Aug 30, 2010 13:48 GMT  ·  By

While Microsoft has been successfully tackling the Alureon rootkit with a variety of security solutions, the authors of the malware have also been hard at work updating the malicious code, in order to enable it to also infect 64-bit (x64) PCs. When it was first detected, Alureon targeted mainly 32-bit (x86) Windows XP computers.

To this day, 32-bit XP remains its main target; however, the rootkit has now evolved so that it can also compromise the latest iterations of the Windows client, whether x86 or x64.

Less than a month ago, Microsoft came across a new variant of Alureon capable of infecting the Master Boot Record (MBR) of Windows computers, targeting the MBR instead of infecting drivers.

“While this new variant did not affect 64-bit machines, it had an inert file called ldr64 as part of its virtual file system,” explained Jason Conradt, Jeremy Croy, and Joe Johnson from the Microsoft Malware Protection Center.

“More recently, we discovered an updated variant that successfully infected 64-bit machines running Windows Vista or higher, while rendering 64-bit Windows XP and Server 2003 machines unbootable,” Conradt added.

The 64-bit flavors of both Windows Vista and Windows 7 feature mitigations designed to keep the kernel of the two platforms unmodified.

The two operating systems require all kernel-mode drivers to be signed before they can load into the core of the OS, and they also ship PatchGuard, also known as Kernel Patch Protection, a mechanism designed to prevent third-party code from modifying system structures.

“Aside from intercepting the OS boot sequence early in the cycle, the malware also reconfigures the operating system in a visible way to accept loading of unsigned drivers,” Conradt explained.

“Since the method used to do this is a supported extensibility feature of the kernel used by full disk encryption and compression software, it does not actually violate the guarantees PatchGuard provides about system integrity.”

According to the Redmond company, a variety of its security products already feature proactive detection against this threat, including: Microsoft Security Essentials, Microsoft Forefront Client Security, Forefront Server Security, and the Forefront Threat Management Gateway.

Customers can also check whether their machines are infected with the new flavor of Alureon.

“As a side effect of the bootkit, the Disk Management pane of the Computer Management console will fail to show the system drive altogether,” Conradt noted. “It will also fail to show up in the command line using DiskPart.”
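The DiskPart symptom Conradt describes can be checked from an elevated PowerShell prompt. The script below is an added example, not code from the article or from Microsoft; it assumes DiskPart's default "Volume N  Ltr ..." output layout and treats a system drive that DiskPart does not list, even though the running OS reports it mounted, as the suspicious condition.

```powershell
# Added example (not from the article or Microsoft): flag the Alureon symptom
# of the system drive missing from DiskPart. Assumes an elevated prompt,
# since diskpart.exe refuses to run without administrative rights.
function Test-SystemDriveVisibility {
    # Drive letter of the running OS, e.g. "C:"
    $systemDrive = $env:SystemDrive
    $letter      = $systemDrive.TrimEnd(':')

    # Run DiskPart non-interactively with a one-line script file
    $scriptPath = Join-Path $env:TEMP 'list-volumes.txt'
    Set-Content -Path $scriptPath -Value 'list volume' -Encoding ASCII
    $output = & diskpart.exe /s $scriptPath 2>&1 | Out-String
    Remove-Item $scriptPath -ErrorAction SilentlyContinue

    # DiskPart prints one line per volume, e.g.
    #   Volume 1     C   Windows      NTFS   Partition   ...
    # Look for a volume row carrying the system drive letter.
    $diskPartRow = ($output -split "`r?`n") |
        Where-Object { $_ -match "^\s*Volume\s+\d+\s+$letter\s" }

    # Cross-check: the OS itself reports the drive as a mounted logical disk
    $wmiDisk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$systemDrive'"

    New-Object PSObject -Property @{
        SystemDrive       = $systemDrive
        VisibleInDiskPart = [bool]$diskPartRow
        MountedPerWmi     = [bool]$wmiDisk
        # The article's symptom: the drive is in use yet DiskPart cannot see it
        Suspicious        = ([bool]$wmiDisk -and -not [bool]$diskPartRow)
    }
}

Test-SystemDriveVisibility
```

A `Suspicious` result of `True` is only a heuristic matching the symptom quoted above and should be followed up with a full scan by one of the products listed.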

Microsoft Security Essentials is available for download here.