Rootkit able to bypass kernel protection and driver signing in 64-bit Windows

Discussion in 'malware problems & news' started by ronjor, Nov 16, 2010.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    The H Security
     
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    and with Germany in the lead of Alureon infections
     
  3. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    You should read the article again, that's not what it says.
That means of the rootkits found, Alureon is the most prevalent, not that Germany is No. 1 in Alureon infections. If you look at this chart, you'll see where the largest number of zombies is most likely located.

    Also interesting to note is that you can nip this one in the bud by simply not running as admin. *puppy*
     
  4. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Only with that one though. Running LUA won't save your skin with Carberp, Spyeye et al :)
     
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
I am at a loss with the synonym of "most frequently observed". That chart does not apply just to Alureon but to bot infections in general, as does the article that chart is embedded in.
     
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Maybe not, but it's not a good excuse for running as admin either ;)

    I had never heard of Carberp before, but found this article. I found this part interesting:
Seems to me that if you had a software restriction policy and no autoruns for users, e.g., kafu.exe, a reboot would take care of it. Tell me if I'm barking up the right tree.
     
  7. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
It says that within Germany Alureon is the most frequently observed rootkit, not that Germany is the country with the most observed Alureon infections. In other words, Alureon is the number 1 rootkit infection in Germany, but in other countries it is probably number 2, 3, 4, etc.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Not wishing to go further into the Carberp matter, in case it is considered to be off-topic, but in the same article

    If nothing has changed...

    -Edit-

Interesting... The same article points here http://www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2, where we can see that among other apps, it also steals credentials from Chrome.

The Techrepublic article dates from October 18th, 2010, and Symantec's from "Discovered: October 13, 2010; Updated: October 13, 2010 1:56:32 PM".

    I wonder where the author of that article went to get such info that Chrome was unaffected, besides this one http://www.trustdefender.com/quick-update-to-carberp.html. But this latter dates from 07 October 2010; way earlier than Techrepublic's article. Considering they were aware of Symantec's article stating it also steals from Chrome, I wonder how they wrote it didn't/doesn't. o_O
     
    Last edited: Nov 16, 2010
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
Depends... there's no substantial benefit for a Win7 user to run under LUA versus admin with UAC on. What's the difference? On one you click "yes" to go admin, on the other you enter your admin password. Now I know that's not the full story, but it is most of it. Oh jeez, hope I haven't reignited the admin versus LUA argument!


    You're barking up exactly the right tree :) ...but only if you've forked out for Windows Professional (and upwards) of course.
     
  10. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    What they are saying is that of the rootkits found on computers in Germany, Alureon is the most common one, not that the country is leading the world in Alureon infections. This reference is probably made because the site Ronjor linked to is the English language version of heise online, which is a popular German tech site, hence the increased interest in what's going on here locally.

    Looking at the chart, the US had ten times the amount of bot infections, so one might deduce that the number of Alureon infections is pretty high too.
     
  11. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    A few months ago someone posted a link to some tests with malware (or POCs, don't remember exactly) that were able to bypass UAC. I use XP and Server 2003 and don't get prompts for a password. I get the obnoxious "bonk" system sound and a popup telling me that it's a no-go, against system policies.

    Nothing wrong with firing up the old admin vs. LUA argument, keeps things lively around here. :D

    That's reassuring. I was told that kafu.exe was a bit redundant with LUA + SRP, maybe this is a good use for it, sort of the belt-and-braces approach. I don't do the home versions of anything, mainly because they don't have gpedit.msc.
     
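Added example, not from the thread or from any of the linked articles: a PowerShell audit of the setup Johnny123 and Scoobs72 are discussing, i.e. a Software Restriction Policy in force (the gpedit.msc-configured policy lives under the Safer registry key shown below) and no autorun entries that a standard user can control. It reads the SRP state from the registry, lists the Run/RunOnce keys and Startup folders, and flags entries whose image lies under a path standard users can normally write to. The "user-writable" test is a path-prefix heuristic I am assuming for illustration, not an ACL check, and it needs an elevated prompt to read HKLM and the common Startup folder.

```powershell
# Added example (not from the thread): check for SRP default-deny plus user-controlled autoruns.
# Run from an elevated PowerShell on the machine being audited.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SAFER level IDs as stored in the DefaultLevel value
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpState {
    if (-not (Test-Path $SaferKey)) {
        return [pscustomobject]@{ Present = $false; DefaultLevel = 'none (no SRP configured)'; AppliesToAdmins = $false; CoversDlls = $false }
    }
    $p = Get-ItemProperty -Path $SaferKey
    # A missing DefaultLevel means the policy key exists but nothing is restricted.
    $level = if ($null -ne $p.DefaultLevel) { $LevelNames[[int]$p.DefaultLevel] } else { 'Unrestricted (value missing)' }
    [pscustomobject]@{
        Present         = $true
        DefaultLevel    = $level
        AppliesToAdmins = ($p.PolicyScope -eq 0)        # 0 = all users, 1 = all users except local administrators
        CoversDlls      = ($p.TransparentEnabled -eq 2) # 1 = executables only, 2 = all software files incl. DLLs
    }
}

function Get-CommandTarget {
    # Pull the image path out of a Run-key command line: quoted path, else up to the first ".exe", else first token.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Test-UserWritable {
    # Heuristic (assumed for this example): anything under a user profile, ProgramData or the system temp dir
    # is treated as writable by a standard user. Replace with an ACL check for a production audit.
    param([string]$Path)
    $roots = @("$env:SystemDrive\Users", "$env:SystemDrive\ProgramData", "$env:SystemRoot\Temp")
    foreach ($r in $roots) {
        if ($Path.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-AutorunFindings {
    $findings = @()
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        # Get-ItemProperty adds PSPath/PSParentPath/... note properties; skip those.
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            $target = Get-CommandTarget ([string]$prop.Value)
            $findings += [pscustomobject]@{ Source = $k; Name = $prop.Name; Target = $target; UserWritable = (Test-UserWritable $target) }
        }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        foreach ($f in (Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue)) {
            # The per-user Startup folder is always writable by that user; the common one normally is not.
            $findings += [pscustomobject]@{ Source = $dir; Name = $f.Name; Target = $f.FullName; UserWritable = ($folder -eq 'Startup') }
        }
    }
    return $findings
}

$srp = Get-SrpState
$srp | Format-List
$findings = Get-AutorunFindings
$findings | Format-Table -AutoSize
$risky = @($findings | Where-Object UserWritable)
if ($risky.Count -gt 0 -and $srp.DefaultLevel -ne 'Disallowed') {
    Write-Warning "$($risky.Count) autorun(s) launch from user-writable paths and SRP is not default-deny; a binary dropped there survives a reboot."
}
```

With DefaultLevel reporting Disallowed, AppliesToAdmins true and CoversDlls true, and no rows flagged UserWritable, the machine matches the configuration the post describes: an executable dropped into the profile by a non-admin process neither runs under the policy nor has an autorun entry to bring it back after the reboot. Note that HKCU here is the profile of the elevated user running the script; repeat under each account, or walk HKU:, to cover other users.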
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
Yes, just keep an eye on 'Rootkit TDL 3 (alias TDSS, Alureon)' for updates on TDL3/4 information - it seems a lot do :D
     
  14. Dogbiscuit

    Dogbiscuit Guest

    Not to get too far off topic, but you could ask any experienced Linux user if they recommend that Linux users run as root and hear what they say. Why should Windows be any different?

More to the point, UAC isn't designed to provide 'airtight' protection when running as Admin (it is not a Windows security boundary like LUA), etc. See here for Mark Russinovich's take on why standard accounts are more secure.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
UAC is not a security solution. It provides some security, though. There's been malware capable of bypassing UAC. This means that if you're running an Admin. account with UAC, and UAC gets bypassed... bye-bye.

In a LUA, at least, malware won't be able to do as much damage as it would in an Admin. account. There are exceptions, which won't require Admin. rights to do damage, especially financial damage, but that's why a LUA isn't enough either. It sure is better than Admin, but not enough.
     
  16. Dogbiscuit

    Dogbiscuit Guest

    So the security mechanisms in Windows 7 are not broken (they work as designed), but the rootkit is able to insert itself into the MBR of a 64-bit Windows 7 system and gain control over the system anyway.

    And currently, UAC would stop the attack, assuming the user does not grant the requisite privileges (via UAC).
     
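Added example, not from the thread or from the H Security article it links: since the rootkit Dogbiscuit describes gets control by writing itself into the MBR, the practical check is to baseline the MBR on a known-clean system and compare it on later runs. This PowerShell script reads sector 0 of PhysicalDrive0 and hashes the boot code and the partition table separately, so a rewritten boot loader and a tampered or added partition entry are reported as distinct findings. The baseline file location is an assumption of the example, and the script needs an elevated prompt to open the raw device.

```powershell
# Added example (not from the thread): baseline-and-compare check of the MBR on PhysicalDrive0.
# Standard MBR layout assumed: bytes 0-439 boot code, 440-443 disk signature,
# 446-509 four 16-byte partition entries, 510-511 the 0x55AA boot signature.
# Usage: .\Check-Mbr.ps1 -Record   (on a known-clean system, elevated)
#        .\Check-Mbr.ps1           (later runs, elevated)
param(
    [string]$BaselinePath = "$env:ProgramData\mbr-baseline.json",   # assumed location for this example
    [switch]$Record
)

function Read-Mbr {
    param([string]$Device = '\\.\PhysicalDrive0')
    # FileShare.ReadWrite is required: the OS holds the physical disk open.
    $fs = [System.IO.FileStream]::new($Device, [System.IO.FileMode]::Open,
                                      [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "short read ($n bytes) from $Device" }
        return $buf
    } finally { $fs.Dispose() }
}

function Get-Sha256Hex {
    param([byte[]]$Bytes, [int]$Offset, [int]$Length)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([BitConverter]::ToString($sha.ComputeHash($Bytes, $Offset, $Length))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Get-MbrSummary {
    param([byte[]]$Mbr)
    if ($Mbr[510] -ne 0x55 -or $Mbr[511] -ne 0xAA) { throw 'MBR lacks the 0x55AA boot signature' }
    $entries = foreach ($i in 0..3) {
        [byte[]]$e = $Mbr[(446 + 16 * $i)..(446 + 16 * $i + 15)]
        [pscustomobject]@{
            Index    = $i
            Active   = ($e[0] -eq 0x80)
            Type     = ('0x{0:X2}' -f $e[4])
            StartLba = [BitConverter]::ToUInt32($e, 8)
            Sectors  = [BitConverter]::ToUInt32($e, 12)
        }
    }
    [pscustomobject]@{
        BootCodeSha256  = Get-Sha256Hex $Mbr 0 440
        DiskSignature   = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Mbr, 440))
        PartitionSha256 = Get-Sha256Hex $Mbr 446 64
        PartitionTable  = $entries
    }
}

$now = Get-MbrSummary (Read-Mbr)
if ($Record) {
    $now | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    "Baseline recorded to $BaselinePath (boot code $($now.BootCodeSha256))"
    return
}
if (-not (Test-Path $BaselinePath)) { throw "No baseline at $BaselinePath; run with -Record on a known-clean system first." }
$base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$diffs = @()
foreach ($field in 'BootCodeSha256', 'DiskSignature', 'PartitionSha256') {
    if ($now.$field -ne $base.$field) { $diffs += $field }
}
if ($diffs.Count -eq 0) {
    'MBR matches baseline.'
} else {
    Write-Warning ("MBR differs from baseline in: " + ($diffs -join ', '))
    'Current partition table:'
    $now.PartitionTable | Format-Table -AutoSize
}
```

Two caveats a practitioner will want. First, a bootkit that is already running can filter reads of the sectors it owns and hand user mode a clean copy, so a match on a suspect machine means little; read the disk from trusted boot media (a WinPE or Linux live image) and compare against the baseline there. Second, legitimate changes such as installing another boot manager or repartitioning also change these hashes, so re-record the baseline after any such maintenance rather than training yourself to ignore the warning.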
  17. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853