64-bit versions of Microsoft Windows were considered resistant to kernel-mode rootkits because of the integrity checks the system performs on kernel code. However, there are now examples of malware that use methods to bypass the security mechanisms implemented. This presentation focuses on security issues of the x64 architecture, specifically the kernel-mode code signing policy and the techniques modern malware uses to bypass it. We analyze the techniques used by modern in-the-wild rootkits to penetrate the kernel-mode address space:
- Win64/Olmarik (TDL4)
- Win64/TrojanDownloader.Necurs (rootkit dropper)
- NSIS/TrojanClicker.Agent.BJ (rootkit dropper)
Special attention is given to the Win64/Olmarik (TDL4) bootkit, as the most prominent example of a kernel-mode rootkit aimed at 64-bit Windows systems. We detail the notable features of TDL4 compared with its predecessors (TDL3/TDL3+): the development of its user-mode components, the kernel-mode rootkit techniques used to bypass HIPS, the hidden file system, and the bootkit functionality. Finally, we describe possible approaches to disinfecting an infected computer and present a free forensic tool for dumping the hidden TDL file system.
30. Boot Process [diagram: BIOS initialization (BIOS services) -> MBR -> boot loader -> early kernel initialization -> full kernel initialization (kernel services) -> first user-mode process; CPU mode labels: real mode, protected mode; underlying layer: hardware]
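A bootkit such as TDL4 inserts itself into this chain at the MBR stage, so a forensic baseline of the MBR is a practical integrity check. The following is an added example (not code from the presentation or from ESET's tools) that parses a 512-byte MBR, hashes its boot-code region and compares it with a known-good baseline; the sample MBRs and the baseline hash are constructed inline, and on a live system the 512 bytes would come from reading the first sector of the boot disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # boot code occupies bytes 0..445
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"      # boot signature at bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR sector into boot-code hash, partition entries and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible bootkit-modified MBR)")
    return findings


def build_mbr(boot_code: bytes, partitions: list, signature: bytes = SIGNATURE) -> bytes:
    """Assemble a 512-byte MBR from boot code, (status, type, lba, sectors) tuples and signature."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + table + signature


# Constructed sample data: a "clean" MBR with one bootable NTFS-type partition,
# and a "tampered" copy whose boot code has been replaced.
CLEAN_PARTITIONS = [(0x80, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(b"\xEB\xFE", CLEAN_PARTITIONS)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_mbr(b"\x90" * BOOT_CODE_LEN, CLEAN_PARTITIONS)
```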
68. Manually load drv32/drv64. Reference: "TDL4 Analysis Paper: a brief introduction and How to Debug It", Andrea Allievi, http://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf
89. BIOS controls the boot process, but who controls it?
91. HiddenFsReader as a Forensic Tool. Retrieves the content of the malware's hidden file system. Supported malware: TDL3/TDL3+, TDL4; ZeroAccess (will be added soon). Download: http://eset.ru/tools/TdlFsReader.exe; demo video: http://www.youtube.com/watch?v=iRpp6vn2DAE