How TDL4 rootkit gets around driver signing policy on 64-bit machine

Corrine

Account closed
Local time
3:58 AM
Messages
2,303
Location
Upstate NY
[
Microsoft’s Windows operating system, running on a 64-bit machine provides enhanced security with driver signing of system and low level drivers. This policy, called the kernel mode code signing policy, disallows any unauthorized or malicious driver to be loaded. [1.]

The TDL4 rootkit bypasses driver signing policy on 64-bit machines by changing the boot options of Microsoft boot programs that will allow an unsigned driver to load.
See how its done at the SunbeltBlog: How the TLD4 rootkit gets around driver signing policy on a 64-bit machine.

Story at The Register: World's most advanced rootkit penetrates 64-bit Windows.
 

My Computer My Computer

At a glance

Windows 7 & Windows Vista Ultimate
OS
Windows 7 & Windows Vista Ultimate
As far as I can remember TDL 3 already did it months ago?

So, it is nothing new and surprising for TDL 4 to have it? That's why I am surprised why security blogs started reporting it again. Or am I missing something new here?

I remember reading these about 2 moths ago?
TDL3 rootkit x64 goes in the wild
x64 TDL3 rootkit - follow up

EDIT: sorry, I see that article at the register already links to them.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x86 SP1
OS
Windows 7 Ultimate x86 SP1
Back
Top