Alureon Bootkit Trojan - Crossing the 64 bit Barrier
By negster22, 17 October 2010
There is a very prevalent rootkit (hidden malicious program) that has been infecting Windows computers for quite some time now. The general name the Microsoft Malware Protection Center has assigned to this for-profit motivated threat family is Alureon.
The primary symptom of infection is browser redirects - this means that your search results will take You to sites other than the ones they should normally resolve to. Security companies and researchers have a variety of names for this malicious program - while Microsoft refers to it as Alureon, some call it TDSS, some call it TDL#x where x represents the # of the variant that's detected. The most advanced and most insidious variant of this infection is called TDL4. However, many if not most malware researchers have resisted calling it TDL4, and still consider it to TDL3, because it's infection cycle has too much in common with its TDL3 predecessor to be labeled as a completely new variant.
Over time, this rookit has progressively gotten more and more crafty and it is now more difficult to detect and remove than it was previously because it began to infect the Master Boot Record (MBR) on an infected computer, making it technically a Bootkit. The MBR code is what enables your computer to boot up when your start it, and if it is corrupted your computer may not boot at all. Because it is so vital to the functioning of a Windows-based computer, Microsoft has provided Windows users with recovery commands that run from the Windows Recovery Environment, to replace the MBR with default Windows code appropriate to the Windows operating system that's installed.
More recently, in early August 2010, a new Alureon TDL variant that displayed the ability to infect Vista and Windows 7 64 bit based computers emerged.
This was a very unsettling but significant development, because very strict security measures that were integrated into 64 bit versions of Vista and Windows 7 (Patchguard and very stringent driver signing requirements) had to be bypassed to allow this to happen!
However, it's important to note, the infection can only compromise a 64 bit Windows 7 or Vista system, if User Account Control (UAC) is turned OFF or if the user casually approves the malicious action. Since UAC is ON by default, a user would either have to intentionally disable it, or approve a questionable action initiated by malware (if it was ON), thereby leaving themselves vulnerable to this type of exploit. When a user's behavior helps usher in a threat in this manner, the infection is said to rely upon "social engineering" techniques to compromise a system! Though this rootkit also infects 32 bit operating systems, it does so without initiating the automatic reboot that's required for it to circumvent the 64 bit operating system kernel safeguards. On 64 bit systems, this random reboot may serve as a small clue that something is amiss.
http://secure-comput...p_your_mbr.html
