Rootkit defeats MS Windows 64-bit security features

Warwick Ashford

The latest version of a rootkit targeting Microsoft Windows has begun hitting 64-bit versions of the operating system.

TDL is an advanced rootkit that most anti-malware programs fail to detect; it serves as a backdoor used to install and update keyloggers and other types of malware.

Researchers say version 4 of the rootkit, TDL4, can bypass the policy in 64-bit versions of Windows that requires kernel-mode drivers to be digitally signed.

The policy, known as the kernel-mode code signing policy, refuses to load any driver that lacks a valid digital signature, which is meant to keep unauthorised or malicious drivers out of the kernel.

But TDL4 bypasses this control by altering the boot options passed to Microsoft's boot programs so that an unsigned driver is allowed to load, according to research published by GFI Software.

The boot option is changed in memory by code executed from the infected master boot record (MBR), wrote Chandra Prakash, technical fellow at GFI Labs.

"The boot option configures the value of a config setting named 'LoadIntegrityCheckPolicy' that determines the level of validation on boot programs. The rootkit changes this config setting's value to a low level of validation that effectively allows loading of an unsigned malicious rootkit DLL file."
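The bypass described above lowers the boot-time integrity-check policy from code running out of an infected MBR. A defender's first two questions are whether the boot configuration on disk has been weakened, and whether the MBR boot code still matches a trusted baseline. The Python below is an added example, not code from the article or from GFI Labs: the bcdedit excerpt and the two MBR images are constructed for the example, and the helper that reads the real first sector assumes an administrator session on Windows.

```python
"""Added example (not from the article or from GFI Labs): two defender-side checks
for the boot-time driver-signing bypass described above.

  1. Parse the output of `bcdedit /enum` for boot options that relax kernel-mode
     code signing enforcement.
  2. Compare the on-disk MBR against a trusted baseline, separating changes to
     the boot-code area (where a bootkit plants its loader) from changes to the
     partition table.

The bcdedit excerpt and both MBR images below are constructed for this example.
"""
import hashlib
import re

# ---- Check 1: boot options that weaken kernel-mode code signing ---------------

# Constructed excerpt in the layout that `bcdedit /enum {current}` prints.
SAMPLE_BCDEDIT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
nointegritychecks       Yes
testsigning             No
"""

# Documented BCD options that relax driver signature enforcement.
WEAKENING_OPTIONS = ("nointegritychecks", "testsigning")


def weakened_boot_options(bcdedit_text):
    """Return the names of weakening options that are set to Yes."""
    enabled = []
    for line in bcdedit_text.splitlines():
        match = re.match(r"^\s*(\w+)\s+(\S+)\s*$", line)
        if not match:
            continue  # separators, blank lines, multi-word values
        name, value = match.group(1).lower(), match.group(2).lower()
        if name in WEAKENING_OPTIONS and value == "yes":
            enabled.append(name)
    return enabled


# ---- Check 2: MBR baseline comparison ---------------------------------------

MBR_SIZE = 512
CODE_END = 440       # bytes 0..439: boot code
PTABLE_START = 446   # bytes 446..509: four 16-byte partition entries
SIG_OFFSET = 510     # bytes 510..511: 0x55 0xAA boot signature


def build_sample_mbr(boot_code):
    """Assemble a constructed MBR around the given boot code: fixed disk
    signature, one active NTFS partition entry, empty remaining entries."""
    code = boot_code.ljust(CODE_END, b"\x00")[:CODE_END]
    disk_signature = b"\x12\x34\x56\x78\x00\x00"
    entry = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + (2048).to_bytes(4, "little")      # first LBA
             + (204800).to_bytes(4, "little"))   # sector count
    return code + disk_signature + entry + b"\x00" * 48 + b"\x55\xaa"


# A "clean" baseline and an "infected" variant with the same partition table but
# different boot code, the shape of change an MBR bootkit produces.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20)
CLEAN_SHA256 = hashlib.sha256(CLEAN_MBR).hexdigest()
INFECTED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 40)


def compare_mbr(current, baseline_sha256, baseline=None):
    """Check structure and baseline match; with the baseline bytes available,
    also report which region changed."""
    result = {
        "size_ok": len(current) == MBR_SIZE,
        "signature_ok": current[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa",
        "matches_baseline": hashlib.sha256(current).hexdigest() == baseline_sha256,
        "boot_code_changed": None,
        "partition_table_changed": None,
    }
    if baseline is not None:
        result["boot_code_changed"] = current[:CODE_END] != baseline[:CODE_END]
        result["partition_table_changed"] = (
            current[PTABLE_START:SIG_OFFSET] != baseline[PTABLE_START:SIG_OFFSET])
    return result


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of the boot disk on Windows (administrator required).
    Not called here: the constructed sample data above stands in for it."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    print("weakening boot options:", weakened_boot_options(SAMPLE_BCDEDIT))
    print("clean MBR:   ", compare_mbr(CLEAN_MBR, CLEAN_SHA256, CLEAN_MBR))
    print("infected MBR:", compare_mbr(INFECTED_MBR, CLEAN_SHA256, CLEAN_MBR))
```

Two caveats apply. Because the article describes the option being changed in memory after the MBR code has run, a clean bcdedit listing on the running system does not clear the machine; the MBR comparison is the more telling check. And since code that runs below the file system can also filter what the running system reads from the disk, the baseline comparison is most trustworthy when the first sector is read after booting from known-clean media.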

The rootkit also disables debuggers, which makes reverse engineering it very difficult, said Prakash.
