New 64-Bit Windows Rootkit Already ‘In The Wild’

After a brief lull, new and improved rootkits are back. The latest iteration of one well-known kit — TDL3 — now enables hackers to compromise 64-bit Windows more easily, according to one security researcher.

According to security research firm Prevx, it’s an important escalation in the continuing spy-versus-spy cold war between researchers and hackers.

While many security administrators may not be familiar with TDL3, TDL and its other variants, they may remember it by a different name — the Alureon rootkit — that made the rounds earlier this year.

The problems began when some users who had just downloaded and installed a new Microsoft (NASDAQ: MSFT) security patch complained that it caused their PCs to crash.

It turned out to be a version, or versions, of the Alureon rootkit that was to blame.

Microsoft reissued a modified version of the patch to help identify the rootkit and offered free tech support to remove it.

Rootkits are groups of programs hidden in a computer’s root directory — thus the name — and are typically delivered via a “dropper” program. The rootkit’s purpose is to worm its way into the operating system kernel and quietly take over.

So why is this worrying and important news?

“x64 versions of Windows are considered much more secure than their respective 32-bit versions because of some advanced security features which are intended to make it more difficult getting into kernel mode and hooking the Windows’s kernel,” Prevx researcher Marco Giuliani wrote in a post to the company blog Thursday.

Giuliani elaborated by pointing to a feature of 64-bit versions of Windows Vista and Windows 7 that tightly controls what drivers are allowed to execute in the operating system kernel through “a very strict digital signature check.”

Without a valid signature, it won’t load.

A second security feature, known as PatchGuard, is designed to keep any driver from making changes to the kernel, he added in his post.

“To bypass both kernel patch protection and driver signature verification, the rootkit is patching the hard drive’s master boot record so that it can intercept Windows’ startup routines, owns it, and load its driver. Both Windows security mechanisms are bypassed,” the post said.

What is especially troubling, however, is that the new and improved TDL3 rootkit is already circulating “in the wild,” making it yet another potential security threat that network and PC administrators will need to watch out for and address in the near future.

“Our Prevx community spotted the infecting dropper more than nine days ago and we are now seeing new samples reported every day. This means the infection is spreading on the Web, by using both porn websites and exploit kits,” Giuliani said.

“What is more important is that with this new TDL3 release, a new era is officially dawned: the era of x64 rootkits. How this develops, we’re not sure,” Giuliani added.

Meanwhile, Microsoft said it is aware of the new rootkit.

“Microsoft is investigating the details of a new variant of the Alureon rootkit affecting 64-bit versions of Windows. Microsoft Security Essentials and Forefront protect against infection provided the system was not already infected when these products were installed,” Jerry Bryant, group manager of response communications at Microsoft, said in an e-mail to

Bryant also said that customers that have been infected should either contact their antivirus vendor or call Microsoft’s 1-866-PCSAfety support line.

In addition, the company will be posting an entry to the Microsoft Malware Protection Center (MMPC) blog “shortly,” Bryant added.
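
Because the bypass Giuliani describes works by modifying the master boot record, one defensive check is to compare a disk's MBR sector against a copy saved while the machine was known to be clean. The Python below is an added example, not code from Prevx, Microsoft or this article; its function names are hypothetical, it assumes both 512-byte sectors were captured offline (for instance from rescue media), and the sample sectors it builds are constructed.

```python
import hashlib
import struct

SECTOR = 512
CODE_END = 440            # bytes 0..439: bootstrap code
TABLE_OFF = 446           # four 16-byte partition entries start here
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS, type, CHS, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR sector into the fields worth baselining."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": parts,
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
    }

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means no drift."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not b["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if a["code_sha256"] != b["code_sha256"]:
        findings.append("bootstrap code changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings

def make_sample(code_fill: int) -> bytes:
    """Constructed test sector: filler code bytes, one active type-0x07 partition."""
    s = bytearray(SECTOR)
    s[:CODE_END] = bytes([code_fill]) * CODE_END
    s[440:444] = bytes.fromhex("a1b2c3d4")  # constructed disk signature
    ENTRY.pack_into(s, TABLE_OFF, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    print(compare_mbr(make_sample(0x11), make_sample(0x11)))  # identical sectors
    print(compare_mbr(make_sample(0x11), make_sample(0x22)))  # bootstrap code differs
```

A changed bootstrap hash is a prompt for investigation rather than proof of infection, since legitimate boot managers and disk-encryption tools also rewrite this sector.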

Stuart J. Johnston is a contributing writer at, the news service of, the network for technology professionals. Follow him on Twitter @stuartj1000.

Stuart J. Johnston is an eSecurity Planet and Serverwatch contributor.
