EP_X0FF wrote: PatchGuard actually does what its name says: it guards against modifying the SSDT/SSSDT, IDTs and GDTs, using kernel stacks not allocated by the kernel, and modifying or patching code contained within the kernel itself, the HAL or the NDIS dll. In fact TDL3 is much more PatchGuard friendly than most security software. If the assumptions are correct, TDL can use a bootkit technique to load itself during operating system initialization, so no digital signatures are required at all. This is a conceptual bypass of the built-in security. The more interesting thing here is how it installs on x64.
This is why Intel bought McAfee... I can't think of a better way (?) to protect against this sort of stuff than from the hardware level. And I am amazed that it hasn't been done before. Well, not yet, even now.
In some BIOSes you can "protect against viruses". I assume that those machines just won't allow the boot sector to be overwritten without changing that BIOS setting, correct?
BTW, will drvmon.exe work fully on x64 systems?
"The rootkit needs administrative privileges to infect the Master Boot Record. Even then, it still cannot load its own 64 bit compatible driver because of Windows's kernel security. So, the dropper forces Windows to immediately restart. This way, the patched MBR can do the dirty work," says Giuliani.
So a system with a user running without admin privs won't get infected by this one?
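Since the thread turns on the bootkit rewriting the MBR while keeping the machine bootable, here is an added example (not code from the thread or from any poster) of the check a defender would run: parse the classic 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, 0x55AA signature), hash the bootstrap code, and compare it against a baseline taken when the machine was known good. The MBR images, partition values and bootstrap bytes below are constructed for the demonstration.

```python
import hashlib
import struct

BOOTCODE_LEN = 446      # bytes 0..445: the bootstrap code an MBR bootkit replaces
PART_OFF = 446          # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into bootstrap hash, partition table and signature check."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_OFF + 16 * i:PART_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # partition type 0 means the slot is unused
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIG}

def check_against_baseline(sector: bytes, baseline: dict) -> list:
    """Findings where the current MBR deviates from a known-good baseline snapshot."""
    cur = parse_mbr(sector)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["bootcode_sha256"] != baseline["bootcode_sha256"]:
        findings.append("bootstrap code changed (possible bootkit)")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def build_mbr(bootcode: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR for testing (not a real disk image)."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if boot else 0, t, start, n)
                     for boot, t, start, n in entries)
    return bootcode.ljust(BOOTCODE_LEN, b"\0") + table.ljust(64, b"\0") + BOOT_SIG

# Constructed sample: a "clean" MBR and one whose bootstrap code was swapped while the
# partition table was left intact, which is why the infected system still boots normally.
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x83, 206848, 1048576)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTITIONS)
TAMPERED_MBR = build_mbr(b"\xfa\x31\xc0\x8e\xd8\xbe\x00\x7c", PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)  # in practice, saved while the machine is known good

if __name__ == "__main__":
    print("clean   :", check_against_baseline(CLEAN_MBR, BASELINE))
    print("tampered:", check_against_baseline(TAMPERED_MBR, BASELINE))
```

A partition-table-only diff would miss this kind of infection, which is why the bootstrap bytes are hashed separately from the partition entries.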