Uroburos Malware Defeats Microsoft's PatchGuard

  • 11 March 2014
  • 8 replies
  • 1422 views

Userlevel 7
Badge +54
Introduced years ago for 64-bit editions of Windows XP and Windows Server 2003, Microsoft's Kernel Patch Protection, or PatchGuard, is designed to prevent malware attacks that work by modifying essential parts of the Windows kernel. If a rootkit or other malicious program manages to tweak the kernel, PatchGuard deliberately crashes the system. This same feature made life tough for antivirus vendors, as many of them relied on benignly patching the kernel to improve security; they've since adapted. However, a new report from G Data states that a threat called Uroburos can bypass PatchGuard.

Hooking Windows
Rootkits hide their activities by hooking various Windows internal functions. When a program calls on Windows to report the files present in a folder, or the values stored in a Registry key, the request goes first to the rootkit. It in turn calls the actual Windows function, but strips out all references to its own components before passing along the information.

G Data's latest blog post explains how Uroburos gets around PatchGuard. A function with the bulky name KeBugCheckEx deliberately crashes Windows if it detects this kind of kernel hooking activity (or several other suspect activities). So, naturally, Uroburos hooks KeBugCheckEx to hide its other activities.
 
Full Article
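The detection side of the hooking the article describes, as an added example that is not from the article, G Data or Microsoft: PatchGuard's core check is comparing kernel code in memory against a known-good copy, and rootkit scanners do the same thing from the defender's side by diffing a function's prologue against its on-disk bytes and classifying any patch. The byte strings below are constructed for illustration, not dumps from any real driver.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What the first bytes of a function look like, compared with a reference. */
typedef enum {
    HOOK_NONE = 0,        /* prologue matches the reference copy */
    HOOK_JMP_REL32,       /* E9 rel32: relative jump to a trampoline */
    HOOK_JMP_INDIRECT,    /* FF 25 disp32: jmp [rip+disp32] through a pointer */
    HOOK_MOV_RAX_JMP,     /* 48 B8 imm64 ; FF E0: absolute jump via rax */
    HOOK_PATCHED_OTHER    /* bytes differ from reference, pattern not known */
} hook_kind_t;

/* Compare the live prologue against the reference copy (e.g. the bytes of the
 * same function read from the on-disk image). Any difference means the code
 * was patched; the leading bytes are then matched against the instruction
 * sequences inline hooks most commonly begin with. */
hook_kind_t classify_prologue(const uint8_t *live, const uint8_t *ref, size_t len)
{
    if (memcmp(live, ref, len) == 0)
        return HOOK_NONE;
    if (len >= 5 && live[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (len >= 6 && live[0] == 0xFF && live[1] == 0x25)
        return HOOK_JMP_INDIRECT;
    if (len >= 12 && live[0] == 0x48 && live[1] == 0xB8 &&
        live[10] == 0xFF && live[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    return HOOK_PATCHED_OTHER;
}

/* Constructed samples: a typical x64 prologue (mov [rsp+8],rbx / push rdi /
 * sub rsp,20h / nop nop) as the clean reference, then the same region as it
 * would look after each hook pattern overwrote its first instructions. */
static const uint8_t ref_prologue[12]    = { 0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20, 0x90,0x90 };
static const uint8_t hooked_rel32[12]    = { 0xE9,0x11,0x22,0x33,0x44, 0x57, 0x48,0x83,0xEC,0x20, 0x90,0x90 };
static const uint8_t hooked_indirect[12] = { 0xFF,0x25,0x00,0x00,0x00,0x00, 0x48,0x83,0xEC,0x20, 0x90,0x90 };
static const uint8_t hooked_movrax[12]   = { 0x48,0xB8,0x00,0x10,0x00,0x00,0x80,0xFF,0xFF,0xFF, 0xFF,0xE0 };
static const uint8_t hooked_other[12]    = { 0xCC,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20, 0x90,0x90 };

int main(void)
{
    printf("clean=%d rel32=%d indirect=%d movrax=%d other=%d\n",
           classify_prologue(ref_prologue, ref_prologue, 12),
           classify_prologue(hooked_rel32, ref_prologue, 12),
           classify_prologue(hooked_indirect, ref_prologue, 12),
           classify_prologue(hooked_movrax, ref_prologue, 12),
           classify_prologue(hooked_other, ref_prologue, 12));
    return 0;
}
```

A scanner built on this would walk the exported functions of ntoskrnl and loaded drivers and apply the same comparison to each; a mismatch on a function such as KeBugCheckEx is exactly the condition the article describes.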

8 replies

Userlevel 7
Hi Jasper
 
Thanks for posting...this is scary given the potential ramifications...gulp
 
Regards, Baldrick
Userlevel 7
Badge +62
Yes Jasper you certainly are on top of the security news...thanks
Userlevel 5
This is scary 😞
Userlevel 7
Badge +56
Have no fear Webroot SecureAnywhere is here! :D
 
Really!
 
Daniel
 
Userlevel 7
Badge +62
Now I can see why you have a MVP sticker ...funny guy....you should get paid for these graphic icons!
Userlevel 7
Badge +54
Security researchers from BAE Systems and G-Data recently shared research on a cyber-espionage toolkit called Snake (also referred to as Turla or Uroburos) that was used in attacks against targets in the Ukraine, Lithuania, Great Britain, the United States and other nations.

According to BAE Systems, the malware is the work of a technically sophisticated and well-organized group. However, BAE did not say exactly who is behind the campaign or who might be paying them despite evidence linking these tools to previous breaches connected to Russian threat actors.

While BAE determined there was a connection between the authors of Snake and Agent.BTZ, Kaspersky Lab has dug a little deeper and found some interesting pieces.

As background, Agent.btz was highlighted by the media in late 2008 after it was found being used to infect US military networks.
 
Full Article
Userlevel 7
Thanks for the news! :D
However I must say I'm calm and feel very safe with Webroot on my board ;)
 
Cheers,
 
Mike
Userlevel 7
Badge +6
Can Webroot offer any perspective on their product's susceptibility to a threat that uses these specific methods to root and maintain the root of the OS? I'm specifically interested in explaining how you handle threats that load and then exploit signed, reputable drivers. Also, at which point in this process does your sandboxing and/or journaling end?
 
I recognize some of these questions delve into the actual architecture of Windows and require understanding of it to interpret an answer. You do not need to do this, and do not need to expand on the subject at all if there isn't anything unusual in your approach, especially when it comes to when your abilities are limited by Microsoft's provided suite of APIs.