Rootkit Bypasses 64-bit Microsoft Windows 7 Security Features

A new rootkit program has managed to bypass Microsoft security features on the 64-bit version of the Windows 7 operating system.

According to researchers at GFI Software, the latest version of the TDL rootkit, Alureon, attacks the 64-bit Windows 7 OS by bypassing a security policy that requires system drivers to be digitally signed before they are installed.

The Microsoft security policy, called the kernel mode code signing policy, had been put in place to prevent malicious drivers from being installed on the system.

However, according to a report published by GFI Software, the rootkit manages to bypass the policy by changing the boot options used by Microsoft's boot programs.

Chandra Prakash of GFI Software wrote: “The boot option configures the value of a config setting named 'LoadIntegrityCheckPolicy', which determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit DLL file.”
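As an added example (not from the article or GFI's report), here is a small Python audit that parses the column-aligned output of `bcdedit /enum all` and flags boot-loader entries where integrity checking has been turned off or test signing enabled, the two signing-related options bcdedit displays. The sample listing is constructed, and the parser assumes an English-locale bcdedit.

```python
import re

# Constructed sample of `bcdedit /enum all` output, not captured from a real host.
SAMPLE_BCD = r"""Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
nointegritychecks       Yes
testsigning             Yes
"""

# Boot options that relax driver signature enforcement when set to Yes.
RISKY_OPTIONS = {"nointegritychecks": "yes", "testsigning": "yes"}


def parse_bcd(text):
    # Split bcdedit's listing into one dict per boot entry, keyed by option name.
    entries, current = [], None
    for line in text.splitlines():
        # Option lines are "name<2+ spaces>value"; section titles and rules are skipped.
        m = re.match(r"^(\S+)\s{2,}(\S.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "identifier":
            current = {"identifier": value}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries


def weakened_entries(entries):
    # Return (identifier, [risky options]) for entries whose signing checks are relaxed.
    findings = []
    for entry in entries:
        hits = [k for k, v in RISKY_OPTIONS.items() if entry.get(k, "").lower() == v]
        if hits:
            findings.append((entry["identifier"], hits))
    return findings
```

To audit a live host, feed the text of `bcdedit /enum all` (run from an elevated prompt) to `parse_bcd` and review what `weakened_entries` returns; any hit on a production machine deserves investigation.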