Last-minute paper: Alureon: the first 64-bit rootkit

Joe Johnson, Microsoft

The Alureon/TDSS family of malware has been around for years. Throughout that time its authors have continuously updated the rootkit to evade detection by AV vendors and by each monthly release of the Malicious Software Removal Tool. In July this escalated to overwriting the MBR of the infected machine. Ominously, the installer for this version also created an inert file named ldr64. In August a new version filled in that file, and Alureon became the first 64-bit rootkit seen in the wild.

This presentation covers the most recent evolution of Alureon, focusing on the latest variants that affect 64-bit machines. It details the changes made for the 64-bit version of the malware and the move from infecting drivers to infecting the MBR. It also discusses how these changes let the rootkit disable or bypass the protections that 64-bit Windows normally enforces against untrusted kernel code and kernel modification, namely kernel-mode code-signing enforcement and Kernel Patch Protection (PatchGuard): code that owns the MBR executes before the Windows boot loader, and therefore before either of those checks is in place.
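Because the infection vector discussed here is the MBR rather than a driver, the practical check a responder wants is an MBR integrity test. The following is an added example, not code from the paper or from Microsoft: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), compares the boot-code hash with a baseline recorded from a known-clean disk, and flags structural anomalies. The sample MBR bytes are constructed inline for illustration; the baseline hash is whatever you recorded before infection.

```python
# Added example: minimal MBR parser plus an integrity check against a recorded
# baseline. Not code from the VB paper or from Microsoft. The sample sectors
# below are constructed for illustration only.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # boot code occupies bytes 0..445
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE_OFF = 510        # last two bytes must be 0x55 0xAA
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": boot_code,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature": sector[SIGNATURE_OFF:],
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    if sum(1 for p in mbr["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged active")
    # Overlapping LBA ranges are a malformed table, worth a look on their own.
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                    for p in mbr["partitions"])
    for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append("partition entries overlap")
            break
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR with one active NTFS-type partition (sample data)."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48  # remaining three slots empty
    return boot_code + table + b"\x55\xaa"


# Constructed "clean" sector: xor ax,ax / mov ss,ax / mov sp,7c00h prologue.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Constructed "tampered" sector: same partition table, foreign boot code.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x00\x90" + b"\x00" * 10)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

To use it on a real machine, read the first 512 bytes of the physical disk (for example \\.\PhysicalDrive0 on Windows or /dev/sda on Linux, which needs administrative rights) and pass them to `check_mbr` with the baseline you recorded earlier. The caveat that matters for this family: a running bootkit can filter reads of sector 0 and hand back the original MBR, so a clean result obtained from inside the suspect OS is not conclusive. Read the sector from boot media with the suspect system offline, or compare the two readings against each other.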
