Another way to bypass the rootkit defenses of 64-bit systems is to exploit privilege escalation vulnerabilities discovered in the Windows kernel itself and the number of such flaws has been on the rise in the past few years, according to data in the McAfee report.
"Researchers are developing targeted tools such as 'double fetch' race conditions to find flaws in kernel code," the McAfee researchers said. "History tells us that once such work happens in the research community, we will soon see its impact in the threat landscape as well."
A new wave of rootkit attacks against 64-bit systems will rely on exploiting the growing number of vulnerabilities in both Microsoft and third-party kernel components, they said.
One particularly nasty class of rootkits called bootkits install malicious code in the system's Master Boot Record, the first 512-byte sector of the hard drive that typically contains the OS boot loader. The MBR code is executed before the OS kernel is initialized, so malicious code stored there can give malware a head start on any security application installed in the OS.
During the first quarter of this year, McAfee identified the highest number of new malware variants with known MBR payloads than in any quarter of the previous two years — almost 900,000. This puts the number of known MBR-infecting malware samples at over 6 million, according to the company's data.
The Secure Boot feature of the Unified Extensible Firmware Interface (UEFI) — the BIOS replacement in newer computers — was designed specifically to prevent the installation of bootkits. It works by checking that the boot code inside the MBR is on a pre-approved whitelist and is digitally signed before executing it.
However, over the past year security researchers have found several vulnerabilities in UEFI implementations used by many computer manufacturers that can be exploited from inside the OS to disable Secure Boot.
Mitre security researcher Corey Kallenberg estimated in May that Secure Boot can be bypassed on about half of the computers that have the feature enabled. He presented some of the methods that can be used to defeat the security mechanism in May at the Hack in the Box security conference in Amsterdam.
Sign up for Computerworld eNewsletters.