Rootkit works on X64 !

Discussion in 'malware problems & news' started by CloneRanger, Aug 21, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    And they said it couldn't happen :p
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    How sad is that
     
  3. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    ;)
    I don't see anyone actually trying it on 64bit yet, only going by theory based on code analysis. :)
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    That's their first mistake. It's still a theory, yes, but as we know just about everything we have now, whether tech or just plain facts, started out as a theory and a "what if". I look at all things this way, if man created it, man can break it.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Firstly it's an assumption, secondly it's technically an exploit if unsigned software can get in.

    I'd love to see some ITW examples of this to prove it's possible, then watch it get patched ;)

    It's worse when you think people pay for it.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Last edited: Aug 24, 2010
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Quick sell your W7 X64 comps before everybody finds out, and the price collapses :p
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    ...ITW
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Ok Microsoft, stopwatch starts now!
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Any one knows does EP_X0FF still works for MS?
     
  11. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    I am sure this will be the hard time for MS ... Soon we'll gonna see TDL5 (Linux Based) ... :ninja:
     
  12. Rampastein

    Rampastein Registered Member

    Joined:
    Oct 16, 2009
    Posts:
    290
    Well, at least there already are TDSS removal tools for x64. There will be other rootkits too though.
     
  13. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    You talking about Kaspersky TDSS remover or Hitman Pro x64 version ?
     
  14. Rampastein

    Rampastein Registered Member

    Joined:
    Oct 16, 2009
    Posts:
    290
    I'm not sure about Hitman Pro x64 version, but KL TDSSKiller works on x64 according to their support page.
     
  15. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Hitman Pro x64 is able to detect the presence of the rootkit but is unable to clean it as of yet. The x64 version of TDSSKiller doesn't detect it.
     
  16. Matthijs5nl

    Matthijs5nl Guest

    That will be changed with build 110 which is currently being developed by SurfRight I think (internal BETA).
     
  17. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    540
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    For those interested in prevention-- from the Prevx blog:

    This implies the same two tried and true methods of loading the dropper:

    1) social engineering, where a user on a porn site is enticed to watch a naughty video which requires installing a codec

    2) remote code execution (drive-by exploit) via a vulnerability exploited when the user is redirected to a malicious site with an exploit kit.

    ----
    rich
     
  19. volvic

    volvic Registered Member

    Joined:
    Aug 17, 2009
    Posts:
    220
    what about prevx?
     
  20. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    110? I'm on Build 111, just came through this afternoon.
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
  22. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,

    I'm not by ANY means saying that I'm happy because of this and I do NOT endorse people who do this but I knew it was just matter of time before someone could come up with something that finally was going to tear down the idea of that X64-bit OSes were unbreakable.

    In this Universe of 4 [ or more ] dimensions NOTHING is unbreakable. NOTHING. period.

    Bad people are always working 24/7/365 on doing their bad deeds. They do not sleep.

    Although I know this last comment is a little bit off-topic [ non-TDSS related] but after all this that has happened now with X64-bit I guess that even SBIE activation will be circumvented soon as Windows/Office activation was in the past.


    Carlos
     
  23. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    How is the malware able to write to the MBR. Doesn't it require special priviliges ?
     
  24. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    UAC/LUA + SRP can protect you very well.
     
  25. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Hey , you beat me . I was just going to post that while reading the first posts :D :thumb:

    Just keep your protections up-to-date and make use of UAC - it is a crime not to use it
     
Loading...
Thread Status:
Not open for further replies.