VBootkit Bypasses Vista's Code Signing 210
An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."
Boot Sector Virus (Score:5, Insightful)
and in a related story... (Score:3, Insightful)
Why is this a story? Physical access (needed to boot from an alternate source) has always been root access.
Re:Cost? (Score:3, Insightful)
Perhaps because Microsoft will patch this and render the boot kit useless in less time that it takes to say "oh my god, my unsigned drivers don't work anymore"?
Re:and in a related story... (Score:1, Insightful)
-AC
Re:Is it just me that thought (Score:5, Insightful)
if you have physical access to the system... (Score:5, Insightful)
easy to miss the point here (Score:5, Insightful)
Interesting reversal here, but one can argue that, with Vista, the user is the virus. No surprise that people are fighting back to regain control over their machines.
Re:Is it just me that thought (Score:2, Insightful)
this is an achievement? (Score:2, Insightful)
Re:Hmmmm... (Score:4, Insightful)
I forsee that this exploit will be less used for traditional attack rootkits, it seems more like a very convenient way to get rid of all the unwanted 'security features' (read: the ones that protect the makers of your content instead of you) of Vista.
But what ... is it good for? (Score:5, Insightful)
What this is, though, is a way to gain more control over your machine. This matter has been discussed as an attack vector of some intruder trying to take over your machine. As this, it is probably not the most successful way of invading Vista (let's face it, folks, there are far easier ways). I'd like to shine some light on the opportunity of invading your own machine.
Vista has some "features" that most people would just love to get rid of. And this seems to be the key to this goal. So I'd say this is less a way for someone to take control of your machine, more likely it's a way for you to take control of it.
Of course, and here's your attack vector, the vast majority of people don't know what's ticking inside their box. They just wanna play their cracked games and view their ripped movies. And (bless the internet), they will learn about this hack and that it can be used to do just that. Being unable to rewrite the bits themselves, they will have to use tools provided by others. And they will very willingly jump through any hoops you present them, for the promise to get control over their machine, they'll give you admin access and reboot for you, they install whatever you want them to install.
That's how this can be used to invade a machine. Sure, it takes a lot of help from the user, but the user will help you very willingly, for the promise of getting his machine back into his hands.
Holy moron, batman. (Score:1, Insightful)
Yes, I know, that having signed drivers is suppose to be a (very) limited improvement in security over XP, but they are lying to you if they tell you that is the real reason that Microsoft is doing it.
This is just another way to crack Microsoft's DRM.
First they were able crack the DRM for individual HD-DVD disks, then Blueray.
Next they have cracked the DRM on _ALL_ HD-DVD and Blueray disks manufactured to date.
Now they cracked the signed drivers sceme for Vista so now you can lie to applications and hardware about having 'protected media path'. You can do things like setup fake drivers and capture audio and video output to a file and rip movies that way. Perfect digital copy.
All sorts of crap like that.
All the 'digital right protections' that Microsoft has spent millions of dollars and 5 years to build into Vista have all been ripped to shreds in only a few months after it's release. Now take that bit of knowledge and then read "A Cost Analysis of Windows Vista Content Protection".
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_
I hope that now people understand what I've and many other people have been saying for years, that enforced DRM is a fucking retarded idea. And it's not bad because I 'beleive that artists shouldn't get paid' or because I am a communist/socialist (I am not) or anything like that.
It's a fucking stupid idea because it's just a realy bad idea.
To date that hasn't been nessicary to do for Linux unless you own a Tivo and they are working on the GPLv3 to 'crack' that.
Re:VM? (Score:3, Insightful)
Of those two possibilities, which do you think MS actually gives a rat's butt about? They don't care if you lose control of your machine. They for darn sure care if they do. That's what makes this a "ha-ha!" moment.
Re:bypassing code using INT 13 (Score:1, Insightful)
Now of course if you're mandating Internet connectivity for your program to run at all and are using obfuscated server-side protection checks, it's "good game" for every single cracker out there. I had this argument many moons ago (we were still on BBSes all day long
No, there isn't. You ain't cracking Blizzard's WoW loggin scheme. Internet + server side check done correctly = Game over cracker. I decided to leave the dark-side the day I realized this. It's way more fun to work on the server-side and to know that pirates have it deep in the arse
Re:Looks like it (Score:3, Insightful)
But the main problem is not an external attack. This hack allows Vista DRM to be cracked. The supposed secure data paths in the OS that are designed to be "hands off" to even the administrator are now at risk. As a BENEFIT, this hack allows drivers to be written that don't need to be signed -- restoring sanity again.
I would welcome "Vista Preboot Kit". Microsoft will have to validate both up and down to combat this. And, I am sure, a patch is coming...