How To Detect A 64-bit Alureon Rootkit Infection - gHacks Tech News

How To Detect A 64-bit Alureon Rootkit Infection

Alureon, or TDL, TLD3 and Tidserv, is the first rootkit that can infect 64-bit Windows PCs. Before that, only 32-bit systems were affected by rootkits, and many Windows users realized that in February, when Microsoft patch MS10-015 caused infected machines to display a blue screen. It obviously was not Microsoft's fault back then, which was first assumed by professionals and users alike. It turned out after some research that the TLD3 rootkit was responsible for that behavior.

The developers of the rootkit have improved it considerably since then, and managed to add the ability to infect 64-bit Windows systems. That's a first, and security vendors are alarmed about that trend.

However, the authors of these attacks have not been resting. Just under a month ago, we became aware of a new variant of Alureon that infects the Master Boot Record (MBR) instead of an infected driver. While this new variant did not affect 64-bit machines, it had an inert file called ldr64 as part of its virtual file system. More recently, we discovered an updated variant that successfully infected 64-bit machines running Windows Vista or higher, while rendering 64-bit Windows XP and Server 2003 machines unbootable.

Many security companies have already added detection of the 64-bit variant to their security applications, Microsoft for instance added signatures to Microsoft Security Essentials in the beginning of August.

Still, Windows 64-bit owners may want to verify for themselves that the rootkit is not installed on their operating system. As the information above suggest, Windows XP and Windows Server 2003 owners will immediately notice that something is wrong, as their operating system will fail to boot. Windows Vista or Windows 7 64-bit users should read on.

There are at least two options to do that, all with tools already included in the operating system:

Open a command prompt, with Windows-R, entering cmd and enter.

Use the command diskpart to open Diskpart in a new command line window.

Enter lis dis in the new prompt, if it remains empty the computer is infected with the rootkit. If the disks display, it is not.

Good

windows 64 bit rootkit detection
windows 64 bit rootkit detection

Bad

diskpart
diskpart

The second option to detect the 64-bit rootkit is the following: Launch Disk Management from the Computer Management pane.

If it does not show disks, it means the system is infected with the rootkit. If it shows disks, everything is fine.

Infected System

al64-2
al64-2

Additional information are available at Technet and Symantec.

How to Remove the Rootkit if the system is infected:

Several programs are able to remove the rootkit and repair the MBR so that the system boots normally after the repair.

Hitman Pro Beta 112 and later can do it for instance.

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Gadou said on September 1, 2010 at 1:54 pm
    Reply

    Hi,

    How do you save / restore a dual boot Linux / Windows 7 ?

    1. Martin said on September 1, 2010 at 3:25 pm
      Reply
  2. Ross said on September 1, 2010 at 8:20 pm
    Reply

    If it’s as easy to detect as that, then it’s not a very good rootkit, is it?

  3. hak01 said on September 2, 2010 at 12:12 am
    Reply

    easy to detect the presence. but very difficult to isolate the infected file. most probably it would be a legitimate system file.

    example: C:\WINDOWS\system32\drivers\afd.sys

  4. Wade said on July 26, 2012 at 5:50 am
    Reply

    completed both test checked good but, I still have a rootkit installed still redirecting my web browser (firefox) :(

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.