Rootkit works on X64 !

And they said it couldn't happen

 

How sad is that

 

I don't see anyone actually trying it on 64bit yet, only going by theory based on code analysis.

 

That's their first mistake. It's still a theory, yes, but as we know just about everything we have now, whether tech or just plain facts, started out as a theory and a "what if". I look at all things this way, if man created it, man can break it.

 

Firstly it's an assumption, secondly it's technically an exploit if unsigned software can get in.

I'd love to see some ITW examples of this to prove it's possible, then watch it get patched

It's worse when you think people pay for it.

 

There goes the neighbourhood

 

Quick sell your W7 X64 comps before everybody finds out, and the price collapses

 

...ITW

 

Ok Microsoft, stopwatch starts now!

 

Any one knows does EP_X0FF still works for MS?

 

I am sure this will be the hard time for MS ... Soon we'll gonna see TDL5 (Linux Based) ...

 

Well, at least there already are TDSS removal tools for x64. There will be other rootkits too though.

 

You talking about Kaspersky TDSS remover or Hitman Pro x64 version ?

 

I'm not sure about Hitman Pro x64 version, but KL TDSSKiller works on x64 according to their support page.

 

Hitman Pro x64 is able to detect the presence of the rootkit but is unable to clean it as of yet. The x64 version of TDSSKiller doesn't detect it.

 

That will be changed with build 110 which is currently being developed by SurfRight I think (internal BETA).

 

http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html

 

For those interested in prevention-- from the Prevx blog:

This implies the same two tried and true methods of loading the dropper:

1) social engineering, where a user on a porn site is enticed to watch a naughty video which requires installing a codec

2) remote code execution (drive-by exploit) via a vulnerability exploited when the user is redirected to a malicious site with an exploit kit.

----
rich

 

what about prevx?

 

110? I'm on Build 111, just came through this afternoon.

 

I just wrote a little blog post about Hitman Pro detecting the 64-bit TDL3 rootkit infection, along with a video to illustrate.
http://hitmanpro.wordpress.com/2010/08/26/hitman-pro-detects-64-bit-variant-of-tdl3-rootkit/

 

Hello,

I'm not by ANY means saying that I'm happy because of this and I do NOT endorse people who do this but I knew it was just matter of time before someone could come up with something that finally was going to tear down the idea of that X64-bit OSes were unbreakable.

In this Universe of 4 [ or more ] dimensions NOTHING is unbreakable. NOTHING. period.

Bad people are always working 24/7/365 on doing their bad deeds. They do not sleep.

Although I know this last comment is a little bit off-topic [ non-TDSS related] but after all this that has happened now with X64-bit I guess that even SBIE activation will be circumvented soon as Windows/Office activation was in the past.


Carlos

 

How is the malware able to write to the MBR. Doesn't it require special priviliges ?

 

UAC/LUA + SRP can protect you very well.

 

Hey , you beat me . I was just going to post that while reading the first posts

Just keep your protections up-to-date and make use of UAC - it is a crime not to use it