VBootkit Bypasses Vista's Code Signing 210
An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."
channel9 (Score:3, Interesting)
Cost? (Score:5, Interesting)
I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.
Re:Looks like it (Score:5, Interesting)
In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise. Unsigned kernel-level code must have already run. Further compromising the boot sector would certainly be a way of maintaining control over the system, but that's not the hard part in a scenario like this.
My guess is that compromising this particular security mechanism will be hard. Vista engineers worked pretty hard on the signed code requirement and on hardening kernel-level services to prevent the likelihood of attack. Getting unsigned code to run is going to require a hole in the kernel or a kernel driver (not user-mode drivers, as most Vista drivers must be). Is it possible? Sure, and it's been demonstrated in RC1 (or was it RC2 that the Bluepill malware exploited?). But it is damned hard, and between that and automatic updates available and on by default, I think we're unlikely to see any of the absurd worms of a few years past.
Small problem (Score:1, Interesting)
I am sure they could get some funding from various organized syndicates to further their development.
VM? (Score:5, Interesting)
Dear Mr. Gates: (Score:5, Interesting)
Yep. Now, who wants to type up the memo to Microsoft? Because, see, they keep trying to control your computer from Redmond, even though you're sitting at the console.
Rootkits aren't just for botnet operators anymore. Root/boot kits are the way people are going to take back their computers from Microsoft, so that they can, you know, do stuff with them.
(Although, more seriously, it's only a few people that need to have rooted machines, so that they can rip copy-protected content using kernel-level exploits to bypass the DRM enforcement. Then they can just dump the content onto Bittorrent or some other P2P protocol, which is how the unwashed masses will get it.)
Re:Looks like it (Score:3, Interesting)
That's mainly true if you're running Vista 100% of the time, right? In theory, if a hacker was trying to alter his own copy of Vista rather than create a virus (perhaps to foil DRM), could he not create some Linux LiveCD-based tool to do the job? Basically boot to the CD, have it load an OS, run the tool to alter the Boot Sector of the desired HDD, install the code in question and reboot into the newly-neutered Vista?
Or is there some kind of boot sector wizardry performed by Vista that I'm not aware of?
Re:and in a related story... (Score:4, Interesting)
Sure, this technique could be used to let you modify Vista and patch device drivers and so on, but you'd still be fighting Microsoft and their whole "we'll tell you where to go today" attitude toward operating systems.
On the other hand you could install Linux and maybe experience some temporary discomfort as you get used to the user interface or different applications (openoffice or abiword or scribus instead of MS Word, etc). Maybe you have to give up some games if they won't run emulated. Whatever it costs you in conversion, consider that you've bought your freedom from the domination of Microsoft. You now have a stable, reliable system developed by people whose interests are aligned with your interests, rather than those of the most hated organisations in America.
Linux ... There are no backdoors, no spyware; it's pretty much immune to viruses. It won't "phone home" and
accuse you of piracy, it won't disable itself about licensing issues, or degrade the picture quality.
You can run it on multiple
computers if you want. You can share it with a friend if you want. You can update it from the net,
forever. There will always be new free applications for you to use.
Microsoft Vista ... it's an operating system designed to meet the needs of major corporations:
Microsoft, the RIAA, MPAA. Managing system resources and running applications is a secondary
function; the primary function is to lock you into Microsoft software and extract the maximum
possible amount of money from your wallet. What's good for Microsoft is not necessarily good
for the user; Microsoft's interests do not align with your interests.
There's a Cave Troll chained to a rock in the middle of an Arena. The Cave Troll is hungry and roars continuously. You throw people to the Troll as sacrifices. But the Troll continues to roar; it will never be satisfied. It grows bigger - someday soon it may break its chains and eat us all. Microsoft is the Cave Troll. Are you going to continue to sacrifice people to it? Or are you going to say "enough is enough" and take back your control - take back your dignity?
Re:New branding names (Score:3, Interesting)
I think Vista could come out with "That's not a bug, its a feature
Actually, since local access to fully virtualized instances is a moot point, it would be (arguably) a feature in that respect.
disk = [ 'phy:/hasta/la/vista/baby,ioemu:hda,w' ]
I'm just wondering now at what point they'll open source the whole damn mess hoping a community forms around it to fix it. Seems like that's already happening to a degree.
Vista : From the people who brought you edlin.
bypassing code using INT 13 (Score:5, Interesting)
Re:Boot Sector Virus (mod parent up) (Score:3, Interesting)
This is how a lot of viruses used to spread. It needs someone to forget to unplug their USB key before booting, but the old ones required you to forget to eject a floppy disk before booting, and still managed to spread a long way.
Re:Nice demo... (Score:3, Interesting)
I can see why MS wants the Fritz in the hardware. I just can't see why I would.
Basically what this hack does is to offer an attack vector against the machine and the ways it locks me out of features I would like to use. Not an attack vector against the user. Actually, it offers the user a vector against his machine.
Yes, I know what I just said. An attack vector for the user against his machine. It's sad enough when a user has to attack his own machine to actually get it to do what he wants it to do, I wouldn't call that kind of attack evil or undesirable.