipin Kumar) who presented it at Blackhat Europe 2007.[25][26] A bootkit replaces the legitimate boot loader with one controlled by an attacker; typically the malware loader persists through the transition to protected mode when the kernel has loaded. For example, the "Stoned Bootkit"[27] subverts the system by using a compromised boot loader to intercept encryption keys and passwords. Apart from preventing unauthorized physical access to machines (a particular problem for portable machines), a Trusted Platform Module, configured to protect the boot path, is the only known defense against this attack.
Rootkit - Wikipedia, the free encyclopedia
31 Oct 2010   #6

Windows 7 Ultimate x64 | Ubuntu 12.04 x64 LTS
 
 

That's not so good news... One of my main reasons for running an x64 OS was the protection against rootkits and their modified cousin, bootkits... Never mind, UAC doesn't annoy me much...

Btw, (x64) users having some kind of recovery partition or console pre-installed and not having an OS disc should have their MBR backed up in case they get infected...
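The article in post #1 explains that this bootkit overwrites the MBR (the first 512-byte sector of the disk) and that the Recovery Environment can rewrite it, and the post above recommends keeping a backup of that sector. The following Python script is an added example that is not from the article, this thread, or any vendor tool: it parses the MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes only the bootstrap code, and compares a freshly read sector against a hash taken while the machine was known clean, so a backup can be checked rather than just stored. The sample sectors are constructed inline; the function and variable names are the example's own.

```python
import hashlib
import struct

# Layout of a classic (non-GPT) Master Boot Record: the sector a bootkit overwrites.
MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bootstrap code: the part a bootkit replaces
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow the code
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"     # boot signature in the last two bytes


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into bootstrap code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:  # partition type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_SIZE],
        "partitions": partitions,
        "valid_signature": sector[MBR_SIZE - 2:] == MBR_SIGNATURE,
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only: the partition table legitimately
    changes when disks are repartitioned, the loader code should not."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> str:
    """Compare a freshly read MBR against a hash recorded while the system was known clean."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "invalid: missing 0x55AA boot signature"
    if boot_code_hash(sector) != baseline_hash:
        return "changed: bootstrap code differs from the clean baseline"
    return "unchanged: bootstrap code matches the clean baseline"


def read_first_sector(path: str) -> bytes:
    """Read the first sector from a disk image file or raw device (assumes read access)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbrs():
    """Constructed sample data (not a real loader): a clean MBR and a copy whose
    bootstrap code was altered, as a bootkit infection would alter it."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0".ljust(BOOT_CODE_SIZE, b"\x00")   # placeholder code bytes
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)          # one bootable NTFS partition
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)                 # three unused slots
    clean = boot_code + table + MBR_SIGNATURE
    tampered = bytearray(clean)
    tampered[0x10:0x14] = b"\xff\xff\xff\xff"   # simulate code overwritten inside the loader
    return clean, bytes(tampered)


if __name__ == "__main__":
    clean, tampered = build_sample_mbrs()
    baseline = boot_code_hash(clean)   # record this while the system is known clean
    print(parse_mbr(clean)["partitions"])
    print(check_mbr(clean, baseline))
    print(check_mbr(tampered, baseline))
```

Take the baseline hash at the same time as the MBR backup, from a known-clean install, and keep both off the machine. Hashing only the bootstrap code avoids false alarms from legitimate partition changes, but it also means a check passes only on an unchanged loader: after a deliberate MBR rewrite from the Recovery Environment, record a new baseline.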
31 Oct 2010   #7

Windows 7 & Windows Vista Ultimate
 
 

Emphasis on the following from the article:

Quote:
However, it's important to note, the infection can only compromise a 64 bit Windows 7 or Vista system, if User Account Control (UAC) is turned OFF or if the user casually approves the malicious action.