Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Rootkit Bypasses Windows Code-Signing Security

Posted by CmdrTaco on from the sign-here-please dept.

Trailrunner7 writes "In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection."

8 of 160 comments (clear)

  1. Re:Well, DUH... by tompaulco · · Score: 4, Informative

    Code signing is just a money making scheme for Microsoft cleverly disguised as a protective measure for us users. Smaller projects can not afford to have their code digitally signed by Microsoft. People have been writing workarounds for this involving spoofing the driver as being in TEST mode, but this is a hassle for the end user.

    --
    If you are not allowed to question your government then the government has answered your question.
  2. Re:Wow. Master Boot Record infectors. by PatPending · · Score: 2, Informative

    Old sk00l. When was the last MBR infector seen in the wild? 2002? Most of this class are from the DOS era, fercryingoutloud.

    From the second paragraph of the fine article (emphasis added):

    TDSS has been causing serious trouble for users for more than two years now, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC. This type of malware often is referred to as a bootkit and can be extremely difficult to remove once it's detected. The older versions of TDSS--TDL1, TDL2 and TDL3--are detected by most antimalware suites now, but it's TDL4 that's the most problematic right now.

    --
    What one fool can do, another can. (Ancient Simian Proverb)
  3. Not a "New" Rootkit by Avohir · · Score: 5, Informative

    This is a new version of a ~2 year old rootkit, also known as TDSS, and the company responsible for this particular parasite is a russian outfit known as Dogma Millions. Eset did a good writeup on the older version here. This newer version is actually even more interesting than the article indicates. It's intelligent enough to send tools like MBRCheck off to look at a backup of the MBR so that they'll erroneously return a "clean" verdict while the system remains infected. The best bet for removal is TDSSKiller by Kaspersky (the company that wrote the blog entry).

    --
    To err is human, to really foul up requires a computer
    1. Re:Not a "New" Rootkit by iMouse · · Score: 2, Informative

      The MBR isn't the only point of infection. TDSS also patches legitimate system files, resulting in reinfection of the MBR if the infected files on the drive are not taken care of first.

  4. Re:Well, DUH... by Applekid · · Score: 2, Informative

    Code signing is just a money making scheme for Microsoft cleverly disguised as a protective measure for us users. Smaller projects can not afford to have their code digitally signed by Microsoft. People have been writing workarounds for this involving spoofing the driver as being in TEST mode, but this is a hassle for the end user.

    Um, code signing can be by any trusted authority. You need not pay Microsoft for user code.

    Drivers are another story. They need to pass WHQL, but that's no big deal because it's already paid through the licensing fees collected if you want to put a Windows logo on your product certifying it's compatible with Windows. Naturally, if it's going to have the logo on the box, Microsoft wants to make sure your crappy driver doesn't cause problems that will be blamed on Windows.

    Installing unsigned drivers in testing mode is a pain in a live environment for the same very good reason you don't want to perform crash testing on a live motorway.

    --
    More Twoson than Cupertino
  5. Once and for all... by WaroDaBeast · · Score: 2, Informative

    The nominative plural ending for Latin nouns following the second declension is -i, so if virus was a masculine noun, which it is not ("n." means it's neutral), it would then take an i, which would give "viri." But since "virus" is neutral, its plural is "vira," so next time you wanna brag about how well you know Latin — without sounding like a fool —, say that instead.

    Or you can say "viruses" if you feel like speaking English. My €0.02.


    P.S.: The only time you get that double i in the nominative plural is when you inflect a second declension masculine noun that ends in -ius, such as "filius."

    --
    "The body may heal, but the mind is not always so resilient." -- Deus Ex: Human Revolution
  6. Re:The driver signing is mainly for DRM by Myria · · Score: 2, Informative

    Vista and 7's driver signing requirement is mainly for DRM purposes.

    No, the driver signing requirement is for quality control purposes. 60% of Windows crashes used to be driver-related. Now, Microsoft actually requires a proof of correctness, using their Static Driver Verifier, before a driver is signed.

    You're talking about the Windows Hardware Quality Labs signature, not the kernel-mode driver signing requirement in 64-bit Vista and 7. A WHQL signature is not required in order to have a driver load, a kernel-mode driver signature is. Microsoft only does their quality testing with drivers submitted to WHQL; an appropriate VeriSign certificate is enough to get the driver to load, without any quality checking on the part of Microsoft.

    It is the kernel-mode driver signing requirement that this rootkit bypasses, not the WHQL signature.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  7. Re:Infecting the MBR requires admin rights by gad_zuki! · · Score: 2, Informative

    You are correct. Here are the peerguardian people talking about this. When running 64-bit signing is required. 32-bit it is not.

    http://www.raymond.cc/blog/archives/2009/08/24/loading-unsigned-drivers-in-windows-7-and-vista-64-bit-x64/