
Dual-driver downloader brings Windows and Mac OS X malware

Blocks legitimate anti-virus software drivers
Tue May 17 2011, 12:18

INSECURITY FIRM Kaspersky Lab has revealed the existence of an interesting new downloader that carries two kernel drivers and installs fake antivirus malware on both Windows PCs and Macs.

The program is delivered by the Blackhole exploit kit, which targets flaws in the Java Runtime Environment (JRE) and in PDF software. It carries a 32-bit and a 64-bit driver, both described as "standard rootkits with rich functionality".

Kaspersky Lab researcher Vyacheslav Zakorzhevsky said that one of the rootkits takes advantage of the 'testsigning' boot mode in Windows Vista and later, which is meant to let developers load the drivers they are still testing. Unfortunately, criminals have used it to load drivers that carry no legitimate signature.

Zakorzhevsky said, "Once the driver is successfully loaded and running on the system, it's difficult to get rid of it. The rootkit blocks the launch of drivers belonging to anti-rootkit and antivirus products."
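For administrators who want to check a machine for the two conditions described above, here is an added PowerShell triage script. It is not code from the article or from Kaspersky Lab, and it assumes an elevated session on Windows Vista or later with bcdedit available. It reports whether Test Signing mode is switched on for the current boot entry and lists running kernel drivers whose Authenticode signature does not verify, which is how a driver signed with a developer's test certificate shows up.

```powershell
# Added defender check (not from the article or Kaspersky Lab).
# Assumes: elevated PowerShell, Windows Vista or later, bcdedit on PATH.

function Get-TestSigningState {
    # bcdedit prints one "name  value" pair per line for the boot entry;
    # the line reads "testsigning  Yes" when test-signed drivers may load.
    $lines = & bcdedit /enum '{current}' 2>$null
    $line  = $lines | Where-Object { $_ -match '^\s*testsigning\s+' } | Select-Object -First 1
    if ($line -and $line -match '^\s*testsigning\s+(\S+)') {
        return ($Matches[1] -ieq 'Yes')
    }
    return $false   # entry absent: the setting is off
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several forms; normalise them
    # to something Test-Path understands.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p      # e.g. "system32\drivers\x.sys"
    }
    return $p
}

function Get-UnsignedRunningDrivers {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status          # Valid, NotSigned, NotTrusted, ...
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Report both findings together: Test Signing on plus a running driver
# whose chain does not verify is the combination worth investigating.
$testSigning = Get-TestSigningState
Write-Output ("Test Signing mode enabled: {0}" -f $testSigning)
Get-UnsignedRunningDrivers | Format-Table -AutoSize
```

Treat the driver list as a triage signal rather than a verdict: a driver signed with a test certificate will typically report NotTrusted because its chain does not end in a trusted root, while an in-box Microsoft driver validated only through a catalog may report differently on older systems. The combination of Test Signing enabled and a running driver that fails verification is what warrants a closer look.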

The downloader, written in C++, uses the 32-bit or 64-bit driver to launch files fetched from a list of URLs. One of the links points to a fake anti-virus product aimed at Mac OS, which, oddly, the rootkit tries to run under Windows.

The researcher added, "It appears that the developers of the latest rogue AV program for MacOS are actively distributing it via intermediaries, who don't really understand what it is they are supposed to install on users' computers."

You just can't find good help any more nowadays. µ
