Channel 9 Forums - Tech Off - Rootkits on x64 Vista: Are they feasible?

Tech Off - Rootkits on x64 Vista: Are they feasible?

TimP — Fri, 14 Mar 2008 09:36:24 GMT

I've noticed my desktop icons seem to be refreshing a lot more than I remember in the past and any suspicious behavior always triggers paranoid malware fears in my mind, but that's beside the point. I was thinking about the rootkit "epidemic" and was wondering if they're still a legitimate risk on x64 Vista.

As far as I understand, rootkits that effectively hide their presence (i.e. not showing up in the process list, registry, file system, etc.) require a kernel mode component to intercept queries for information that could reveal them and return a modified result with themselves omitted.

With x64 Vista closing the door on unsigned kernel drivers, is it still possible to have a truly stealthy rootkit (obviously moot if the rootkit is a signed)?

Have there been any stories of Vista rootkits in the wild?

Tech Off - Rootkits on x64 Vista: Are they feasible?

stevo_ — Fri, 14 Mar 2008 10:26:06 GMT

I wouldn't expect you are infected with a rootkit.. and what the rootkit does, it tries to fool that host OS into believing its talking directly to the hardware, where as its actually talking to the rootkit, which is acting as 'proxy'.

The rootkit then has the ability to 'abuse' whatever data it feels nec coming from the kernel..

Tech Off - Rootkits on x64 Vista: Are they feasible?

figuerres — Fri, 14 Mar 2008 13:35:35 GMT

TimP wrote:

I've noticed my desktop icons seem to be refreshing a lot more than I remember in the past and any suspicious behavior always triggers paranoid malware fears in my mind, but that's beside the point. I was thinking about the rootkit "epidemic" and was wondering if they're still a legitimate risk on x64 Vista.

As far as I understand, rootkits that effectively hide their presence (i.e. not showing up in the process list, registry, file system, etc.) require a kernel mode component to intercept queries for information that could reveal them and return a modified result with themselves omitted.

With x64 Vista closing the door on unsigned kernel drivers, is it still possible to have a truly stealthy rootkit (obviously moot if the rootkit is a signed)?

Have there been any stories of Vista rootkits in the wild?

while I have not been spending time on this subject I will say:

Yes, they are still "possible"

just that the methods used by the cracker will have to be altererd to fit the new OS.

I am not so sure that the "signed driver" bit even has much to do with a rootkit --- other than as a way in the door.

as for your desktop well... find out what you changed recently.