  1. #1 CLiNT (Super Moderator)
    DRIVE IMAGING
    Invest a little time and energy in a well thought out BACKUP regimen and you will have minimal down time, and headache.

    Build your own system; get everything you want and nothing you don't.
    Latest Build:
    ASUS X99 Deluxe, Core i7-5960X, Corsair Hydro H100i, Plextor M6e 256GB M.2 SSD, Corsair DOMINATOR Platinum 32GB DDR4@2666, W8.1 64 bit,
    EVGA GTX980, Seasonic PLATINUM-1000W PSU, MountainMods U2-UFO Case, and 7 other internal drives.

  2. #2 Deadeye81 (Super Moderator)
    Thanks for the links, Clint. I tried the detection procedure in link 2 and I am happy to report I do not have that ugly 64 bit Alureon rootkit!
    Deadeye81

    "We make a living by what we get, we make a life by what we give." Sir Winston Churchill

  3. #3 CLiNT (Super Moderator)
    Here is an article on that Alureon 64 bit rootkit:

    First rootkit targeting 64-bit Windows spotted in the wild
    Zeljka Zorz, HNS News Editor
    Posted on 27.08.2010

    Alureon rootkit is back, and has acquired the ability to hijack computers running 64-bit versions of Microsoft Windows, proclaimed Marco Giuliani, security researcher with security company Prevx.

    Alureon (also known as TDL and Tidserv) garnered a lot of attention back in February when it was discovered that it was behind the system crashes occurring after infected users tried to update their Windows OS.

    It seems that at that point in time, the rootkit was unable to bypass the security features that made the 64-bit versions of Windows Vista and 7 more secure than their 32-bit counterparts - namely the Kernel Mode Code Signing and Kernel Patch Protection.

    The Kernel Mode Code Signing does not permit digitally unsigned drivers to access the kernel memory region (and kernel mode rootkits are often not), and the Kernel Patch Protection prevents kernel mode drivers from modifying sensitive areas of the Windows kernel. But, both protection mechanisms can be obviously bypassed by this new version of Alureon, which patches the Master Boot Record in order to intercept Windows startup routines and then loads its driver.

    "The rootkit needs administrative privileges to infect the Master Boot Record. Even then, it still cannot load its own 64 bit compatible driver because of Windows's kernel security. So, the dropper forces Windows to immediately restart. This way, the patched MBR can do the dirty work," says Giuliani.

    Well, Windows restarting "by itself" like that seems to me like a good sign to start worrying.

    Giuliani also points out that this is not the first rootkit to be able to pass those security roadblocks - a bootkit named Whistler has been spotted being offered for sale on various underground markets some time ago - but this is the first time that the use of such a rootkit has been detected in the wild. According to him, the era of x64 rootkits has officially dawned.


    See the full article for other links et al.

  4. #4 RetiredGeek (Super Moderator)
    Clint,

    Thanks gets a thumbs-up from me.
    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!

    My Systems: Desktop Specs
    Laptop Specs

  5. #5 JA Parrot (Lounger)
    Hello Clint.


    >>> Alureon rootkit is back.

    Have you had a look at your BIOS options lately? Mine, Phoenix, has on the 3rd line menu, again on 3rd line when this menu opens, an option to protect the MBR from any virus. If set to ON, it will open a dialog and sound an alarm if anything is attempting to modify your MBR.

    Would you know if this is enough to protect against Alureon? Has it, Alureon, the capability to circumvent this protection at all? All my machines, only desktops, are so protected to "ON" regarding this BIOS option. I have not seen it in laptops.

    Have a great day. JP.

  6. #6 CLiNT (Super Moderator)
    Quote Originally Posted by JA Parrot:
    > Hello Clint.
    >
    > >>> Alureon rootkit is back.
    >
    > Have you had a look at your BIOS options lately? Mine, Phoenix, has on the 3rd line menu, again on 3rd line when this menu opens, an option to protect the MBR from any virus. If set to ON, it will open a dialog and sound an alarm if anything is attempting to modify your MBR.
    >
    > Would you know if this is enough to protect against Alureon? Has it, Alureon, the capability to circumvent this protection at all? All my machines, only desktops, are so protected to "ON" regarding this BIOS option. I have not seen it in laptops.
    >
    > Have a great day. JP.

    I have not previously been aware of a BIOS option. I'll have to look into it.
    Thanks for the info.
    CLiNT

  7. #7 JA Parrot (Lounger)
    Clint, you made my day . . .

    >>> I have not previously been aware of a bios option. I'll have to look into it.

    Did you, and what did you find? My BIOS is a Phoenix one, dated 2007 on this Acer.

    I have seen this on a lowly P4 too; it has a BIOS option: Boot Virus Protection set to "Enable". It offers a virus-free boot??? The BIOS is an Award Medallion, dated 05/03/02 as per Everest.

    Are we having fun yet? Jean.

  8. #8 CLiNT (Super Moderator)
    Here is another decent article on the topic of Rootkits, it's a tad bit dated, but fundamentally relevant:

    Excerpts from the book titled "Rootkits: Subverting the Windows Kernel" By Greg Hoglund & Jamie Butler.
    Chapter 1 - The Basics of Rootkits: Leave No Trace

    This chapter is excerpted from the book titled "Rootkits: Subverting the Windows Kernel" By Greg Hoglund, Jamie Butler, published by Addison-Wesley Professional. ISBN: 0321294319; Published: Jul 22, 2005; Copyright 2006; Dimensions 7-3/8x9-1/4 ; Pages: 352; Edition: 1st. To see a complete table of contents, please visit: http://www.informit.com/store/product.aspx?isbn=0321294319

  9. #9 Medico (Plutonium Lounger)
    Thanks Clint. My laptop is also uninfected. Good to know though.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted


    Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
    Win 8 Pro (64 Bit), IE 10 (64 Bit)


    Complete PC Specs: By Speccy

  10. #10 JA Parrot (Lounger)
    Hello Clint.

    >>> >>> I have not previously been aware of a bios option. I'll have to look into it.

    This was in regards to a BIOS MBR lock. Did you look into it?

    Curious mind wants to know. Jean.

  11. #11 CLiNT (Super Moderator)
    Quote Originally Posted by JA Parrot:
    > Hello Clint.
    >
    > >>> >>> I have not previously been aware of a bios option. I'll have to look into it.
    >
    > This was in regards to a BIOS MBR lock. Did you look into it?
    >
    > Curious mind wants to know. Jean.

    I don't appear to have any kind of BIOS MBR protection setting in my BIOS.

  12. #12 JA Parrot (Lounger)
    Hello Clint.

    >>> I don't appear to have any kind of BIOS MBR protection setting in my BIOS.

    Let me guess, you are on a laptop. I have not seen this in a laptop BIOS, whereas I see the HD password protection in all my laptops. Why the differences? Keeps us awake.

    Search a desktop to see, maybe. Jean.

  13. #13 CLiNT (Super Moderator)
    Quote Originally Posted by JA Parrot:
    > Hello Clint.
    >
    > >>> I don't appear to have any kind of BIOS MBR protection setting in my BIOS.
    >
    > Let me guess, you are on a laptop. I have not seen this in a laptop BIOS, whereas I see the HD password protection in all my laptops. Why the differences? Keeps us awake.
    >
    > Search a desktop to see, maybe. Jean.

    Nope, not on my desktop.

  14. #14 JA Parrot (Lounger)
    Hello, Clint.

    >>> I don't appear to have any kind of BIOS MBR protection setting in my BIOS.

    > Let me guess, you are on a laptop.

    : Nope, not on my desktop

    Very strange! All my desktops have this in BIOS. On the P4 machine, Del to go into the BIOS -> Boot menu -> Boot Virus Detection = Enabled. (Select Enable to ensure a virus-free boot sector.) This is on an AwardBIOS. I am surprised that you do not have this option; this is a prima protection, in my mind.

    Of course, I am not pretending to show you how to handle your BIOS. Jean.

  15. #15 JA Parrot (Lounger)
    Me again, Clint.

    I shut off the Acer to get into its BIOS and I am on the P4 to report it.

    The Acer, a more recent machine, has a Phoenix - Award BIOS. On its third line, "Advanced BIOS Features", it takes me to the next menu and again on its third line, I find:
    Virus Warning = Enabled. An Enter shows in Item Help pane : Allows you to choose the VIRUS warning feature for IDE Hard Disk boot sector protection. If this is enabled and someone attempts to write data into this area, BIOS will show a warning message on screen and alarm will beep.

    Is this not the cat's whiskers?
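    Added example (not from this thread, the HNS article, or any vendor tool): the two things the thread circles around are a rootkit that rewrites the MBR bootstrap code (post #3) and a BIOS option that warns when something writes to the boot sector (posts #5 and #15). A complementary software-side check is to keep a known-good copy of the 512-byte MBR and compare the current sector against it, field by field, so that a changed bootstrap area stands out even when the partition table is untouched. The sector bytes below are constructed for the demonstration and are not a real boot sector; `read_mbr` is the only part that touches hardware and is not called by default. Two caveats a practitioner would want: the BIOS boot-sector warning only sees writes that go through the BIOS's own real-mode disk services, which a running Windows kernel does not use, and a kernel-level rootkit can filter disk reads from inside the infected system, so the baseline comparison is most trustworthy when run from clean offline boot media.

```python
"""Baseline integrity check for a 512-byte MBR (added example).

Layout used here: bootstrap code at 0..439, 4-byte disk signature at
440..443, two padding bytes, four 16-byte partition entries at 446..509,
and the 0x55AA boot signature at 510..511.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
BOOT_SIG = b"\x55\xaa"


def read_mbr(device_path):
    # Reads the first sector of a raw device, e.g. r"\\.\PhysicalDrive0"
    # on Windows (administrator rights needed) or "/dev/sda" on Linux.
    # Not called by default; the sample data below is used instead.
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def parse_mbr(sector):
    """Split a raw sector into the fields a baseline comparison cares about."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a %d-byte sector" % MBR_SIZE)
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def compare_to_baseline(current, baseline):
    """Return human-readable findings; an empty list means nothing changed."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        findings.append("bootstrap code changed (offsets 0-439)")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


# --- constructed sample data, not a real boot sector ----------------------
def build_sample_mbr():
    bootstrap = (bytes(range(256)) * 2)[:BOOTSTRAP_LEN]  # placeholder bytes
    disk_sig = b"\x11\x22\x33\x44"
    pad = b"\x00\x00"
    # one bootable partition of type 0x07 starting at LBA 2048
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48
    return bootstrap + disk_sig + pad + table + BOOT_SIG


GOOD_MBR = build_sample_mbr()
# A copy whose first 16 bootstrap bytes were overwritten while the
# partition table is untouched: the shape of a bootstrap-only change.
CHANGED_MBR = b"\x00" * 16 + GOOD_MBR[16:]

if __name__ == "__main__":
    print(parse_mbr(GOOD_MBR))
    print(compare_to_baseline(GOOD_MBR, GOOD_MBR))
    print(compare_to_baseline(CHANGED_MBR, GOOD_MBR))
```

    In use, the baseline sector is captured once from a machine known to be clean (ideally while booted from external media), stored off the machine, and the comparison is re-run on a schedule or after any unexplained reboot of the kind the article describes.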
