New Rootkit Bypasses Windows Code-Signing Security

Trailrunner7 writes "In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection."
  • Well, DUH... (Score:3, Insightful)

    by adjuster ( 61096 ) on Tuesday November 16, 2010 @02:50PM (#34245598)
    Without "trusted" hardware the user will always be able to override software "protections" designed to prevent arbitrary code execution. This is just another "leapfrog" in this arms race. Give me "trusted computing" where I control the keys and decide what software is "trusted" and I'd be fine w/ it. Otherwise, I'll take the current situation on personal computers because, at least, I can run arbitrary software. ("Don't turn my PC into an iPhone, bro!")
  • by Microlith ( 54737 ) on Tuesday November 16, 2010 @02:59PM (#34245736)

    In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running.

    Of course, but the primary role of that lock down was to protect their DRM'd subsystems, which can be accessed by drivers running in kernel space, not to protect end-users from malicious driver code. Those were vicious but by far a minority, and it hasn't improved the situation on Windows Vista x64 / Windows 7 in the slightest.

    But hey, now Microsoft gets to bill everyone $250 for each driver release!

  • by gad_zuki! ( 70830 ) on Tuesday November 16, 2010 @03:03PM (#34245794)

    or physical access. At that point anything goes. Why bother with screwing with code signing tricks when you can just run whatever code you like.

  • by Anonymous Coward on Tuesday November 16, 2010 @03:04PM (#34245812)

    It lives in the MBR and sets a boot flag that lowers the load integrity threshold, like users have been doing to run/test utilities that don't pay to get signed.

  • by sexconker ( 1179573 ) on Tuesday November 16, 2010 @03:25PM (#34246144)

    Why does everything have to be a kit?
    Rootkit. Okay.
    Bootkit. I see what you did there.

    Would a WoW hack that steals/sells your loot be a lootkit?

    Would a viral advertising campaign that gets a bunch of douches to seek out 1930s era fashion for their high school proms be a zoot kit?

    Would naughty chimney sweeps toss packages of dirt, grime, and grease down your chimney and call it a soot kit?

    Is whatever drug / "treatment" the government uses on every former agent who goes public with stories about aliens called a coot kit?

    Are those wooden owls you put out to scare other birds away from your crops a hoot kit?

    Is the point of this post completely inconsequential, making the post a moot kit?

  • Re:Well, DUH... (Score:3, Insightful)

    by TemporalBeing ( 803363 ) on Tuesday November 16, 2010 @03:28PM (#34246184)

    Give me "trusted computing" where I control the keys and decide what software is "trusted" and I'd be fine w/ it.

    The problem is, 99% of our society cannot properly decide whether software should be trusted or not, and even with more granular controls and proper feedback from the OS a lot of malware will slip through.

    I don't think this is an unsolvable problem.

    But how that 99% of society wants to use the computer should not (and cannot necessarily) be dictated by even the 1%, as the 1% will not know every edge case for how the 99% wants to use the computer. Thereby, "trusted" computing in that model is 100% flawed, and you then have to build in backdoors - like the registry key that can disable requiring a signed driver so developers can test their drivers - so that the 99% can all do what they want/need to on the computer.

  • by clodney ( 778910 ) on Tuesday November 16, 2010 @03:29PM (#34246204)

    In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running.

    Of course, but the primary role of that lock down was to protect their DRM'd subsystems, which can be accessed by drivers running in kernel space, not to protect end-users from malicious driver code.

    Question for you - what benefit does Microsoft gain from enforcing DRM? They are not the copyright holders of music and movies, so they have no direct loss if pirating of content leads to reduced sales of music and movies.

    Seems to me that if MS's own self-interest is considered, they would put their effort into preventing piracy of their own software, and not worry about the DRM systems.

    Windows Vista and 7 do indeed include DRM subsystems, but since I can't see how MS's self-interest is involved in maintaining them, I think it is likely that these are things that the content holders demanded from them before they would grant MS the necessary licenses to produce players, or enter into partnerships to promote such content.

    Either way, it seems to me that MS is at most a reluctant partner in such schemes, and doesn't really care if DRM gets hacked. But driver signing and anti-malware do generate negative customer feedback, so I believe they take those things more seriously.

  • Nope, I don't think so. If you attempt to load up an unsigned driver on 64-bit Win7 or Vista 64 and do not specifically go through the F key function to turn on the mode that disables signed drivers - at every single boot - you will get a nasty text message that HALTS the boot process, shows you the name of the unsigned driver, and shows you the registry key that called it (as I recall, it's been a while).

    Unsigned drivers on 64-bit Windows are NOT the same as the unsigned code box you're talking about. Attempts to load unsigned drivers on the OS that requires it halt the boot process. You can go into a mode to load them - which I think even has visual indicators - or use a test cert - indicators here too, I believe - but it's most certainly not the trivial thing to get around you've just described, sorry.
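Added example, not code from the thread or from any poster: a PowerShell check a defender can run on an x64 Vista/7 host to confirm that the boot configuration has not been switched into a mode that lowers the load-integrity threshold, and to surface recent Code Integrity warnings about drivers that failed signature checks. It assumes an elevated prompt (bcdedit requires one); the function name is an assumption of mine.

```powershell
# Added example (not from the thread). Confirms that x64 driver-signature
# enforcement is still in effect and lists recent Code Integrity warnings.
# Assumes an elevated PowerShell prompt.
function Test-DriverSigningEnforcement {
    $findings = @()

    # Boot options on the current BCD entry that relax code-integrity checks.
    # bcdedit prints them as e.g. "testsigning   Yes" when set.
    $bcd = (bcdedit /enum '{current}' 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed; run from an elevated prompt." }
    foreach ($opt in 'testsigning', 'nointegritychecks') {
        if ($bcd -match "(?im)^\s*$opt\s+Yes\s*$") {
            $findings += "BCD option '$opt' is enabled on the current boot entry"
        }
    }

    # Code Integrity logs here when it sees a driver that fails signature
    # verification; Level 2 = Error, 3 = Warning.
    $ciEvents = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
            Level   = 2, 3
        } -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($e in $ciEvents) {
        $firstLine = ($e.Message -split "`n")[0]
        $findings += ("CodeIntegrity event {0} at {1}: {2}" -f $e.Id, $e.TimeCreated, $firstLine)
    }

    if ($findings.Count -eq 0) {
        'Driver-signature enforcement appears intact; no CodeIntegrity warnings found.'
    } else {
        $findings
    }
}

Test-DriverSigningEnforcement
```

A clean result here does not rule out a bootkit that patches the loader in memory rather than changing the stored boot options, so it complements rather than replaces an offline check of the MBR.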

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday November 16, 2010 @06:34PM (#34249032)
    Comment removed based on user account deletion
