New Malware Targets 64-Bit Windows

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Rootkit writers have started exploiting a loophole that lets them write malware able to bypass the PatchGuard driver signing protection built into 64-bit versions of Windows, Kaspersky Lab has reported.

A product of the BlackHole Exploit Kit, a hugely successful kit for building malware to hit specific software vulnerabilities, the first element of the attack on a system is straightforward enough, using a downloader to hit the system through two common Java and Adobe Reader software flaws.

On 64-bit Windows systems open to these exploits, this calls a 64-bit rootkit, Rootkit.Win64.Necurs.a., which executes the 'bcdedit.exe -set TESTSIGNING ON' command, normally a programming command for trying out drivers during development.

The loophole abused by the malware writers is that this stops Windows' Patchguard from objecting to the unsigned and insecure nature of the driver (in this case a rootkit driver) being loaded.

The power of the technique is double-edged, however. Once loaded, the rootkit is able to block the correct loading of antivirus software that might detect and remove it, but this is also a giveaway. Security programs that do not work correctly could be taken to infer the presence of something unusual.


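The boot setting the article describes is something a defender can audit directly. The following PowerShell function is an added example, not code from the article, from Kaspersky or from anyone in this thread: it reads the current boot entry with bcdedit and reports whether test-signing mode (the switch the rootkit flips) or the related nointegritychecks option is turned on. It assumes an elevated session on a machine where bcdedit.exe is available; the function name and output fields are this example's own choices.

```powershell
# Added example (not from the article or the thread): audit the boot-configuration
# switches that relax kernel-mode driver signature enforcement on 64-bit Windows.
function Get-DriverSigningBootState {
    [CmdletBinding()]
    param()

    # bcdedit needs administrator rights; fail with a clear message rather than a cryptic error.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated PowerShell session; bcdedit requires administrator rights."
    }

    # Enumerate only the entry Windows booted from. Both options are absent from the
    # output when they have never been set, so 'not found' means 'off'.
    $output = & bcdedit.exe /enum "{current}" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed: $($output -join ' ')"
    }

    $testSigning       = $false
    $noIntegrityChecks = $false
    foreach ($line in $output) {
        if ($line -match '^\s*testsigning\s+(Yes|No)\s*$') {
            $testSigning = ($Matches[1] -eq 'Yes')
        }
        elseif ($line -match '^\s*nointegritychecks\s+(Yes|No)\s*$') {
            $noIntegrityChecks = ($Matches[1] -eq 'Yes')
        }
    }

    # Either flag being on is a finding: unsigned kernel drivers can be loaded on this host.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        TestSigning        = $testSigning
        NoIntegrityChecks  = $noIntegrityChecks
        SignatureEnforced  = -not ($testSigning -or $noIntegrityChecks)
    }
}

# Usage: run on one host, or wrap in Invoke-Command to sweep a fleet and filter on
# SignatureEnforced -eq $false.
Get-DriverSigningBootState | Format-List
```

A host that reports TestSigning as Yes without a developer having a reason for it is worth a closer look, and the change can also be picked up at the moment it happens by alerting on bcdedit.exe executions from a process-creation log.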

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
It seems Windows PatchGuard has lately been bypassed with new rootkits.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Avoid using or installing Adobe Reader and Java on your and clients' computers. Advise about the dangers of using these software(s) if they are absolutely needed and if not updated.
 
D

Deleted member 178

It is why I said a non-virtualized system without a HIPS/BB is less secure. Windows Firewall is not enough anymore ^^
 

moonshine

Level 7
Verified
Apr 19, 2011
1,264
Malware is getting more complicated over time, :s
Good Protection is a must these days. :cool:
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
stormgtr said:
Avoid using or installing Adobe Reader and Java on your and clients' computers. Advise about the dangers of using these software(s) if they are absolutely needed and if not updated.

Adobe Reader can be replaced by an alternative PDF reader which can be more secure, but for Java there is no other alternative to use (as far as I know).
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
umbrapolaris said:
it is why i said a non-virtualized system without a HIPS/BB is less secure. Windows Firewall is not enough anymore ^^
I disagree with your comment.

jamescv7 said:
Adobe Reader can be replaced by an alternative PDF reader which can be more secure, but for Java there is no other alternative to use (as far as I know).
There may be no alternative to Java, but if it is not needed, why have it installed? If you do have it installed, tell everyone to update it and completely remove older versions.
 

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
The fact that a malware release for 64-bit is considered news can only prove how effective PatchGuard really is... And even if security developers have some problems when writing certain types of software due to it, we can safely say that Microsoft managed to increase the security of the 64-bit OS with this addition.
I'm pretty sure that by now all the major vendors can detect and remove this Rootkit.Win64.Necurs.a. and that Microsoft will release an update soon which will prevent it from working. :)

Once loaded, the rootkit is able to block the correct loading of antivirus software that might detect and remove it
This has been done before but overall not a bad idea.
 

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,222
I kind of figured this would happen. That is why people must look into some protection software.
 
