http://news.techworld.com/security/3513668/tdl4-rootkit-can-be-modified-pwn-any-security-product-bromium-researchers-discover/
By John E Dunn
Techworld
28 April 2014
Kernel-mode rootkits are more viable than has been realised and could be
used to bypass more or less any security product in existence, researchers
at Bromium have discovered after conducting a proof-of-concept attack
using a modified variant of the infamous TDL4 malware.
Due to be presented in more detail by the firm at this week’s Security
BSides event in London, the research involved 'tweaking' the TDL4 variant
that had appeared to take advantage of the Windows kernel privilege-escalation
zero day (CVE-2013-3660), discovered in June last year.
With a new payload, the result was something lethal enough to overcome a
variety of the security layers the team tested it against, such as
antivirus, sandboxes and intrusion prevention, making it a sort of "Swiss
Army knife" attack hiding behind ring zero.
"While many were aware of the discovery of the TDL4 rootkit rumoured to be
using kernel exploit code at the end of last year, few paid it any serious
attention. And that was a huge error of judgement," said Bromium’s head of
security, Rahul Kashyap.
[...]
--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/