Joe Johnson, Microsoft
The Alureon/TDSS family of malware has been around for years. Throughout that time, its authors have continuously updated the rootkit to evade detection by AV vendors and by the monthly release of the Malicious Software Removal Tool. In July, this had escalated to overwriting the MBR of the infected machine. Ominously, the installer for this version created an inert file named ldr64. In August, a new version filled in that file, and Alureon became the first 64-bit rootkit in the wild.
This presentation will cover the most recent evolution of Alureon, focusing on the latest variants that affect 64-bit machines. It will go into detail on the changes made for the 64-bit version of the malware and on the move from infecting drivers to infecting the MBR. It will also discuss how these changes allow it to disable or bypass the protections that 64-bit versions of Windows normally have against untrusted kernel code and kernel modifications, such as PatchGuard.