VBootkit Bypasses Vista's Code Signing 210
An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."
Is it just me that thought (Score:5, Funny)
FTFA: "The researchers say the only reason they didn't do it on Vista final was cost."
Re: (Score:2)
Re:Is it just me that thought (Score:5, Insightful)
Re: (Score:2)
Not that I've read the EULA, mind you. Rather a left-handed DOS attack, isn't it?
Re: (Score:2)
From reading and watching old movies, I got the impression that you were not to accuse people of things unless you could prove it, lest you wreck their reputation, etc.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2)
I think the goal of this was to show that the DRM protection can be bypassed. If they run stuff at kernel level, unsigned, it means they can "sniff" stuff going to the video card, thus in theory they could rip protected HD content. If I am not mistaken, to run stuff at kernel level requires code signed by MS to prevent HD content ripping.
Re: (Score:2)
Re: (Score:2)
Re:Fuck Alanis Morissette (Score:4, Funny)
Re: (Score:2)
Now, here is another phrase for you to look up:
"Common Usage"
channel9 (Score:3, Interesting)
Boot Sector Virus (Score:5, Insightful)
New branding names (Score:5, Funny)
Roots for Sure
Clippy Boot: "You seem to be wanting to run as Admin, can I help?"
C'mon folks help me out!
Re: (Score:3, Interesting)
I think Vista could come out with "That's not a bug, its a feature .. so that fully virtualized instances of Vista can be modified by third party boot loaders for dynamic reprovisioning".
Actually, since local access to fully virtualized instances is a moot point, it would be (arguably) a feature in that respect.
disk = [ 'phy:/hasta/la/vista/baby,ioemu:hda,w' ]
I'm just wond
Re: (Score:2)
I can't resist
Looks like it (Score:5, Funny)
"This is the Windows Vista Boot Sector Virus kit. Please burn this ISO to a CD and boot your computer with it."
Re: (Score:2)
Dumb? *You* want this virus. (Score:2)
I'm guessing more than a few people will be installing this one on purpose.
Re: (Score:2)
I certainly don't want "this virus". It depends what comes attached to it. If it is used to disable the unwanted parts of the system, then I'm all for it. If it is used to add more spyware to the fold, then I'm not.
It all depends on how it is used.
Re:Looks like it (Score:5, Interesting)
In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise. Unsigned kernel-level code must have already run. Further compromising the boot sector would certainly be a way of maintaining control over the system, but that's not the hard part in a scenario like this.
My guess is that compromising this particular security mechanism will be hard. Vista engineers worked pretty hard on the signed code requirement and on hardening kernel-level services to prevent the likelihood of attack. Getting unsigned code to run is going to require a hole in the kernel or a kernel driver (not user-mode drivers, as most Vista drivers must be). Is it possible? Sure, and it's been demonstrated in RC1 (or was it RC2 that the Bluepill malware exploited?). But it is damned hard, and between that and automatic updates available and on by default, I think we're unlikely to see any of the absurd worms of a few years past.
Re: (Score:3, Informative)
My guess is that compromising this particular security mechanism will be hard. Vista engineers worked pretty hard on the signed code requirement and on hardening kernel-level services to prevent the likelihood of attack. Getting unsigned code to run is going to require a hole in the kernel or a kernel driver (not user-mode drivers, as most Vista drivers must be). Is it possible? Sure, and it's been demonstrated in RC1 (or was it RC2 that the Bluepill malware exploited?). But it is damned hard, and between that and automatic updates available and on by default, I think we're unlikely to see any of the absurd worms of a few years past.
Sooooooo..... What you're saying are that wide-spread exploitations [pcmag.com] of an animated cursor library flaw [slashdot.org] are things of the past? Thank science my Windows PC is safe from administrative privilege granting exploits, because the administrator can't disable things like automatic updates and code signing and junk! Sweet!!
Re:Looks like it (Score:4, Informative)
Yeah, we'll see some worms, but like I said, I doubt they'll be of the magnitude of some of the ones in recent memory.
Re: (Score:2)
Most newer computer can boot to USB and if they use the USB memory swap thing, it is likely one will be around. The exploit might not be as hard as though. Especialy if a zip file could check for a USB memory device and then extract portions of code there as well as in the regular place. Then the traditional email saying don't look at this might work.
Re: (Score:2)
Re: (Score:2)
Once you have one hole into the kernel that allows you to run arbitrary code on the kernel level, it's game over. Not only in Vista, same is true for Linux, OSX, heck even Linux with SELinux enabled.
Given Vista's complexity, and MS track record, I wouldn't bet a dime on the kernel staying unbreached for very long.
Re: (Score:2)
Re: (Score:2)
Data Execution Prevention.
Re: (Score:3, Interesting)
That's mainly true if you're running Vista 100% of the time, right? In theory, if a hacker was trying to alter his own copy of Vista rather than create a virus (perhaps to foil DRM), co
Just think about it. (Score:2)
Currently, the most lucrative market for compromised machines is home users machine, because these machine can be bot-netted for spitting spam, or keylogged to steal credit cards, and such. Much more interesting than hax0ring some .gov website to put animated flaming skullz on
Re: (Score:2)
But then again, with how many other things trip UAC, they'll just click "Allow" anyway.
user motivated BIOS reflash (Score:2)
My point was a user who willingly updates his motherboard's BIOS (for some obscure game performance reason or whatever), but unknown to him, some malware running in the background with user privilege, intercepts the new BIOS zip file, while it is loaded, and appends a VBootKit installed in the LZH BIOS image.
When the users subsequently accepts UAC, he thinks he only agrees to update the BIOS, not that some malware manage to inject itself into this BIOS for the u
Re: (Score:2)
That doesn't allow for convenient remote exploits, but it does make it reasonably easy for end users.
Re: (Score:2)
What's to stop you from booting up with a recovery CD, and then using dd to copy a boot sector you prepared earlier over the existing one? Apart from the fact that modifying your own computer isn't such a big deal.
It's not obvious to me right now how anyone could pull that stunt on a third party, but maybe you could persuade someone to in
kernel-level compromise .. (Score:2)
Do you meant that this VBootkit bootable CD doesn't really launch and bypass the whole security mechanisms of Windows Vista.
'VBootkit that launches from a CD and boots Vista, making "on the fly" changes in memory [heise-security.co.uk] and in files being read'
How exactly does x64 Vista prevent the boot sector being compromis
Re: (Score:3, Insightful)
But the main problem is not an external attack. This hack allows Vista DRM to be cracked. The supposed secure data paths in the OS that are designed to be "hands off" to even the administrator are now at r
Re: (Score:2)
Well, no shit. If you boost from a custom boot sector before the o/s is even resident in memory, of course it can do anything...
Re: (Score:2)
That's how a lot of boot-sector viruses spread in the old days.
Re: (Score:2)
This exploit doesn't run unless you manually boot from it first.
As another poster said, the significance of this is not so much about virus propogation, but more about enabling the user to manually intervene and circumvent the requirement for code signing (and thereby, in turn perhaps circumvent the DRM security in vista).
Re: (Score:2)
Re:Boot Sector Virus (mod parent up) (Score:2)
This is a very interesting point. The difficulty ofcourse still remains with getting the virus into the boot sector, but once there it would be no different than your run-of-the-mill xp virus with administrator priveledges. Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's fort knox.
Re:Boot Sector Virus (mod parent up) (Score:5, Funny)
No problem. We just send a flying circus over the BIOS, dump some VX gas on it, then march in with the industrial laser. Then we cut a hole, drop the virus in and, BOOM! Instant instability.
This is assuming, of course, Vista hasn't seduced the leader of the flying circus by this point, at which case the whole plan's shot to hell.
Re: (Score:3, Interesting)
Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's fort knox.
Does it guard all disks, or just the boot disk? If it guards all disks, then this could make it difficult to create bootable disks in Vista. If it only guards the boot disk, it means the virus could easily write to the boot sector of a flash drive. Anyone who booted a USB-bootable PC with the USB drive attached would not notice anything amiss, but would have the virus running with SYSTEM privileges (and even Administrator can't kill SYSYEM's processes). This computer could then install the boot sector
Cost? (Score:5, Interesting)
I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.
Re: (Score:3, Insightful)
Perhaps because Microsoft will patch this and render the boot kit useless in less time that it takes to say "oh my god, my unsigned drivers don't work anymore"?
Re: (Score:2)
Re: (Score:2, Funny)
Cost of OS - $120
Price of extra gig of memory - $80
Look on Ballmer's face when Windows gets rooted - priceless!
Re: (Score:2)
I think although they mentioned cost as the excuse, they might've been scared about something in the EULA of the final version which could possibly make their experiment or publishing it's results a criminal offence.
Incidentally, I'd like Mark Russinovich's detailed response to this, but now he's a full-time MS employee it would probably be useless.
and in a related story... (Score:3, Insightful)
Why is this a story? Physical access (needed to boot from an alternate source) has always been root access.
Re:and in a related story... (Score:5, Informative)
Re:and in a related story... (Score:5, Informative)
a quick search says yes, and the flag can be set as the default behavior as well.
http://www.unofficialvista.com/article/204/instal
Re: (Score:2)
Re:and in a related story... (Score:5, Informative)
Re: (Score:3, Informative)
Start/Programs/Accessories
Right-click "command prompt" and select "run as administrator"
At the command prompt, type bcdedit
Reboot!
In case you want to enable the driver signing requirement again:
bcdedit -deletevalue loadoptions
(Blatantly borrowed from http://www.teamxlink.co.uk/forum/viewtopic.php?t=2 0068&start=2 [teamxlink.co.uk]
Re:and in a related story... (Score:5, Informative)
Re:and in a related story... (Score:4, Interesting)
Sure, this technique could be used to let you modify Vista and patch device drivers and so on, but you'd still be fighting Microsoft and their whole "we'll tell you where to go today" attitude toward operating systems.
On the other hand you could install Linux and maybe experience some temporary discomfort as you get used to the user interface or different applications (openoffice or abiword or scribus instead of MS Word, etc). Maybe you have to give up some games if they won't run emulated. Whatever it costs you in conversion, consider that you've bought your freedom from the domination of Microsoft. You now have a stable, reliable system developed by people whose interests are aligned with your interests, rather than those of the most hated organisations in America.
Linux ... There are no backdoors, no spyware; it's pretty much immune to viruses. It won't "phone home" and
accuse you of piracy, it won't disable itself about licensing issues, or degrade the picture quality.
You can run it on multiple
computers if you want. You can share it with a friend if you want. You can update it from the net,
forever. There will always be new free applications for you to use.
Microsoft Vista ... it's an operating system designed to meet the needs of major corporations:
Microsoft, the RIAA, MPAA. Managing system resources and running applications is a secondary
function; the primary function is to lock you into Microsoft software and extract the maximum
possible amount of money from your wallet. What's good for Microsoft is not necessarily good
for the user; Microsoft's interests do not align with your interests.
There's a Cave Troll chained to a rock in the middle of an Arena. The Cave Troll is hungry and roars continuously. You throw people to the Troll as sacrifices. But the Troll continues to roar; it will never be satisfied. It grows bigger - someday soon it may break its chains and eat us all. Microsoft is the Cave Troll. Are you going to continue to sacrifice people to it? Or are you going to say "enough is enough" and take back your control - take back your dignity?
Re: (Score:2)
I propose a new Internet Law: "Godwin's Law, The Second."
It goes like this, "As a discussion increases in volume, the probability of someone creating an analogy between the subject and RIAA or MPAA increases to 1." And using them as part of your argument should immediately discredit it.
Re: (Score:2)
As far as I know, Microsoft is working with the RIAA and MPAA to limit Vista's capabilities in line with what those organisations demand. Here's what Bruce Schneier said in DRM in Windows Vista [schneier.com] ...
Re: (Score:2)
There are solid ethical and technical reasons to move away from Windows. Not everybody can do that - some businesses are locked-in because they use specific software which is only available on Windows. Dedicated gamers need to run whatever platform their game requires. But for the rest of us, the average user, we have a choice.
The ubuntu people have done a fine job making linux more user-friendly to non-technical people. Now is the time to encourage pe
intended use ? .. (Score:2)
I would have thought that what is actually does is more important than what it is intended to do. which is to bypass the whole security mechanisms [blackhat.com] of Windows Vista.
was
It has been ... 'til Vista (Score:3, Informative)
Hmmmm... (Score:2)
Re:Hmmmm... (Score:4, Insightful)
I forsee that this exploit will be less used for traditional attack rootkits, it seems more like a very convenient way to get rid of all the unwanted 'security features' (read: the ones that protect the makers of your content instead of you) of Vista.
Not a good week and it's only 1/2 over (Score:5, Funny)
- VBootKit bitch slaps VISTA
- Animated cursor panic/fix
- EMI/Apple DRM shun ropa-dopes WMA
- XBox Elite HD-DVD chokes on popular title
- XBox Elite HDMI only v1.2
- Class action suit for bait/switch 'VISTA Ready' claims
Can't wait to see how the rest of the week plays out....hehehehehVM? (Score:5, Interesting)
Re: (Score:2)
Re: (Score:3, Insightful)
Of those two possibilities, which do you think MS actually gives a rat's butt about? They don't care if you lose control of your machine. They for darn sure care if they do. That's what makes this a "ha-ha!" moment.
if you have physical access to the system... (Score:5, Insightful)
Re: (Score:2)
This specific exploit is good only for regaining control over your system (a system which does not let you load unsigned kernel modules).
Abstracted out, it allows any kernel exploit to maintain control of the system by modifying the boot sector of the hard drive. But you still need that initial exploit first.
Dear Mr. Gates: (Score:5, Interesting)
Yep. Now, who wants to type up the memo to Microsoft? Because, see, they keep trying to control your computer from Redmond, even though you're sitting at the console.
Rootkits aren't just for botnet operators anymore. Root/boot kits are the way people are going to take back their computers from Microsoft, so that they can, you know, do stuff with them.
(Although, more seriously, it's only a few people that need to have rooted machines, so that they can rip copy-protected content using kernel-level exploits to bypass the DRM enforcement. Then they can just dump the content onto Bittorrent or some other P2P protocol, which is how the unwashed masses will get it.)
Hi, I'm a Mac (Score:3, Funny)
Hi, I'm a Mac...
...and I'm whatever the Russian mob wants me to be.
easy to miss the point here (Score:5, Insightful)
Interesting reversal here, but one can argue that, with Vista, the user is the virus. No surprise that people are fighting back to regain control over their machines.
Bah! (Score:2)
I'd have been much more impressed if they replaced it with a picture of Gerard Butler, screaming
THIS... IS... VISTAAAA!!
Now THAT's a boot screen! Bonus points for having a bunch of Hoplites dressed in red, green, blue and yellow armor.
VBootkit? or.. (Score:2)
"Mitigating factors" in Vista (Score:2)
2. Of these, 10 machines are in Microsoft, without any CD/DVD drives or USB ports - so no external booting is possible.
3. 3 of the 4 remaining machines are with journalists and 'independent' analysts - so they can be 'trusted' to keep shut.
4. Now, HOW are YOU going to protect your Vista against this Bootkit? Yes, YOU! You'll just upgrade to XP as well? That's fine then. Problem solved.
this is an achievement? (Score:2, Insightful)
Re: (Score:2)
Schneier blogged the exploit... (Score:2)
But what ... is it good for? (Score:5, Insightful)
What this is, though, is a way to gain more control over your machine. This matter has been discussed as an attack vector of some intruder trying to take over your machine. As this, it is probably not the most successful way of invading Vista (let's face it, folks, there are far easier ways). I'd like to shine some light on the opportunity of invading your own machine.
Vista has some "features" that most people would just love to get rid of. And this seems to be the key to this goal. So I'd say this is less a way for someone to take control of your machine, more likely it's a way for you to take control of it.
Of course, and here's your attack vector, the vast majority of people don't know what's ticking inside their box. They just wanna play their cracked games and view their ripped movies. And (bless the internet), they will learn about this hack and that it can be used to do just that. Being unable to rewrite the bits themselves, they will have to use tools provided by others. And they will very willingly jump through any hoops you present them, for the promise to get control over their machine, they'll give you admin access and reboot for you, they install whatever you want them to install.
That's how this can be used to invade a machine. Sure, it takes a lot of help from the user, but the user will help you very willingly, for the promise of getting his machine back into his hands.
Re: (Score:2)
Installing a rootkit and futzing around with the internals Vista just so that they can "play their cracked games and view their ripped movies" seems like an awful lot of trouble to go to ! Especially since there is *NOTHING* in Vista that prevents you playing your ripped movies or cracked games in the first place. For f***s sake how many
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Only if it's really simple to do, i.e. run setup.exe and you're done. Anything involves installing root kits and god alone knows what else will be way beyond the technical ability of the average user. They'll be quite happy to download content that has the DRM stripped out, but I doubt that many would go to these lengths to get past DRM.
PS. don't get me wrong, I think DRM is a fundamentally bad
Re: (Score:2)
It's not much different from stuffing alternative bootloaders and core systems into your Gamecube or XBox. It's not really trivial, but it's far from requiring detailed and intimate knowledge of the inner workings of your machine. Kits exist that allow fair
Re: (Score:2)
Re: (Score:2)
In case the discussion between him and me is annoying to you, you are invited to stay out of it. Thank you.
Nice demo... (Score:2)
And that was of course also flamed.
It must be hard being Microsoft these days.
Re: (Score:3, Interesting)
I can see why MS wants the Fritz in the hardware. I just can't see why I would.
Basically what this hack does is to offer an attack vector against the machine and the ways it locks me out of features I would like to use. Not an attack vector against the user. Actually, it offers the user a vector against his machine.
Yes, I know what I just said. An attack vector for the user against his machine. It's sad enough when a user has to attack his own machine to actually get it to do what he w
bypassing code using INT 13 (Score:5, Interesting)
Re: (Score:2)
I remember lots of protections in amiga games and applications doing things like testing an oddly formated track on the floppy disk or applying some complicated calculations on the data from a keyfile to check it's authenticity... Before returning true or false to indicate whether the protection check was successful.
Some returned some magic number that was then explicitly compared against it
I wonder if Bill knows (Score:2)
with a total exploit, your machine can be taken over totally. I dare anybody to do that
once a month on the Windows machine."
-- Bill Gates, Newsweek interview, Feb. 3, 2007
[*] - http://talkback.zdnet.com/5208-10533-0.html?forumI D=1&threadID=30419&messageID=565878&start=143 [zdnet.com]
So we should thank Microsoft? (Score:3, Funny)
kudos..free laptops for them (Score:2, Funny)
These researchers should have been the ones who must have received those free Vista pre-loaded Acer Ferrari laptops.
Re: (Score:2)
No he can't. He will need the root password then.
Re: (Score:2)
Re: (Score:2)
And this, kids, is why you shouldn't do drugs.
Re: (Score:2)