{"id":2995,"date":"2010-11-17T07:09:53","date_gmt":"2010-11-17T07:09:53","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=2995"},"modified":"2015-09-09T19:37:23","modified_gmt":"2015-09-09T11:37:23","slug":"tdl-aka-alureon-rootkit-now-infecting-64-bit-windows-7-platform","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2010\/11\/tdl-aka-alureon-rootkit-now-infecting-64-bit-windows-7-platform\/","title":{"rendered":"TDL AKA Alureon Rootkit Now Infecting 64-Bit Windows 7 Platform"},"content":{"rendered":"<p>As we&#8217;ve come to expect, the malware guys are always at the leading edge of technological development. Now there are <a href=\"https:\/\/www.darknet.org.uk\/tag\/rootkit\/\">rootkits<\/a> infecting 64-Bit versions of Windows, which have been thought of as fairly safe by most parties.<\/p>\n<p>The rootkit in questions is a fairly well known variant (TDL\/Alureon) and has been around for several years, but according to Prevx it&#8217;s been hitting on x64 installs of <a href=\"https:\/\/www.darknet.org.uk\/tag\/windows-7\/\">Windows 7<\/a> since August this year.<\/p>\n<p>It&#8217;s usually an oldskool method to circumvent the Windows security measures, the MBR (Master Boot Record) &#8211; haven&#8217;t seen anyway <a href=\"https:\/\/www.darknet.org.uk\/category\/virustrojanswormsrootkits\/\">malware<\/a> using that for quite some time.<\/p>\n<blockquote><p>A notorious rootkit that for years has ravaged 32-bit versions of Windows has begun claiming 64-bit versions of the Microsoft operating system as well.<\/p>\n<p>The ability of TDL, aka Alureon, to infect 64-bit versions of Windows 7 is something of a coup for its creators, because Microsoft endowed the OS with enhanced security safeguards that were intended to block such attacks. The rootkit crossed into the 64-bit realm sometime in August, according to security firm Prevx.<\/p>\n<p>According to research published on Monday by GFI Software, the latest TDL4 installation penetrates 64-bit versions of Windows by bypassing the OS&#8217;s kernel mode code signing policy, which is designed to allow drivers to be installed only when they have been digitally signed by a trusted source. The rootkit achieves this feat by attaching itself to the master boot record in a hard drive&#8217;s bowels and changing the machine&#8217;s boot options.<\/p><\/blockquote>\n<p><a href=\"https:\/\/www.darknet.org.uk\/tag\/microsoft\/\">Microsoft<\/a> has pumped some pretty advanced protection mechanisms into the latest member of the Windows family, but still you just know it&#8217;s only a matter of time before the bad guys find some way to get around it.<\/p>\n<p>This is an advanced piece of malware though as there are multiple layers of protection in Windows 7 and TDL4 bypasses them all, it even blocks access to debuggers and is undetectable by most AV software.<\/p>\n<p>Whichever way you look at it, that&#8217;s some neat coding.<\/p>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<blockquote><p>\u201cThe boot option is changed in memory from the code executed by infected MBR,\u201d GFI Technical Fellow Chandra Prakash wrote. \u201cThe boot option configures value of a config setting named &#8216;LoadIntegrityCheckPolicy&#8217; that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dl file.\u201d<\/p>\n<p>According to researchers at Prevx, TDL is the most advanced rootkit ever seen in the wild. It is used as a backdoor to install and update keyloggers and other types of malware on infected machines. Once installed it is undetectable by most antimalware programs. In keeping with TDL&#8217;s high degree of sophistication, the rootkit uses low-level instructions to disable debuggers, making it hard for white hat hackers to do reconnaissance.<\/p>\n<p>One of the advanced protections Microsoft added to 64-bit versions of Windows was kernel mode code signing policy. Microsoft also added a feature known as PatchGuard, which blocks kernel mode drivers from altering sensitive parts of the Windows kernel. TDL manages to circumvent this protection as well, by altering a machine&#8217;s MBR so that it can intercept Windows startup routines.<\/p><\/blockquote>\n<p><a href=\"https:\/\/www.darknet.org.uk\/tag\/prevx\/\">Prevx<\/a> came out with this research, you can read more about their findings here:<\/p>\n<p><a href=\"http:\/\/www.prevx.com\/blog\/155\/x-TDL-rootkit--follow-up.html\">x64 TDL3 rootkit &#8211; follow up<\/a><\/p>\n<p>There is also an in-depth technical analysis from Microsoft researcher Joe Johnson check <a href=\"http:\/\/www.virusbtn.com\/pdf\/conference_slides\/2010\/Johnson-VB2010.pdf\">here<\/a> [PDF].<\/p>\n<p>Source: <a href=\"http:\/\/www.theregister.co.uk\/2010\/11\/16\/tdl_rootkit_does_64_bit_windows\/\">The Register<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As we&#8217;ve come to expect, the malware guys are always at the leading edge of technological development. Now there are rootkits infecting 64-Bit versions of Windows, which have been thought of as fairly safe by most parties. The rootkit in questions is a fairly well known variant (TDL\/Alureon) and has been around for several years, [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[7,4],"tags":[142,3807,4289,588,221,3672,3678],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/2995"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=2995"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/2995\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=2995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=2995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=2995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}