Last-minute paper: Alureon: the first 64-bit rootkit

Joe Johnson Microsoft

  download slides (PDF)

The Alureon\TDSS family of malware has been around for years. Throughout that time, its authors have been continuously updating the rootkit to evade detection by AV vendors and the monthly release of the Malicious Software Removal Tool. In July, this had escalated to overwriting the MBR of the infected machine. Ominously, the installer for this version created an inert file named ldr64. In August, a new version filled in that file, and Alureon became the first 64-bit rootkit in the wild.

This presentation will cover the most recent evolution of Alureon, focusing on the latest variants that affect 64-bit machines. It will go into detail on the changes made for the 64-bit version of the malware and the move from infecting drivers to infecting the MBR. It will also discuss how these changes allow it to disable or bypass the protections 64-bit versions of Windows normally have against untrusted kernel code and modifications such as Patchguard.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.