
Thread: Alureon - 64-bit rootkit spreading

  1. #1
    johnny.rotton, Gold Member
    Join Date
    Jan 2009
    South, UK

    Alureon - 64-bit rootkit spreading

    A particularly virulent rootkit targeting Windows machines - known as Alureon - is back, and this time it comes in a 64-bit edition.

    With more and more systems coming with 64-bit builds of Windows pre-installed in order to take advantage of 4GB - or more - of RAM, it was only a matter of time before crackers starting coding malware to accommodate the shifting target landscape - and it looks like that day is here.

    According to Help Net Security this latest build of Alureon is the first rootkit in the wild with the ability to successfully infect and hide itself in 64-bit Windows builds.

    Running the 64-bit version of Windows has traditionally offered some protection from rootkits and other malware packages, as the differing memory locations mean that a 32-bit rootkit attempting a buffer overflow exploit may find that it overwrites the wrong part of memory and fails to execute - or, in the best case scenario, fails to overflow at all. Sadly, it looks like that small measure of protection is rapidly vanishing.

    Despite protections built into the latest versions of Windows - including Kernel Mode Code Signing, which prevents unsigned - and therefore unauthorised - code from accessing kernel memory and Kernel Patch Protection - the latest Alureon build continues to infect systems world-wide, by installing a modified Master Boot Record and immediately causing Windows to restart. When the MBR is loaded, the rootkit can load its kernel module without the protections kicking in.

    It looks like the authors are still finding their feet in the world of 64-bit infections, however; PrevX researcher Marco Giuliani claims that the current version found in the wild appears to be a "beta build," as its infection attempts "didn't always fully work" in internal testing.


  2. #2
    Matrix, Senior Member
    Join Date
    Jul 2009


    I thought x64 systems were supposed to be much safer :|

  3. #3
    Corrine, Gold Member
    Join Date
    Jan 2009
    Upstate NY


    64-Bit systems are still much safer.

    Alureon Evolves to 64 Bit:

    Normally, 64-bit Windows has several protections against untrusted modifications to the kernel, including a requirement that all drivers be signed, and PatchGuard, which prevents tampering of certain system structures. Aside from intercepting the OS boot sequence early in the cycle, the malware also reconfigures the operating system in a visible way to accept loading of unsigned drivers. Since the method used to do this is a supported extensibility feature of the kernel used by full disk encryption and compression software, it does not actually violate the guarantees PatchGuard provides about system integrity.
    More at the above-linked article.
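A defender's baseline check for the two changes the thread describes (a rewritten MBR boot sector and a system reconfigured to load unsigned drivers), added here as an example; it is not code from the thread, from Help Net Security or from any vendor tool. The sample MBR, baseline hash and bcdedit output are constructed; reading the live sector 0 (`\\.\PhysicalDrive0`) needs administrator rights, and a rootkit that hooks the boot path can flip these settings only in memory, so compare from a clean or offline boot.

```python
import hashlib
import re
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446       # four 16-byte partition entries follow it
BOOT_SIG = b"\x55\xaa"     # bytes 510..511 of a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts, "signature_ok": mbr[510:] == BOOT_SIG}

def mbr_findings(mbr: bytes, baseline_sha256: str) -> list:
    """Compare the boot code with a hash recorded earlier from a known-clean system."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("MBR boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("MBR boot code differs from baseline")
    return findings

def bcd_findings(bcdedit_text: str) -> list:
    """Flag boot options in `bcdedit /enum {current}` output that allow unsigned kernel code."""
    findings = []
    for key in ("testsigning", "nointegritychecks"):
        if re.search(rf"^\s*{key}\s+Yes\s*$", bcdedit_text, re.M | re.I):
            findings.append(f"{key} is enabled")
    return findings

# Constructed samples: a clean MBR with one bootable NTFS partition, a tampered copy
# whose first boot-code bytes were rewritten, and bcdedit output with test signing on.
_clean = bytearray(MBR_SIZE)
struct.pack_into("<B3xB3xII", _clean, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
_clean[510:] = BOOT_SIG
CLEAN_MBR = bytes(_clean)
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = b"\xeb\x1f" + CLEAN_MBR[2:]
SAMPLE_BCD = "Windows Boot Loader\n-------------------\nidentifier  {current}\ntestsigning  Yes\n"
```

On a live system, replace the samples with `open(r"\\.\PhysicalDrive0", "rb").read(512)` and the captured output of `bcdedit /enum {current}`.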
