World's most advanced rootkit penetrates 64-bit Windows

A notorious rootkit that for years has ravaged 32-bit versions of Windows has begun claiming 64-bit versions of the Microsoft operating system as well. The ability of TDL, aka Alureon, to infect 64-bit versions of Windows 7 is something of a coup for its creators, because Microsoft endowed the OS with enhanced security …

COMMENTS

This topic is closed for new posts.


Silver badge
Pint

The reason we give MS a break is because ...

they don't pretend to be a fault-free culture, unlike a certain California guy we know who is residing, virtually, in his cloud cuckoo land in North Carolina.

Next play is Microsoft's.

The US should locate these guys and give them senior positions in their cyber offensive group.

14
10
Silver badge

You fell for semantics

All Jobs has ever said is that Macs don't have any viruses since OS X. And he hasn't said that in a while. It's the people with vested interests who have extrapolated this to argue that the OS has no security holes.

Apple last released a security update on the 12th, admitting to the need for 100+ security patches. That was the seventh security update this year.

Generally the argument tends to be one side claiming the OS is uncrackable, the other arguing that it's just that nobody can be bothered cracking it. The reality is probably in between. See the fantastic run of 64bit Windows for evidence that mere market share does not determine the number of successful attacks, see the existence of a few bits of known Mac malware, all of them based on social engineering, for evidence that the OS at least isn't a Windows 95 knockover.

13
6
Linux

The reason we give MS a break ?

> The reason we give MS a break is because ... they don't pretend to be a fault-free culture

Wha' ???????????????????????????????

4
6
FAIL

21st century vocabulary

"Wha' ???????????????????????????????"

Care to elaborate, kid?

4
2
Headmaster

Surprised

AC may indeed care to elaborate, but in the meantime I would second his surprise at the stated reason for giving Microsoft a break.

Just admitting to one's mistakes, on its own, is worthless. MS products are good, as is their support; that's why they got where they are and why so few have chosen the alternatives*.

*(I have no worthwhile ideas as to who is the closest to perfection).

1
0
Grenade

No surprise

Driver signing was just a scheme to coerce hardware manufacturers to pay micro$oft money. Anybody who thought it was actually a useful security measure is hopelessly naive.

16
7
Silver badge

A MBR virus? You have got to be kidding me ...

... the late '70s called, they want their malware back.

On the other hand, it's quite telling that MS code is still vulnerable to such ...

7
5

Re: A MBR virus?

Yeah I was smiling when I read the article, thinking back to my misspent youth of capturing, walling and analysing various viruses. Back then it was the norm to infect master boot records for floppies, and later the same methods were applied to hard drives.

At least the MBR is a fairly painless thing to disinfect in most cases. May be a few problems for people with multiple operating systems installed, but if someone's technically minded enough to be able to manage the installation of multiple operating systems then they're going to be competent enough to resolve an infected MBR :)

2
1
Paris Hilton

@ Tzael

"... if someone's technically minded enough to be able to manage the installation of multiple operating systems then they're going to be competent enough to resolve an infected MBR :) ..."

Oh yes, especially while a root-kit is active.

Sure.

3
4
Go

Sure...

Just pop in an appropriate bootable CD and issue the necessary commands.

0
0

This post has been deleted by its author

Badgers

ROM Boot could work...

ROM Boot could work... If the software development model wasn't based on going to market with alpha code, then releasing a never-ending series of patches to almost get it up to release level just in time for it to be end-of-lifed in favour of the shiny new alpha release.

In some ways I think the internet has destroyed software quality because it made it too easy for developers to release known buggy or nonfunctional code. How many times have you purchased software, delivered on a CD, and had it fail to install, only to be directed to download something different? One of QuickBooks' recent releases was like this - they were shipping CDs that didn't work, then forcing people to make 600M downloads.

1
0
Coat

Heh. The wheel of Reincarnation keeps turning.

Sure it's an exceptionally sophisticated rootkit, but using the MBR? That's old skool, and there's no skool like the old skool. :D

Mine's the one that has "Damn you kids, get off my lawn" embroidered on the back.

7
0
Gold badge
Alert

The important (and missing) bit.

How the hell does it write to the MBR and does it throw a "Do you want to allow this?" UAC message when this happens? If not, there's your security hole right there. If it does, then we're back to getting the user to say yes to the "please pwn my box" message and no OS is proof against that.

Of course it can bypass driver signing if it has access in the boot process. Rooting the bootloader so you can change the OS boot parameters will give you the keys to the kingdom on just about any OS. That's not a vuln, but how it got that access in the first place might be.

Incidentally, what happens if your machine was built by someone with more than two brain cells and has its BIOS MBR write protection on in normal operation...?

11
0

BIOS MBR write-protection

I haven't used this in years.

I enabled it on an XP machine that had been running fine for months, and it destroyed the MBR on boot.

Recovered the data and did a fresh install, but the MBR protection destroyed it a second time.

Living by the "fool me once" code, I've never bothered again; maybe I should. I assume either XP didn't like it or my BIOS had a fault.

Perhaps I'll ghost my boot drive and give it a shot... I'd say "it can't hurt", but see above.

2
0
FAIL

MBR Virus protection...

An excellent way to trash your hard disk from Win95 onwards. I really have no idea why this option has persisted. The MBR is accessed and altered by the OS from time to time, by updates and other things. For instance, installing the MS Recovery Console will mess with it. Something oft done to recover dead systems. Disabling MBR access then toasts the machine in a spectacular manner and requires another 10 minutes screwing with the install CD (which most people don't have).

1
0
Anonymous Coward

Linux waffle yawn dribble...

go to

www.google.com

click in search box.

Type Linux Rootkit

Hit return or click on the search button.

5
11
Silver badge

Umm...

...no one mentioned Linux.

If one knows the root password (or equivalent) in *any* OS and one says "Yeah, sure, do what you want to my system Mr. Malware" then that OS install is pretty much pwned.

Having signed/trusted repositories lessens the risk but does not remove it completely; people can add new repos, and repos themselves can accidentally host nasties (either through naïvety or actions of a malicious party).

What people need to do, is get out of the habit of downloading "SuperFunHappyTimes" from website X and installing it without thinking first. People also need to be suspicious of installs that ask for elevated privileges, this should not be required for end-user software (and if it is required, then there is something wrong with the OS design).

And now, just to keep you happy: "This would never happen on Linux as Linux is much better, users more tech savvy and less likely to install random crap from dodgy websites."

16
0

UAC

"elevated privileges, this should not be required for end-user software (and if it is required, then there is something wrong with the OS design)"

Completely agree.

I think Win7 has a pretty decent balance in this respect - I haven't found many apps that require elevation when they shouldn't. Mass Effect was the last oddity, that springs to mind.

However, I was playing with some USB debuggers the other day, so I had UAC messages every few minutes for install/start/debug/etc., and ended up clicking the accept button without even - this made me pause because I suddenly realised that I had no idea if I'd accepted it for the app I was even using...

I think the UAC screen needs two changes:

1) Drop the stupid fade effect on the rest of the desktop. It adds an annoying black-screen pause while I wait for my (high-spec) PC to display it. Or is this on purpose? Just seems pointless and annoying to me.

2) In contrast to point 1, either have a two-step process (an "I accept" checkbox to enable the "OK" button), or a couple of seconds countdown on the button (a la Firefox's addon confirmation).

The difference is that I can be reading the info on the app requesting elevated privileges while I wait.

/rant

0
0

This is a title, this is only a title...

----

elevated privileges, this should not be required for end-user software (and if it is required, then there is something wrong with the OS design)

----

Sort of ... it's only legacy apps/games that I've found that require elevated privileges to run on Windows 7. This was a flaw with every previous version of Windows and it's only because Win7 is supporting them that it's continued into 7 - so it's not entirely the fault of the current OS more that it's supporting apps that used this flaw in previous incarnations of Windows. Still, I always get the UAC prompt when it happens.

----

1) Drop the stupid fade effect on the rest of the desktop. It adds an annoying black-screen pause while I wait for my (high-spec) PC to display it. Or is this on purpose? Just seems pointless and annoying to me.

----

You know you can turn it off yourself right?

1
0

use local policies

You can disable the fade effect if you want. It's known as the secure desktop (as it takes control, rather than just popping up a box).

Just fire up mmc, load the Group Policy Object Editor snap-in, and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

The policy is "User Account Control: Switch to the secure desktop[...]"

'Course, there's probably a security implication.

1
0

that's...

The first thing I do when I reinstall Windows. I realised I don't mind UAC. I just hate the fade in effect.

1
0

Insecure desktops can have keystrokes intercepted, etc

The problem with the historical design of Windows is that it's difficult to fully isolate one application from another, in terms of window message and key stroke and mouse interception. Secure desktop manages this.

http://blogs.msdn.com/b/uac/archive/2006/05/03/589561.aspx

1
0
Thumb Up

I didn't know

but I do now. Cheers, all!

Peter Kay raises an interesting point, though.

I'll see if the benefits outweigh the risks.

1
0
Gates Halo

Or you could....

go to User Accounts under Control Panel and adjust the slider in the UAC section to not show fade......

2
0
Silver badge
FAIL

3rd option

"either have a two-step process (an "I accept" checkbox to enable the "OK" button), or a couple of seconds countdown on the button (a la Firefox's addon confirmation)."

do what *nix does and make the user move their hand away from the mouse and enter a password for a privileged user in order to proceed.

Hopefully the fact that the normal clicking frenzy that overcomes Joe Public whenever UAC pops up is interrupted for a moment will provide enough time for the brain to engage and more rational behaviour will ensue.

Fail is for Microsoft for simply training their idiot users to just keep clicking the annoying boxes until they stop.

1
0

You can...

----

do what *nix does and make the user move their hand away from the mouse and enter a password for a privileged user in order to proceed.

----

You can do that as well - set up an admin account with a password but don't use it. Log in on a limited privileges account and whenever UAC requires admin rights you need to enter the admin password... much like *nix.

The only real problem is, again, legacy apps that'll make you enter the admin password every time you boot them up (it's not much of a faff if you're only having to enter the password when there's a software install/upgrade).

You only get the UAC prompt with an "OK" click-box if you're already logged in as an admin; it's a bit like running as a pseudo-admin really since you'll still need to grant access to programs via the UAC prompt on a per-instance basis.

Unlike previous incarnations of Windows - it seems that with Win7 (much like *nix and OSX) the user really is the weakest link - and boy are there some weak links using Windows ;)

0
0
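The two posts above ("use local policies" and "You can...") describe UAC settings by their dialog names: the secure desktop switch, and the "enter the admin password" behaviour you get from a limited account. The script below is an added example, not code from this thread or from Microsoft; it audits those same settings as they appear in the registry policy key Windows stores them in (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`, the documented values), reading the live key via `winreg` on Windows and otherwise running against constructed sample configurations, including the weak "fade turned off" case Peter Kay warns about.

```python
import sys

# Policy key Windows uses for the UAC settings discussed in the thread.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

# Documented meanings of ConsentPromptBehaviorAdmin: what an administrator sees
# when a program asks to elevate.
ADMIN_PROMPT = {
    0: "elevate silently (no prompt at all)",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (Windows 7 default)",
}


def read_uac_policy() -> dict:
    """Read the live values on Windows via winreg (ImportError elsewhere)."""
    import winreg  # Windows-only standard library module
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in UAC_VALUES:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                values[name] = None  # absent value: Windows applies its default
    return values


def _get(values: dict, name: str, default: int) -> int:
    v = values.get(name)
    return default if v is None else int(v)


def assess_uac(values: dict) -> dict:
    """Classify a UAC configuration and list the settings that weaken it."""
    enabled = _get(values, "EnableLUA", 1) == 1
    behaviour = _get(values, "ConsentPromptBehaviorAdmin", 5)
    secure_desktop = _get(values, "PromptOnSecureDesktop", 1) == 1
    weaknesses = []
    if not enabled:
        weaknesses.append("UAC disabled (EnableLUA=0): administrator processes run fully elevated")
    elif behaviour == 0:
        weaknesses.append("silent elevation (ConsentPromptBehaviorAdmin=0): programs gain admin rights with no prompt")
    if enabled and not secure_desktop:
        weaknesses.append("secure desktop off (PromptOnSecureDesktop=0): the prompt shares the desktop "
                          "with other programs' window messages and input")
    return {
        "enabled": enabled,
        "prompt": ADMIN_PROMPT.get(behaviour, "unknown value %d" % behaviour),
        "secure_desktop": secure_desktop,
        # Values 1 and 3 ask for a password, which is the *nix-style behaviour the posts describe.
        "requires_password": enabled and behaviour in (1, 3),
        "weaknesses": weaknesses,
    }


# Constructed sample configurations (not read from any real machine).
WIN7_DEFAULT = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
PASSWORD_PROMPT = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 1, "PromptOnSecureDesktop": 1}
FADE_DISABLED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 0}
UAC_OFF = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

if __name__ == "__main__":
    live = read_uac_policy() if sys.platform == "win32" else None
    for label, cfg in (("live", live), ("win7 default", WIN7_DEFAULT),
                       ("password prompt", PASSWORD_PROMPT),
                       ("fade disabled", FADE_DISABLED), ("uac off", UAC_OFF)):
        if cfg is not None:
            print(label, "->", assess_uac(cfg))
```

Run it as an administrator on Windows to see the live assessment alongside the samples; the `requires_password` field is the quick test for whether a box behaves the way the "You can..." post describes, and a non-empty `weaknesses` list is what a config review would flag.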

@Goat Jam

You can get UAC to ask for a password. I used to have it set up for this, but as I pay attention to my UAC box I thought it was a bit overkill.

It's not set up by default, though.

1
0
Silver badge
Unhappy

What ever happened to MBR write protection?

Once upon a time, boys and girls, virus writers used to use the Master Boot Record as a common way of infecting systems. In my day, often as a bootable floppy that might be accidentally left in the A: drive. What you run at start-up can trounce almost any protection the OS has (as demonstrated here).

So the motherboards started to have MBR write-protection that you needed to disable if you are updating the OS or partition tables, and that made it a whole lot harder to do.

Then it vanished. Why?

This rootkit is an example of just how hard, if not impossible, it is to have a useful general-purpose computer that can't be hacked by a malicious boot loader. MS' Windows 7 may be the choice target today, but the underlying techniques apply to all OSes, even my beloved penguin.

I really wish there was a physical switch to enable/disable such access, then only when it *really* needed to be modified would your 1st stage boot loader be so vulnerable.

1
1

Mainly because it was useless...

I had MBR protection turned on and did several tests changing the MBR, none of them were blocked.

I think BIOS writers realised it was useless and dropped it.

1
0
Gold badge
WTF?

LoadIntegrityCheckPolicy

So MS added protection to 64 bit and then gave it a registry key called 'LoadIntegrityCheckPolicy' that roughly translates as 'IWantMyWindowsInsecureRapeAndPillageMe' and that malware can set to enable loading other malware?

3
3

It's a boot time only parameter

All drivers have to be signed on 64 bit Windows, but if you're doing driver development it's possible to press F8 on each boot and disable the signing requirement. There are options like DSEO to sign individual drivers and remove this restriction.

Until a rootkit can compromise a system with UAC set to its highest level (password on any admin level change) and without the user clicking on something to allow admin privilege, frankly I'm not impressed.

If they've got user level code to hack the MBR, then it's still not hacking the OS, but questions need to be asked about why that's possible.

1
0

which

----

Until a rootkit can compromise a system with UAC set to its highest level (password on any admin level change) and without the user clicking on something to allow admin privilege...

----

Which this one can't :)

1
0

Heh.

So if your machine is already compromised to the point they can change the MBR (which any half decent AV should spot and prevent) then they can run this admittedly very clever bit of code on your machine.

Pisser if you're infected, but easy to prevent.

1
1
Bronze badge

What the?

How the fuck can unprivileged code still write to the MBR? In 2010?

Given this was the attack vector of choice back in the mid-80s, surely it would have occurred to someone to close this by now.

1
0
Headmaster

History...

"Those who don't know history are bound to repeat it..."

I'll stick with my EFI-BIOS system, thank you.

0
0
Linux

Yes they are clever bunnies.

However I would like a clue as to how to detect this, so I can go ahead and install a linux distro instead.

ttfn

1
3

Read

Read the article from Prevx perhaps?

Since this rootkit won't work unless you give it privileges to start with it can still be stopped by properly using UAC - not really any different to *nix - just that you don't get (m)any "if you would like to pwn your system please su this virus" type things on *nix ... and, generally speaking, *nix users aren't clueless enough to su something unwittingly.

4
1
Welcome

No Tit Required

That's almost scary to think about.

Still, it's always the same people in these botnets.

Careful internet browsing, scanning downloads from trusted places and running antivirus should really be taught in school.

Or infected people should be blocked from the internet.

3
1
Alert

Back to the 90s

I remember back when boot-sector viruses were the norm. Over the last 2 decades, this changed to infected EXEs, then email worms, then drive-by malware and then hidden services and rootkits. Over that time traditional antivirus vendors seem to have forgotten about boot sectors and MBRs and focus purely on file-level detection. Whoops. Round we go again. Considering how easy it is to compare the boot region with a known good example, or indeed a previous backup of the current boot region, it's damn negligent for the current generation of antivirus applications not to check for this!

I've personally had to clean TDL4 from a few clients' machines in the last few weeks - I have to say it's extremely impressive in its sophistication. Additionally, most of the TDL4 specific removal tools and my favourite ComboFix, which 'clean' the MBR, only replace the first chunk of the MBR and not the whole code, causing Vista, in particular, to go into a 0x0000008E endless loop on boot up. The fix for this seems to be to use 'Testdisk' to write a new MBR, which kills the boot process completely, then using the Vista CD, repair startup option to create a fresh boot-region.

0
0
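The post above argues that comparing the boot region against a known-good copy or an earlier backup is cheap, and the "Detectable by ..." post further down makes the same point for scanning from a rescue disc. As an added example (not code from this thread, from Prevx, or from any AV vendor), here is that baseline check in Python: it parses sector 0 as a classic MBR, hashes the 440-byte bootstrap code, decodes the partition table, and reports what changed against a saved baseline. The sample sectors are constructed inline; `read_sector0` and the device paths it mentions are assumptions for live use and need administrator or root rights.

```python
import hashlib
import struct

# Layout of a classic (non-GPT) MBR, sector 0 of the disk.
MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code the BIOS jumps into
DISK_SIG_OFF = 440       # 4-byte disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into the pieces a baseline check cares about."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return findings as strings; an empty list means sector 0 matches the baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector 0 is not a valid MBR")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline (bootkit-style replacement of the loader?)")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code: bytes, partitions, disk_sig=0x1234ABCD) -> bytes:
    """Assemble a constructed MBR for testing; this is not a real disk image."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_sector0(device_path: str) -> bytes:
    # Live use (assumed, needs admin/root): r"\\.\PhysicalDrive0" on Windows, or
    # "/dev/sda" from a Linux rescue disc so the scan runs outside the suspect OS.
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


# Constructed sample data: a "known good" loader, and a tampered copy that keeps the
# partition table intact (so the machine still boots) but carries different boot code.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
PATCHED_CODE = b"\xeb\xfe" + b"\x00" * 438
PARTITIONS = [(True, 0x07, 2048, 204800)]   # one bootable NTFS-type partition

BASELINE_MBR = build_mbr(CLEAN_CODE, PARTITIONS)
TAMPERED_MBR = build_mbr(PATCHED_CODE, PARTITIONS)

if __name__ == "__main__":
    print("clean vs baseline:   ", compare_to_baseline(BASELINE_MBR, BASELINE_MBR))
    print("tampered vs baseline:", compare_to_baseline(TAMPERED_MBR, BASELINE_MBR))
```

The partition table is compared separately from the boot code on purpose: a loader swap that leaves the table alone is exactly the case where the machine keeps booting and nothing looks wrong from inside Windows, which is why the check is worth running from a rescue disc against a baseline saved while the disk was known to be clean.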
Anonymous Coward

Avira has rootkit checks in it, even in the Personal version!

As above.

Sysinternals also provide a rootkit scanner.

0
0
Gold badge
Dead Vulture

Nothing to see here

From the linked Prevx blog...

"The dropper is using a non conventional - though well known - way to patch the drive's master boot record. It opens an handle to PhysicalDrive0 and then overwrites the MBR by using SCSI commands."

So if malware is already running with administrative privileges, it can write whatever it likes to your hard-drive and thereafter hide its presence.

Who knew?

6
0
Linux

"Once installed it is undetectable by most antimalware programs."

So which ones is it detectable by?!

Not that I care ;-)

1
1
Silver badge
Boffin

Detectable by ...

A rootkit on the hard disk can be detected by a scanner that is not handicapped by operating from within the compromised O/S. One that boots off a CD or DVD for example. Theoretically, a perfect rootkit cannot be detected from inside by any means once the O/S it infects has booted.

Freeware: get one of the Linux rescue kits such as Trinity Rescue Kit or Recovery Is Possible. Shut down Windows, boot, update the ClamAV definitions off the net, and scan your hard disk. The commercial AV vendors ought to encourage offline scanning, but maybe it presents problems in how they protect their revenue stream.

1
0
Alert

Those I know of...

Combofix will get it > Vista64; as far as I know it still doesn't like 7

Avast will get it assuming it's not been nobbled already. (drive installed in another well-protected PC)

Bullguard (and thus probably Bitdefender) gets it

Malwarebytes gets it but misses the MBR infection, how bloody useful

SpybotSD misses it totally, as does Adaware as of time of writing.

The usual suspects (McCrappe, NotOn) miss it totally

We've gone from rarely seeing Alureon to seeing it on a daily basis in the space of two weeks :(

Anon as I'm already in trouble with Symantec

2
0
N2

No surprises

Same old shit (from Microsoft) different day

Yawn.

4
11
WTF?

Oh sodding great..

I got severely foobaa'd by the f****ing driver signing policy recently; left me swearing and staring at the totally wonky hoops you need to jump through to bypass this and get some useful (but unsigned) drivers onto my Win7/64 box.

'At least' I consoled myself 'MS is finally getting really serious about security'.. (but only while they could charge people for signing the drivers).

MuHaHaHaHa face slapped now.

3
0

UAC : waste of space

As far as I can tell UAC is completely useless.

"A program would like to make changes to your computer, do you want to allow it?"

What changes, where, why, etc....

There are a lot of apps that are borked by UAC and need to be "run as administrator" to work properly (like inability to create files even in areas you can create files in without being administrator)

And a lot of apps that require UAC confirmation when really they shouldn't need it.

So you get in the habit of pressing "Yes" because if you don't, you don't get to run 90% of what you want.

Next question, why does the MBR actually affect Windows? Surely you can replace the MBR with something else like lilo or grub and I wouldn't expect that to affect Windows' policy on deciding whether to allow unsigned drivers FFS.

Sounds like an easy fix/preventative would be to install lilo/grub and make sure that you see their boot screen before you get into Windows. If the MBR is changed then you wouldn't see them unless it's really f-ing clever.

3
5

*sighs*

----

There are a lot of apps that are borked by UAC and need to be "run as administrator" to work properly

----

Name 1.

I can only name 1 on my Windows 7 box - it's a game, an MMO that's more than 13 years old and only when running the legacy client.

Granted the UAC prompt isn't the most informative prompt ever - but UAC is a good thing.

1
1
Silver badge
Unhappy

Bang on

' So you get in the habit of pressing "Yes" because if you don't, you don't get to run 90% of what you want. '

There's the money shot! That is the Achilles heel of UAC: people get in the habit of clicking Y and that's what kills a pretty good idea.

2
0
