Last-minute paper: Alureon: the first 64-bit rootkit presented at Virus Bulletin 2010

by Joe Johnson (Microsoft)

Tags: Security

URL: http://www.virusbtn.com/conference/vb2010/abstracts/LastMinute2.xml

Summary: The Alureon/TDSS family of malware has been around for years. Throughout that time, its authors have continuously updated the rootkit to evade detection by AV vendors and the monthly release of the Malicious Software Removal Tool. In July, this escalated to overwriting the MBR of the infected machine. Ominously, the installer for this version created an inert file named ldr64. In August, a new version filled in that file, and Alureon became the first 64-bit rootkit in the wild.

This presentation will cover the most recent evolution of Alureon, focusing on the latest variants that affect 64-bit machines. It will go into detail on the changes made for the 64-bit version of the malware and the move from infecting drivers to infecting the MBR. It will also discuss how these changes allow it to disable or bypass the protections that 64-bit versions of Windows normally have against untrusted kernel code and kernel modifications, such as PatchGuard.