New malware targets 64-bit Windows and MacOS


A new malware threat targets both Microsoft's Windows and Apple's Mac operating systems, combining a 64-bit rootkit exploiting 64-bit versions of Windows with a rogue antivirus for Mac computers.

Kaspersky Lab expert Vyacheslav Zakorzhevsky said the threat involves a downloader that will download fake antivirus programs, including one for Mac. But Zakorzhevsky said that while the downloader will run under Windows, the fake Mac antivirus it downloads will not. He said this may indicate that those behind the fake antivirus for Mac are distributing it in all possible ways, through intermediaries who do not understand what they are supposed to install on target computers.

"Interestingly, one link leads to Hoax.OSX.Defma.f which we recently wrote about. Most importantly, the rootkit tries to run it... under Windows! It appears that the developers of the latest rogue AV program for MacOS are actively distributing it via intermediaries, who don’t really understand what it is they are supposed to install on users’ computers," Zakorzhevsky said in a blog post.

Zakorzhevsky said that the malicious program is downloaded and installed using the BlackHole Exploit Kit, and exploits vulnerabilities in Java and Adobe PDF reader software.

Both drivers are standard rootkits with rich functionality. One of them is a 32-bit driver and the other a 64-bit driver. The 64-bit driver is signed with a so-called testing digital signature, which Windows Vista and 7 will accept if booted in "TESTSIGNING" mode. The "TESTSIGNING" mode allows drivers and applications still being developed by software developers to launch in Windows.

"Cybercriminals have also made use of this loophole: they execute the command ‘bcdedit.exe -set TESTSIGNING ON’ which allows them to launch their driver without a legitimate signature," he noted.

Once the driver is successfully loaded and running on the system, the rootkit blocks the launch of drivers belonging to anti-rootkit and antivirus products. — TJD, GMA News