Kaspersky Lab detects new rootkits

Rootkits can attack 32- and 64-bit Windows machines, contain code to attack Mac

Kaspersky Lab has detected new rootkits that are able to attack both 32- and 64-bit Windows systems as well as Mac.
By Georgina Enzer. Published June 5, 2011

Kaspersky Lab has detected multi-purpose rootkits capable of posing a threat to both 32- and 64-bit Windows systems.

Rootkits are malicious programmes that mainly exist in the form of drivers and can run at the kernel level of an operating system and load when the system boots. This makes rootkits difficult to detect using standard protection tools, according to Kaspersky.

The 64-bit rootkit found by the security software company does not try to bypass the PatchGuard kernel protection system, but uses a special digital signature for software developers instead.

The rootkit is distributed via a downloader, which also tries to install other malicious software to a user's computer.

One of the rootkit variants found by Kaspersky's experts attempts to download and install so-called Rogue or Fake antivirus software for the Mac OS X operating system, along with other malware.

This attack, which would not work on Windows devices, demonstrates cybercriminals' growing interest in operating systems other than Windows.

The rootkits are propagated via a downloader, which uses a pack of exploits called "BlackHole Exploit Kit".

A user's computer is infected when it visits a website hosting the downloader; a number of vulnerabilities in common software such as the Java Runtime Environment and Adobe Reader are then used to attack the target machine.

The downloader can infect both 32-bit and 64-bit Windows systems with one of the two rootkits.

"The 64-bit driver is signed with something called a 'testing digital signature'. If Windows - Vista and higher - were to be booted in 'TESTSIGNING' mode, the applications can launch the drivers signed with such a signature. This is a special trap-door which Microsoft has left for driver developers so they can test their creations. Cybercriminals have also made use of this loophole which allows them to launch their drivers without a legitimate signature," said Alexander Gostev, chief security expert at Kaspersky Lab. "This is another example of a rootkit which does not need to bypass the PatchGuard protection system included in the latest Windows x64 systems."
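The TESTSIGNING boot option Gostev refers to is visible in the local boot configuration, so an administrator can audit a machine for it. The following PowerShell script is an added example written for this article; it is not code from Kaspersky Lab or from the rootkit. It assumes an elevated PowerShell session on Windows Vista or later, because bcdedit.exe will not enumerate the boot store otherwise, and it relies on bcdedit printing a `testsigning` line for the current boot entry only when that option has been set.

```powershell
# Added example, not part of the article or of Kaspersky Lab's tooling.
# Audits the boot entry the running OS started from for the TESTSIGNING
# option, under which Windows Vista and later will load kernel drivers that
# carry only a test-signing certificate. Assumes an elevated session.

function Get-TestSigningState {
    [CmdletBinding()]
    param()

    # '{current}' selects the boot entry used for the running OS.
    $output = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit.exe failed; run this from an elevated prompt. Output: $output"
    }

    foreach ($line in $output) {
        # bcdedit lists the 'testsigning' element only once it has been set;
        # when the line is absent the option is at its default (off).
        if ("$line" -match '^\s*testsigning\s+(\S+)\s*$') {
            # Non-English Windows localises the Yes/No value, so RawValue is
            # returned as well for a human to inspect if Enabled looks wrong.
            return [pscustomobject]@{
                Present  = $true
                RawValue = $Matches[1]
                Enabled  = ($Matches[1] -eq 'Yes')
            }
        }
    }
    return [pscustomobject]@{ Present = $false; RawValue = $null; Enabled = $false }
}

function Disable-TestSigning {
    # Clears the option; supports -WhatIf / -Confirm so it can be dry-run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('{current}', 'bcdedit /set testsigning off')) {
        & bcdedit.exe /set '{current}' testsigning off
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set testsigning off failed' }
        Write-Warning 'TESTSIGNING cleared; the change takes effect at the next boot.'
    }
}

$state = Get-TestSigningState
if ($state.Enabled) {
    Write-Warning "TESTSIGNING is on (value '$($state.RawValue)'): test-signed drivers will load at boot."
} else {
    Write-Output 'TESTSIGNING is off: only drivers with a production signature will load.'
}
```

A machine booted with TESTSIGNING on also shows a "Test Mode" watermark in the corner of the desktop, which is a quick visual check on a workstation; the script is the form that can be run across a fleet. On a developer machine the option may be legitimately present, so treat a positive result as something to confirm with the owner rather than as proof of compromise, and run `Disable-TestSigning -WhatIf` first to see what would change.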

Both rootkits block users' attempts to install or run anti-malware programmes and intercept and monitor system activity to protect them from detection.

Not only does the rootkit leave the PC vulnerable to attack; the downloader also tries to obtain and execute further malicious code, including the Rogue AV for Mac OS X.

This fake antivirus is known as Hoax.OSX.Defma.f and is one of the emerging threats for Mac OS X, which is increasingly being targeted by cybercriminals.
