Kaspersky Lab has detected multi-purpose rootkits capable of posing a threat to 32-bit and 64-bit Windows systems, along with a variant that targets Mac OS X.
Kaspersky warns that the key feature of the 64-bit rootkit is that rather than trying to bypass the PatchGuard kernel protection system, it uses a special digital signature for software developers. The rootkit is distributed via a downloader, which also tries to install other malicious software.
Open door for a computer hacker
"The 64-bit driver is signed with something called a 'testing digital signature'. If Windows - Vista and higher - were to be booted in 'TESTSIGNING' mode, the applications can launch the drivers signed with such a signature. This is a special trap-door that Microsoft has left for driver developers to test their creations," said Alexander Gostev, chief security expert at Kaspersky Lab.
"Cybercriminals have also made use of this loophole that allows them to launch their drivers without a legitimate signature. This is another example of a rootkit that does not need to bypass the PatchGuard protection system included in the latest Windows x64 systems," he said.
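As an added example (not from the article or from Kaspersky), this PowerShell triage script checks for the condition Gostev describes: whether the machine is booted in TESTSIGNING mode, and which running kernel drivers carry a signature that Windows does not trust. It assumes an elevated PowerShell session on Windows 8 or later and an English-locale bcdedit.

```powershell
# Added example, not code from the article. Run from an elevated PowerShell prompt.

# 1. Is the current boot entry in TESTSIGNING mode? In that mode the loader accepts
#    drivers signed with a test certificate, which is the loophole the rootkit relies on.
$bcd = bcdedit /enum '{current}' 2>&1
# The "Yes" token assumes an English-locale bcdedit; adjust for other locales.
$testSigning = $bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' }
if ($testSigning) {
    Write-Warning "TESTSIGNING is enabled on the current boot entry: test-signed drivers will load."
} else {
    Write-Output "TESTSIGNING is not enabled on the current boot entry."
}

# 2. List running kernel drivers whose Authenticode signature does not verify.
#    A test-signed driver will not chain to a trusted root, so it shows up here.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

foreach ($d in $drivers) {
    # PathName may be quoted, or use the \??\ and \SystemRoot\ forms; normalise to a plain path.
    $path = $d.PathName.Trim('"')
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        [PSCustomObject]@{
            Driver = $d.Name
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
}
```

On Windows 7, Get-AuthenticodeSignature does not consult driver catalogs, so catalog-signed inbox drivers may also appear in the second list; treat it as a triage starting point rather than a verdict.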
Fake antivirus software targets Mac OS X
Kaspersky Lab's experts found one variant that attempts to download and install so-called Rogue or Fake antivirus software for the Mac OS X operating system, along with other malware.
The rootkits block users' attempts to install or run popular anti-malware programs and effectively protect themselves by intercepting and monitoring system activity. While the rootkit leaves the PC vulnerable to attacks, the downloader tries to obtain and execute malicious code, including the aforementioned Rogue AV for Mac OS X. This fake antivirus, known as Hoax.OSX.Defma.f, is one of the emerging threats for Mac OS X, which is increasingly being targeted by cybercriminals.