In association with heise online

16 November 2010, 16:31

Rootkit able to bypass kernel protection and driver signing in 64-bit Windows


The 64-bit version of the Alureon rootkit / bot is able to bypass the security features specific to the 64-bit editions of Windows 7 and Vista and embed itself in the system. The techniques it uses have been known in theory for several years, but until recently had not been seen in malware in the wild. The 32-bit version of Alureon made headlines early this year, when the installation of a Microsoft kernel update (MS10-015, in February) left many systems unable to boot: the rootkit had patched the kernel without being noticed, and the update effectively unmasked it.

The 64-bit version of Alureon (aka TDL) disables the driver signature check and, already during the boot process, reroutes specific API calls in order to bypass the kernel's PatchGuard mechanism. Driver signing is intended to ensure that Windows only loads kernel-mode drivers carrying a valid digital signature from a known vendor; PatchGuard (Kernel Patch Protection) is intended to prevent the operating system kernel and its core data structures from being modified by code other than Microsoft's own.

In order to modify the Windows installation, Alureon writes itself to the hard drive's master boot record (MBR), for which it requires administrator privileges. Since it spreads via pornography and cracking sites, persuading the user to grant those privileges by clicking through the UAC prompt is unlikely to prove a major hurdle.

When writing to the MBR, the rootkit does not use the standard Windows file API, whose writes protective software can monitor, but instead sends the IOCTL_SCSI_PASS_THROUGH_DIRECT command to the disk driver to access the drive directly, beneath the layer at which such monitoring takes place. After a reboot, Alureon then uses a boot option intended for testing purposes to disable driver signature checking. The same setting can be made on a running system with: bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS

Alureon overwrites the original boot options, but hooks only Windows' own boot routine and, when the system starts, loads the actual rootkit driver into memory. Once resident it is able to make further modifications, for example adding hooks to the System Service Descriptor Table (SSDT), the kernel's system-call dispatch table.

Analysis by anti-virus software vendors indicates that a fourth generation of Alureon, which includes measures to impede analysis using debuggers, is already circulating. According to Microsoft, Alureon is the most frequently observed rootkit in Germany. Microsoft Security Essentials (MSE) has included signatures to detect Alureon since August.

The rootkit can also be detected manually: if one or more disks that are physically present are not displayed by the Windows command-line tool diskpart (list disk), this may indicate an infection.
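The two indicators the article gives, the loadoptions setting left behind by the driver-signing bypass and a disk missing from diskpart's listing, together with a baseline check of the MBR the rootkit overwrites, as one PowerShell script. This is an added example written for this page, not code from the article, from Microsoft or from any anti-virus vendor. It assumes a standard Windows 7 / Vista installation with bcdedit.exe and diskpart.exe on the path, an elevated session (raw reads of \\.\PhysicalDriveN need administrator rights), and all function names below are ones chosen for the example.

```powershell
# Added example (not from the article): checks for the indicators the
# article describes. Run from an elevated PowerShell prompt.

# 1. Boot configuration. The driver-signing bypass lands in the boot
#    entry's loadoptions element, so look for it there. The article's
#    variant of the keyword carries a doubled D, so match the substring.
function Test-BcdLoadOptions {
    $bcd = (& bcdedit.exe /enum all 2>&1) | Out-String
    $hits = @([regex]::Matches($bcd, '(?im)^\s*loadoptions\s+(.+)$') |
        Where-Object { $_.Groups[1].Value -match 'DISABLE_INTEGRITY_CHECKS' })
    foreach ($h in $hits) {
        Write-Warning ("Suspicious loadoptions entry: " + $h.Groups[1].Value.Trim())
    }
    return ($hits.Count -eq 0)
}

# 2. Disk enumeration. The article's manual check is a disk missing from
#    diskpart's "list disk"; compare its count with what WMI reports.
function Test-DiskEnumeration {
    $wmiCount = @(Get-WmiObject -Class Win32_DiskDrive).Count
    $script = [IO.Path]::GetTempFileName()
    Set-Content -Path $script -Value "list disk" -Encoding Ascii
    try {
        $out = (& diskpart.exe /s $script) | Out-String
    } finally {
        Remove-Item $script -ErrorAction SilentlyContinue
    }
    # diskpart prints one "Disk N  Online ..." row per disk it can see;
    # the "Disk ###" header row does not match the digit pattern.
    $dpCount = ([regex]::Matches($out, '(?m)^\s*Disk\s+\d+\s+')).Count
    if ($dpCount -ne $wmiCount) {
        Write-Warning "diskpart lists $dpCount disk(s) but WMI reports $wmiCount"
        return $false
    }
    return $true
}

# 3. MBR baseline. The rootkit's write goes through the SCSI pass-through
#    path, but the result is an ordinary sector that can be read back.
#    Hash the boot-code portion so it can be compared with a copy taken
#    from a known-good machine running the same Windows version.
function Get-MbrBootCodeHash {
    param([int]$DriveNumber = 0)
    $path = "\\.\PhysicalDrive$DriveNumber"
    $fs = New-Object IO.FileStream($path, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "short read ($n bytes) from $path" }
        if ($buf[510] -ne 0x55 -or $buf[511] -ne 0xAA) {
            Write-Warning "$path lacks the 0x55AA MBR signature"
        }
        # Bytes 0-439 hold the boot code; the disk signature and partition
        # table that follow legitimately differ from machine to machine.
        $sha = [Security.Cryptography.SHA256]::Create()
        return ([BitConverter]::ToString($sha.ComputeHash($buf, 0, 440)) -replace '-', '')
    } finally {
        $fs.Dispose()
    }
}

$clean = $true
foreach ($check in 'Test-BcdLoadOptions', 'Test-DiskEnumeration') {
    if (-not (& $check)) { $clean = $false }
}
foreach ($d in @(Get-WmiObject -Class Win32_DiskDrive)) {
    "PhysicalDrive$($d.Index) boot code SHA-256: " + (Get-MbrBootCodeHash -DriveNumber $d.Index)
}
if ($clean) { "No loadoptions or disk-enumeration indicator found" }
```

A clean result is a lead, not proof: because the rootkit hooks the kernel's service table, anything gathered on a running infected system may itself be filtered. The authoritative check is to boot from clean media, read the MBR and the BCD store from there, and compare the boot-code hash with one recorded from a machine known to be clean.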


