
VBootkit Bypasses Vista's Code Signing

Posted by kdawson
from the breaking-into-your-own-hardware dept.
An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."
  • by zappepcs (820751) on Wednesday April 04, 2007 @12:08AM (#18599225) Journal
    Isn't it ironic that even hackers don't like the high cost of MS software?

    FTFA: "The researchers say the only reason they didn't do it on Vista final was cost."
    • by hahiss (696716)
      Just like rain on your wedding day.
  • channel9 (Score:3, Interesting)

    by Anonymous Coward on Wednesday April 04, 2007 @12:09AM (#18599233)
    And here's a video interview [msdn.com] of the guys who admit to being responsible.

  • Boot Sector Virus (Score:5, Insightful)

    by w128jad (643759) on Wednesday April 04, 2007 @12:09AM (#18599237)
    Are we about to see the dawn of a new day for the Boot Sector Virus?
    • by EmbeddedJanitor (597831) on Wednesday April 04, 2007 @12:13AM (#18599265)
      Windows Genuine Rootkit Advantage
      Roots for Sure
      Clippy Boot: "You seem to be wanting to run as Admin, can I help?"
      C'mon folks help me out!
      • Re: (Score:3, Interesting)

        by tinkertim (918832) *

        Windows Genuine Rootkit Advantage
        Roots for Sure
        Clippy Boot: "You seem to be wanting to run as Admin, can I help?"
        C'mon folks help me out!

        I think Vista could come out with "That's not a bug, it's a feature .. so that fully virtualized instances of Vista can be modified by third party boot loaders for dynamic reprovisioning".

        Actually, since local access to fully virtualized instances is a moot point, it would be (arguably) a feature in that respect.

        disk = [ 'phy:/hasta/la/vista/baby,ioemu:hda,w' ]

        I'm just wond

    • by Sancho (17056) on Wednesday April 04, 2007 @12:14AM (#18599269) Homepage
      Of course, it will be one of those that relies on a code of honor:

      "This is the Windows Vista Boot Sector Virus kit. Please burn this ISO to a CD and boot your computer with it."
      • Considering just how dumb some people are when it comes to infecting their machines, I wouldn't call that an impossible attack vector...
        • Considering that the code-signing stuff is the basis of most DRM that will be written for Vista, this virus is a free pass to snoop kernel memory and remove the DRM from any media Vista supports.

          I'm guessing more than a few people will be installing this one on purpose.
          • Well, this is one of the moments when it's not the substance that is poison, but its application. This loophole can be used for good or ill, to infect a computer or to cure it of DRM.

            I certainly don't want "this virus". It depends what comes attached to it. If it is used to disable the unwanted parts of the system, then I'm all for it. If it is used to add more spyware to the fold, then I'm not.

            It all depends on how it is used.
    • Are we about to see the dawn of a new day for the Boot Sector Virus?

      This is a very interesting point. The difficulty of course still remains with getting the virus into the boot sector, but once there it would be no different than your run-of-the-mill XP virus with administrator privileges. Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's Fort Knox.
      • by Volante3192 (953645) on Wednesday April 04, 2007 @12:23AM (#18599349)
        Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's fort knox.

        No problem. We just send a flying circus over the BIOS, dump some VX gas on it, then march in with the industrial laser. Then we cut a hole, drop the virus in and, BOOM! Instant instability.

        This is assuming, of course, Vista hasn't seduced the leader of the flying circus by this point, at which case the whole plan's shot to hell.
      • Re: (Score:3, Interesting)

        by TheRaven64 (641858)

        Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's fort knox.

        Does it guard all disks, or just the boot disk? If it guards all disks, then this could make it difficult to create bootable disks in Vista. If it only guards the boot disk, it means the virus could easily write to the boot sector of a flash drive. Anyone who booted a USB-bootable PC with the USB drive attached would not notice anything amiss, but would have the virus running with SYSTEM privileges (and even Administrator can't kill SYSTEM's processes). This computer could then install the boot sector

  • Cost? (Score:5, Interesting)

    by biocute (936687) on Wednesday April 04, 2007 @12:14AM (#18599271) Homepage
    Cost as in the money one has to pay to acquire a copy of Vista, or the cost of developing a Vista-Final-compatible VBootkit?

    I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.
    • Re: (Score:3, Insightful)

      I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.

      Perhaps because Microsoft will patch this and render the boot kit useless in less time than it takes to say "oh my god, my unsigned drivers don't work anymore"?
    • I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.
      These guys are in India where CS salaries are about one tenth of what they are in the USA, but Vista costs just about the same there as it does in the USA. So, consider how likely it would be for someone to toss $2000-$3000 to an unknown company in the USA with zero chance of getting a return on the money?
    • Re: (Score:2, Funny)

      by Anonymous Coward
      When I first read your remark, I thought you said it cost too much memory to run Vista. That seems to make a lot of sense.

      Cost of OS - $120
      Price of extra gig of memory - $80
      Look on Ballmer's face when Windows gets rooted - priceless!
    • by jkrise (535370)
      I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.

      I think although they mentioned cost as the excuse, they might've been scared about something in the EULA of the final version which could possibly make their experiment or publishing its results a criminal offence.

      Incidentally, I'd like Mark Russinovich's detailed response to this, but now he's a full-time MS employee it would probably be useless.
  • by Ferzerp (83619) on Wednesday April 04, 2007 @12:14AM (#18599275)
    "hacker" uses a boot disk in linux and wipes the root password!!!

    Why is this a story? Physical access (needed to boot from an alternate source) has always been root access.
    • by Sancho (17056) on Wednesday April 04, 2007 @12:20AM (#18599327) Homepage
      It's a story because of Vista's signing requirement for kernel drivers in x64. A boot disk like this wouldn't be useful for compromising a system in the traditional, and it isn't intended as such. It is intended to give control back to the owner of the computer, and as such, physical access is neither an unreasonable requirement, nor an unreasonable expectation.
      • by Ferzerp (83619) on Wednesday April 04, 2007 @12:36AM (#18599467)
        Is there not an F8 boot option to load unsigned drivers?

        A quick search says yes, and the flag can be set as the default behavior as well.

        http://www.unofficialvista.com/article/204/installing-unsigned-drivers-in-64-bit [unofficialvista.com]
        • by Sancho (17056)
          Ooh, nice. I was aware of the F8 'trick', but I was under the impression that there was no way to permanently disable the checks. Thanks for the tip!
        • by PhrostyMcByte (589271) <phrosty@gmail.com> on Wednesday April 04, 2007 @12:43AM (#18599533) Homepage
          The flag to set default behavior was disabled in RTM and iirc RC2. You can set it, but it has no effect.
          • Re: (Score:3, Informative)

            by J Isaksson (721660)
            This is untested by me since I don't run x64, but here is supposedly the Vista x64 RTM method for permanently disabling the driver signing requirement:

            Start/Programs/Accessories
            Right-click "command prompt" and select "run as administrator"
            At the command prompt, type bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
            Reboot!

            In case you want to enable the driver signing requirement again:
            bcdedit -deletevalue loadoptions

            (Blatantly borrowed from http://www.teamxlink.co.uk/forum/viewtopic.php?t=20068&start=2 [teamxlink.co.uk])
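The bcdedit procedure above switches off kernel-mode code-signing enforcement for the whole machine, which is exactly the state a defender wants to be able to spot. The following PowerShell audit is an added example, not code from this thread or from the VBootkit authors: it parses the output of `bcdedit /enum {current}` and flags the `loadoptions` value quoted above as well as the `nointegritychecks` and `testsigning` switches, two real bcdedit settings that the thread does not mention and that are assumed here to be the relevant ones on later builds. The sample bcdedit output embedded in the block is constructed for the demonstration, not captured from a Vista machine.

```powershell
# Added example (not from the thread): read-only audit of the active boot entry for
# settings that relax kernel-mode code-signing enforcement. Run from an elevated
# prompt so that bcdedit can read the BCD store.
function Get-BootIntegrityFindings {
    param(
        # Defaults to the live store; pass captured lines to test the parser offline.
        [string[]]$BcdLines = (bcdedit /enum '{current}' 2>&1)
    )
    $findings = @()
    foreach ($line in $BcdLines) {
        # bcdedit prints "<name>   <value>" rows; split on the first run of whitespace
        if ($line -match '^\s*(\S+)\s+(.+?)\s*$') {
            $name  = $Matches[1].ToLower()
            $value = $Matches[2]
            switch ($name) {
                'loadoptions' {
                    # the pre-RTM switch quoted in the thread
                    if ($value -match 'DDISABLE_INTEGRITY_CHECKS') {
                        $findings += 'loadoptions contains DDISABLE_INTEGRITY_CHECKS'
                    }
                }
                'nointegritychecks' {
                    # assumed equivalent on later builds; bcdedit prints Yes/No
                    if ($value -match '^(Yes|On)$') { $findings += 'nointegritychecks is enabled' }
                }
                'testsigning' {
                    # test-signing mode also loads drivers without a production signature
                    if ($value -match '^(Yes|On)$') { $findings += 'testsigning is enabled' }
                }
            }
        }
    }
    return $findings
}

# Constructed sample output (not a real capture) so the parser can be exercised
# without touching the BCD store of the machine running the script.
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Vista
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes
'@ -split "`r?`n"

Write-Host '--- findings on constructed sample ---'
Get-BootIntegrityFindings -BcdLines $sample

Write-Host '--- findings on this machine ---'
Get-BootIntegrityFindings
```

On the constructed sample the function returns two findings (the loadoptions string and testsigning). A clean result only says the BCD store carries no such switch: the boot kit the article describes patches code in memory while the system boots and never touches these settings, so this audit belongs alongside, not in place of, a check of the boot media itself.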
        • by Spy Hunter (317220) on Wednesday April 04, 2007 @06:36AM (#18601787) Journal
          Yes, but then Vista knows it's "tainted". It will refuse to run "protected media path" DRM, because it is supposed to protect such DRM against snooping by unsigned code. Memory-sniffing attacks such as those recently deployed on Windows XP against HD-DVD players are supposedly thwarted by Vista's "protected media path". This sounds like a backdoor to load unsigned code into the kernel without it being aware, giving you complete control over your own computer at all times, even when it is running PMP DRM crap.
      • by elronxenu (117773) on Wednesday April 04, 2007 @02:44AM (#18600303) Homepage
        Well, if you want to get back control of your computer, you could uninstall Vista and install Linux.

        Sure, this technique could be used to let you modify Vista and patch device drivers and so on, but you'd still be fighting Microsoft and their whole "we'll tell you where to go today" attitude toward operating systems.

        On the other hand you could install Linux and maybe experience some temporary discomfort as you get used to the user interface or different applications (openoffice or abiword or scribus instead of MS Word, etc). Maybe you have to give up some games if they won't run emulated. Whatever it costs you in conversion, consider that you've bought your freedom from the domination of Microsoft. You now have a stable, reliable system developed by people whose interests are aligned with your interests, rather than those of the most hated organisations in America.

        Linux ... There are no backdoors, no spyware; it's pretty much immune to viruses. It won't "phone home" and accuse you of piracy, it won't disable itself about licensing issues, or degrade the picture quality. You can run it on multiple computers if you want. You can share it with a friend if you want. You can update it from the net, forever. There will always be new free applications for you to use.

        Microsoft Vista ... it's an operating system designed to meet the needs of major corporations: Microsoft, the RIAA, MPAA. Managing system resources and running applications is a secondary function; the primary function is to lock you into Microsoft software and extract the maximum possible amount of money from your wallet. What's good for Microsoft is not necessarily good for the user; Microsoft's interests do not align with your interests.

        There's a Cave Troll chained to a rock in the middle of an Arena. The Cave Troll is hungry and roars continuously. You throw people to the Troll as sacrifices. But the Troll continues to roar; it will never be satisfied. It grows bigger - someday soon it may break its chains and eat us all. Microsoft is the Cave Troll. Are you going to continue to sacrifice people to it? Or are you going to say "enough is enough" and take back your control - take back your dignity?

        • by Anpheus (908711)
          Cave troll indeed!

          I propose a new Internet Law: "Godwin's Law, The Second."

          It goes like this, "As a discussion increases in volume, the probability of someone creating an analogy between the subject and RIAA or MPAA increases to 1." And using them as part of your argument should immediately discredit it.
          • by elronxenu (117773)
            ... Or you could try to discredit my argument using facts and reasoning, which is the far more intelligent approach.

            As far as I know, Microsoft is working with the RIAA and MPAA to limit Vista's capabilities in line with what those organisations demand. Here's what Bruce Schneier said in DRM in Windows Vista [schneier.com] ...

            Microsoft put all those functionality-crippling features into Vista because it wants to own the entertainment industry. This isn't how Microsoft spins it, of course. It maintains that it has no

      • 'A boot disk like this wouldn't be useful for compromising a system in the traditional, and it isn't intended as such'

        I would have thought that what it actually does is more important than what it is intended to do, which is to bypass the whole security mechanisms [blackhat.com] of Windows Vista.
    • Just because you have physical access to the machine doesn't mean the machine will do your bidding when you fire it up. It will still not run unsigned drivers, it will still not be under your control. Vista rewrote the laws of access, being administrator doesn't mean that you're root.
  • I wonder how this will affect Microsoft's DRM?
    • Re:Hmmmm... (Score:4, Insightful)

      by Opportunist (166417) on Wednesday April 04, 2007 @02:17AM (#18600141)
      Umm... blow it to pieces?

      I foresee that this exploit will be less used for traditional attack rootkits, it seems more like a very convenient way to get rid of all the unwanted 'security features' (read: the ones that protect the makers of your content instead of you) of Vista.
  • by djupedal (584558) on Wednesday April 04, 2007 @12:38AM (#18599483)
    Let's see:
    • VBootKit bitch slaps VISTA
    • Animated cursor panic/fix
    • EMI/Apple DRM shun ropa-dopes WMA
    • XBox Elite HD-DVD chokes on popular title
    • XBox Elite HDMI only v1.2
    • Class action suit for bait/switch 'VISTA Ready' claims
    Can't wait to see how the rest of the week plays out....heheheheh
  • VM? (Score:5, Interesting)

    by mr100percent (57156) on Wednesday April 04, 2007 @12:42AM (#18599519) Homepage Journal
    So, it's being hacked because Vista is booted from within some sort of VM? That doesn't sound like too much of a threat to machines. A threat to DRM, maybe.
    • by Yetihehe (971185)
      So, it's first root/bootkit that actually adds value to windows :/
    • Re: (Score:3, Insightful)

      by Just Some Guy (3352)

      That doesn't sound like too much of a threat to machines. A threat to DRM, maybe.

      Of those two possibilities, which do you think MS actually gives a rat's butt about? They don't care if you lose control of your machine. They for darn sure care if they do. That's what makes this a "ha-ha!" moment.

  • by dioscaido (541037) on Wednesday April 04, 2007 @12:51AM (#18599571)
    ...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?
    • by Sancho (17056)
      Yes, but that's the point :)

      This specific exploit is good only for regaining control over your system (a system which does not let you load unsigned kernel modules).

      Abstracted out, it allows any kernel exploit to maintain control of the system by modifying the boot sector of the hard drive. But you still need that initial exploit first.
    • Dear Mr. Gates: (Score:5, Interesting)

      by Kadin2048 (468275) <slashdot.kadin@xoxFREEBSDy.net minus bsd> on Wednesday April 04, 2007 @01:14AM (#18599701) Homepage Journal
      ...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?

      Yep. Now, who wants to type up the memo to Microsoft? Because, see, they keep trying to control your computer from Redmond, even though you're sitting at the console.

      Rootkits aren't just for botnet operators anymore. Root/boot kits are the way people are going to take back their computers from Microsoft, so that they can, you know, do stuff with them.

      (Although, more seriously, it's only a few people that need to have rooted machines, so that they can rip copy-protected content using kernel-level exploits to bypass the DRM enforcement. Then they can just dump the content onto Bittorrent or some other P2P protocol, which is how the unwashed masses will get it.)
  • by Anonymous Coward on Wednesday April 04, 2007 @12:51AM (#18599579)

    Hi, I'm a Mac...

    ...and I'm whatever the Russian mob wants me to be.

  • by eerok (1033124) on Wednesday April 04, 2007 @01:04AM (#18599645)
    Many are seeing this as a security exploit, but it seems to be a workaround to gain usability.

    Interesting reversal here, but one can argue that, with Vista, the user is the virus. No surprise that people are fighting back to regain control over their machines.

  • by GFree (853379)
    That's nice and all, but couldn't they have done something more fun? Heck, they should have hacked the Vista bootscreen at least. It's so damn boring, it doesn't even have the Vista logo.

    I'd have been much more impressed if they replaced it with a picture of Gerard Butler, screaming

    THIS... IS... VISTAAAA!!

    Now THAT's a boot screen! Bonus points for having a bunch of Hoplites dressed in red, green, blue and yellow armor.
  • When I first saw 'VBootkit', I first read it as 'VB Rootkit'. Wonder why?

  • 1. Only 14 people are running Vista as on date, the rest have upgraded to the old, familiar XP and never looked back.
    2. Of these, 10 machines are in Microsoft, without any CD/DVD drives or USB ports - so no external booting is possible.
    3. 3 of the 4 remaining machines are with journalists and 'independent' analysts - so they can be 'trusted' to keep shut.
    4. Now, HOW are YOU going to protect your Vista against this Bootkit? Yes, YOU! You'll just upgrade to XP as well? That's fine then. Problem solved.
  • Like Linux has never been hit with a bootkit? If the only way to bust Vista's code-signing is through a bootkit, then Microsoft did something right.
    • by dhasenan (758719)
      With Linux, you generally don't need such techniques. It's rare to be able to alter the boot partition and not have access to the rest of the drive, except with drive encryption. In that case, you can replace the user's kernel with one that will record the drive's password. This still requires physical access to the computer, though.
  • Nothing against Schneier (I love his cryptogram newsletter), but adding 13 words to a 65 word paragraph without giving any real information or further thoughts isn't really what I consider worth mentioning.
  • by Opportunist (166417) on Wednesday April 04, 2007 @02:31AM (#18600241)
    Many have pointed out that an attack vector that requires the attacked user to jump through a few hoops is none. This is not entirely true, but I'll cover that later.

    What this is, though, is a way to gain more control over your machine. This matter has been discussed as an attack vector of some intruder trying to take over your machine. As this, it is probably not the most successful way of invading Vista (let's face it, folks, there are far easier ways). I'd like to shine some light on the opportunity of invading your own machine.

    Vista has some "features" that most people would just love to get rid of. And this seems to be the key to this goal. So I'd say this is less a way for someone to take control of your machine, more likely it's a way for you to take control of it.

    Of course, and here's your attack vector, the vast majority of people don't know what's ticking inside their box. They just wanna play their cracked games and view their ripped movies. And (bless the internet), they will learn about this hack and that it can be used to do just that. Being unable to rewrite the bits themselves, they will have to use tools provided by others. And they will very willingly jump through any hoops you present them, for the promise to get control over their machine, they'll give you admin access and reboot for you, they install whatever you want them to install.

    That's how this can be used to invade a machine. Sure, it takes a lot of help from the user, but the user will help you very willingly, for the promise of getting his machine back into his hands.
    • by NSIM (953498)

      They just wanna play their cracked games and view their ripped movies. And (bless the internet), they will learn about this hack and that it can be used to do just that.

      Installing a rootkit and futzing around with the internals of Vista just so that they can "play their cracked games and view their ripped movies" seems like an awful lot of trouble to go to! Especially since there is *NOTHING* in Vista that prevents you playing your ripped movies or cracked games in the first place. For f***s sake how many

      • Can we agree on "handle DRM-protected media like unprotected content" instead of "play their cracked games and view their ripped movies"?
        • by NSIM (953498)

          Can we agree on "handle DRM-protected media like unprotected content" instead of "play their cracked games and view their ripped movies"?
          That would be more technically accurate. Whether it's something the average VISTA user is going to give a damn about is another question. My bet is that the DRM schemes will be cracked for HD-DVD and BluRay and non-DRM ripped copies will be available so I doubt most people will care.
          • That depends entirely on the reaction of the industry. Generally, though, I'd say that a lot of people would prefer a general purpose Anti-DRM key to punctual cures.
            • by NSIM (953498)

              Generally, though, I'd say that a lot of people would prefer a general purpose Anti-DRM key to punctual cures.

              Only if it's really simple to do, i.e. run setup.exe and you're done. Anything that involves installing root kits and god alone knows what else will be way beyond the technical ability of the average user. They'll be quite happy to download content that has the DRM stripped out, but I doubt that many would go to these lengths to get past DRM.

              PS. don't get me wrong, I think DRM is a fundamentally bad

              • Don't underestimate the group of people who'd use such kits just because they exist. Because it's "cool" and because your peers look up at you 'cause you "freed" your computer. It will take a fairly good clue how to use those kits, but those people exist.

                It's not much different from stuffing alternative bootloaders and core systems into your Gamecube or XBox. It's not really trivial, but it's far from requiring detailed and intimate knowledge of the inner workings of your machine. Kits exist that allow fair
                • by NSIM (953498)
                  I never said that some people wouldn't do it, I said it would be too much trouble for the vast majority.
  • ... of why Microsoft at one point wanted "Fritz chips" in the computers running Vista.

    And that was of course also flamed. ;-)

    It must be hard being Microsoft these days.
    • Re: (Score:3, Interesting)

      by Opportunist (166417)
      And understandably so.

      I can see why MS wants the Fritz in the hardware. I just can't see why I would.

      Basically what this hack does is to offer an attack vector against the machine and the ways it locks me out of features I would like to use. Not an attack vector against the user. Actually, it offers the user a vector against his machine.

      Yes, I know what I just said. An attack vector for the user against his machine. It's sad enough when a user has to attack his own machine to actually get it to do what he w
  • by cancerward (103910) on Wednesday April 04, 2007 @03:45AM (#18600645) Journal
    Back in the 1980s Sierra On-Line used to copy protect their adventure games with a copy protection system which involved strangely formatted sectors on the original disk which were impossible to duplicate exactly using standard PC hardware. The loader "sierra.com" used to call a copy-protection program "cpc.com" which loaded data from the disk to decrypt the main program and run it. cpc.com had some of the most obscure, twisty, awful code ever written to prevent debugging and it constantly used different methods to thwart stepping through the program using INT 3 (these were the days before Soft-Ice). But the solution (or "crack") was just dead simple. Just fire up debug, step to the beginning of cpc.com, and copy the vector from INT 3 into the INT 13 vector - then cpc.com stops right at the point where the data from the disk is being loaded, so it can be copied. Despite all the incredibly complex code, cpc.com had to read the data off the disk so there was no way the Sierra programmers could thwart this method. It sounds like the same thing in Vista -- the INT 13 redirection happens before everything else and can't be thwarted.
    • by MORB (793798)
      No matter how convoluted and obfuscated your protection is, there is often a weak spot that you can take advantage of.

      I remember lots of protections in Amiga games and applications doing things like testing an oddly formatted track on the floppy disk or applying some complicated calculations on the data from a keyfile to check its authenticity... Before returning true or false to indicate whether the protection check was successful.
      Some returned some magic number that was then explicitly compared against it
  • "Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."

    -- Bill Gates, Newsweek interview, Feb. 3, 2007

    [*] - http://talkback.zdnet.com/5208-10533-0.html?forumID=1&threadID=30419&messageID=565878&start=143 [zdnet.com]
  • by smchris (464899) on Wednesday April 04, 2007 @08:09AM (#18602503)
    Sounds like the moral is that the media companies will end up demanding hardware we will have to hack just to run linux. In the meantime Vista gives us a break to prepare for that because it will be some months before it becomes clear Vista doesn't really protect content and some years for Microsoft and the manufacturers to come up with an even more draconian PC.
  • The researchers say the only reason they didn't do it on Vista final was cost

    These researchers should have been the ones who must have received those free Vista pre-loaded Acer Ferrari laptops.
