Rootkit Targets 64-bit Windows
Security researchers have revealed that a new version of a rootkit first seen infecting Windows PCs in February 2009 bypasses the safeguards designed to stop rootkits from hijacking machines running 64-bit editions of Windows, as Computerworld reported on August 27, 2010.
Prevx and Symantec, the two security firms, have discovered that attackers are actively using the updated rootkit, which goes by names such as TDL (currently detected as TDL3 by Prevx), Tidserv (currently detected as Backdoor.Tidserv.L and Boot.Tidserv by Symantec) and Alureon.
This new variant of Tidserv is dangerous for two reasons. First, experts have observed that Tidserv injects user-mode code into processes on 64-bit versions of Windows.
Second, Tidserv infects the Master Boot Record (MBR) of the compromised computer, which lets it take control before the operating system is loaded. The main components of Tidserv are stored in encrypted form in unused space at the end of the hard drive, outside any file system. Together these two properties make Tidserv much harder to detect and remove once a system is infected: an on-disk scan finds no suspicious files, and once the rootkit is running it sits beneath the operating system's own view of the disk.
The first attempts to break this protection in 64-bit Windows are credited to the Whistler rootkit, a rootkit framework sold on the black market and capable of infecting both x86 and x64 versions of Microsoft Windows.
The TDL3 release can be considered the first x64-compatible kernel-mode rootkit infection seen in the wild. To get past both driver signature verification and Kernel Patch Protection, the rootkit patches the hard drive's master boot record so that it can intercept the Windows startup routine, take control of it, and load its own driver before those protections are in effect.
On x86 versions of Windows the computer does not have to be restarted at once, because the rootkit can load its driver whenever it wants. The infection steps differ on x64 versions.
On x64 the rootkit still needs administrative rights to overwrite the Master Boot Record, but Windows's kernel security prevents it from loading its own 64-bit driver directly. The dropper therefore forces a restart of Windows, and the patched MBR does the rest of the work at the next boot.
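The infection described above alters two things an administrator can inspect from a trusted environment: the 512-byte MBR itself and the unpartitioned sectors after the last partition. The following C program is an added example, not code from the article, from Prevx or Symantec, or from the malware. It parses an MBR, checks its 0x55AA boot signature, reports how many sectors lie past the last partition for a given disk size, and compares the boot code against a known-good baseline. The MBR bytes, the single-partition layout and the 1 GiB disk size are constructed for illustration; on a real machine the sector would be read from the raw physical drive with administrative rights, preferably from offline boot media, since a running rootkit of this kind can hide its changes from reads made through the infected system.

```c
/* mbr_check.c -- parse a 512-byte MBR, verify its signature, compare the
 * boot code with a known-good baseline and measure the unallocated sectors
 * past the last partition (the area in which TDL3 stored its components).
 * Added example; not the article's code nor any vendor's detection logic.
 * The sample sectors below are constructed, not captured from a real disk. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE     512
#define BOOTCODE_LEN 446   /* bytes 0..445: executable boot code */
#define PTABLE_OFF   446   /* four 16-byte partition entries */
#define SIG_OFF      510   /* two-byte boot signature 0x55 0xAA */

typedef struct {
    uint8_t  status;      /* 0x80 = active/bootable */
    uint8_t  type;        /* partition type, 0x00 = entry unused */
    uint32_t lba_first;   /* first sector, little-endian on disk */
    uint32_t sectors;     /* length in sectors */
} part_entry_t;

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF;         p[1] = (v >> 8) & 0xFF;
    p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Fill out[4] (may be NULL for validation only). Returns the number of
 * in-use entries, or -1 when the 0x55AA signature is missing. */
int mbr_parse(const uint8_t *mbr, part_entry_t *out) {
    part_entry_t scratch[4];
    int used = 0;
    if (out == NULL) out = scratch;
    if (mbr[SIG_OFF] != 0x55 || mbr[SIG_OFF + 1] != 0xAA) return -1;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PTABLE_OFF + 16 * i;
        out[i].status    = e[0];
        out[i].type      = e[4];
        out[i].lba_first = get_le32(e + 8);
        out[i].sectors   = get_le32(e + 12);
        if (out[i].type != 0) used++;
    }
    return used;
}

/* Sectors between the end of the highest partition and the end of the
 * disk. The file system never touches this space, so a large or changed
 * value on a system disk deserves a closer look. Returns 0 on a bad MBR. */
uint64_t mbr_trailing_unallocated(const uint8_t *mbr, uint64_t disk_sectors) {
    part_entry_t p[4];
    uint64_t end = 0;
    if (mbr_parse(mbr, p) < 0) return 0;
    for (int i = 0; i < 4; i++) {
        uint64_t e = (uint64_t)p[i].lba_first + p[i].sectors;
        if (p[i].type != 0 && e > end) end = e;
    }
    return disk_sectors > end ? disk_sectors - end : 0;
}

/* First offset at which the boot code differs from a known-good copy
 * (taken at install time or from a clean machine), or -1 if identical. */
int mbr_bootcode_diff(const uint8_t *mbr, const uint8_t *baseline) {
    for (int i = 0; i < BOOTCODE_LEN; i++)
        if (mbr[i] != baseline[i]) return i;
    return -1;
}

/* Constructed sample sectors: 0 = clean, 1 = boot code patched at offset 3
 * (a rewritten jump, as a bootkit would do), 2 = signature destroyed. */
const uint8_t *sample_mbr(int variant) {
    static uint8_t buf[3][MBR_SIZE];
    static const uint8_t prologue[] = {0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C};
    uint8_t *m, *e;
    if (variant < 0 || variant > 2) variant = 0;
    m = buf[variant];
    memset(m, 0x90, BOOTCODE_LEN);          /* NOP filler stands in for code */
    memset(m + BOOTCODE_LEN, 0, MBR_SIZE - BOOTCODE_LEN);
    memcpy(m, prologue, sizeof prologue);   /* xor ax,ax; mov ss,ax; mov sp,7C00h */
    e = m + PTABLE_OFF;                     /* one NTFS partition: sectors 2048..2095103 */
    e[0] = 0x80; e[4] = 0x07;
    put_le32(e + 8, 2048); put_le32(e + 12, 2093056);
    m[SIG_OFF] = 0x55; m[SIG_OFF + 1] = 0xAA;
    if (variant == 1) m[3] = 0xE9;          /* opcode of a near jmp */
    if (variant == 2) m[SIG_OFF] = m[SIG_OFF + 1] = 0x00;
    return m;
}

int main(void) {
    const uint64_t disk_sectors = 2097152ULL;   /* assumed 1 GiB disk, 512-byte sectors */
    const uint8_t *clean = sample_mbr(0), *patched = sample_mbr(1);
    printf("entries in use: %d\n", mbr_parse(clean, NULL));
    printf("trailing unallocated sectors: %llu\n",
           (unsigned long long)mbr_trailing_unallocated(clean, disk_sectors));
    printf("boot code differs at offset: %d\n", mbr_bootcode_diff(patched, clean));
    return 0;
}
```

The baseline comparison is the useful part in practice: boot code legitimately varies between Windows versions and OEM images, so rather than looking for "known bad" bytes the check stores a copy of the MBR from a clean state and flags any later change. The trailing-space measurement is a heuristic only; a few thousand sectors of alignment slack are normal, and the real signal is that the value or its contents changed.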
The security firms therefore advise users to keep their definitions updated to ensure protection against these threats. Because the rootkit controls the boot process and stores its components outside the file system, checking a suspect machine from trusted offline media is more reliable than a scan run from within the possibly infected system.
Related article: Rootkits Can Be Detected And Eradicated
» SPAMfighter News - 01-09-2010