Alureon: The First 64-Bit Windows Rootkit

Driver abject (82bdc3aO) ... 10 RegistepPIugPIayNotif icat ion . øøøøøøøl ... TEST—PC here are no fixed disks to ISKPART>...

17 downloads 489 Views 6MB Size
Something old, something new.

Something old, something new.

Contents of the virtual file system

ldr64 empty!

Phew!

The 64-bit Rootkit

MBR

Ldr16 – int13h hook

Finding kdcom.dll

Other int13h patches

Other int13h patches continued

Other int13h patches continued

Ldr64 fake KD communications DLL

Ldr64 fake KD communications DLL

Ldr64 fake KD communications DLL cont.

No, seriously, how does it load?

http://blogs.technet.com/b/mmpc/archive/2010/08/27/alu reon-evolves-to-64-bit.aspx http://www.microsoft.com/security/portal/Threat/Encyclop edia/Entry.aspx?Name=Trojan%3aDOS%2fAlureon.A http://www.kernelmode.info/forum/viewtopic.php?f=16&t =19

http://www.drweb.com/static/BackDoor.Tdss.565_%28aka% 20TDL3%29_en.pdf