The direct disk access prompt has been with us since CFP v3.×××…
Uh… it seems the above statement is useless :-[ :o
Posted by EP_X0FF
Okay, the dropper works as expected on x64. To bypass the direct disk access restriction this dropper operates with the \Device\HarddiskX\DrX device and rewrites the MBR with an IOCTL_SCSI_PASS_THROUGH_DIRECT DeviceIoControl request, and after this it immediately does ExitWindowsEx with the Reboot flag set.
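An added defender-side example, not code from this thread: a Python integrity check that parses a 512-byte MBR sector and compares its boot-code region against a trusted baseline hash, the kind of check that would flag the rewrite described above. The sample sectors are constructed; a real check should read sector 0 from a trusted environment such as boot media, since a running bootkit can filter disk reads from user mode.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
SIGNATURE_OFF = 510

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack_from("<H", mbr, SIGNATURE_OFF)[0]
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions, "signature_ok": signature == 0xAA55}

def check_mbr(current: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; empty means the sector matches the trusted baseline."""
    info = parse_mbr(current)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings

def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a synthetic MBR for testing (constructed data, not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return code + table + b"\x55\xAA"

# Constructed samples: a clean sector, and one whose boot code was overwritten.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 40, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_HASH))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))  # ['boot code differs from baseline']
```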
Install TrueCrypt + full disk encryption. As soon as a rootkit changes your MBR, the normal boot sequence won’t work anymore, and you know something is wrong if you need to use the TrueCrypt rescue disk.
x64 rootkits have been around for a while. The main thing that protected x64 systems was PatchGuard. Go Google “disable patchguard”. You’ll find 3 different readily available ways to disable or bypass PatchGuard. <– They have also been around for a couple of years. Microsoft prohibited companies from disabling or modding PatchGuard, so security companies and other companies that obey the law had to work with it (even though it wasn’t very effective). The only problem is malware writers don’t really care what Microsoft says, or about Microsoft policy or the law for that matter, so they’re going to disable or modify PatchGuard however they see fit. Malware writers will take more notice as x64 systems get more popular.
Lol, you’re making it sound like MS was not allowing security companies to do that with words. In fact they made a blockade that was preventing malware writers AND security developers from messing around in the kernel.
It’s simply locked out for everyone. No exceptions made, no “backdoors” available.
I think PatchGuard v3 was not bypassed by a rootkit before because MS upgraded to v2 and v3 when a methodology to bypass it was discovered, no??
Also, I feel this “tdl x64” can be very “popular” when (if) it comes to be more effective.
200% agree unfortunately (like Android OS viruses etc).
Finally, I hope MS will improve to v4, maybe on W8. I think PatchGuard (and other things) is a good thing for the end user that I am, even if security companies must change their methods. Don’t you think so, jay2007tech?