Kaspersky Lab Exposes Dangerous Rootkit Targeting 64-bit Windows Systems
17 May 2011
Kaspersky Lab, a leading developer of secure content and threat management solutions, announces the detection of multi-purpose rootkits capable of posing a threat to both 32 and 64-bit Windows systems. The key feature of the 64-bit rootkit is that it does not try to bypass the PatchGuard kernel protection system, but uses a special digital signature for software developers instead. The rootkit is distributed via a downloader, which also tries to install other malicious software. Kaspersky Lab's experts found one variant which attempts to download and install so-called Rogue or Fake antivirus software for the Mac OS X operating system, along with other malware. Although this malware would obviously not work in a Windows environment, it indicates the cybercriminals' growing interest in alternative software platforms.
Rootkits are malicious programs that usually exist in the form of drivers and can run at the kernel level of an operating system and load when the system boots. This makes rootkits difficult to detect using standard protection tools. The rootkits in question are propagated via a downloader, which uses a pack of exploits called "BlackHole Exploit Kit". Typically, users' computers are infected by visiting websites containing the downloader. A number of vulnerabilities in common software such as the Java Runtime Environment and Adobe Reader are used to attack the target machine. The downloader is used to infect both 32-bit and 64-bit Windows systems with one of the two corresponding rootkits.
"The 64-bit driver is signed with something called a 'testing digital signature'. If Windows – Vista and higher – were to be booted in 'TESTSIGNING' mode, the applications can launch the drivers signed with such a signature. This is a special trap-door which Microsoft has left for driver developers so they can test their creations. Cybercriminals have also made use of this loophole which allows them to launch their drivers without a legitimate signature;" - explains Alexander Gostev, Chief Security Expert at Kaspersky Lab. – "This is another example of a rootkit which does not need to bypass the PatchGuard protection system included in the latest Windows x64 systems".
Both rootkits have similar functionality. They block users' attempts to install or run popular anti-malware programs and effectively protect themselves by intercepting and monitoring system activity. While the rootkit leaves the PC vulnerable to attacks, the downloader tries to obtain and execute malicious code, including the abovementioned Rogue AV for Mac OS X. This fake antivirus is known as Hoax.OSX.Defma.f and is one of the emerging threats for Mac OS X, which is increasingly being targeted by cybercriminals.
This example shows that malicious software is growing more sophisticated and is starting to include various components that serve individual purposes. These threats may target various versions of operating systems or even different software platforms.
Kaspersky Lab's products are capable of successfully detecting and remediating the Trojan-Downloader.Win32.Necurs.a downloader and its corresponding rootkits Rootkit.Win32.Necurs.a / Rootkit.Win64.Necurs.a.