Security Operating Systems Software Windows

VBootkit Bypasses Vista's Code Signing

An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."
  • channel9 (Score:3, Interesting)

    by Anonymous Coward on Wednesday April 04, 2007 @12:09AM (#18599233)
    And here's a video interview [msdn.com] of the guys who admit to being responsible.

  • Cost? (Score:5, Interesting)

    by biocute ( 936687 ) on Wednesday April 04, 2007 @12:14AM (#18599271)
    Cost as in the money one has to pay to acquire a copy of Vista, or the cost of developing a Vista-Final-compatible VBootkit?

    I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.
  • Re:Looks like it (Score:5, Interesting)

    by Sancho ( 17056 ) on Wednesday April 04, 2007 @12:31AM (#18599429) Homepage
    True, but it's a more complex situation than that.

    In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise. Unsigned kernel-level code must have already run. Further compromising the boot sector would certainly be a way of maintaining control over the system, but that's not the hard part in a scenario like this.

    My guess is that compromising this particular security mechanism will be hard. Vista engineers worked pretty hard on the signed code requirement and on hardening kernel-level services to prevent the likelihood of attack. Getting unsigned code to run is going to require a hole in the kernel or a kernel driver (not user-mode drivers, as most Vista drivers must be). Is it possible? Sure, and it's been demonstrated in RC1 (or was it RC2 that the Bluepill malware exploited?). But it is damned hard, and between that and automatic updates available and on by default, I think we're unlikely to see any of the absurd worms of a few years past.
  • Small problem (Score:1, Interesting)

    by Anonymous Coward on Wednesday April 04, 2007 @12:32AM (#18599439)
    A small problem is that Vista RC2 was free, but the development time for the VBootkit was not. The developers had to start the process somewhere from the initial release to RC2 status. That is a chunk of development work by 2 programmers. Once they had a working copy on RC2, they stopped. To continue would cost more money to extend their research into the production version of Vista.

    I am sure they could get some funding from various organized syndicates to further their development.
  • VM? (Score:5, Interesting)

    by mr100percent ( 57156 ) on Wednesday April 04, 2007 @12:42AM (#18599519) Homepage Journal
    So, it's being hacked because Vista is booted from within some sort of VM? That doesn't sound like too much of a threat to machines. A threat to DRM, maybe.
  • Dear Mr. Gates: (Score:5, Interesting)

    by Kadin2048 ( 468275 ) on Wednesday April 04, 2007 @01:14AM (#18599701) Homepage Journal
    ...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?

    Yep. Now, who wants to type up the memo to Microsoft? Because, see, they keep trying to control your computer from Redmond, even though you're sitting at the console.

    Rootkits aren't just for botnet operators anymore. Root/boot kits are the way people are going to take back their computers from Microsoft, so that they can, you know, do stuff with them.

    (Although, more seriously, it's only a few people that need to have rooted machines, so that they can rip copy-protected content using kernel-level exploits to bypass the DRM enforcement. Then they can just dump the content onto Bittorrent or some other P2P protocol, which is how the unwashed masses will get it.)
  • Re:Looks like it (Score:3, Interesting)

    by brogdon ( 65526 ) on Wednesday April 04, 2007 @01:34AM (#18599827) Homepage
    "In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise. Unsigned kernel-level code must have already run. Further compromising the boot sector would certainly be a way of maintaining control over the system, but that's not the hard part in a scenario like this."

    That's mainly true if you're running Vista 100% of the time, right? In theory, if a hacker was trying to alter his own copy of Vista rather than create a virus (perhaps to foil DRM), could he not create some Linux LiveCD-based tool to do the job? Basically boot to the CD, have it load an OS, run the tool to alter the Boot Sector of the desired HDD, install the code in question and reboot into the newly-neutered Vista?

    Or is there some kind of boot sector wizardry performed by Vista that I'm not aware of?
  • by elronxenu ( 117773 ) on Wednesday April 04, 2007 @02:44AM (#18600303) Homepage
    Well, if you want to get back control of your computer, you could uninstall Vista and install Linux.

    Sure, this technique could be used to let you modify Vista and patch device drivers and so on, but you'd still be fighting Microsoft and their whole "we'll tell you where to go today" attitude toward operating systems.

    On the other hand you could install Linux and maybe experience some temporary discomfort as you get used to the user interface or different applications (openoffice or abiword or scribus instead of MS Word, etc). Maybe you have to give up some games if they won't run emulated. Whatever it costs you in conversion, consider that you've bought your freedom from the domination of Microsoft. You now have a stable, reliable system developed by people whose interests are aligned with your interests, rather than those of the most hated organisations in America.

    Linux ... There are no backdoors, no spyware; it's pretty much immune to viruses. It won't "phone home" and accuse you of piracy, it won't disable itself about licensing issues, or degrade the picture quality. You can run it on multiple computers if you want. You can share it with a friend if you want. You can update it from the net, forever. There will always be new free applications for you to use.

    Microsoft Vista ... it's an operating system designed to meet the needs of major corporations: Microsoft, the RIAA, MPAA. Managing system resources and running applications is a secondary function; the primary function is to lock you into Microsoft software and extract the maximum possible amount of money from your wallet. What's good for Microsoft is not necessarily good for the user; Microsoft's interests do not align with your interests.

    There's a Cave Troll chained to a rock in the middle of an Arena. The Cave Troll is hungry and roars continuously. You throw people to the Troll as sacrifices. But the Troll continues to roar; it will never be satisfied. It grows bigger - someday soon it may break its chains and eat us all. Microsoft is the Cave Troll. Are you going to continue to sacrifice people to it? Or are you going to say "enough is enough" and take back your control - take back your dignity?

  • by tinkertim ( 918832 ) * on Wednesday April 04, 2007 @03:41AM (#18600621)

    Windows Genuine Rootkit Advantage
    Roots for Sure
    Clippy Boot: "You seem to be wanting to run as Admin, can I help?"
    C'mon folks help me out!


    I think Vista could come out with "That's not a bug, it's a feature .. so that fully virtualized instances of Vista can be modified by third party boot loaders for dynamic reprovisioning".

    Actually, since local access to fully virtualized instances is a moot point, it would be (arguably) a feature in that respect.

    disk = [ 'phy:/hasta/la/vista/baby,ioemu:hda,w' ]

    I'm just wondering now at what point they'll open source the whole damn mess hoping a community forms around it to fix it. Seems like that's already happening to a degree.

    Vista : From the people who brought you edlin.
  • by cancerward ( 103910 ) on Wednesday April 04, 2007 @03:45AM (#18600645) Journal
    Back in the 1980s Sierra On-Line used to copy protect their adventure games with a copy protection system which involved strangely formatted sectors on the original disk which were impossible to duplicate exactly using standard PC hardware. The loader "sierra.com" used to call a copy-protection program "cpc.com" which loaded data from the disk to decrypt the main program and run it. cpc.com had some of the most obscure, twisty, awful code ever written to prevent debugging and it constantly used different methods to thwart stepping through the program using INT 3 (these were the days before Soft-Ice). But the solution (or "crack") was just dead simple. Just fire up debug, step to the beginning of cpc.com, and copy the vector from INT 3 into the INT 13 vector - then cpc.com stops right at the point where the data from the disk is being loaded, so it can be copied. Despite all the incredibly complex code, cpc.com had to read the data off the disk so there was no way the Sierra programmers could thwart this method. It sounds like the same thing in Vista -- the INT 13 redirection happens before everything else and can't be thwarted.
  • by TheRaven64 ( 641858 ) on Wednesday April 04, 2007 @06:00AM (#18601549) Journal

    Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's fort knox.
    Does it guard all disks, or just the boot disk? If it guards all disks, then this could make it difficult to create bootable disks in Vista. If it only guards the boot disk, it means the virus could easily write to the boot sector of a flash drive. Anyone who booted a USB-bootable PC with the USB drive attached would not notice anything amiss, but would have the virus running with SYSTEM privileges (and even Administrator can't kill SYSTEM's processes). This computer could then install the boot sector virus on every single disk it came into contact with.

    This is how a lot of viruses used to spread. It needs someone to forget to unplug their USB key before booting, but the old ones required you to forget to eject a floppy disk before booting, and still managed to spread a long way.
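The post above asks whether a disk's boot sector is still what was installed on it. As an added example (not from this thread or from NV Labs), the following Python parses the classic MBR layout (446-byte bootstrap area, four 16-byte partition entries, 0x55AA signature) and compares only the bootstrap code against a baseline hash recorded when the disk was known-good, so a legitimate partition-table change does not trip the check. The sample MBR and its "tampered" copy are constructed inline for the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bootstrap code: bytes 0..445 of the MBR
PART_TABLE_OFF = 446          # then four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only, so partition-table edits do not raise alarms."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("bootstrap code differs from recorded baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings

def make_sample_mbr(tampered: bool = False) -> bytes:
    """Constructed sample MBR (not a real disk image): filler boot code plus one NTFS entry."""
    code = bytearray(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5))
    if tampered:
        code[0x40:0x43] = b"\x01\x02\x03"   # constructed edit standing in for a modified loader
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return bytes(code) + entry + bytes(48) + BOOT_SIGNATURE

CLEAN_MBR = make_sample_mbr()
BASELINE = boot_code_digest(CLEAN_MBR)     # record this while the disk is known-good

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(make_sample_mbr(tampered=True), BASELINE))
```

On a real system the 512 bytes would be read from the raw device (e.g. the first sector of a USB stick) with administrative rights and compared against the baseline stored off the disk.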

  • Re:Nice demo... (Score:3, Interesting)

    by Opportunist ( 166417 ) on Wednesday April 04, 2007 @06:25AM (#18601719)
    And understandably so.

    I can see why MS wants the Fritz in the hardware. I just can't see why I would.

    Basically what this hack does is to offer an attack vector against the machine and the ways it locks me out of features I would like to use. Not an attack vector against the user. Actually, it offers the user a vector against his machine.

    Yes, I know what I just said. An attack vector for the user against his machine. It's sad enough when a user has to attack his own machine to actually get it to do what he wants it to do, I wouldn't call that kind of attack evil or undesirable.
