A particularly virulent rootkit targeting Windows machines - known as Alureon
- is back, and this time it comes in a 64-bit edition.
With more and more systems coming with 64-bit builds of Windows pre-installed in order to take advantage of 4GB - or more - of RAM, it was only a matter of time before crackers starting coding malware to accommodate the shifting target landscape - and it looks like that day is here.
According to Help Net Security
this latest build of Alureon is the first rootkit in the wild with the ability to successfully infect and hide itself in 64-bit Windows builds.
Running the 64-bit version of Windows has traditionally offered some protection from rootkits and other malware packages, as the differing memory locations mean that a 32-bit rootkit attempting a buffer overflow exploit may find that it overwrites the wrong part of memory and fails to execute - or, in the best case scenario, fails to overflow at all. Sadly, it looks like that small measure of protection is rapidly vanishing.
Despite protections built into the latest versions of Windows - including Kernel Mode Code Signing, which prevents unsigned - and therefore unauthorised - code from accessing kernel memory and Kernel Patch Protection - the latest Alureon build continues to infect systems world-wide, by installing a modified Master Boot Record and immediately causing Windows to restart. When the MBR is loaded, the rootkit can load its kernel module without the protections kicking in.
It looks like the authors are still finding their feet in the world of 64-bit infections, however; PrevX
researcher Marco Giuliani claims that the current version found in the wild appears to be a "beta build,
" as its infection attempts "didn't always fully work
" in internal testing.
Are you surprised that it has taken the ne'er-do-wells this long to develop rootkits for 64-bit Windows, or just saddened that yet more of Microsoft's well-meaning protection systems have been rendered useless? Share your thoughts over in the forums.