How the TDL4 Rootkit Bypasses Driver Signing on Windows 64-bit

Per the Sunbelt Blog:

Microsoft’s Windows operating system, running on a 64-bit machine, provides enhanced security with driver signing of system and low-level drivers. This policy, called the kernel mode code signing policy, disallows any unauthorized or malicious driver to be loaded [1].

The TDL4 rootkit bypasses driver signing policy on 64-bit machines by changing the boot options of Microsoft boot programs that will allow an unsigned driver to load.

Read the rest here

Well, I figured the 64-bit haven would end eventually. I’m sorta shocked it took this long frankly. I’ll be scanning the drivers folder on 32- and 64-bit computers from now on (via UBCD4WIN and Dr. Web).
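As an added defender-side check (not code from Sunbelt or from this post), the Python script below parses the text output of Microsoft's `bcdedit /enum` and reports any boot entry where the `testsigning` or `nointegritychecks` option is switched on, or where `loadoptions` carries `DISABLE_INTEGRITY_CHECKS`. Those are the documented ways of relaxing the kernel mode code signing policy that the post describes TDL4 evading, so they are the first thing to look for when a 64-bit machine starts loading unsigned drivers. The bcdedit sample embedded in the script is constructed for the example; the `--live` flag assumes an elevated prompt on Windows.

```python
"""Flag boot entries whose BCD options weaken kernel-mode code signing.

Added example for this post (not Sunbelt's or the author's code). It parses
the text output of `bcdedit /enum` and reports entries where testsigning or
nointegritychecks is enabled, or where loadoptions carries
DISABLE_INTEGRITY_CHECKS. The sample output below is constructed.
"""
import re
import subprocess
import sys

# Constructed sample of `bcdedit /enum` output (not captured from a real host).
SAMPLE_BCD = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
testsigning             Yes
nointegritychecks       Yes
loadoptions             DDISABLE_INTEGRITY_CHECKS
osdevice                partition=C:
systemroot              \\Windows
"""

# BCD options that disable or relax the kernel-mode code signing policy.
RISKY_BOOLEANS = ("testsigning", "nointegritychecks")
# Substring match also catches the historical DDISABLE_INTEGRITY_CHECKS spelling.
RISKY_LOADOPTION = "DISABLE_INTEGRITY_CHECKS"


def parse_bcd(text):
    """Split bcdedit output into entries: a list of dicts of option -> value."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # First line is the entry type ("Windows Boot Loader"), second is dashes.
        entry = {"_type": lines[0].strip()}
        for line in lines[1:]:
            if not line.strip() or set(line.strip()) == {"-"}:
                continue
            parts = line.split(None, 1)
            if len(parts) == 2:
                entry[parts[0].lower()] = parts[1].strip()
        entries.append(entry)
    return entries


def find_signing_bypass(text):
    """Return (identifier, option, value) for every option that weakens signing."""
    findings = []
    for entry in parse_bcd(text):
        ident = entry.get("identifier", "<unknown>")
        for opt in RISKY_BOOLEANS:
            if entry.get(opt, "").lower() == "yes":
                findings.append((ident, opt, entry[opt]))
        loadopts = entry.get("loadoptions", "")
        if RISKY_LOADOPTION in loadopts.upper():
            findings.append((ident, "loadoptions", loadopts))
    return findings


def main():
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Needs an elevated prompt on Windows; bcdedit is Microsoft's own tool.
        text = subprocess.run(["bcdedit", "/enum"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_BCD
    findings = find_signing_bypass(text)
    if not findings:
        print("No signing-policy bypass options found in the BCD store.")
    for ident, opt, value in findings:
        print(f"{ident}: {opt} = {value}")


if __name__ == "__main__":
    main()
```

Run it with no arguments to see it flag the constructed sample, or with `--live` from an elevated prompt to check the real store. It only reads the persisted BCD store: boot options altered in memory during startup would not show up here, so a clean listing is a useful negative result but no proof of a clean machine, and an offline scan of the drivers folder from boot media, as the post describes, remains the complementary check.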


14 Responses to How the TDL4 Rootkit Bypasses Driver Signing on Windows 64-bit

  1. scott November 15, 2010 at 8:49 pm #

    This happened a while ago.

  2. Harry November 15, 2010 at 9:08 pm #

    speaking of rootkits, how do you clean a bios rootkit???

  3. Frank November 16, 2010 at 12:00 am #

    This is great news for my business!

  4. idontlikemalware November 16, 2010 at 3:57 am #

    @Frank, I’m very happy for you. This is bad news for the average computer users.

  5. malwarekilla November 16, 2010 at 3:32 pm #

    @harry – not sure, I’ve never seen a BIOS rootkit.

  6. Jimmy James November 16, 2010 at 6:59 pm #

    “speaking of rootkits, how do you clean a bios rootkit???”

    You may be lucky and be able to reset it from the CLEAR_CMOS jumpers

  7. john November 16, 2010 at 8:16 pm #

    What program do you guys recommend to repair Task Manager, run, exe, safe mode etc. after malware infection? I ran a scan with the Dr. Web CD and found a couple of rootkits, but after I cured them I went back into Windows and now I can’t do a thing?

  8. malwarekilla November 16, 2010 at 8:30 pm #

    @john – SuperAntiSpyware or Combofix (or both). You can also refer to this:

    http://remove-malware.com/antimalware/post-malware-cleanup/removing-system-restrictions-after-malware/

  9. Christos(ballader1 on YT) November 17, 2010 at 5:45 am #

    Well, Windows 8 will have 128-bit. 64-bit is NOT enough these days

  10. JimBob November 17, 2010 at 4:25 pm #

    128 bit…Not going to happen anytime soon, that’s for sure. At the rate it’s taken for 64-bit to *begin* taking hold, it’ll be another decade for 128-bit.

  11. Phillip November 17, 2010 at 9:16 pm #

    It may be a stupid question, but is it safe to boot and use UBCD4WIN on 64-bit Vista and 7 systems?

  12. john November 17, 2010 at 10:59 pm #

    thanks malwarekilla

  13. john November 19, 2010 at 3:51 pm #

    Is there some type of Combofix-like program you can use on Windows 7?

  14. Shaun Zhang November 20, 2010 at 8:12 am #

    Have you tried PC Tools Alternate Operating System Scanner yet?
    http://www.pctools.com/aoss/
