Microsoft: Alureon Rootkit Now Targeting 64-Bit PCs
Microsoft's security team noted late last week that variants of the Alureon rootkit are now capable of infecting 64-bit Windows systems.
Microsoft cited success battling the Win32/Alureon rootkit back in May, when it reported that Microsoft's Malicious Software Removal Tool (MSRT) had cleaned 361,069 computers of the malware. To date, this family of malware has been removed from more than 1.2 million machines by the MSRT software, Microsoft's security team announced on Friday.
Most of the infections reported in May were detected in the United States (50 percent), followed by the United Kingdom (less than 10 percent) and Canada (around 2 percent).
Most of the infected machines were likely 32-bit PCs, which are more prevalent than 64-bit machines. Security researchers have typically suggested that 64-bit machines are less susceptible to malware because of architectural differences.
However, it seems that the Alureon malware makers are getting ready as users upgrade to 64-bit machines. Microsoft found evidence that those creating variants of the Alureon rootkit are now tailoring it to attack 64-bit PCs.
Windows XP systems, in either their 32-bit or 64-bit editions, have been particularly targeted by this rootkit. For instance, Microsoft found that 77 percent of the Alureon attacks were on XP systems. The attack is fairly lethal, too. The new 64-bit rootkit variants are capable of "rendering 64-bit Windows XP and Server 2003 machines unbootable," according to Microsoft's security team.
Windows XP isn't the only target. The new variant can infect "64-bit machines running Windows Vista or higher," according to Microsoft's research.
The 64-bit rootkit succeeds because it exploits a normal process in Windows used for "disk encryption and compression software," according to Microsoft. The newer versions can infect the master boot record and make changes to Windows to get the OS to accept unsigned drivers. A PatchGuard component in Windows that supposedly guards against system tampering does not see the changes being made by the rootkit as a violation, Microsoft explained.
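Because the rootkit's foothold is the master boot record, one practical defensive check is to snapshot a machine's MBR while it is known to be clean and later compare the boot-code region against that baseline. The script below is an added example, not code from Microsoft or from this article; it parses the 512-byte MBR layout (440 bytes of boot code, a 6-byte disk-signature area, four 16-byte partition entries and the 0x55AA trailer), records a SHA-256 of the boot code, and reports when a later image differs. The sample MBR bytes and the baseline hash are constructed inline so it runs offline; on a real system you would feed it the first sector read from the physical disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # boot code before the 4-byte disk signature + 2 reserved bytes
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE_OFFSET = 510


def parse_mbr(mbr: bytes) -> dict:
    """Parse a raw MBR sector into its boot code hash, partition entries and trailer status."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_sig_ok = mbr[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] == b"\x55\xaa"
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, (3 bytes CHS start skipped), type, (3 bytes CHS end skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_sig_ok": boot_sig_ok,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the recorded baseline."""
    findings = []
    info = parse_mbr(mbr)
    if not info["boot_sig_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed MBR image around the given boot code (for this example only)."""
    assert len(boot_code) == BOOT_CODE_LEN
    # one active NTFS-type (0x07) partition starting at LBA 2048; CHS fields left zeroed
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = part1 + b"\x00" * 48                 # remaining three entries unused
    return boot_code + b"\x00" * 6 + table + b"\x55\xaa"


# Constructed sample data: a placeholder "clean" boot code and a copy with its first bytes altered.
CLEAN_BOOT_CODE = b"\x90" * BOOT_CODE_LEN
TAMPERED_BOOT_CODE = b"\xeb\x00" + b"\x90" * (BOOT_CODE_LEN - 2)
SAMPLE_CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
SAMPLE_TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE)
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()  # recorded while the machine was clean


if __name__ == "__main__":
    for name, image in (("clean", SAMPLE_CLEAN_MBR), ("tampered", SAMPLE_TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or "OK")
```

The check deliberately hashes only the boot-code region: the partition table and disk signature legitimately change when volumes are resized or re-imaged, whereas boot code on a given install should stay constant between the vendor's own updates, so a mismatch there deserves a look even when the partition table still appears sane.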
It's not clear how Microsoft plans to respond to this vulnerability, which apparently isn't new. The blog does not indicate a patch to come. Instead, Microsoft claims that Windows users are protected against the Alureon rootkit by various Microsoft security products. The list includes the free Microsoft Security Essentials antimalware solution for consumers, as well as Microsoft's Forefront security products for enterprise users.
Symantec also describes how 64-bit Windows systems can get infected by the Tidserv variant rootkit. Tidserv is another name for the Alureon rootkit, according to Symantec's description, which assigns it a "low risk." The infection process "is nothing new and has been around for years," according to Symantec's blog. The solution is to keep one's computer virus definitions up to date, which Symantec claims is sufficient to ward off the threat.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.