Rootkit able to bypass kernel protection and driver signing in 64-bit Windows

and with Germany in the lead of Alureon infections

 

You should read the article again, that's not what it says.

That means of the rootkits found, Alureon is the most prevalent, not that Germany is No.1 in Alureon infections. If you look at this chart, you'll see where the largest number of zombies is most likely located.

Also interesting to note is that you can nip this one in the bud by simply not running as admin.

 

Only with that one though. Running LUA won't save your skin with Carberp, Spyeye et al

 

I am at loss with the synonym of most frequently observed. that chart does not apply to Alureon just but to bot infections in general, as is the article that chart is embedded with.

 

Maybe not, but it's not a good excuse for running as admin either

I had never heard of Carberp before, but found this article. I found this part interesting:

Seems to me that if you had a software restriction policy and no autoruns for users, e.g., kafu.exe, that a reboot would take care of it. Tell me if I'm barking up the right tree.

 

It says that within Germany Alureon is the most frequently observed rootkit, not that Germany is the country with the most observed Alureon infections. In other words, Alureon is the number 1 rootkit infection in Germany, but in other countries it is probably number 2, 3 4 etc.

 

Not wishing to go to further in the Carberp matter, in case it is considered to be off-topic, but in the same article

If nothing has changed...

-Edit-

Interesting... The same article points here http://www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2 and where we can see that among other apps, it also steals credentials from Chrome.

Techrepublic article dates from October 18th, 2010, and Symantec's from Discovered: October 13, 2010; Updated:October 13, 2010 1:56:32 PM

I wonder where the author of that article went to get such info that Chrome was unaffected, besides this one http://www.trustdefender.com/quick-update-to-carberp.html. But this latter dates from 07 October 2010; way earlier than Techrepublic's article. Considering they were aware of Symantec's article stating it also steals from Chrome, I wonder how they wrote it didn't/doesn't.

 

Depends...there no substantial benefit for a Win7 user to run under LUA versus admin with UAC on. What's the difference?...on one you click "yes" to go admin, on the other you enter your admin password. Now I know that's not the full story, but it is most of it. Oh jeez, hope I haven't reignited the admin versus LUA argument!

You're barking up exactly the right tree ...but only if you've forked out for Windows Professional (and upwards) of course.

 

What they are saying is that of the rootkits found on computers in Germany, Alureon is the most common one, not that the country is leading the world in Alureon infections. This reference is probably made because the site Ronjor linked to is the English language version of heise online, which is a popular German tech site, hence the increased interest in what's going on here locally.

Looking at the chart, the US had ten times the amount of bot infections, so one might deduce that the number of Alureon infections is pretty high too.

 

A few months ago someone posted a link to some tests with malware (or POCs, don't remember exactly) that were able to bypass UAC. I use XP and Server 2003 and don't get prompts for a password. I get the obnoxious "bonk" system sound and a popup telling me that it's a no-go, against system policies.

Nothing wrong with firing up the old admin vs. LUA argument, keeps things lively around here.

That's reassuring. I was told that kafu.exe was a bit redundant with LUA + SRP, maybe this is a good use for it, sort of the belt-and-braces approach. I don't do the home versions of anything, mainly because they don't have gpedit.msc.

 

Hi, thanks for the update

I believe it's related to this

https://www.wilderssecurity.com/showthread.php?t=280128

Rootkit TDL 3 (alias TDSS, Alureon)

 

Yes, just keep an eye on 'Rootkit TDL 3 (alias TDSS, Alureon)' for update on TDL3/4 information - seem a lot do

 

Not to get too far off topic, but you could ask any experienced Linux user if they recommend that Linux users run as root and hear what they say. Why should Windows be any different?

More to the point, UAC isn't designed to provide 'airtight' protection when running as Admin (it is not a Windows security boundary like LUA), etc. See Here for Mark Russinovich's take on why standard accounts are more secure.

 

UAC is a not a security solution. It provides some security, though. There's been malware capable of bypassing UAC. This means that if you're running Admin. account with UAC, and UAC gets bypassed... bye-bye.

In a LUA, at least, malware won't be able to make as much damage as they would in an Admin. account. There are exceptions, which won't require Admin. rights to do damage, specially financial one, but that's why a LUA isn't enough either. It sure is better than Admin, but not enough.

 

So the security mechanisms in Windows 7 are not broken (they work as designed), but the rootkit is able to insert itself into the MBR of a 64-bit Windows 7 system and gain control over the system anyway.

And currently, UAC would stop the attack, assuming the user does not grant the requisite privileges (via UAC).

 

This isn't really new, was posted a few months back.

http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html