Alureon rootkit and x64 OS.

Discussion in 'other anti-malware software' started by linuxforall, Feb 20, 2010.

Thread Status:
Not open for further replies.
  1. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    http://news.softpedia.com/news/Wind...on-Rootkit-Not-by-Security-Patch-135407.shtml

    What is critical to note is that if customers had been running the 64-bit editions of Windows 7 or Windows Vista such an infection could have never happened. This is because, starting with 64-bit XP SP1 and Vista, Microsoft introduced a number of mitigations designed to protect the Windows kernel from tampering. Technologies such as Kernel Patch Protection (PatchGuard) and Kernel Mode Code Signing (KMCS) present in 64-bit systems, including Windows 7, stop Alureon infections dead in their tracks.

    Always a good idea to run x64 OS, be it in Windows or Linux.
     
  2. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    'If' is always a great protection and 'if' solves almost all problems...
    IMHO all these people who need a MS update BS to notice an infection would get infected with x64 as well and not notice it.
    So where is the advantage of x64 then?
    Password stealer running instead of rootkit running... or so.

    Cheers
     
  3. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Very few rootkits are out there for x64 MS OS; none of the current AV makers, with few exceptions, have a rootkit scanner for x64. PatchGuard, implemented early in 2003 x64 and XP x64, works well to prevent rootkits from attacking the kernel.
     
  4. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    I thought rootkits don't work with 64 bit since only signed drivers are allowed to load o_O Unless someone disabled this setting, but by default I think this setting is in effect and I've never seen a 64 bit system infected with a rootkit?
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Don't forget there are different types of rootkit, userland for example, and protection can be circumvented.
     
  6. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    So if you keep the setting that only allows signed drivers to load, can you still get infected by a rootkit?
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Fully updated x64 Windows with UAC and brain on and you should be safe against kernel mode rootkits.
     
  8. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Actually, no. Patchguard does nothing to prevent rootkit infection or kernel patching. Patchguard is merely a periodic check for such patching, and a crash response once detected. Wikipedia description says the following:

    Patchguard offers no defense against infection by rootkits, but instead cripples systems which it detects as being infected. Great for keeping zombies and bots off the net, don't get me wrong, but in terms of proactive protection, it does nothing.

    Driver signing is far more effective. For the time being.
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    PatchGuard's (Kernel Patch Protection) job is to stop the manipulation of the kernel, protecting the integrity and reliability of the system, but it is certainly not perfect.

    Will it prevent every rootkit - no.
     
    Last edited: Feb 22, 2010
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Positive lots of people still believe that Vista and Win7 are rootkit immune. Not surprising really when that's what the media and Microsoft were saying :p
     
  11. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    People are confused for good reason; if I understood MS correctly, the driver signing requirement stops rootkits, but perhaps I don't understand correctly.

    http://msdn.microsoft.com/en-us/library/aa906338.aspx

    "By default, 64-bit versions of Windows Vista and later versions of Windows will load a kernel-mode driver only if the kernel can verify the driver signature."
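    The MSDN statement quoted above describes a policy, and the practical question for a defender is whether that policy is actually in force on a given machine and whether every loaded driver satisfies it. The script below is an added example written for this thread, not code from Microsoft or from any poster; it assumes PowerShell 3.0 or later on 64-bit Windows, run from an elevated prompt, and uses the standard Win32_SystemDriver class, Get-AuthenticodeSignature and bcdedit. It lists every running kernel-mode driver with its Authenticode status and then checks the boot configuration for the two settings (testsigning, nointegritychecks) that relax signature enforcement.

```powershell
# Added example (not from the thread): report the signature status of every
# running kernel-mode driver and check whether driver signature enforcement
# has been weakened in the boot configuration.
# Assumes: PowerShell 3.0+, 64-bit Windows, elevated prompt.

function Get-LoadedDriverSignatureReport {
    # Win32_SystemDriver enumerates kernel-mode driver services; keep only
    # those currently running and that have an image path to inspect.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Service image paths may carry an NT-style "\??\" prefix or be
        # relative to the Windows directory; normalise to a plain file path.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            Name   = $d.Name
            Path   = $path
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer = $signer
        }
    }
}

function Test-CodeIntegrityPolicyWeakened {
    # bcdedit prints "testsigning  Yes" / "nointegritychecks  Yes" when an
    # operator (or anything already running as admin) has relaxed enforcement.
    $bcd  = & bcdedit /enum '{current}' 2>$null
    $weak = @()
    if ($bcd -match '^\s*testsigning\s+Yes')       { $weak += 'testsigning' }
    if ($bcd -match '^\s*nointegritychecks\s+Yes') { $weak += 'nointegritychecks' }
    return $weak
}

$report = Get-LoadedDriverSignatureReport
$report | Sort-Object Status | Format-Table -AutoSize

$suspect = $report | Where-Object { $_.Status -ne 'Valid' }
if ($suspect) {
    Write-Warning "Drivers without a valid Authenticode signature: $($suspect.Name -join ', ')"
}

$weakened = Test-CodeIntegrityPolicyWeakened
if ($weakened) {
    Write-Warning "Boot configuration weakens code integrity: $($weakened -join ', ')"
}
```

    Two caveats when reading the output. On Windows 7, Get-AuthenticodeSignature does not resolve catalog signatures, so many in-box drivers that are legitimately catalog-signed will show as NotSigned; on Windows 8 and later the cmdlet consults the catalog store and those show as Valid. And, as the later reply in this thread points out, a Valid status only tells you the driver was signed with a certificate the kernel trusts, not that the signer is trustworthy, so the Signer column is worth reviewing rather than just the Status column.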
     
  12. Dogbiscuit

    Dogbiscuit Guest

    Kernel-mode code signing is not a Windows security boundary, meaning it raises the bar, but the bar can be hurdled. For example, a malware writer could purchase a certificate for $300 and sign his code with it, could also obfuscate the certificate, etc.
     
  13. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    Makes things much clearer, and those are the types of 'hurdles' I was unaware of, thank you :thumb:
     