
New Rootkit Bypasses Windows Code-Signing Security

Trailrunner7 writes "In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection."
  • Re:Well, DUH... (Score:5, Informative)

    by tompaulco ( 629533 ) on Tuesday November 16, 2010 @03:02PM (#34245786) Homepage Journal
    Code signing is just a money making scheme for Microsoft cleverly disguised as a protective measure for us users. Smaller projects cannot afford to have their code digitally signed by Microsoft. People have been writing workarounds for this involving spoofing the driver as being in TEST mode, but this is a hassle for the end user.
  • by PatPending ( 953482 ) on Tuesday November 16, 2010 @03:04PM (#34245822)

    Old sk00l. When was the last MBR infector seen in the wild? 2002? Most of this class are from the DOS era, fercryingoutloud.

    From the second paragraph of the fine article (emphasis added):

    > TDSS has been causing serious trouble for users for more than two years now, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC. This type of malware often is referred to as a bootkit and can be extremely difficult to remove once it's detected. The older versions of TDSS--TDL1, TDL2 and TDL3--are detected by most antimalware suites now, but it's TDL4 that's the most problematic right now.

  • Not a "New" Rootkit (Score:5, Informative)

    by Avohir ( 889832 ) on Tuesday November 16, 2010 @03:11PM (#34245920)
    This is a new version of a ~2 year old rootkit, also known as TDSS, and the company responsible for this particular parasite is a Russian outfit known as Dogma Millions. Eset did a good writeup on the older version here [eset.com]. This newer version is actually even more interesting than the article indicates. It's intelligent enough to send tools like MBRCheck off to look at a backup of the MBR so that they'll erroneously return a "clean" verdict while the system remains infected. The best bet for removal is TDSSKiller [kaspersky.com] by Kaspersky (the company that wrote the blog entry).
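The MBR-backup trick described in the comment above only works because the checking tool trusts whatever sector it is handed. As an added example (not code from this thread, from MBRCheck, TDSSKiller or any vendor), the Python below parses a raw 512-byte MBR, validates the 0x55AA signature and the four partition entries, and hashes the boot-code region so the sector actually read from disk can be compared against a trusted reference copy. Both MBR images are constructed inline; the "infected" one alters only the boot code and leaves the partition table intact, which is why a partition-table-only check would pass. Reading sector 0 of a real disk (\\.\PhysicalDrive0 on Windows, /dev/sda on Linux) needs administrator rights and is left to the caller.

```python
"""Parse a raw 512-byte MBR and compare its boot code with a known-good copy.

Added example for this thread; not code from Kaspersky, ESET or MBRCheck.
All sample sectors below are constructed for illustration.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_SIZE = 440            # boot code precedes the 4-byte disk signature at 0x1B8
PART_TABLE_OFFSET = 446         # four 16-byte partition entries start at 0x1BE
PART_ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of every valid MBR


@dataclass(frozen=True)
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Return the four partition entries, rejecting anything that is not a well-formed MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * struct.calcsize(PART_ENTRY_FMT))
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid status byte {status:#04x}")
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; disk signature and table are excluded."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def compare_mbr(candidate: bytes, reference: bytes) -> Dict[str, bool]:
    """Compare the sector actually read from the disk against a trusted reference copy."""
    return {
        "boot_code_match": boot_code_hash(candidate) == boot_code_hash(reference),
        "partition_table_match": parse_partition_table(candidate) == parse_partition_table(reference),
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS partition, three empty slots."""
    assert len(boot_code) <= BOOT_CODE_SIZE
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = b"\xDE\xAD\xBE\xEF"          # NT disk signature (arbitrary value here)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET,
                     0x80, b"\x00\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# "Clean" boot code: a short jump plus filler, standing in for the real loader (constructed).
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"\x90" * 100)
# "Infected" boot code: same length, different bytes; the partition table is untouched (constructed).
INFECTED_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"\xCC" * 100)


if __name__ == "__main__":
    for entry in parse_partition_table(CLEAN_MBR):
        print(entry)
    # Sector 0 as it really is: boot code differs, table matches.
    print(compare_mbr(INFECTED_MBR, CLEAN_MBR))
    # What a tool sees if the rootkit redirects its read to the pristine backup copy.
    print(compare_mbr(CLEAN_MBR, CLEAN_MBR))
```

The second comparison in the main block is the failure mode from the comment: a checker that can be steered to a saved copy of the original sector reports a match, so a forensic read has to go to the raw device (or to a disk image taken while the system is offline) rather than through any API the running kernel can intercept.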
  • Re:Well, DUH... (Score:3, Informative)

    by Applekid ( 993327 ) on Tuesday November 16, 2010 @04:28PM (#34247164)

    > Code signing is just a money making scheme for Microsoft cleverly disguised as a protective measure for us users. Smaller projects can not afford to have their code digitally signed by Microsoft. People have been writing workarounds for this involving spoofing the driver as being in TEST mode, but this is a hassle for the end user.

    Um, code signing can be by any trusted authority. You need not pay Microsoft for user code.

    Drivers are another story. They need to pass WHQL, but that's no big deal because it's already paid through the licensing fees collected if you want to put a Windows logo on your product certifying it's compatible with Windows. Naturally, if it's going to have the logo on the box, Microsoft wants to make sure your crappy driver doesn't cause problems that will be blamed on Windows.

    Installing unsigned drivers in testing mode is a pain in a live environment for the same very good reason you don't want to perform crash testing on a live motorway.

  • by iMouse ( 963104 ) on Tuesday November 16, 2010 @04:28PM (#34247178)

    The MBR isn't the only point of infection. TDSS also patches legitimate system files, resulting in reinfection of the MBR if the infected files on the drive are not taken care of first.

  • Once and for all... (Score:3, Informative)

    by WaroDaBeast ( 1211048 ) on Tuesday November 16, 2010 @05:00PM (#34247700)
    The nominative plural ending for Latin nouns following the second declension is -i, so if virus were a masculine noun, which it is not [wikipedia.org] ("n." means it's neutral), it would then take an i, which would give "viri." But since "virus" is neutral, its plural is "vira," so next time you wanna brag about how well you know Latin — without sounding like a fool — say that instead.

    Or you can say "viruses" if you feel like speaking English. My €0.02.


    P.S.: The only time you get that double i in the nominative plural is when you inflect a second declension masculine noun that ends in -ius, such as "filius."
  • by Myria ( 562655 ) on Tuesday November 16, 2010 @05:47PM (#34248488)

    > > Vista and 7's driver signing requirement is mainly for DRM purposes.

    > No, the driver signing requirement is for quality control purposes. 60% of Windows crashes used to be driver-related. Now, Microsoft actually requires a proof of correctness, using their Static Driver Verifier [microsoft.com], before a driver is signed.

    You're talking about the Windows Hardware Quality Labs [wikipedia.org] signature, not the kernel-mode driver signing [microsoft.com] requirement in 64-bit Vista and 7. A WHQL signature is not required in order to have a driver load, a kernel-mode driver signature is. Microsoft only does their quality testing with drivers submitted to WHQL; an appropriate VeriSign certificate is enough to get the driver to load, without any quality checking on the part of Microsoft.

    It is the kernel-mode driver signing requirement that this rootkit bypasses, not the WHQL signature.

  • by gad_zuki! ( 70830 ) on Tuesday November 16, 2010 @07:00PM (#34249354)

    You are correct. Here are the PeerGuardian people talking about this. When running 64-bit, signing is required; on 32-bit it is not.

    http://www.raymond.cc/blog/archives/2009/08/24/loading-unsigned-drivers-in-windows-7-and-vista-64-bit-x64/ [raymond.cc]
