First x64 ROOTKIT: CIS protect MBR?

http://www.prevx.com/blog/155/x-TDL-rootkit--follow-up.html

“If MBR patching technique was only one among many infection techniques used by rootkits to infect 32 bit builds of Windows operating systems, it will probably become the most used way to hit 64 bit builds of Windows.”

“it does not actually violate the guarantees PatchGuard provides about system integrity.”

patchguard v3
One well-known method was using a common ATI driver to gain code execution in kernel mode and from there load a driver image, bypassing the normal Kernel Mode Code Signing. <---It's a little more than that, but you get the idea. I'm going to guess Microsoft fixed that back in 2007 or 2008.
a methodology to bypass it has been discovered, no??
I also don't think we should be talking on what works, doesn't work, or currently works on here.
In fact they made a blockade that was preventing malware writers AND security developers from messing around in the kernel.
The blockade does do a good job :). I just think security developers have some limitations on what they're allowed to do. Malware writers are free to do or try as they please. There is no limitation or law to limit what they can do. It's just a matter of whether they can find a way to do it or not.

From what I read on MSDN, developers need to switch from SSDT hooking to minifilters to do their job. It seems that the OS provides much more functionality than the average security suite uses, but that there has to be a change of development to get those used…

Hooking is a major security hole and MS could have closed it up a long time ago, but the problem is that so many software companies use it, especially security companies, that they are forced to keep it. From what I know, MSE is the only one that does not use kernel hooking, and I personally think that Comodo should start working on that for other releases. It should be doable, and it would provide more security for the end user.

Languy is right Comodo should really work on this!

Comodo should start working on that for other releases. It should be doable, and it would provide more security for the end user.
As long as Comodo does a good job of preventing services like NtUserConsoleControl from doing bad things, Comodo should be good for right now :)
I hope MS will improve it to v4, maybe on W8. I think PatchGuard (and other things) is a good thing for the end user I am, even if security companies must change their methods. Don't you think so, jay2007tech?
I agree, you got to start somewhere :)

Yes, PatchGuard is good even if it can be improved (of course nothing is unbreakable)…

I have read that; do you think this kind of method can be used by malware:

Another question: do you think the EFI/GPT pair could be more secure against low-level threats than the BIOS/MBR pair?

Another question: do you think the EFI/GPT pair could be more secure against low-level threats than the BIOS/MBR pair?
I have no idea what that is, so I can't give you an answer. If you have a lot of time on your hands, feel free to put it to the test. :)

lol, I work from 6:00 AM to 7:00 PM every day except weekends, so no, I don't have that much time :frowning:

I have read on a Russian underground forum that the dev team of TDL3+ (millions dogma project) stopped development to work on another project…

So maybe the code has been sold to another team that is doing the port to x64…

Also, if it's true, that means that a new piece of very sophisticated malware can appear in the wild in some months, considering the skills of this malware maker team :frowning: