Alureon rootkit is back, and has acquired the ability to hijack computers running 64-bit versions of Microsoft Windows, proclaimed Marco Giuliani, security researcher with security company Prevx.
Alureon (also known as TDL and Tidserv) has garnered a lot of attention back in February when it was discovered that it was behind the system crashes occurring after infected users tried to update their Windows OS.
It seems that at that point in time, the rootkit was unable bypass the security features that made the 64-bit versions of Windows Vista and 7 more secure than their 32-bit counterparts – namely the Kernel Mode Code Signing and Kernel Patch Protection.
The Kernel Mode Code Signing does not permit digitally unsigned drivers to access the kernel memory region (and kernel mode rootkits are often not), and the Kernel Patch Protection prevents kernel mode drivers from modifying sensitive areas of the Windows kernel. But, both protection mechanisms can be obviously bypassed by this new version of Alureon, which patches the Master Boot Record in order to intercept Windows startup routines and then loads its driver.
“The rootkit needs administrative privileges to infect the Master Boot Record. Even then, it still cannot load its own 64 bit compatible driver because of Windows’s kernel security. So, the dropper forces Windows to immediately restart. This way, the patched MBR can do the dirty work,” says Giuliani.
Well, Windows restarting “by itself” like that seems to me like a good sign to start worrying.
Giuliani also points out that this is not the first rootkit to be able to pass those security roadblocks – a bootkit named Whistler has been spotted being offered for sale on various underground markets some time ago – but this is the first time that the use of such a rootkit has been detected in the wild. According to him, the era of x64 rootkits has officially dawned.