Rootkit defeats MS Windows 64-bit security features

Warwick Ashford

The latest version of a rootkit targeting Microsoft Windows has begun infecting 64-bit versions of the operating system.

TDL is an advanced rootkit that evades most anti-malware programs and is used as a backdoor to install and update keyloggers and other types of malware.

Researchers say the TDL version 4 rootkit is able to bypass the enhanced security policy requiring system drivers to be signed in 64-bit versions of Windows.

The policy, called the kernel-mode code signing policy, refuses to load any driver that lacks a valid digital signature, which is what keeps unauthorised or malicious drivers out of the 64-bit kernel.

But TDL4 is able to bypass this control by changing, at boot time, the options that Microsoft's boot programs act on, so that an unsigned driver is allowed to load, according to research published by GFI Software.

The boot option is changed in memory by code executed from the infected master boot record (MBR), wrote Chandra Prakash, technical fellow at GFI Labs.

"The boot option configures the value of a config setting named 'LoadIntegrityCheckPolicy' that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dll file."

Prakash said the rootkit also disables debuggers, which makes reverse engineering it very difficult.
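Because the boot option is rewritten in memory rather than in the on-disk boot configuration, the durable artefact an investigator can inspect is the infected MBR itself. The following is an added example, not code from GFI Labs or from this article: it parses a 512-byte MBR sector, validates the 0x55AA boot signature, decodes a partition entry, and compares a CRC-32 of the 440-byte bootstrap code area against a baseline recorded while the disk was known-good. The sample sectors are constructed inline (placeholder code bytes, one NTFS partition); the "hook" that redirects the entry point into a stub in the code area is a hypothetical illustration of an MBR patch, not TDL4's actual bytes. On a live system the 512 bytes would be read from sector 0 of \\.\PhysicalDrive0 with administrator rights.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE      512
#define MBR_CODE_LEN  440   /* bootstrap code: offsets 0x000-0x1B7, before the disk signature */
#define MBR_PART_OFF  446   /* four 16-byte partition entries start at 0x1BE */
#define MBR_SIG_OFF   510   /* 0x55 0xAA boot signature */

typedef struct {
    uint8_t  status;     /* 0x80 = active/bootable */
    uint8_t  type;       /* partition type, e.g. 0x07 NTFS */
    uint32_t lba_start;  /* first sector (stored little-endian) */
    uint32_t sectors;    /* length in sectors */
} part_entry_t;

/* CRC-32 (IEEE 802.3, reflected poly 0xEDB88320), bitwise; fine for a 440-byte region */
uint32_t crc32(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

int mbr_has_signature(const uint8_t *mbr)
{
    return mbr[MBR_SIG_OFF] == 0x55 && mbr[MBR_SIG_OFF + 1] == 0xAA;
}

int mbr_parse_partition(const uint8_t *mbr, int idx, part_entry_t *out)
{
    if (idx < 0 || idx > 3) return 0;
    const uint8_t *e = mbr + MBR_PART_OFF + 16 * idx;
    out->status    = e[0];
    out->type      = e[4];
    out->lba_start = le32(e + 8);
    out->sectors   = le32(e + 12);
    return 1;
}

/* 0 = bootstrap code matches baseline, 1 = code differs (possible bootkit), -1 = not an MBR */
int mbr_check(const uint8_t *mbr, uint32_t baseline_code_crc)
{
    if (!mbr_has_signature(mbr)) return -1;
    return crc32(mbr, MBR_CODE_LEN) == baseline_code_crc ? 0 : 1;
}

/* Constructed sample sector (not a real Windows MBR): stand-in code bytes, one NTFS partition */
void build_clean_mbr(uint8_t *mbr)
{
    memset(mbr, 0, MBR_SIZE);
    for (int i = 0; i < MBR_CODE_LEN; i++) mbr[i] = (uint8_t)(0x33 + i * 7);
    uint8_t *e = mbr + MBR_PART_OFF;
    e[0] = 0x80; e[4] = 0x07;                                /* active, NTFS */
    e[8] = 0x00; e[9] = 0x08; e[10] = 0x00; e[11] = 0x00;    /* LBA start 2048 */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x20; e[15] = 0x00;  /* 0x200000 sectors */
    mbr[MBR_SIG_OFF] = 0x55; mbr[MBR_SIG_OFF + 1] = 0xAA;
}

/* Same sector with a hypothetical hook: entry point redirected into a stub inside the code area */
void build_infected_mbr(uint8_t *mbr)
{
    build_clean_mbr(mbr);
    static const uint8_t hook[] = { 0xE9, 0xAD, 0x01 };  /* jmp near +0x1AD -> offset 0x1B0 */
    memcpy(mbr, hook, sizeof hook);
    mbr[0x1B0] = 0xCD; mbr[0x1B1] = 0x13;                /* stub placeholder: int 13h */
}

/* variant 0 = clean copy, 1 = hooked copy, 2 = zeroed sector; verdict against the clean baseline */
int sample_verdict(int variant)
{
    uint8_t clean[MBR_SIZE], probe[MBR_SIZE];
    build_clean_mbr(clean);
    uint32_t baseline = crc32(clean, MBR_CODE_LEN);  /* recorded while known-good */
    if (variant == 0)      memcpy(probe, clean, MBR_SIZE);
    else if (variant == 1) build_infected_mbr(probe);
    else                   memset(probe, 0, MBR_SIZE);
    return mbr_check(probe, baseline);
}

int main(void)
{
    uint8_t mbr[MBR_SIZE];
    part_entry_t p;
    build_clean_mbr(mbr);
    printf("clean sector verdict:  %d\n", sample_verdict(0));
    printf("hooked sector verdict: %d\n", sample_verdict(1));
    printf("zeroed sector verdict: %d\n", sample_verdict(2));
    if (mbr_parse_partition(mbr, 0, &p))
        printf("partition 0: status=0x%02X type=0x%02X lba=%u sectors=%u\n",
               p.status, p.type, p.lba_start, p.sectors);
    return 0;
}
```

The check only detects drift from a baseline; it does not know what a clean Microsoft MBR looks like, so the baseline has to be captured from the same disk before infection. It also assumes the sector bytes are genuine: a kernel-resident rootkit can intercept reads of sector 0 and return clean data, so the disk should be read from a trusted boot medium rather than from the possibly infected operating system.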
