Alureion rootkit and x64 OS.

http://news.softpedia.com/news/Wind...on-Rootkit-Not-by-Security-Patch-135407.shtml

What is critical to note is that if customers had been running the 64-bit editions of Windows 7 or Windows Vista such an infection could have never happened. This because, starting with 64-bit XP SP1 and Vista, Microsoft introduced a number of mitigations designed to protect the Windows kernel from tampering. Technologies such as Kernel Patch Protection (PatchGuard) and Kernel Mode Code Signing (KMCS) present in 64-bit systems, including Windows 7, stop Alureon infections dead in their tracks.

Always a good idea to run x64 OS, be it in Windows or Linux.

 

'If' is always a great protection and 'if' solves almost all problems...
IMHO all these people who need a MS update BS to notice an infection would get infected with x64 as well and not notice it.
So where is the advantage of x64 then?
Password stealer running instead of rootkit running... or so.

Cheers

 

Very few rootkits are out there for x64 MS OS, none of the current AV makers with few exceptions have rootkit scanner for x64, patchguard, implemented early in 2003x64 and XPx64 works well to prevent the rootkits from attacking the kernel.

 

I thought rootkits don't work with 64 bit since only signed drivers are allowed to load Unless someone disabled this setting, but by default I this setting is in effect and I've never seen a 64 bit system infected with a rootkit??

 

Don't forget there are different types of rookit, userland for example and, protection can be circumvented.

 

so if you keep the setting that only allows signed drivers to load, can you still get infected by a rootkit?

 

Fully updated x64 Windows with UAC and brain on and you should be safe against kernel mode rootkits.

 

Actually, no. Patchguard does nothing to prevent rootkit infection or kernel patching. Patchguard is merely a periodic check for such patching, and a crash response once detected. Wikipedia description says the following:

Patchguard offers no defense against infection by rootkits, but instead cripples systems which it detects as being infected. Great for keeping zombies and bots off the net, don't get me wrong, but in terms of proactive protection, it does nothing.

Driver signing is far more effective. For the time being.

 

PatchGuard (Kernel Patch Protection) job is to stop the manipulation of kernel, protecting the integrity and reliability of the system but is certainly not perfect.

Will it prevent every rootkit - no.

 

Positive lots of people still believe that Vista and Win7 are rootkit immune. Not surprising really when that's what the media and Microsoft were saying

 

People are confused for good reason, if I understood MS correctly the driver signing requirement stops rootkits, perhaps I don't understand correctly.

http://msdn.microsoft.com/en-us/library/aa906338.aspx

"By default, 64-bit versions of Windows Vista and later versions of Windows will load a kernel-mode driver only if the kernel can verify the driver signature."

 

Kernal-mode code signing is not a Windows security boundary, meaning it raises the bar, but the bar can be hurdled. For example, a malware writer could purchase a certificate for $300 and sign his code with it, could also obfuscate the certificate, etc.

 

makes things much clearer and those are the types of 'hurdles' I was unaware of, thank you