Rootkit writers outfox Windows 64-bit PatchGuard protection
Posted on 05/27/2011 8:22:35 AM PDT by Tribune7
Rootkit writers have started exploiting a loophole that lets them write malware able to bypass the PatchGuard driver signing protection built into 64-bit versions of Windows, Kaspersky Lab has reported.
A product of the BlackHole Exploit Kit, a hugely successful kit for building malware to hit specific software vulnerabilities, the first element of the attack on a system is straightforward enough, using a downloader to hit the system through two common Java and Adobe Reader software flaws.
On 64-bit Windows systems open to these exploits, this calls a 64-bit rootkit, Rootkit.Win64.Necurs.a, which executes the 'bcdedit.exe -set TESTSIGNING ON' command, normally a programming command for trying out drivers during development.
The loophole abused by the malware writers is that this stops Windows' PatchGuard from objecting to the unsigned and insecure nature of the driver (in this case a rootkit driver) being loaded.
(Excerpt) Read more at itworld.com ...
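The excerpt above describes the mechanism but not how an administrator would notice it. The following is an added example, not code from the article or from Kaspersky: a small Python check that parses the text `bcdedit /enum` prints and flags any boot entry whose driver-signing checks have been relaxed. Test-signing mode lets drivers signed with a test certificate rather than a trusted production one load into the 64-bit kernel, which is what the rootkit relies on. The sample bcdedit output embedded in the script is constructed, the `nointegritychecks` option is a related real bcdedit setting the article does not mention, and the parser assumes English-locale output (values printed as "Yes"/"No"); on a Windows host run from an elevated shell it reads live output instead.

```python
"""Check a Windows boot configuration for the test-signing loophole.

bcdedit prints one block per boot entry, each starting with an
'identifier' line, followed by 'key<spaces>value' lines.  This module
parses that text and flags entries whose driver-signing checks have
been relaxed.  Constructed sample output is embedded so the check runs
offline; on a Windows host with an elevated shell it reads live output.
"""
import re
import subprocess
import sys

# Constructed sample: `bcdedit /enum` output after the attack described
# above has run `bcdedit -set TESTSIGNING ON` on the active boot entry.
SAMPLE_BCD_OUTPUT = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
testsigning             Yes
nointegritychecks       No
"""

# Constructed sample of an untouched configuration for comparison.
CLEAN_BCD_OUTPUT = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
"""

# Settings that weaken kernel-mode code signing, with the value (lower-cased)
# that indicates the weakened state as an English-locale bcdedit displays it.
RISKY_SETTINGS = {
    "testsigning": "yes",        # the option the rootkit on this page turns on
    "nointegritychecks": "yes",  # related option: skips signature checks entirely
}

# bcdedit option names are lower-case letters, separated from the value by
# a run of spaces; section titles ("Windows Boot Loader") and dashed rules
# do not match and are skipped.
KEY_VALUE = re.compile(r"^([a-z]+)\s{2,}(.+?)\s*$")


def parse_bcd_entries(text):
    """Return a list of dicts, one per boot entry, keyed by bcdedit option name."""
    entries = []
    current = None
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "identifier" or current is None:
            current = {}
            entries.append(current)
        current[key] = value
    return entries


def find_weakened_entries(entries):
    """Return (identifier, setting, value) for every entry with a risky setting."""
    findings = []
    for entry in entries:
        for setting, bad_value in RISKY_SETTINGS.items():
            value = entry.get(setting, "")
            if value.lower() == bad_value:
                findings.append((entry.get("identifier", "<no identifier>"), setting, value))
    return findings


def collect_live_bcd_output():
    """Run bcdedit on Windows (needs an elevated shell); None elsewhere or on failure."""
    if sys.platform != "win32":
        return None
    try:
        result = subprocess.run(["bcdedit", "/enum"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout


def main():
    text = collect_live_bcd_output()
    source = "live bcdedit output" if text else "constructed sample output"
    findings = find_weakened_entries(parse_bcd_entries(text or SAMPLE_BCD_OUTPUT))
    print(f"Checked {source}")
    if not findings:
        print("No boot entry has relaxed driver-signing checks.")
    for identifier, setting, value in findings:
        print(f"WARNING: entry {identifier} has {setting}={value}; "
              "investigate who changed the boot configuration and when.")


if __name__ == "__main__":
    main()
```

Two caveats worth knowing when using a check like this: a bcdedit change only takes effect at the next boot, so a freshly compromised machine may not yet be running in test mode, and once it is, Windows labels the desktop with a "Test Mode" watermark, which users sometimes report as a cosmetic oddity rather than an incident. A process-creation log entry for bcdedit whose command line contains `testsigning` outside of a driver-development workstation is the earlier signal.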
Since you seem to be in a virii mood today. :-)
JAVA, Adobe, and Flash seem to be the biggest vulnerabilities out there, aside from user ignorance.
You are just mean. /snicker
Good intel. Glad I’m security aware. But if this was OSX with this attack they’d say it doesn’t count because it requires a 3rd party application to expose it. And a user has to be on the machine and click on something.
See how stupid that sounds?
Only stupid if it wasn’t the truth. Mac users don’t need to click on “something”, they need to click on the installer of the malware.
Mac users do not click on something in Adobe and, “Voilà!” a trojan is installed. I know you get your rocks off on this stuff, but you are still voluntarily ignorant of the facts.
As an aside, Kaspersky reports that the malware also attempts to download Hoax.OSX.Defma.f, a recent and well-publicised fake antivirus program targeting Mac OS X users, which can't run on Windows.
"It appears that the developers of the latest rogue AV program for MacOS are actively distributing it via intermediaries, who don't really understand what it is they are supposed to install on users' computers," said Kaspersky researcher, Vyacheslav Zakorzhevsky, in his blog covering the malware.
This underlines the ominous way that Macs are now seen as just another platform to be targeted where possible using multi-platform malware.
It seems the 64 bit update had to be reinstalled for some reason.
My VIPRE antivirus seems to work pretty well.
What do y’all suggest to insure against this nastiness?
Huh? The installer auto runs. But you’re arguing it’s good to have a trojan install without a user password?
Wow, really? Before it was this is impossible on Macs, now the macbot crowd is claiming the viruses on Mac aren’t as bad as the viruses on Windows because Windows requires a 3rd party exploit and the Mac requires only exploiting Safari, an Apple program. Now that is lame.
Oh and 4 years in a row OSX was the first one hacked at a hacking competition (pwn2own). I guess they aren’t secure at all.
On the OSX virus thread you said it doesn’t count because it was reported from an anti-virus software company. Well by that stupid logic this one doesn’t count either since it’s from Kaspersky Labs.
I’m quite amused at how many popups I get on boot of my Win7 machines for updates to those very same products almost weekly now. Whereas on my Linux boxes, I don’t get anything popping up (no autostart) and can control my package installs when it’s time.
M$, with all of its warts, is still the most common OS distributor and will continue to be exploited by those who wish to steal from the unwitting. A proper mindset on the web along with a comprehensive knowledge of the programs installed on your machine should help to identify any rogue programs trying to make your life Hell.
Of course, with Linux, I do my dirtiest work and save my Win7 machine solely for gaming.
Nope. It’s not good to have an installer run without a password. Thing is, how many administrator accounts are set up without passwords? Neither situation is good, and Apple needs to fix the workaround to that.
Either way, the user still has to manually install an app loader and go through the steps of installing it.
The Mac part is, as noted in the article, "an aside" to indicate that black hatters don't necessarily know what they are doing.
When a rootkit inserted via Adobe Reader is developed for OSX then you can start crowing.
BTW, I don't discount the possibility but it hasn't come close to happening yet.
No this article is about 2 things. The title is just about one of those two issues.
Try reading the ENTIRE article. And if you’re going for the “it doesn’t count until it happens” defense...watch out. Recently Apple got the first malware that didn’t require an admin password to install.
Apple would be wise to start educating their users on security instead of acting like they can ignore it and they will be safe because they are using an apple product.
7, far newer than OSX and despite its vaunted security, has got rootkits.
This has yet to happen to OSX. The worst that involves OSX so far is a socially engineered phishing scheme that involves a user knowingly installing an application, not simply clicking on a pdf file or photo or webgame etc.