New Malware Targets 64-Bit Windows

Jack
Administrator, Thread author
Jan 24, 2011
malwaretips.com
Rootkit writers have started exploiting a loophole that lets them write malware able to bypass the PatchGuard driver signing protection built into 64-bit versions of Windows, Kaspersky Lab has reported.

A product of the BlackHole Exploit Kit, a hugely successful kit for building malware to hit specific software vulnerabilities, the first element of the attack on a system is straightforward enough, using a downloader to hit the system through two common Java and Adobe Reader software flaws.

On 64-bit Windows systems open to these exploits, this calls a 64-bit rootkit, Rootkit.Win64.Necurs.a, which executes the 'bcdedit.exe -set TESTSIGNING ON' command, normally a programming command for trying out drivers during development.

The loophole abused by the malware writers is that this stops Windows' Patchguard from objecting to the unsigned and insecure nature of the driver (in this case a rootkit driver) being loaded.

The power of the technique is double-edged, however. Once loaded, the rootkit is able to block the correct loading of antivirus software that might detect and remove it, but this is also a giveaway. Security programs that do not work correctly could be taken to infer the presence of something unusual.


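The switch the article describes is a persistent boot option in the BCD store, so it is cheap to audit. The script below is an added example, not part of the article or the post above: it parses the output of `bcdedit /enum` and flags boot entries where `testsigning` or `nointegritychecks` is set to Yes, which on a production host is the footprint a dropper like this leaves behind. The embedded sample output is constructed to resemble English-locale `bcdedit` output and is not captured from an infected machine; the option names and the `bcdedit /set {current} testsigning off` remediation are real, the `RISKY_OPTIONS` table and function names are this example's own.

```python
"""Audit BCD boot options for the driver-signing bypass described in the article."""
import re
import shutil
import subprocess
import sys

# Boot options that weaken kernel code-signing enforcement on 64-bit Windows.
# Both are legitimate developer switches; on a production box they are a red flag.
RISKY_OPTIONS = {
    "testsigning": "test-signed drivers (no WHQL/CA signature) are allowed to load",
    "nointegritychecks": "kernel-mode code integrity checks are disabled",
}

# Constructed sample of `bcdedit /enum {current}` output (English locale), NOT captured
# from a real host, showing the option the dropper turns on.
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
testsigning             Yes
"""


def parse_bcd_entries(text):
    """Parse bcdedit output into a list of {option: value} dicts, one per boot entry.

    A line that is not 'key<2+ spaces>value' (e.g. 'Windows Boot Loader') starts a
    new entry; separator lines made of dashes are skipped.
    """
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip() or re.match(r"^-{5,}", line):
            continue
        m = re.match(r"^(\S+)\s{2,}(.+?)\s*$", line)
        if m is None:
            current = {}
            entries.append(current)
            continue
        if current is None:
            current = {}
            entries.append(current)
        current[m.group(1).lower()] = m.group(2).strip()
    return entries


def audit_bcd_entries(entries):
    """Return (identifier, option, explanation) for every risky option set to Yes."""
    findings = []
    for entry in entries:
        ident = entry.get("identifier", "?")
        for opt, why in RISKY_OPTIONS.items():
            if entry.get(opt, "No").lower() == "yes":
                findings.append((ident, opt, why))
    return findings


def audit_bcd_text(text):
    """Convenience wrapper: raw bcdedit output in, findings out."""
    return audit_bcd_entries(parse_bcd_entries(text))


def read_live_bcd():
    """Run bcdedit on a local Windows host (needs an elevated prompt); None elsewhere."""
    if sys.platform != "win32" or shutil.which("bcdedit") is None:
        return None
    result = subprocess.run(["bcdedit", "/enum", "all"], capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None


if __name__ == "__main__":
    text, source = read_live_bcd(), "live bcdedit"
    if text is None:
        text, source = SAMPLE_BCDEDIT_OUTPUT, "constructed sample"
    findings = audit_bcd_text(text)
    print(f"[{source}] {len(findings)} risky boot option(s) found")
    for ident, opt, why in findings:
        print(f"  {ident}: {opt} = Yes ({why})")
        print(f"    revert with: bcdedit /set {ident} {opt} off")
```

Two practical caveats: a machine with testsigning on also shows a "Test Mode" watermark on the desktop, which is the visible counterpart of the "giveaway" the article mentions, and on later systems with Secure Boot enabled `bcdedit /set testsigning on` is refused outright, so this particular trick only works where Secure Boot is off or unavailable.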
Avoid using or installing Adobe Reader and Java on your and your clients' computers. Advise about the dangers of using this software if it is absolutely needed and if not updated.
 
It is why I said a non-virtualized system without a HIPS/BB is less secure. Windows Firewall is not enough anymore ^^
 
stormgtr said:
Avoid using or installing Adobe Reader and Java on your and your clients' computers. Advise about the dangers of using this software if it is absolutely needed and if not updated.

Adobe Reader can be changed for an alternative PDF reader which can be more secure, but for Java there is no other alternative to use (as far as I know).
 
umbrapolaris said:
It is why I said a non-virtualized system without a HIPS/BB is less secure. Windows Firewall is not enough anymore ^^
I disagree with your comment.

jamescv7 said:
Adobe Reader can be changed for an alternative PDF reader which can be more secure, but for Java there is no other alternative to use (as far as I know).
There may be no alternative to Java, but if it is not needed, why have it installed? If you do have it installed, tell everyone to update it and completely remove older versions.
 
The fact that a malware release for 64-bit is considered news can only prove how effective PatchGuard really is... And even if security developers have some problems when writing certain types of software due to it, we can safely say that Microsoft managed to increase the security of the 64-bit OS with this addition.
I'm pretty sure that by now all the major vendors can detect and remove this Rootkit.Win64.Necurs.a, and that Microsoft will release an update soon which will prevent it from working. :)

Once loaded, the rootkit is able to block the correct loading of antivirus software that might detect and remove it
This has been done before, but overall not a bad idea.