Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Rootkit Bypasses Windows Code-Signing Security

Posted by CmdrTaco on from the sign-here-please dept.

Trailrunner7 writes "In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection."

2 of 160 comments (clear)

  1. Not a "New" Rootkit by Avohir · · Score: 5, Informative

    This is a new version of a ~2 year old rootkit, also known as TDSS, and the company responsible for this particular parasite is a russian outfit known as Dogma Millions. Eset did a good writeup on the older version here. This newer version is actually even more interesting than the article indicates. It's intelligent enough to send tools like MBRCheck off to look at a backup of the MBR so that they'll erroneously return a "clean" verdict while the system remains infected. The best bet for removal is TDSSKiller by Kaspersky (the company that wrote the blog entry).

    --
    To err is human, to really foul up requires a computer
  2. Re:Acceptable and Proper Slashdot Vocabulary by hairyfeet · · Score: 5, Insightful

    I don't know, that is kinda like arguing you are the tallest midget as BOTH are major levels of stupid.

    As for TFA, as long as Windows is the #1 desktop deployed it will always be a target, but frankly as a PC repairman I can say there is so much low hanging fruit with home users most won't even need this trick. All they have to do is pop up on a website "ZOMG DUDE, You got teh Viruz!! Turn off yur broken AV and run this ZOMG quick!!!" and you'd be surprised how many will do JUST that. I have literally sat beside a user and said "Do NOT open a password protected zip file it IS a virus!" and had them go "My BFF Kim sent this! stop being paranoid!" and watched dumbfounded as they proceeded to do EXACTLY what the instructions said and pwned themselves.

    While I'm sure the malware kits will all add this to make guys like me have to work harder to get rid of it (in actuality it is pretty much nuke and reinstall anymore) to actually infect many home users all you have to do is the above or the ever easy "You need this codec to watch our FREE Lesbian pron!". I swear guys fall for THAT one damned near every time. I actually had to hunt down a decent virus free porn site just to send my "must click teh prons!" users to just to keep them from constantly reinfecting their machines.

    So Linux guys be DAMNED GLAD you don't have those home users and there will hopefully NEVER be a "year of the Linux desktop" because a week later the net will be flooded with "Porn_Codec.sh" and "Happy_Puppy.scr.sh"with helpful instructions on how to run them that the users WILL follow. Stupid is as Stupid Does.

    --
    ACs don't waste your time replying, your posts are never seen by me.