What Next? A 64-bit Windows Rootkit
To say that rootkits present more risk than any other type of malware is hardly debatable. Estimates saying that one out of every five Windows systems on the Internet are infected with some kind of rootkit or another are not uncommon, and although proof is hard to come by, these estimates are probably not unreasonable. As bad as the rootkit problem has been, we have to some extent been spared because to the best of our knowledge, rootkits for 64-bit operating systems have not been developed–at least until now.
The TDL3 rootkit is viewed by many malware experts as the most sophisticated rootkit to surface in real-world settings. It has fared very well in its efforts to avoid detection and eradication by anti-virus software. Yet previous versions of this rootkit have been limited by several protection mechanisms that Microsoft has built into recent versions of Windows operating systems (e.g., the 64-bit versions of Vista and Windows 7:
1. A very systematic digital signature check keeps rogue drivers out of kernel memory. A driver must be digitally signed if it is to be loaded into kernel memory. Because malicious code is almost never digitally signed, rogue drivers are prevented from getting where they need to be to hook kernel memory processes.
2. Windows Kernel Patch Protection (“PatchGuard”) prevents kernel mode drivers from changing anything within the Windows kernel, including the System Service Descriptor Table (SSDT), Interrupt Descriptor Table (IDT), and the kernel code itself.
3. In Windows systems one must run as the Administrator to be able to install code. Both Vista and Windows 7 do not by default allow users to run as the Administrator.
What is different about the version of TDL3 that targets 64-bit Windows systems is that it gains control very early during the boot sequence–by altering the Master Boot Record (MBR) as the target system is booting so that it can intercept and take ownership of routines that run during boot time and then load its own malicious drivers. This enables the latest version of TDL3 to circumvent the first two of the Windows protection mechanisms described above. But there is still another barrier that this rootkit faces–having the Administrative privileges needed to infect the MBR. Unless the user on the targeted machine throws all caution to the wind and logs on as the Administrator, the 64-bit targeting version of TDL3 cannot do its dire deeds. But it gets around this barrier by causing the targeted host to restart, thereby getting the maliciously altered MBR to be read and loaded before other processes can intervene.
The presence of a rootkit that targets 64-bit Windows OSs is a very significant and frightening development. Other similar rootkits are bound to follow–quickly. Not only will many more Windows systems become infected, but once again the anti-virus vendors will be left standing flatfooted, wondering what to do. Unfortunately, the bad guys keep showing just how far they are ahead of the white hat community, and there appears to be no easy and cheap way to remedy this sad situation.