bit-tech.net

64-bit rootkit spreading

The latest build of the Alureon rootkit is able to infect 64-bit Windows builds - the first to do so.

A particularly virulent rootkit targeting Windows machines - known as Alureon - is back, and this time it comes in a 64-bit edition.

With more and more systems shipping with 64-bit builds of Windows pre-installed in order to take advantage of 4GB - or more - of RAM, it was only a matter of time before crackers started coding malware to accommodate the shifting target landscape - and it looks like that day is here.

According to Help Net Security, this latest build of Alureon is the first rootkit in the wild with the ability to successfully infect and hide itself in 64-bit Windows builds.

Running the 64-bit version of Windows has traditionally offered some protection from rootkits and other malware packages, as the differing memory layout means that a 32-bit rootkit attempting a buffer-overflow exploit may find that it overwrites the wrong part of memory and fails to execute - or, in the best-case scenario, fails to overflow at all. Sadly, it looks like that small measure of protection is rapidly vanishing.

Despite protections built into the latest versions of Windows - including Kernel Mode Code Signing, which prevents unsigned (and therefore unauthorised) code from being loaded into kernel memory, and Kernel Patch Protection - the latest Alureon build continues to infect systems world-wide by installing a modified Master Boot Record and immediately forcing Windows to restart. When the modified MBR is executed at the next boot, the rootkit can load its kernel module without either protection kicking in.
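The check a defender would want against the MBR mechanism described above, as an added example that is not from the article or from Microsoft: parse a raw 512-byte MBR sector, record a SHA-256 of its bootstrap code area, and flag any later read whose bootstrap bytes differ while the partition table is unchanged. All sector contents here are constructed sample data; the prologue bytes are a generic boot-stub pattern, not the rootkit's code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440      # bytes 0..439: bootstrap code; 440..443: disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into bootstrap hash, disk signature and partitions."""
    if len(sector) != MBR_SIZE or sector[510:] != BOOT_SIG:
        raise ValueError("not a valid MBR sector")
    partitions = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # 0x00 marks an unused entry
            partitions.append({"bootable": bool(status & 0x80), "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def bootstrap_matches(sector: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap code is unchanged from the recorded baseline.
    An MBR-overwriting bootkit keeps the partition table so the machine still
    boots, so only the bootstrap area is compared."""
    return parse_mbr(sector)["bootstrap_sha256"] == baseline_sha256


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (0x07) partition starting at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sector, 440, 0x1234ABCD)                       # made-up disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:] = BOOT_SIG
    return bytes(sector)


# Baseline taken from a known-good read; the prologue bytes are a generic stub (constructed).
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
# A later read whose bootstrap area has been rewritten; same partition table (constructed).
CHANGED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)
```

On a live system the baseline would be recorded from a trusted offline read of sector 0 and re-checked from outside the running OS, since a hidden rootkit can lie to anything reading the disk through it.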

It looks like the authors are still finding their feet in the world of 64-bit infections, however; PrevX researcher Marco Giuliani claims that the current version found in the wild appears to be a "beta build," as its infection attempts "didn't always fully work" in internal testing.

Are you surprised that it has taken the ne'er-do-wells this long to develop rootkits for 64-bit Windows, or just saddened that yet more of Microsoft's well-meaning protection systems have been rendered useless? Share your thoughts over in the forums.

25 Comments

fingerbob69 31st August 2010, 10:57 Quote
Thanks for the warning ...but how do I best protect myself?
Gareth Halfacree 31st August 2010, 11:02 Quote
Quote:
Originally Posted by fingerbob69
Thanks for the warning ...but how do I best protect myself?
Well, I moved to Linux - but I appreciate that's not always an option. ;)

Best things to do:
1) Don't download dodgy copies of software.
B) Keep your system up-to-date
iii) Run a decent anti-virus and anti-spyware scanner
IV) Refrain from clicking links that you know you shouldn't

They don't offer complete protection, but that should see you a lot safer than most.
leveller 31st August 2010, 11:06 Quote
Gareth, do all current antiV pick up root kits? Going back a couple of years there was only a downloadable detector from MS's website.
Neoki 31st August 2010, 11:15 Quote
Leveller,

All decent AV/IS products will contain Anti-Rootkit modules.
Joey9801 31st August 2010, 13:08 Quote
Hurrah for openSUSE :)
Unknownsock 31st August 2010, 13:29 Quote
The question is, why do people write stuff like this?

No seriously, I'd love to meet the guy who killed my computer a while back...
mrbens 31st August 2010, 13:43 Quote
Quote:
of 4GB - or more - of RAM
What's with all the hyphens (-) all over this news article?!

Hyphens are to join two words, commas are to break up sentences. :)
LooseNeutral 31st August 2010, 14:32 Quote
More bad news. I've had to wear out some ears and rear parts about viruses and the like to friends who just won't, or perhaps can't, understand. Or, more often, don't care that they spread this crap around like a friggin plague! A lot of my Mac friends don't get it either. "Hello, sure your machine is fine but you're a CARRIER! What's that... Windows won't work anymore and you don't know what to do? I can't imagine WHY!" I wonder if this will take down a Mac running Boot Camp or the like? So, any idea where they found this wild thing roaming about and why the great protectors (antivirus devs) haven't raised the red flags yet? SShh! Not so loud :(
borandi 31st August 2010, 14:57 Quote
Quote:
Originally Posted by mrbens
Quote:
of 4GB - or more - of RAM
What's with all the hyphens (-) all over this news article?!

Hyphens are to join two words, commas are to break up sentences. :)

They're dashes. Dashes are used like commas but often to form a differential clause opposite in context or character to the first. In this case though, commas would be more appropriate :)
Gareth Halfacree 31st August 2010, 15:16 Quote
Quote:
Originally Posted by mrbens
What's with all the hyphens (-) all over this news article?! Hyphens are to join two words, commas are to break up sentences. :)
I know, I know, I should be using an Em-dash for asides - but the last time I tried that, it broke non-UTF-8 browsers. :p
bogie170 31st August 2010, 16:56 Quote
So what's the best Alureon rootkit finder to see if you have been infected?
greigaitken 31st August 2010, 17:13 Quote
Microsoft totally missing a great cash cow here. New OS every six months, so once malware is developed for it - just buy the new OS. They won't even have to worry about making pointless incapable security anymore.
RichCreedy 31st August 2010, 18:59 Quote
Will you buy a new OS every 6 months? I don't think so.
Bakes 31st August 2010, 19:11 Quote
Quote:
Originally Posted by greigaitken
Microsoft totally missing a great cash cow here. New OS every six months, so once malware is developed for it - just buy the new OS. They won't even have to worry about making pointless incapable security anymore.

That's a great idea! I mean, what with the having to rewrite the entirety of Windows every six months, I think you're on to something here!

Seriously though, security is a journey, not a destination, and if Microsoft's 64bit security principles have been useful in preventing rootkits since Vista (beta builds of Vista were available 4 years ago) that's a massive success in my book. Think of all the computers that haven't been rootkitted due to running 64bit Windows.
veato 31st August 2010, 21:45 Quote
Got it yesterday. Along with the other crap it brought down too! The other stuff went easily but this nasty bugger hung around. Even when every piece of AV I had couldn't find it anymore I was still getting stuff like URL redirections. Had to perform a full format last night!
Boogle 31st August 2010, 22:33 Quote
Quote:
Originally Posted by LooseNeutral
More bad news. I've had to wear out some ears and rear parts about viruses and the like to friends who just won't, or perhaps can't, understand. Or, more often, don't care that they spread this crap around like a friggin plague! A lot of my Mac friends don't get it either. "Hello, sure your machine is fine but you're a CARRIER! What's that... Windows won't work anymore and you don't know what to do? I can't imagine WHY!" I wonder if this will take down a Mac running Boot Camp or the like? So, any idea where they found this wild thing roaming about and why the great protectors (antivirus devs) haven't raised the red flags yet? SShh! Not so loud :(

Aaaarghhh stop bringing back the memories! :'(
thehippoz 31st August 2010, 23:19 Quote
Quote:
Originally Posted by Unknownsock
The question is, why do people write stuff like this?

No seriously, I'd love to meet the guy who killed my computer a while back...

he'd just root you again after you beat him up :D
skybarge 31st August 2010, 23:49 Quote
Quote:
Originally Posted by thehippoz
Quote:
Originally Posted by Unknownsock
The question is, why do people write stuff like this?

No seriously, I'd love to meet the guy who killed my computer a while back...

he'd just root you again after you beat him up :D

Plus you'd get in trouble for beating up a 10 year old script kiddie most prob :) or someone with advanced autism
Pookeyhead 31st August 2010, 23:54 Quote
If you need to check for this beasty being present....
Quote:
If you did not have proactive detection in place, you can (currently) manually check to see if the bootkit is installed. As a side effect of the bootkit, the Disk Management pane of the Computer Management console will fail to show the system drive altogether:

It will also fail to show up in the command line using diskpart:
Lifted from MS Malware Protection Centre.

Keyword there being CURRENTLY. As soon as this is known to the developers of this crap, then that will probably be "fixed".
LooseNeutral 1st September 2010, 01:19 Quote
Quote:
Originally Posted by Pookeyhead
If you need to check for this beasty being present....

Lifted from MS Malware Protection Centre.

Keyword there being CURRENTLY. As soon as this is known to the developers of this crap, then that will probably be "fixed".

Much Appreciated! Thanks;)
azrael- 1st September 2010, 07:53 Quote
Well, one way around this would be using GPT instead of MBR. The good thing: Windows 7 x64 supports (booting from) it. The bad thing: AFAIR you'd need a motherboard with (U)EFI support as well. The really bad thing: Once (U)EFI takes over from BIOS (if it'll ever happen) it's going to be soooo much easier to write even more nasty malware/root kits.
Taniniver 1st September 2010, 08:45 Quote
Quote:
Originally Posted by azrael-
Once (U)EFI takes over from BIOS (if it'll ever happen)

I think we will start to see it more and more soon, since we are reaching the hard drive size limitation imposed by the BIOS - you can't boot from a drive bigger than 2 TB (approx) without UEFI.
fingerbob69 1st September 2010, 11:36 Quote
Quote:
Originally Posted by Taniniver
I think we will start to see it more and more soon, since we are reaching the hard drive size limitation imposed by the BIOS - you can't boot from a drive bigger than 2 TB (approx) without UEFI.

Surely the answer to that (assuming you want to perpetuate BIOS) is that all computers come with at least two drives: a small boot drive with enough spare space to allow for service packs, security updates etc. and a larger storage drive for everything else.

In fact, why not sell Windows pre-loaded onto an SSD that you can then just swop out with each new OS upgrade or, of course, if the OS becomes fatally infected?
HourBeforeDawn 2nd September 2010, 19:32 Quote
The latest version of TDSSKiller should take care of this if you get infected.
LooseNeutral 3rd September 2010, 05:14 Quote
Quote:
Originally Posted by HourBeforeDawn
The latest version of TDSSKiller should take care of this if you get infected.

Again, thanks fellas! I don't suppose a system under warranty would cover this crap :? :( Sounds like a plus for the mfg's >:( Hmmm, NAH, 'nother crazy conspiracy theory!?