[ISN] TDL4 rootkit can be modified to pwn any security product, Bromium researchers discover

http://news.techworld.com/security/3513668/tdl4-rootkit-can-be-modified-pwn-any-security-product-bromium-researchers-discover/ By John E Dunn Techworld 28 April 2014 Kernel mode rootkits are more viable than has been realised and could be used to bypass more or less any security product in existence, researchers at Bromium have discovered after conducting a proof-of-concept attack using a modified variant of in the infamous TDL4 malware. Due to be presented in more detail by the firm at this week’s Security BSides event in London, the research involved ‘tweaking’ the TDL4 variant that had appeared to take advantage of the Windows kernel privilege zero day (CVE-2013-3660), discovered in June last year. With a new payload, what this created was something lethal enough to overcome a variety of security layers the team tested against it such as antivirus, sandboxes and intrusion prevention, making it a sort of “Swiss Army knife” attack hiding behind ring zero. “While many were aware of the discovery of the TDL4 rootkit rumoured to be using kernel exploit code at the end of last year, few paid it any serious attention. And that was a huge error of judgement,” said Bromium’s head of security, Rahul Kashyap. […]