January 20, 2017

New Rootkit Designed to Attack 64-bit Versions of Windows is in the Wild

Until now there hasn’t been a rootkit which explicitly attacks machines running a 64-bit version of Microsoft Windows. But now the TDL3 rootkit has been updated to infect Windows Vista 64 bit and Windows 7 64 bit.

Rootkits are pieces of malware which infect computers and allow hackers to hide an intrusion and yet  maintain privileged access to a computer by circumventing normal authentication and authorization mechanisms.

[ad code=6 align=left]

This is a worrying development as 64-bit versions of Windows were considered much more secure than the 32-bit versions because of the various security features which make it more difficult for malware to get into kernel mode.

The 64-bit versions of Windows use two techniques to keep rootkits out of the kernel. First, drivers aren’t allowed access to kernel memory if they aren’t signed with a digital signature (something which malware applications shouldn’t be). Second, Windows 64 bit uses PatchGuard which blocks every kernel mode driver from altering sensitive areas of the kernel.

The new TDL3 rootkit bypasses both PatchGuard and Driver Signature verification by changing the hard drive’s master boot record and intercepts the Windows startup process allowing it to load its own driver. Once the MBR is infected, the rootkit forces a system reboot which bypasses the need for administration level privileges.

How this will develop is yet to be seen, but we are officially now in the era of 64-bit rootkits. You have been warned!