Jack

Rootkit writers have started exploiting a loophole that lets them write malware able to bypass the PatchGuard driver signing protection built into 64-bit versions of Windows, Kaspersky Lab has reported.

A product of the BlackHole Exploit Kit, a hugely successful kit for building malware to hit specific software vulnerabilities, the first element of the attack on a system is straightforward enough, using a downloader to hit the system through two common Java and Adobe Reader software flaws.

On 64-bit Windows systems open to these exploits, this calls a 64-bit rootkit, Rootkit.Win64.Necurs.a, which executes the 'bcdedit.exe -set TESTSIGNING ON' command, normally a programming command for trying out drivers during development.

The loophole abused by the malware writers is that this stops Windows' Patchguard from objecting to the unsigned and insecure nature of the driver (in this case a rootkit driver) being loaded.

The power of the technique is double-edged, however. Once loaded, the rootkit is able to block the correct loading of antivirus software that might detect and remove it, but this is also a giveaway. Security programs that do not work correctly could be taken to infer the presence of something unusual.

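The one-line boot-configuration change the article describes leaves a state that is easy to check for. The script below is an added example (it is not from the article, from Kaspersky, or from this thread): it reads the text output of "bcdedit /enum {current}" and reports whether test signing is on, which is exactly what the rootkit's "bcdedit.exe -set TESTSIGNING ON" turns on. The function name and the sample output block are assumptions made for this example; the sample is constructed for offline use and is not output from an infected machine.

```powershell
# Added example, not from the article or the thread.
# Reports whether the current boot entry has test signing enabled, the state
# left behind by "bcdedit.exe -set TESTSIGNING ON". It parses the text output
# of "bcdedit /enum {current}" instead of relying on any boot-config API.

function Get-TestSigningState {
    [CmdletBinding()]
    param(
        # Lines of "bcdedit /enum {current}" output. When omitted, the live
        # output of this machine is used (bcdedit needs an elevated prompt).
        [string[]]$BcdLines
    )
    if (-not $BcdLines) {
        $BcdLines = & bcdedit.exe /enum '{current}' 2>$null
        if (-not $BcdLines) { return 'unknown' }   # not elevated, or bcdedit not found
    }
    # bcdedit prints a "testsigning  Yes" line only when the element is set;
    # when the line is absent the default (test signing off) applies.
    $state = 'off'
    foreach ($line in $BcdLines) {
        if ($line -match '^\s*testsigning\s+(\S+)') {
            if ($Matches[1] -ieq 'Yes') { $state = 'on' }
            break
        }
    }
    return $state
}

# Constructed sample (not real output from a compromised host): what
# "bcdedit /enum {current}" looks like on a Windows 7 machine where test
# signing has been switched on.
$sample = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'device                  partition=C:',
    'path                    \Windows\system32\winload.exe',
    'description             Windows 7',
    'osdevice                partition=C:',
    'systemroot              \Windows',
    'testsigning             Yes'
)

Get-TestSigningState -BcdLines $sample   # the constructed sample
Get-TestSigningState                     # live check of this machine

# Remediation on a host that has no business being in test mode
# (takes effect after a reboot):
#   bcdedit /set {current} testsigning off
```

The constructed sample evaluates to "on"; a clean default installation evaluates to "off". Two practical notes: Windows also paints a "Test Mode" watermark in the corner of the desktop while test signing is enabled, which is a quick visual tell on a machine you can see, and simply switching the flag back off does not remove a driver that has already been installed, so the check is a trigger for a rootkit scan, not a cleanup by itself.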

Spawn

Avoid using or installing Adobe Reader and Java on your and your clients' computers. Advise about the dangers of using this software if it is absolutely needed and if it is not updated.

Deleted member 178

That is why I said a non-virtualized system without a HIPS/BB is less secure. Windows Firewall is not enough anymore ^^

jamescv7

stormgtr said:
Avoid using or installing Adobe Reader and Java on your and your clients' computers. Advise about the dangers of using this software if it is absolutely needed and if it is not updated.
Adobe Reader can be replaced by an alternative PDF reader which can be more secure, but for Java there is no other alternative to use (as far as I know).

Spawn

umbrapolaris said:
That is why I said a non-virtualized system without a HIPS/BB is less secure. Windows Firewall is not enough anymore ^^
I disagree with your comment.

jamescv7 said:
Adobe Reader can be replaced by an alternative PDF reader which can be more secure, but for Java there is no other alternative to use (as far as I know).
There may be no alternative to Java, but if it is not needed, why have it installed? If you do have it installed, tell everyone to update it and completely remove older versions.
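The "update it and completely remove older versions" advice above needs an inventory first, because Java installs side by side and an old runtime routinely survives an update. The script below is an added example (it is not from this thread): it lists the Java and Adobe Reader entries from the Uninstall registry keys, covering both the native and the WOW6432Node view on 64-bit Windows, and marks every entry that is older than the newest one of the same product. The function name and the sample entries are assumptions for this example; the sample list is constructed for offline use.

```powershell
# Added example, not from the thread.
# Inventory of installed Java and Adobe Reader entries, with stale
# side-by-side versions flagged for removal.

function Get-JavaReaderInventory {
    param(
        # Objects carrying DisplayName and DisplayVersion. When omitted, the
        # Uninstall keys of this machine are read (64-bit and 32-bit views).
        [object[]]$Entries
    )
    if (-not $Entries) {
        $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        $Entries = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue
    }

    $hits = foreach ($e in $Entries) {
        $name = "$($e.DisplayName)"
        if ($name -notmatch '^(Java|J2SE|Adobe Reader|Adobe Acrobat Reader)') { continue }
        if ($name -like 'Java Auto Updater*') { continue }   # helper, not a runtime
        $parsed = $null
        if (-not [version]::TryParse("$($e.DisplayVersion)", [ref]$parsed)) { continue }
        $product = 'AdobeReader'
        if ($name -like 'Java*' -or $name -like 'J2SE*') { $product = 'Java' }
        [pscustomobject]@{
            Product = $product
            Name    = $name
            Version = $parsed
            Stale   = $false
        }
    }

    # Within each product, everything but the highest version is stale and
    # should be uninstalled; leftover old Java runtimes are the classic case.
    foreach ($group in ($hits | Group-Object Product)) {
        $newest = ($group.Group | Sort-Object Version -Descending | Select-Object -First 1).Version
        foreach ($h in $group.Group) {
            if ($h.Version -lt $newest) { $h.Stale = $true }
        }
    }
    $hits | Sort-Object Product, Version
}

# Constructed sample entries (not read from any real machine).
$sampleEntries = @(
    [pscustomobject]@{ DisplayName = 'Java 7 Update 9';         DisplayVersion = '7.0.90' }
    [pscustomobject]@{ DisplayName = 'Java(TM) 6 Update 37';    DisplayVersion = '6.0.370' }
    [pscustomobject]@{ DisplayName = 'Java Auto Updater';       DisplayVersion = '2.1.9.0' }
    [pscustomobject]@{ DisplayName = 'Adobe Reader X (10.1.4)'; DisplayVersion = '10.1.4' }
    [pscustomobject]@{ DisplayName = 'Mozilla Firefox 16.0.2';  DisplayVersion = '16.0.2' }
)

Get-JavaReaderInventory -Entries $sampleEntries | Format-Table -AutoSize
Get-JavaReaderInventory | Format-Table -AutoSize   # live view of this machine
```

With the constructed sample, the Java 6 entry comes back with Stale set to true and the Java 7 and Adobe Reader entries do not; Firefox and the auto-updater are ignored. Entries without a parseable DisplayVersion are skipped rather than guessed at, so a product that writes no version string will not appear and has to be checked by hand.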
Jack

The fact that a malware release for 64-bit is considered news can only prove how effective PatchGuard really is... And even if security developers have some problems when writing certain types of software due to it, we can safely say that Microsoft managed to increase the security of the 64-bit OS with this addition.
I'm pretty sure that by now all the major vendors can detect and remove this Rootkit.Win64.Necurs.a and that Microsoft will release an update soon which will prevent it from working. :)

Once loaded, the rootkit is able to block the correct loading of antivirus software that might detect and remove it
This has been done before but overall not a bad idea.
McLovin

I kind of figured this would happen. That is why people must look into some protection software.