Rootkit writers have started exploiting a loophole that lets them write malware able to bypass the PatchGuard driver signing protection built into 64-bit versions of Windows, Kaspersky Lab has reported.
A product of the BlackHole Exploit Kit, a hugely successful kit for building malware to hit specific software vulnerabilities, the first element of the attack on a system is straightforward enough, using a downloader to hit the system through two common Java and Adobe Reader software flaws.
On 64-bit Windows systems open to these exploits, this calls a 64-bit rootkit, Rootkit.Win64.Necurs.a., which executes the 'bcdedit.exe -set TESTSIGNING ON command, normally a programming command for trying out drivers during development.
The loophole abused by the malware writers is that this stops Windows' Patchguard from objecting to the unsigned and insecure nature of the driver (in this case a rootkit driver) being loaded.
The power of the technique is double-edged, however. Once loaded, the rootkit is able to block the correct loading of antivirus software that might detect and remove it, but this is also a giveaway. Security programs that do not wo"rk correctly could be taken to infer the presence of something unusual.
Read more