Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Rootkit Bypasses Windows Code-Signing Security

Posted by CmdrTaco on from the sign-here-please dept.

Trailrunner7 writes "In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection."

2 of 160 comments (clear)

  1. Re:Well, DUH... by tompaulco · · Score: 4, Informative

    Code signing is just a money making scheme for Microsoft cleverly disguised as a protective measure for us users. Smaller projects can not afford to have their code digitally signed by Microsoft. People have been writing workarounds for this involving spoofing the driver as being in TEST mode, but this is a hassle for the end user.

    --
    If you are not allowed to question your government then the government has answered your question.
  2. Not a "New" Rootkit by Avohir · · Score: 5, Informative

    This is a new version of a ~2 year old rootkit, also known as TDSS, and the company responsible for this particular parasite is a russian outfit known as Dogma Millions. Eset did a good writeup on the older version here. This newer version is actually even more interesting than the article indicates. It's intelligent enough to send tools like MBRCheck off to look at a backup of the MBR so that they'll erroneously return a "clean" verdict while the system remains infected. The best bet for removal is TDSSKiller by Kaspersky (the company that wrote the blog entry).

    --
    To err is human, to really foul up requires a computer