rootkits

Winsage
December 20, 2024
Microsoft introduced a hardware compatibility requirement for Windows 11 in 2021, mandating a Trusted Platform Module (TPM) that implements the TPM 2.0 specification. A TPM is a secure cryptoprocessor that generates and protects cryptographic keys, produces random numbers, validates digital signatures, and records boot measurements; its architecture is defined by the ISO/IEC 11889 standard. It can be a discrete chip on the motherboard or a firmware TPM (fTPM) running on the platform's own processor, an approach adopted by Intel, AMD, and Qualcomm. TPM 2.0 underpins several Windows security features: it works alongside Secure Boot to ensure only trusted code runs at startup, backs the credentials used for biometric sign-in with Windows Hello, and seals BitLocker keys so the disk cannot be unlocked if the boot chain or hardware changes. Most PCs manufactured from 2016 onwards ship with TPM 2.0, while older systems may have the TPM disabled in firmware or implement only the unsupported TPM 1.2 specification. Users can check TPM status with the TPM Management console (tpm.msc) or the Get-Tpm PowerShell cmdlet. TPMs are not exclusive to Windows: Linux systems and IoT devices use them too, while Apple devices rely on a different design, the Secure Enclave. Windows 10 and 11 initialize the TPM automatically during installation, and the installer's TPM check can be skipped through a registry modification, which leaves the machine in a configuration Microsoft does not support.
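As an added example (not code from the Winsage article), the check the summary describes, done from PowerShell rather than a GUI: it reports whether a TPM is present and initialized, which spec version it implements, whether Secure Boot is on, and whether that combination satisfies the Windows 11 TPM requirement. The function name and the eligibility rule are this example's own; the cmdlets and the Win32_Tpm class are stock Windows 10/11.

```powershell
# Added example: TPM / Secure Boot posture check. Run from an elevated prompt.
# Get-Tpm and Confirm-SecureBootUEFI ship with Windows; Win32_Tpm is the WMI
# class that exposes the spec version string (e.g. "2.0, 0, 1.38").

function Get-PlatformSecurityPosture {
    $tpm = Get-Tpm                                   # TrustedPlatformModule module

    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # First comma-separated token is the spec version: "1.2" or "2.0".
    $specVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM boots; treat that as "off".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    [pscustomobject]@{
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady               # initialized and usable by the OS
        TpmSpecVersion = $specVersion
        SecureBoot     = $secureBoot
        # Eligibility rule is this example's own reading of the Windows 11 requirement:
        # a ready TPM 2.0 plus Secure Boot. A 1.2 TPM or a disabled fTPM fails here.
        MeetsWin11Tpm  = ($tpm.TpmPresent -and $tpm.TpmReady -and
                          $specVersion -eq '2.0' -and $secureBoot)
    }
}

Get-PlatformSecurityPosture | Format-List
```

If `TpmPresent` is false on a post-2016 machine, the usual cause is an fTPM switched off in firmware setup (Intel PTT / AMD fTPM), not a missing chip.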
Tech Optimizer
November 12, 2024
Antivirus software protects data and devices from threats like malware, ransomware, and phishing attacks. Bitdefender is preferred over Malwarebytes due to its extensive features and competitive pricing.

Specifications:

Bitdefender:
- Free version: Yes
- Free premium trial: 30 days
- Compatibility: Windows, macOS, Android, iOS, Linux
- Malware protection: Yes
- Phishing protection: Yes
- Scan types: Scheduled, real-time
- Customer support: Live chat, email, phone, support pages
- Price: Plans starting at [price] per year for one device or [price] per year for three devices

Malwarebytes:
- Free version: Yes
- Free premium trial: 14 days
- Compatibility: Windows, macOS, Android, iOS
- Malware protection: Yes
- Phishing protection: Yes
- Scan types: Scheduled, real-time
- Customer support: AI and live chat, email, support pages
- Price: Plans starting at [price] per year

Bitdefender advantages:
- Comprehensive protection across devices and browsers.
- Extensive threat protection including viruses, malware, ransomware, spyware, rootkits, and adware.
- Continuous, real-time scans on Windows.
- Privacy firewall and anti-tracking features.
- VPN service and data breach protection available.
- Competitive pricing compared to Malwarebytes.

Malwarebytes advantages:
- Focuses on robust malware protection.
- Sufficient for users not needing additional features.
- Can supplement existing security features.
- Rapid and real-time scanning capabilities.
- User-friendly interface with threat quarantining and ad blocking.

Alternatives to Bitdefender and Malwarebytes are available in the antivirus market.
Tech Optimizer
October 30, 2024
Having a collection of essential portable applications on a USB drive can be beneficial for troubleshooting, working on different systems, or accessing favorite tools without installation. Here are ten essential free portable apps:

1. ClamWin Antivirus: Scans and removes malware from Windows devices; does not provide real-time protection.
2. Sophos Scan and Clean: Detects sophisticated malware like rootkits and bootkits; updates automatically with each scan.
3. FixWin 11: Offers one-click solutions for common Windows issues, simplifying troubleshooting.
4. ccPortable (CCleaner Portable): Scans and removes junk files to maintain PC performance; includes Health Check and Custom Clean features.
5. Everything Portable: A local search tool that indexes files and folders quickly for easy navigation.
6. GIMP Portable: An open-source photo editing software with various features for image manipulation.
7. Firefox Portable: A portable version of Firefox that retains bookmarks, history, and extensions for seamless browsing.
8. Notepad++ Portable: A code editor with syntax highlighting, code folding, and macro recording for developers.
9. Foxit PDF Reader: A lightweight tool for opening, annotating, and filling out PDF forms.
10. Free Download Manager Classic Portable: A download manager that supports resuming broken downloads and torrent files.
Winsage
October 28, 2024
Recent findings show that fully patched Windows 11 systems can be made to accept custom rootkits that bypass endpoint security and persist on the compromised host. The technique builds on the downgrade attack that SafeBreach researcher Alon Leviev demonstrated at Black Hat USA 2024 with a tool called Windows Downdate. An attacker who already has administrative access uses it to manipulate the Windows Update process so that patched components are replaced with older, vulnerable versions while the system still reports itself as fully updated. Leviev's demonstration showed that systems running virtualization-based security (VBS) are also exposed: he downgraded VBS components and thereby revived previously fixed privilege escalation vulnerabilities. Microsoft has patched two related vulnerabilities (CVE-2024-21302 and CVE-2024-38202) but has not addressed the underlying downgrade capability, maintaining that an administrator gaining kernel code execution does not cross a security boundary. On October 26, Leviev published a further downgrade attack that uses Windows Downdate to bring back a patched driver signature enforcement (DSE) bypass. That bypass belongs to a bug class its discoverer, Gabriel Landau of Elastic, named False File Immutability (FFI): code that wrongly assumes a file it has already validated cannot change underneath it. Leviev showed that downgrading a single module, CI.dll, to the version with the unpatched FFI bug is enough to exploit it, and that the attack still works with VBS enabled unless VBS is running with both its UEFI lock and the Mandatory flag set. Tim Peck of Securonix noted that the attacks succeed because Windows does not properly validate the version numbers of the DLLs it installs, so outdated, vulnerable files are accepted. Microsoft says it is developing mitigations, including a security update that revokes outdated VBS system files, but has not disclosed specific measures or a timeline.
Winsage
October 28, 2024
Microsoft's approach to security vulnerabilities has been criticized for not treating scenarios in which an attacker with administrative privileges can execute kernel-level code as security boundary violations. SafeBreach researchers argue that this narrow definition leaves systems open to custom rootkits that bypass core security controls. They identified CVE-2024-21302, an elevation-of-privilege vulnerability in the Windows secure kernel, part of the virtualization-based security (VBS) stack, and CVE-2024-38202, an elevation-of-privilege vulnerability in the Windows Update stack that lets an attacker roll back components and disable protections such as Driver Signature Enforcement and VBS. Microsoft is developing mitigations for these vulnerabilities and released a security update for CVE-2024-38202 on October 15, with further updates planned for CVE-2024-21302.
Winsage
October 28, 2024
Cybersecurity researchers have described a method that lets attackers bypass a core Windows protection, Driver Signature Enforcement (DSE), and install rootkits on fully updated systems. Alon Leviev of SafeBreach reported that the technique downgrades specific Windows kernel components and that Windows 11 devices are affected. Microsoft was notified but has shipped no fix, stating that the issue does not breach a "security boundary" because administrator access is required to exploit it. Leviev presented the work at Black Hat USA and DEF CON 2024 and introduced Windows Downdate, a tool that reactivates previously patched vulnerabilities by rolling back individual files. He demonstrated downgrading components on Windows 11 to bypass DSE and load unsigned kernel code, including rootkits that disable security software. A key step replaces ci.dll with an older, unpatched version; because the swap is staged through the update mechanism, it requires a reboot and looks like a routine update. Leviev also showed how to disable Virtualization-Based Security (VBS): where VBS is not protected by its UEFI lock, through registry changes, and where the UEFI lock is set but the "Mandatory" flag is not, by corrupting VBS files such as SecureKernel.exe so that VBS fails to start. Microsoft is working on a solution that blocks outdated system files and prevents downgrade attacks, but the timeline is uncertain because of the testing involved. Leviev advises organizations to remain vigilant against downgrade attacks until a resolution is available.
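The three October 28 entries above describe the same mechanism: a file such as ci.dll going backwards in version while Windows still reports itself fully updated, and VBS being switched off where its UEFI lock and Mandatory flag are not set. As an added example (not code from SafeBreach, Securonix or Microsoft), a read-only check a defender can schedule on a Windows host: record a baseline of the kernel modules that matter for DSE/HVCI after a known-good update, later flag any module whose file version has decreased or whose bytes changed without a version change, and report whether VBS/HVCI are actually running and locked. The module list, the baseline path and the function names are this example's own choices; the Win32_DeviceGuard class, FileVersionRaw and the DeviceGuard registry key are standard Windows.

```powershell
# Added example: detect version regression of DSE/HVCI-relevant modules and
# report VBS state. Run elevated. Needs Windows PowerShell 5.1+ (FileVersionRaw).

# Modules the downgrade research above singles out (ci.dll) or that back DSE/HVCI.
# Assumed list; extend to taste. Paths are relative to System32.
$CriticalModules = @('ci.dll', 'ntoskrnl.exe', 'securekernel.exe', 'skci.dll', 'hvix64.exe', 'hvax64.exe')
$BaselinePath    = Join-Path $env:ProgramData 'module-baseline.json'   # assumed location

function Get-ModuleState {
    foreach ($name in $CriticalModules) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }   # hvix64 is Intel-only, hvax64 AMD-only
        $item = Get-Item $path
        [pscustomobject]@{
            Name    = $name
            Version = $item.VersionInfo.FileVersionRaw.ToString()   # e.g. 10.0.22631.4317
            Sha256  = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
}

function Save-ModuleBaseline {
    # Take the baseline right after a cumulative update you trust.
    Get-ModuleState | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
}

function Compare-ModuleBaseline {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $now      = Get-ModuleState
    foreach ($b in $baseline) {
        $cur = $now | Where-Object Name -eq $b.Name
        if (-not $cur) { Write-Warning "$($b.Name): missing"; continue }
        $old = [version]$b.Version
        $new = [version]$cur.Version
        if ($new -lt $old) {
            # The Downdate signature: a file whose version went backwards.
            # Windows Update itself will still say the system is up to date.
            Write-Warning "$($b.Name): DOWNGRADED $old -> $new"
        } elseif ($new -eq $old -and $cur.Sha256 -ne $b.Sha256) {
            # Same version stamp, different bytes: not a downgrade, but not an update either.
            Write-Warning "$($b.Name): content changed without a version change"
        }
    }
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 2 when HVCI (kernel-mode code integrity) runs.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # UEFI lock ('Locked') and mandatory mode ('Mandatory') under the DeviceGuard key:
    # the two settings that decide whether the VBS-disable steps described above apply.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
        UefiLocked  = ([int]$reg.Locked -eq 1)
        Mandatory   = ([int]$reg.Mandatory -eq 1)
    }
}

# Usage: Save-ModuleBaseline once; then Compare-ModuleBaseline and Get-VbsState on a schedule.
```

Comparing against a stored baseline rather than against the OS build number avoids false positives: not every cumulative update rebuilds every module, so ci.dll legitimately lags the OS UBR, but it should never move backwards. A host where `HvciRunning` is true yet `UefiLocked` or `Mandatory` is false is exactly the configuration the research above shows can be switched off from an administrator account.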