TDL4 rootkit can be modified to pwn any security product, Bromium researchers discover

[InfoSec News <alerts () infosecnews org>]

http://news.techworld.com/security/3513668/tdl4-rootkit-can-be-modified-pwn-any-security-product-bromium-researchers-discover/

By John E Dunn
Techworld
28 April 2014

Kernel mode rootkits are more viable than has been realised and could be 
used to bypass more or less any security product in existence, researchers 
at Bromium have discovered after conducting a proof-of-concept attack 
using a modified variant of in the infamous TDL4 malware.

Due to be presented in more detail by the firm at this week’s Security 
BSides event in London, the research involved 'tweaking' the TDL4 variant 
that had appeared to take advantage of the Windows kernel privilege zero 
day (CVE-2013-3660), discovered in June last year.

With a new payload, what this created was something lethal enough to 
overcome a variety of security layers the team tested against it such as 
antivirus, sandboxes and intrusion prevention, making it a sort of "Swiss 
Army knife" attack hiding behind ring zero.

"While many were aware of the discovery of the TDL4 rootkit rumoured to be 
using kernel exploit code at the end of last year, few paid it any serious 
attention. And that was a huge error of judgement," said Bromium’s head of 
security, Rahul Kashyap.

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/