TDL AKA Alureon Rootkit Now Infecting 64-Bit Windows 7 Platform

Outsmart Malicious Hackers


As we’ve come to expect, the malware guys are always at the leading edge of technological development. Now there are rootkits infecting 64-Bit versions of Windows, which have been thought of as fairly safe by most parties.

The rootkit in questions is a fairly well known variant (TDL/Alureon) and has been around for several years, but according to Prevx it’s been hitting on x64 installs of Windows 7 since August this year.

It’s usually an oldskool method to circumvent the Windows security measures, the MBR (Master Boot Record) – haven’t seen anyway malware using that for quite some time.

A notorious rootkit that for years has ravaged 32-bit versions of Windows has begun claiming 64-bit versions of the Microsoft operating system as well.

The ability of TDL, aka Alureon, to infect 64-bit versions of Windows 7 is something of a coup for its creators, because Microsoft endowed the OS with enhanced security safeguards that were intended to block such attacks. The rootkit crossed into the 64-bit realm sometime in August, according to security firm Prevx.

According to research published on Monday by GFI Software, the latest TDL4 installation penetrates 64-bit versions of Windows by bypassing the OS’s kernel mode code signing policy, which is designed to allow drivers to be installed only when they have been digitally signed by a trusted source. The rootkit achieves this feat by attaching itself to the master boot record in a hard drive’s bowels and changing the machine’s boot options.

Microsoft has pumped some pretty advanced protection mechanisms into the latest member of the Windows family, but still you just know it’s only a matter of time before the bad guys find some way to get around it.

This is an advanced piece of malware though as there are multiple layers of protection in Windows 7 and TDL4 bypasses them all, it even blocks access to debuggers and is undetectable by most AV software.

Whichever way you look at it, that’s some neat coding.


“The boot option is changed in memory from the code executed by infected MBR,” GFI Technical Fellow Chandra Prakash wrote. “The boot option configures value of a config setting named ‘LoadIntegrityCheckPolicy’ that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dl file.”

According to researchers at Prevx, TDL is the most advanced rootkit ever seen in the wild. It is used as a backdoor to install and update keyloggers and other types of malware on infected machines. Once installed it is undetectable by most antimalware programs. In keeping with TDL’s high degree of sophistication, the rootkit uses low-level instructions to disable debuggers, making it hard for white hat hackers to do reconnaissance.

One of the advanced protections Microsoft added to 64-bit versions of Windows was kernel mode code signing policy. Microsoft also added a feature known as PatchGuard, which blocks kernel mode drivers from altering sensitive parts of the Windows kernel. TDL manages to circumvent this protection as well, by altering a machine’s MBR so that it can intercept Windows startup routines.

Prevx came out with this research, you can read more about their findings here:

x64 TDL3 rootkit – follow up

There is also an in-depth technical analysis from Microsoft researcher Joe Johnson check here [PDF].

Source: The Register

Posted in: Malware, Windows Hacking

, , , , , ,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


Comments are closed.