How the TLD4 rootkit gets around driver signing policy on a 64-bit machine
(Analysis by Chandra Prakash, Technical Fellow, GFI Labs )
Microsoft’s Windows operating system, running on a 64-bit machine provides enhanced security with driver signing of system and low level drivers. This policy, called the kernel mode code signing policy, disallows any unauthorized or malicious driver to be loaded.
The TDL4 rootkit bypasses driver signing policy on 64-bit machines by changing the boot options of Microsoft boot programs that will allow an unsigned driver to load.
Analysis on the Sunbelt blog.
by certifiedbug on February 18, 2010
in Microsoft
Wednesday, February 17, 2010
The Microsoft Security Response Center (MSRC)
Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit. We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software. The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state. In every investigated incident, we have not found quality issues with security update MS10-015.
This issue was not caught as part of our testing because oftentimes when malware is present, infected systems are put in an unstable state. These types of infections often leave the machine in such an unstable state that it cannot be reliably tested. This is because Malware writers use unsupported and potentially destabilizing methods for compromising machines because they want to keep their malware hidden from anti-malware software. In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address which usually happens when an executable is loaded. The chain of events in this case was a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine. Subsequently MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function.
Read more
According to security vendor Prevx, which names the rootkit TDL3/TDSS, the malware authors have released a new updated rootkit version compatible with the Microsoft patch. Too bizarre but anyway, MS10-015? TDL3 authors “apologize”
by certifiedbug on January 30, 2007
in News
Attorney General Lawrence Wasden entered into a settlement agreement with SONY BMG Music Entertainment that will allow Idaho consumers to obtain refunds of up to $175 for harm caused to their computers by SONY BMG music CDs. SONY BMG distributed more than 12 million CDs without adequately informing consumers that the CDs contained anti-copying software.
Article and links to submit a claim for reimbursement of repair expenses associated with XCP here
