New 64-bit rootkit bypasses kernel patch protection


DKT27

  • Administrator

Security specialist Kaspersky has discovered another rootkit with 64-bit Windows support: a variant of the Banker rootkit is targeting the access credentials of online banking customers in Brazil. The malware is injected into systems via a hole in an obsolete version of Java and first disables the Windows User Account Control (UAC) feature so that it can go about its business without being interrupted. It then installs bogus root certificates and modifies the HOSTS file in such a way that victims trying to access the banking web site are redirected to a phishing site operated by the criminals. The injected certificate prevents the browser from issuing an alert when establishing an encrypted connection to the phishing site, and the victim is left unaware. Kaspersky says that the malware also deletes a security plug-in used by various Brazilian banks.

Unusually, the malware installs a custom system driver to uninstall the security plug-in and modify the HOSTS file. On 64-bit Windows systems, this requires some effort because Microsoft's Kernel Patch Protection (PatchGuard) prevents unsigned drivers from being installed. As 64-bit Windows installations still have a relatively small market share, rootkits with 64-bit support are currently still quite rare; a 64-bit version of the Alureon/TDL rootkit was discovered last November.

Similar to Alureon, Banker uses a test mode that is actually intended to enable developers to bypass PatchGuard: the malware uses Microsoft's bcdedit.exe tool to enable the TESTSIGNING option, which makes Windows accept the test certificate for the rootkit's plusdriver64.sys driver. Microsoft originally implemented the Windows TESTSIGNING mode as an option for developers who wish to test their custom drivers on a 64-bit system before the drivers have officially been signed. The option has been part of the 64-bit versions of Windows since Vista.

[Screenshot] Unexpected helper: Microsoft's bcdedit.exe tool enables the rootkit to bypass the Kernel Patch Protection feature of 64-bit Windows systems.

View: Original Article

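Added example, not code from the article, from Kaspersky or from anyone in this thread: a small Python triage script that checks the two host-level indicators the post above describes. On x64 Windows a kernel driver only loads if its signature chains to a trusted root; the BCD `testsigning` flag that bcdedit.exe toggles is the switch that relaxes that check so a test-signed driver such as plusdriver64.sys can be loaded. The script flags that option (and the related `nointegritychecks` option) in `bcdedit /enum` output, and flags any HOSTS entry that overrides a banking domain, which is how the post says victims were steered to the phishing site. All inputs are constructed: the bank domain `examplebank.com.br` and the address 203.0.113.45 are placeholders, not values from the real sample.

```python
"""Triage for the two host-level indicators described in the post above:
a HOSTS file that overrides banking domains, and the BCD 'testsigning'
switch that lets a test-signed driver load on x64 Windows.

Added example, not code from the article or from Kaspersky. Every input
below is constructed; the bank domain and redirect address are placeholders.
"""
import ipaddress
import re

# Constructed HOSTS file in the shape the post describes: the stock loopback
# lines plus two bank hostnames pinned to an attacker-chosen address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below appended by the malware (constructed placeholders)
203.0.113.45    www.examplebank.com.br
203.0.113.45    internetbanking.examplebank.com.br
"""

# Constructed `bcdedit /enum {current}` output after `bcdedit /set testsigning on`.
SAMPLE_BCDEDIT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
locale                  en-US
osdevice                partition=C:
systemroot              \\Windows
testsigning             Yes
nointegritychecks       No
"""

# Placeholder watch list; a real deployment would load the bank's own hostnames.
WATCHED_DOMAINS = frozenset({"examplebank.com.br"})

# BCD options that weaken kernel-mode code-signing enforcement when set to Yes.
WEAKENING_OPTIONS = ("testsigning", "nointegritychecks")


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping line, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a HOSTS mapping line
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip(".")


def hijacked_bank_entries(text, watched=WATCHED_DOMAINS):
    """Return every HOSTS mapping whose hostname is a watched domain or a
    subdomain of one. A clean HOSTS file has no reason to resolve a public
    banking site at all, so any such entry overrides DNS and is an indicator
    regardless of the address it points to."""
    def is_watched(name):
        return any(name == d or name.endswith("." + d) for d in watched)
    return [(ip, name) for ip, name in parse_hosts(text) if is_watched(name)]


def parse_bcd_entry(text):
    """Parse the 'name   value' lines of one bcdedit entry into a dict.
    Header and separator lines have no run of two or more spaces, so they
    are skipped by the regex."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s{2,}(\S.*?)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def weakened_code_signing(text):
    """Return the options from WEAKENING_OPTIONS that are set to Yes."""
    settings = parse_bcd_entry(text)
    return [opt for opt in WEAKENING_OPTIONS
            if settings.get(opt, "No").strip().lower() == "yes"]


def triage(hosts_text, bcd_text):
    """Combine both checks into one findings dict."""
    return {
        "hosts_hijacks": hijacked_bank_entries(hosts_text),
        "bcd_weakened": weakened_code_signing(bcd_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HOSTS, SAMPLE_BCDEDIT).items():
        print(f"{key}: {value}")
```

On a live machine, feed `triage()` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and the output of `bcdedit /enum {current}` run from an elevated prompt. If `testsigning` comes back as Yes on a box that is not a driver-development machine, `bcdedit /set {current} testsigning off` followed by a reboot restores enforcement, but the driver that was loaded under it still has to be found and removed. The rogue root certificates the post mentions are outside what this script checks; `certutil -store Root` (and the CurrentUser store) or `Get-ChildItem Cert:\LocalMachine\Root` in PowerShell lists what is trusted so unfamiliar issuers can be reviewed.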



Hahahahaha, no matter how many locks you put on the front door, some asshole will still leave his window open :D



Peace_Angel

Hahahahaha, no matter how many locks you put on the front door, some asshole will still leave his window open :D

LOL... Ironically it's windows!

Peace



  • 5 weeks later...

Sorry to quote the whole thing above, but it's necessary for what I have to say. The one good thing it does is disable UAC. Always hated that. But on the serious side, could the people working on Sandboxie not utilize this (or a similar method) to modify the 64-bit version of Sandboxie, which has thus far remained uncracked?



Well, I guess... anyone could submit their hacked Sandboxie 64 to be digitally signed with a valid certificate, or use something like DSEO 1.3b from ngohq.com.

Or get used to pressing F8 a bunch of times... however you want to fly.

Cheers!



Hahahahaha, no matter how many locks you put on the front door, some asshole will still leave his window open :D

Isn't that usually how it works? An object is only as strong as its weakest point. That weakest point is always going to be the user doing stupid things.



  • Administrator

Sorry to quote the whole thing above, but it's necessary for what I have to say. The one good thing it does is disable UAC. Always hated that. But on the serious side, could the people working on Sandboxie not utilize this (or a similar method) to modify the 64-bit version of Sandboxie, which has thus far remained uncracked?

Yes, it was considered. But think about what happened when kernel patch protection was disabled: some malware patched the kernel. ;)



What about the DSEO utility? Could it be used by the medicine makers to patch and then sign the 64-bit driver and distribute that instead of the patch itself? It was mentioned here.

Have the people making medicine tried out the DSEO tool/utility? It was pointed out by bgood in this thread.


  • Administrator

What about the DSEO utility? Could it be used by the medicine makers to patch and then sign the 64-bit driver and distribute that instead of the patch itself? It was mentioned here.

Have the people making medicine tried out the DSEO tool/utility? It was pointed out by bgood in this thread.

It does the same: disable kernel patch protection. :)



But my point is: disable kernel patch protection on one system, patch the driver, then use this tool to sign the driver, then distribute that patched driver and not the patch itself. Will the driver then work on every PC? This way kernel protection won't have to be disabled on every PC that is using the patched x64 Sandboxie.

I'm sorry, I don't really know what has or has not already been tried by you guys, just sharing what comes to mind ;)

There are more ideas in this discussion and here

and here

http://samsclass.info/335/proj/PX11_ch5_SigningApps.doc

It's basically a method for self-signing applications, but it could potentially work for drivers as well!

__________________________________________

There hasn't been any feedback on the above! Has everything I posted up there been tried? Or is nobody interested in reading or trying? I would like some feedback, because I've been trying to help with Sandboxie x64 even though I don't use Sandboxie myself!



  • 1 month later...

This topic is now archived and is closed to further replies.