New Rootkit Bypasses Windows Code-Signing Security

Every day there are new nasties. Can CIS protect against or clean this:

“In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection.”

It doesn’t matter what MBR rootkit it is, it still needs a dropper. Comodo does block this, but if you download a fake program of some sort, a patch or keygen bundled with TDL4 (TDL++), and THEN (most importantly) “give it permission” to run, it’s GAME OVER, because once you realize it and remove the permissions, it’s too late. The damage has been done.

I’ll break it down in even simpler terms for TDL4:
Whether Comodo can detect it or not, if you’re using Comodo, it’s going to need permission to run, no matter what :slight_smile:

If you’re using Norton, it’ll decide for you and will run the rootkit because it doesn’t recognize it and it’s new :-TD

Actually, Download Insight will pop up saying it’s not trusted, has very few users and is a new file. Then it gives the user the options to run it, not run it, or delete it from the computer ;D

Download Insight will pop up saying it’s not trusted
That’s also another problem: it’s not built in, and you also have to download it.

But since you so badly wanna run it and you think it’s a hot chick video, you will fail :slight_smile: But with Comodo it will automatically sandbox it and boom, you are saved :slight_smile: ;D

These new x64 bypasses all seem to use the MBR as their entry point. In order to modify the MBR you need admin privilege. An x64 system ‘out of the box’ has UAC enabled, which is enough to stop any program that tries to escalate privilege - unless of course you grant it.

Personally, the only application I have that requires escalation is Visual Studio, so I pretty much treat any program that requires privilege escalation very warily.

In summary, you only require good judgement to stop this kind of attack. Good judgement includes leaving UAC enabled.
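A defender-side check for the two points in this post, added here as an example and not taken from the thread: it reports whether UAC is actually enabled (and whether admin elevation has been set to happen silently), then hashes the first 512 bytes of the boot disk against a stored baseline so an MBR rewrite shows up on the next run. It assumes an elevated PowerShell on Vista/7 or later, the first physical drive as the boot disk, and a baseline file path of my choosing.

```powershell
# Added example, not from the thread. Requires an elevated session: raw disk
# access itself needs admin rights, which is exactly the privilege UAC guards.
$BaselinePath = "$env:ProgramData\mbr-baseline.sha256"   # assumed location

function Test-UacSettings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key
    # EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin = 0 means
    # "elevate without prompting", i.e. the permission the thread warns about
    # is granted silently for admin accounts.
    [pscustomobject]@{
        UacEnabled      = ($v.EnableLUA -eq 1)
        SilentElevation = ($v.ConsentPromptBehaviorAdmin -eq 0)
    }
}

function Get-MbrHash {
    param([string]$Device = '\\.\PhysicalDrive0')   # assumed boot disk
    # Opening the raw device needs an elevated token; an unelevated caller gets
    # UnauthorizedAccessException, which is the UAC boundary doing its job.
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $mbr  = New-Object byte[] 512
        $read = $fs.Read($mbr, 0, 512)
        if ($read -ne 512) { throw "short read from ${Device}: $read bytes" }
    } finally { $fs.Dispose() }
    # A valid MBR ends with the 0x55 0xAA boot signature; anything else is suspect.
    if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { Write-Warning "no 0x55AA boot signature on $Device" }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try   { ($sha.ComputeHash($mbr) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

$uac = Test-UacSettings
if (-not $uac.UacEnabled) { Write-Warning 'UAC is disabled: a dropper can rewrite the MBR with no prompt at all.' }
if ($uac.SilentElevation) { Write-Warning 'UAC prompts are suppressed for admins: elevation is granted silently.' }

$current = Get-MbrHash
if (Test-Path $BaselinePath) {
    $baseline = (Get-Content -Path $BaselinePath -Raw).Trim()
    if ($current -ne $baseline) { Write-Warning "MBR hash changed since baseline ($baseline -> $current): investigate before rebooting." }
    else { Write-Host "MBR unchanged: $current" }
} else {
    Set-Content -Path $BaselinePath -Value $current
    Write-Host "Recorded MBR baseline $current to $BaselinePath"
}
```

Record the baseline on a machine you trust; a legitimate change (OS reinstall, disk tool that rewrites the boot code) is the only reason the hash should move.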

Which is the reason I have Comodo :stuck_out_tongue:

I’m sure if you have the sandbox set to restricted or untrusted it would stop it. Or if you have “block all unknown applications when program is closed” enabled, that would stop it.