Windows PatchGuard undermined
Once smuggled onto the system, Uroburos gets past Kernel Patch Protection, also known as PatchGuard, which protects the core of 64-bit Windows operating systems and is designed to prevent changes from being made to it. The malware manipulates the kernel and puts it into test mode. The rootkit can then embed itself there without hindrance and is accepted by the operating system as a valid system driver.
This test mode is intended for driver developers so that they can load unsigned drivers for testing during the development phase. The malware authors abuse this mechanism to disable driver verification. In this way Uroburos can be smuggled directly into the core of the operating system as a driver and spy on sensitive data there.
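The abuse described above leaves two observable traces on a host: test-signing mode is switched on in the boot configuration, and a kernel driver that carries no valid signature is running. The following PowerShell script is an added example for auditing a host for both conditions; it is not part of the G DATA analysis and not Uroburos code. It assumes an elevated prompt (bcdedit and driver enumeration need administrator rights) and uses only built-in tooling: bcdedit, the Win32_SystemDriver CIM class and Get-AuthenticodeSignature.

```powershell
# Added example (not from the original analysis): audit a Windows host for
# test-signing mode and unsigned running kernel drivers.
# Run from an elevated PowerShell prompt.

function Test-TestSigningEnabled {
    # bcdedit prints the current boot entry; a line such as
    # "testsigning             Yes" means unsigned drivers are accepted.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    if (-not $bcd) { throw 'bcdedit returned nothing; run as Administrator' }
    return [bool]($bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes\s*$' })
}

function Get-UnsignedRunningDriver {
    # Enumerate loaded kernel drivers and check each image's Authenticode status.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may use NT-style prefixes; normalise to a Win32 path.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Name   = $_.Name
                        Path   = $path
                        Status = $sig.Status
                        Signer = $sig.SignerCertificate.Subject
                    }
                }
            }
        }
}

function Invoke-DriverSigningAudit {
    $testSigning = Test-TestSigningEnabled
    $unsigned    = @(Get-UnsignedRunningDriver)

    Write-Host ("Test-signing mode enabled : {0}" -f $testSigning)
    Write-Host ("Running drivers without a valid signature: {0}" -f $unsigned.Count)
    $unsigned | Format-Table -AutoSize

    # Both findings together match the loading pattern described in the text
    # and warrant a closer look at the listed driver images.
    if ($testSigning -and $unsigned.Count -gt 0) {
        Write-Warning 'Test-signing is on and unsigned kernel drivers are loaded.'
    }
}

Invoke-DriverSigningAudit
```

On systems where in-box drivers are signed only through a security catalog, Get-AuthenticodeSignature may report some of them as NotSigned, so the driver list is a triage list rather than a verdict; the combination of test-signing being enabled on a production machine and a non-Microsoft image with no valid signature is the signal to investigate. The boot setting can also be watched continuously by alerting on bcdedit invocations and on changes to the BCD store.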
The analysis is available in the G DATA SecurityBlog.