The latest build of the Alureon rootkit is able to infect 64-bit Windows builds - the first to do so.
A particularly virulent rootkit targeting Windows machines - known as Alureon - is back, and this time it comes in a 64-bit edition.
With more and more systems shipping with 64-bit builds of Windows pre-installed in order to take advantage of 4GB - or more - of RAM, it was only a matter of time before crackers started coding malware to accommodate the shifting target landscape - and it looks like that day is here.
According to Help Net Security, this latest build of Alureon is the first rootkit in the wild with the ability to successfully infect and hide itself in 64-bit Windows builds.
Running the 64-bit version of Windows has traditionally offered some protection from rootkits and other malware packages, as the differing memory locations mean that a 32-bit rootkit attempting a buffer overflow exploit may find that it overwrites the wrong part of memory and fails to execute - or, in the best case scenario, fails to overflow at all. Sadly, it looks like that small measure of protection is rapidly vanishing.
Despite protections built into the latest versions of Windows - including Kernel Mode Code Signing, which prevents unsigned (and therefore unauthorised) code from accessing kernel memory, and Kernel Patch Protection - the latest Alureon build continues to infect systems worldwide by installing a modified Master Boot Record and immediately causing Windows to restart. Because the rootkit's MBR code runs before Windows itself boots, it can load its kernel module before those protections kick in.
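Since the persistence step described above is a rewritten MBR, one defensive baseline check is to compare the 446-byte boot-code area of the disk's first sector against a known-good hash and sanity-check the partition table and 0x55AA signature. This is an added example, not code from the original article or from any vendor; the "clean" and "modified" sectors are constructed inline, and reading the real sector 0 from a disk device is left to the operator.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0-445: boot code
PART_TABLE_OFF = 446         # bytes 446-509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510-511: boot signature

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append({"active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": parts,
            "signature": mbr[510:512]}

def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(mbr)
    if info["signature"] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(info["boot_code"]).hexdigest()
    if digest != baseline_sha256:
        findings.append("boot code hash %s differs from baseline" % digest[:16])
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    return findings

# --- constructed sample sectors (not captured from a real system) ---
def build_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte MBR with one active NTFS-type (0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + SIGNATURE

KNOWN_GOOD = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed "clean" boot code
BASELINE = hashlib.sha256(KNOWN_GOOD[:BOOT_CODE_LEN]).hexdigest()
TAMPERED = build_mbr(b"\xeb\x3c\x90PATCHED")                  # constructed altered boot code

if __name__ == "__main__":
    print("clean:", check_mbr(KNOWN_GOOD, BASELINE) or "OK")
    print("modified:", check_mbr(TAMPERED, BASELINE))
```

The baseline hash should be recorded from a known-clean install and stored off the machine, since a bootkit that owns the disk can also rewrite any local copy.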
It looks like the authors are still finding their feet in the world of 64-bit infections, however; PrevX researcher Marco Giuliani claims that the current version found in the wild appears to be a "beta build," as its infection attempts "didn't always fully work" in internal testing.
Are you surprised that it has taken the ne'er-do-wells this long to develop rootkits for 64-bit Windows, or just saddened that yet more of Microsoft's well-meaning protection systems have been rendered useless? Share your thoughts over in the forums.
Best things to do:
1) Don't download dodgy copies of software.
B) Keep your system up-to-date
iii) Run a decent anti-virus and anti-spyware scanner
IV) Refrain from clicking links that you know you shouldn't
They don't offer complete protection, but that should see you a lot safer than most.
All decent AV/IS products will contain Anti-Rootkit modules.
No seriously, I'd love to meet the guy who killed my computer a while back...
Hyphens are to join two words, commas are to break up sentences. :)
They're dashes. Dashes are used like commas but often to form a differential clause opposite in context or character to the first. In this case though, commas would be more appropriate :)
That's a great idea! I mean, what with the having to rewrite the entirety of Windows every six months, I think you're on to something here!
Seriously though, security is a journey, not a destination, and if Microsoft's 64-bit security principles have been useful in preventing rootkits since Vista (beta builds of Vista were available 4 years ago) that's a massive success in my book. Think of all the computers that haven't been rootkitted due to running 64-bit Windows.
Aaaarghhh stop bringing back the memories! :'(
He'd just root you again after you beat him up :D
Plus you'd get in trouble for beating up a 10 year old script kiddie most prob :) or someone with advanced autism
Lifted from MS Malware Protection Centre.
Keyword there being CURRENTLY. As soon as this is known to the developers of this crap, then that will probably be "fixed".
Much Appreciated! Thanks;)
I think we will start to see it more and more soon, since we are reaching the hard drive size limitation imposed by the BIOS - you can't boot from a drive bigger than 2 TB (approx) without UEFI.
Surely the answer to that (assuming you want to perpetuate BIOS) is that all computers come with at least two drives: a small boot drive with enough spare space to allow for service packs, security updates etc. and a larger storage drive for everything else.
In fact, why not sell Windows preloaded onto an SSD that you can then just swap out with each new OS upgrade, or of course if the OS becomes fatally infected?
Again, thanks fellas! I don't suppose a system under warranty would cover this crap :? :( Sounds like a plus for the mfg's >:( Hmmm, NAH, 'nother crazy conspiracy theory!?