Remove-Malware.com Forums

by **jamescv7** » Mon Nov 15, 2010 1:21 pm

How the TLD4 rootkit gets around driver signing policy on a 64-bit machine

Microsoft’s Windows operating system, running on a 64-bit machine provides enhanced security with driver signing of system and low level drivers. This policy, called the kernel mode code signing policy, disallows any unauthorized or malicious driver to be loaded. [1.]

The TDL4 rootkit bypasses driver signing policy on 64-bit machines by changing the boot options of Microsoft boot programs that will allow an unsigned driver to load.

http://sunbeltblog.blogspot.com/2010/11 ... river.html

**Advertisement**

by **sss20** » Mon Nov 15, 2010 11:09 pm

I'm always shocked when i read this kind of articles...the creators of this rootkit found a really smart way to pass the driver signing policy on a 64-bit machine....
As far as the rootkit itself.....well we all knew that the 64bit won't be a rootkit fortress forever.....

by **Quackimducky** » Tue Nov 16, 2010 4:26 am

Im scared

by **virtu** » Tue Nov 16, 2010 4:53 am

Low chances any of our Windows 64-BIT members will infect themselves with it as long as they continue to use common sense and a security program.

by **gusthebus** » Tue Nov 16, 2010 6:30 am

This isn't good. I hope that they will patch up the driver signing vulnerability

by **Dieselman** » Tue Nov 16, 2010 9:10 am

This is why you need to familarize yourself with every running process on your pc. So you can tell when something is not right. I know that I usually always have 58 processes running. I also look at Autoruns for any changes regularly.

by **GakunGak** » Tue Nov 16, 2010 9:46 am

@Dieselman: Suppose you notice TLD4 process in Task Manager. Will he allow you to kill him via end task? If I understood correctly, process is resident and starts at boot.
Can it be removed in safe mode?

by **Dieselman** » Tue Nov 16, 2010 11:00 am

I dont use Task Manager. I use Process Explorer but until I run into I am not exactly sure.

by **GakunGak** » Tue Nov 16, 2010 12:48 pm

I use this, it can also unload service before ending a task, and also start/stop windows services, try it out:
http://www.tucows.com/preview/516579
Task Killer
Sometimes I can kill a process that I am unable with Task Manager or Process Hacker/Explorer

by **sss20** » Tue Nov 16, 2010 1:05 pm

Dieselman wrote:This is why you need to familarize yourself with every running process on your pc.

And have common sense....don;t run app. that are from an unkwon source or don't have digital sign.
Use a solid security and always be careful when you're browsing..don't go to unkwnon sites.

Remove-Malware.com Forums

TLD4 rootkit

If this topic has helped you then please...

TLD4 rootkit

TLD4 rootkit

Re: TLD4 rootkit

Re: TLD4 rootkit

Re: TLD4 rootkit

Re: TLD4 rootkit

Re: TLD4 rootkit

Re: TLD4 rootkit

Re: TLD4 rootkit

Re: TLD4 rootkit

Re: TLD4 rootkit

Who is online