(FakeAV) Win 8 Security System and its Rootkit

Interesting blog by SurfRight (HitmanPro) about the FakeAV Win 8 Security System and its Rootkit:
http://hitmanpro.wordpress.com/2012/08/31/win-8-security-system-and-its-rootkit/

 

Hmmm, i'm pretty sure tons of people will get infected.
Looks pretty legit for inexperienced users.

 

yeah sadly they will, where did this come from? must be a fairly popular file download site

 

Interestingly, the CERT was issued by www.rapidssl.com



which is listed in WhoIs etc as owned by,

I used the online contact form to alert them. Let's see if they respond, & how quickly ?

 

No doubt about it.I just hope there smart enough not to whip out the credit card so fast,but I imagine a lot will go into panic mode and will though.

 

For the dropper the detection is not as bad as for the installed rootkit driver which is mentioned in the blog. ~ VirusTotal Results Removed per Policy ~

Beside that a good behaviour blocker will do the trick, short tests showed no problems for the BBs of EAM and GDATA.

 

"The malware installs a different driver on computers running 64-bit Windows and disables 64-bit kernel-mode driver signing on these machines."

So it bypasses PatchGuard? Wow. Maybe Ilya could find out how for 64-bit DW

 

That's not the preferred way of doing it.

Malware has been able to install drivers in 64bit systems for a long time, so nothing new re: 64bit driver signing and bypassing KPP.