Back in May, we posted an article with an update on Win32/Alureon. As the numbers demonstrate, we have been making a positive impact in terms of protecting customers from this family of attacks. Since releasing the Alureon rootkit detection and removal capabilities in MSRT (the Microsoft Malicious Software Removal Tool), there have been over 1,200,000 successful removals of this family from machines.

Variant

Removals

Virus:Win32/Alureon.H

647,590

Virus:Win32/Alureon.G

248,962

Virus:Win32/Alureon.A

208,293

Virus:Win32/Alureon.F

110,006

Virus:Win32/Alureon.B

27,048

 

In terms of detections by operating system, Windows XP continues to be the most common target, chalking up over three quarters of the detections across all platforms. Windows Vista and Windows 7 are relatively unchanged from the May report.

 

 

However, the authors of these attacks have not been resting. Just under a month ago, we became aware of a new variant of Alureon that infects the Master Boot Record (MBR) instead of an infected driver.  While this new variant did not affect 64-bit machines, it had an inert file called ldr64 as part of its virtual file system.  More recently, we discovered an updated variant that successfully infected 64-bit machines running Windows Vista or higher, while rendering 64-bit Windows XP and Server 2003 machines unbootable.
 
Normally, 64-bit Windows has several protections against untrusted modifications to the kernel, including a requirement that all drivers be signed, and PatchGuard, which prevents tampering of certain system structures.  Aside from intercepting the OS boot sequence early in the cycle, the malware also reconfigures the operating system in a visible way to accept loading of unsigned drivers.  Since the method used to do this is a supported extensibility feature of the kernel used by full disk encryption and compression software, it does not actually violate the guarantees PatchGuard provides about system integrity.
 
Blocking and Detection for this Threat
Proactive detection for this threat and the malware that tries to install it has been available since Aug. 6 for customers of Microsoft Security Essentials, Microsoft Forefront Client Security, Forefront Server Security, and the Forefront Threat Management Gateway:

 

Name

Type

Trojan:Win32/Alureon.DX

Installer

Trojan:WinNT/Alureon.L

Driver

Trojan:DOS:Alureon.A

MBR

 If you did not have proactive detection in place, you can (currently) manually check to see if the bootkit is installed.  As a side effect of the bootkit, the Disk Management pane of the Computer Management console will fail to show the system drive altogether:

 

It will also fail to show up in the command line  using diskpart:

 

 

As always, we strongly urge users to run the latest version and updated signatures of an Anti-Malware product such as Microsoft Security Essentials to provide proactive protection against this threat.

 

Jason Conradt, Jeremy Croy, Joe Johnson