First x64 ROOTKIT: CIS protect MBR?

Hi all,

Don’t know if this was already posted, but does CIS protect the MBR??

Because the world’s first kernel-mode rootkit on W7 x64 seems to be here:

http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html

Is anyone aware of an ARK which works on x64? Because we may need one soon…
I must search for one

A sad day today :frowning:

I have heard Hitman Pro build 111 x64 can detect it, thx my god :slight_smile:

Wow! That is bad! >:-D :cry:
But hey congrats to the big M for protecting us 64 bit users from rootkits for so long!

lol I agree about MS :slight_smile:

I remember that many years ago I had a mobo which protected the MBR with a BIOS option, that was so great :slight_smile:

Now I must mod my BIOS to do that ;D

Thanks for the information.

How do you have build 111? My Hitman is updated and I still have build 109 ???

auto update :wink:

No problem. The more people are aware, the better we can fight against the malware authors’ strategy

Also, I have found this ARK:

It works on x64 but I don’t remember if it was good when I tested it…

A minute ago when I ran it, it was still build 109 without any update, and now it has auto-updated to version 111. So I am protected too. Thanks for the info

Same here…

[attachment deleted by admin]

Just a question: does CIS 2011 or D+ protect against write attempts to the MBR sector on x64?

The direct disk access prompt has been with us since CFP v3.×××…

EDIT:
uh… it seems the above statement is useless :-[ :o

Posted by EP_X0FF: Okay, the dropper works as expected on x64. To bypass the direct disk access restriction, this dropper operates on the \Device\HarddiskX\DrX device and rewrites the MBR with an IOCTL_SCSI_PASS_THROUGH_DIRECT DeviceIoControl request, and after this it immediately calls ExitWindowsEx with the Reboot flag set.

So there is no D+ alert when the IOCTL_SCSI_PASS_THROUGH_DIRECT DeviceIoControl is used?

Also no alert for the unwanted reboot? ExitWindowsEx??
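Whatever I/O path a dropper uses to rewrite the boot sector, the result is a changed sector 0, which is something a defender can baseline and re-check after every reboot. The following is an added example (not code from the thread, from Comodo, Prevx or Hitman Pro): it parses a 512-byte MBR, validates the 0x55AA boot signature and partition table, and compares a SHA-256 of the boot-code area against a baseline recorded earlier. The sample sector and the function names are constructed for this example; `read_sector0` takes a raw device path (administrator or root is required for that) or a disk image file.

```python
r"""MBR integrity baseline check (added example; not from the thread or any vendor).

Reads the first 512-byte sector, validates the 0x55AA boot signature, parses the
four partition entries, and compares a SHA-256 of the boot-code area (bytes 0..439)
against a previously recorded baseline. A bootkit that rewrites the MBR changes
that hash regardless of which driver or IOCTL it used to write the sector.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code precedes the 4-byte disk signature at 0x1B8
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE         # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields of one MBR sector into a dict."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_valid": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
    }


def baseline_of(sector: bytes) -> str:
    """Hash to record (on trusted, offline media) while the system is known-good."""
    return parse_mbr(sector)["boot_code_sha256"]


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR looks unchanged."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_valid"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code hash differs from baseline: MBR boot code was rewritten")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked active")
    return findings


def read_sector0(path: str) -> bytes:
    """Read sector 0 from a raw device (Windows: r'\\.\PhysicalDrive0', needs
    administrator; Linux: /dev/sda, needs root) or from a disk image file."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample MBR for offline testing (not captured from a real disk)."""
    boot_code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 8)
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    # one active NTFS (type 0x07) partition starting at LBA 2048, 204800 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * 48
    sector = boot_code + disk_sig + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    import sys
    sector = read_sector0(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    baseline = baseline_of(sector)          # in practice: load the stored baseline instead
    print(parse_mbr(sector))
    tampered = bytearray(sector)
    tampered[0x10] ^= 0xFF                  # simulate one rewritten boot-code byte
    print(check_mbr(bytes(tampered), baseline))
```

The baseline has to be taken while the machine is known-good and stored somewhere the running OS cannot silently alter, and the check is only meaningful when run from a trusted environment (a boot CD or an offline mount), since a bootkit that is already active can lie about what sector 0 contains.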

IMO this rootkit seems to be under development, because it’s v0.02 and some expert said “he” is not so well protected and doesn’t work so well… I have read that an MBR fix may work against…

For now Hitman Pro detects it, but it seems it can’t remove this “bootkit TDL3+ x64”

Don’t know, sample and testing needed… has anyone done so?

Install TrueCrypt + full disk encryption. As soon as a rootkit changes your MBR, the normal boot sequence won’t work anymore, and you know something is wrong if you need to use the TrueCrypt rescue disk.

Also rootkits don’t seem to like encrypted disks… :wink:

Thx for the tips :wink: now I need a Core i7 with AES hardware acceleration :slight_smile:

That said, this rootkit needs privileges, so a sandbox which drops them will normally stop this TDL3+ x64, no?

Also, an unwanted reboot is highly suspicious for everyone (including my wife, I hope) so… wait and see

Another paper:

See You

thx my god
You’re welcome >:-D :o

x64 rootkits have been around for a while. The main thing that protected x64 systems was PatchGuard. Go Google “disable patchguard”. You’ll find 3 different readily available ways to disable or bypass PatchGuard. <–They have also been around for a couple of years. Microsoft prohibited companies from disabling or modding PatchGuard, so security companies and other companies that obey the law had to work with it (even though it wasn’t very effective). The only problem is malware writers don’t really care what Microsoft says or care about Microsoft policy or the law for that matter, so they’re going to disable or modify PatchGuard however they see fit. Malware writers will take more notice as x64 systems get more popular

Lol, you’re making it sound like MS was only stopping security companies from doing that with words. In fact they made a blockade that prevented malware writers AND security developers from messing around in the kernel.
It’s simply locked out for everyone. No exceptions made, no “backdoors” available.

I think PatchGuard v3 was not bypassed by a rootkit before because MS upgraded to v2 and v3 whenever a methodology to bypass it was discovered, no??

Also, I feel this “TDL x64” can become very “popular” when (if) it gets more effective :frowning:

200% agree, unfortunately (like Android OS viruses etc.)

Finally, I hope MS will improve it to v4, maybe on W8. I think PatchGuard (and other things) is a good thing for the end user that I am, even if security companies must change their methods. Don’t you think so, jay2007tech?