64-bit versions of Windows are the latest target of new malware: rootkit writers have found a loophole that lets them load a kernel driver which is not signed with a trusted certificate, evading the driver-signing protection built into 64-bit versions of Windows, a Kaspersky Lab report said.
The new malware is delivered by the BlackHole Exploit Kit, yet another successful web exploit kit developed by Russian hackers. According to the Kaspersky report, the malware's downloader reaches the system through two commonly exploited flaws in Java and Adobe Reader.
On 64-bit Windows systems the new malware installs a 64-bit rootkit, detected as Rootkit.Win64.Necurs.a. The rootkit then runs the command 'bcdedit.exe -set TESTSIGNING ON', a boot-configuration setting intended for loading test-signed drivers during driver development, the report said.
Once that setting takes effect (at the next boot), the kernel's driver signature enforcement accepts drivers signed with a test certificate rather than one chained to a trusted root, so the rootkit's driver can be loaded without a legitimate signature. Strictly speaking, the check being bypassed here is kernel-mode code signing, not PatchGuard itself: PatchGuard protects kernel structures from modification and does not verify driver signatures. Windows also shows a 'Test Mode' watermark on the desktop while the setting is on, which is the simplest visible sign that a machine has been put into this state.
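The setting Necurs flips can be checked for on a live host, and the command that flipped it can be searched for in the process-creation audit log. The PowerShell script below is an added example and is not part of the Kaspersky report or of this article; it assumes an elevated session and, for the event search, that the Security log records command lines for process-creation events (event ID 4688 with command-line auditing turned on). The function names are the example's own.

```powershell
# Added example, not from the Kaspersky report: detect test-signing mode and
# look for the bcdedit command that enables it. Run from an elevated PowerShell.

function Test-TestSigningEnabled {
    # bcdedit /enum prints the boot entries; when test-signing mode is on, the
    # current entry carries a line reading 'testsigning   Yes'.
    $entries = & bcdedit.exe /enum "{current}" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed (an elevated session is required): $entries"
    }
    # Match the key/value line regardless of the column spacing bcdedit uses.
    return [bool]($entries | Where-Object { "$_" -match '^\s*testsigning\s+Yes\s*$' })
}

function Find-TestSigningCommands {
    param([int]$Days = 30)
    # Security event 4688 (process creation) only contains the command line if
    # 'Include command line in process creation events' is enabled; without it
    # this returns nothing even on a host where the command was run.
    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)bcdedit.*testsigning\s+on' } |
        Select-Object TimeCreated, Id,
            @{ n = 'CommandLine'
               e = { ($_.Message -split "`n" |
                      Select-String 'Process Command Line').Line.Trim() } }
}

if (Test-TestSigningEnabled) {
    Write-Warning 'Test-signing mode is ON: test-signed kernel drivers will load. Unless this is a driver development machine, treat it as suspicious.'
    Write-Host 'To turn it off (takes effect at the next boot): bcdedit.exe /set testsigning off'
} else {
    Write-Host 'Test-signing mode is off.'
}

Find-TestSigningCommands | Format-Table -AutoSize
```

Turning the setting back off is not a cleanup by itself: the rootkit's driver stays installed until it is removed, and it can re-run the command, so a positive result from the first check is a reason to image the machine rather than just flip the flag.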
The Kaspersky report noted that once loaded, the rootkit can block the correct loading of antivirus software that might otherwise detect and remove it.
What is Windows PatchGuard?
Windows PatchGuard, also known as Kernel Patch Protection (KPP), is a feature of the 64-bit editions of Microsoft Windows, including XP, Vista, Windows 7 and Windows Server, that prevents software, malware included, from patching the operating system kernel.
Patching the kernel means making unsupported modifications to the central component of the Windows operating system, the kernel. Kernel patching is not blocked in 32-bit editions of Windows, so a number of antivirus vendors have relied on it to implement antivirus and other security services.
On computers running 64-bit versions of Windows, however, such antivirus software will not work, which is why Kernel Patch Protection has drawn a lot of criticism.
The new malware also attempts to download a recent fake antivirus program, Hoax.OSX.Defma.f, which targets Mac OS X users, the Kaspersky report said.