A new version of dangerous rootkit Alureon is back – this time in the shape of a 64 bit edition.
We are always dismayed to hear about new security issues, but this one looks to be particularly nasty as it has been designed to specifically target the ever expanding 64 bit versions of Windows.
Help Net Security have posted information detailing that Alureon is the first rootkit which can infect and hide itself in 64 bit Windows builds. In the past running a 64 bit version of Windows has offered some protection from rootkits and other malware executables as the differing memory spaces mean that a 32 bit rootkit attempting a buffer overflow exploit may find it overwrites the wrong part of the memory and fails to run at all. With this latest ‘release' this safety system no longer works.
Microsoft have incorporated security measures such as Kernel Mode Code Signing which prevents unsigned and unauthorised code from accessing kernel memory – unfortunately in this instance Alureon is continuing to thrive and infect systems across the globe by installing a modified Master Boot Record and immediately causing Windows to restart. When this modified MBR is loaded, the rootkit can load its kernel module without the protections kicking in.
KitGuru says: This build of the Rootkit appears to be a beta build as it is not always successful in replicating and spreading, but it is still classed as a very dangerous exploit.