How To Detect A 64-bit Alureon Rootkit Infection
Alureon, also known as TDL, TDL3 and Tidserv, is the first rootkit that can infect 64-bit Windows PCs. Before that, only 32-bit systems were affected by rootkits, and many Windows users realized that in February, when the Microsoft patch MS10-015 caused infected machines to display a blue screen. It was not Microsoft's fault, as professionals and users alike had first assumed; it turned out after some research that the TDL3 rootkit was responsible for that behavior.
The developers of the rootkit have improved it considerably since then, and managed to add the capability to infect 64-bit Windows systems. That’s a first, and security vendors are alarmed about that trend.
However, the authors of these attacks have not been resting. Just under a month ago, we became aware of a new variant of Alureon that infects the Master Boot Record (MBR) instead of an infected driver. While this new variant did not affect 64-bit machines, it had an inert file called ldr64 as part of its virtual file system. More recently, we discovered an updated variant that successfully infected 64-bit machines running Windows Vista or higher, while rendering 64-bit Windows XP and Server 2003 machines unbootable.
Many security companies have already added detection of the 64-bit variant to their security applications; Microsoft, for instance, added signatures to Microsoft Security Essentials at the beginning of August.
Still, owners of 64-bit Windows may want to verify for themselves that the rootkit is not installed on their operating system. As the information above suggests, Windows XP and Windows Server 2003 owners will immediately notice that something is wrong, as their operating system will fail to boot. Windows Vista and Windows 7 64-bit users should read on.
There are at least two ways to do that, both with tools already included in the operating system:
Open a command prompt by pressing Windows-R, typing cmd and pressing Enter.
Run the command diskpart to open Diskpart in a new command line window.
Enter lis dis (the short form of list disk) at the new prompt. If the output remains empty, the computer is infected with the rootkit; if the disks are listed, it is not.
[Screenshots: diskpart output on a clean system, where the disks are listed (good), versus an infected system, where the list is empty (bad)]
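The diskpart check above can be run non-interactively. The following PowerShell script is an added example, not code from the gHacks post or from any vendor: it feeds "list disk" to diskpart through a script file and counts the disk lines in the output. It assumes an elevated prompt (diskpart requires administrator rights) and an English-language diskpart, whose disk lines start with "Disk" followed by a number.

```powershell
# Added example (not from the original post): automates the "list disk"
# check. Run from an elevated PowerShell prompt on 64-bit Vista/7.

function Test-DiskpartEnumeratesDisks {
    # diskpart /s reads its commands from a file; "list disk" is the long
    # form of the "lis dis" command used in the manual procedure.
    $scriptFile = Join-Path $env:TEMP 'listdisk-check.txt'
    Set-Content -Path $scriptFile -Value 'list disk' -Encoding ASCII
    try {
        $output = & diskpart.exe /s $scriptFile 2>&1 | Out-String
    } finally {
        Remove-Item $scriptFile -ErrorAction SilentlyContinue
    }

    # A healthy system prints one line per disk, e.g.
    #   "  Disk 0    Online   232 GB   0 B"
    # The column header "Disk ###" has no digits, so it is not counted.
    # Assumes English output; localized builds label the column differently.
    $diskLines = @($output -split "`r?`n" | Where-Object { $_ -match '^\s*Disk\s+\d+' })

    [pscustomobject]@{
        DiskCount = $diskLines.Count
        RawOutput = $output
    }
}

$result = Test-DiskpartEnumeratesDisks
if ($result.DiskCount -eq 0) {
    # Matches the symptom described in the post: diskpart sees no disks.
    Write-Warning 'diskpart listed no disks. This matches the 64-bit Alureon/TDL symptom; confirm with Disk Management before cleaning.'
} else {
    Write-Host "diskpart listed $($result.DiskCount) disk(s); the rootkit symptom is not present."
}
```

Save the raw output ($result.RawOutput) alongside the result if you need to document the check later.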
The second option to detect the 64-bit rootkit is the following: Launch Disk Management from the Computer Management pane.
If it does not show disks, it means the system is infected with the rootkit. If it shows disks, everything is fine.
[Screenshot: Disk Management on an infected system, showing no disks]
Additional information is available at Technet and Symantec.
How to Remove the Rootkit if the system is infected:
Several programs are able to remove the rootkit and repair the MBR so that the system boots normally after the repair.
Hitman Pro Beta 112 and later can do it, for instance.
© Martin for gHacks Technology News, 2010.
Submitted on Wednesday, September 1st, 2010 at 1:00 pm under Technologies by samantha