Feeds

0wning Vista from the boot

The VBootkit authors speak out

Internet Security Threat Report 2014

Interview Federico Biancuzzi interviews Nitin and Vipin Kumar, authors of VBootkit, a rootkit that is able to load from Windows Vista boot-sectors. They discuss the "features" of their code, the support of the various versions of Vista, the possibility to place it inside the BIOS (it needs around 1,500 bytes), and the chance to use it to bypass Vista's product activation or avoid DRM.

Could you introduce yourselves?

Nitin Kumar: I am a 23-year-old graduate from India. I am passionate about computers. The best part about me is that I never give up something till I give a try to it. I like coding in C and asm. I like Reverse Engineering. In free time I usually pick up something and try to understand that. Vista is new and have many new security features, so we thought of creating something for Vista.

Vipin Kumar: I am a 22-year-old graduate from India. I like analysing OSes (mainly the internals , kernel stuff etc) and testing OS and network security. Our coding stuff includes development of bootkit, vbootkit and numerous shell-codes and lots of Windows stuff.

For money, we also go for vulnerability assessments, security audits, etc. Life is not easy for us, so we struggle/work a lot to have some hardware like many other guys out there. Feel free to contact us if you need us.

What is Vbootkit?

Nitin & Vipin: Vbootkit is much like a door or a shortcut to access vista's kernel.

A bootkit is a rootkit that is able to load from a boot-sectors (master boot record, CD , PXE , floppies etc) and persist in memory all the way through the transition to protected mode and the startup of the OS. It's a very interesting type of rootkit. All rootkits install when the OS is running because they use the OS' features to load (and also they use the Administrator privileges to install), but bootkits are different, they use the boot media to attack the OS , and thus survive. Vbootkit is a bootkit specific for Windows Vista.

It's a total in-Ram concept. So, it doesn't touch the hard-disk under any condition and thus leaves no proofs. Just give a reboot to a vbootkit running system, and it vanishes just as it was never here.

What 'features' does it provide to Windows users?

Nitin & Vipin: At the moment, it doesn't really provide features to the users. It's just a Proof-of-Concept, that such an attack vector exists which can be used to circumvent the full security of the OS, without being easily traceable.

At the moment it can do a few things which are:

  • It periodically raises cmd.exe's privilege to SYSTEM after every few seconds.
  • Modify Registry so as to start the telnet server automatically
  • Create a user mode thread and deliver the user mode payloads in context of a system(protected) process (LSASS.EXE, Winlogon.exe etc)

Basically, it can do ANYTHING what the user programs it to do, since vbootkit becomes part of the kernel, it can do anything that Vista's kernel can do.

Does it work on all the versions of Windows Vista?

Nitin & Vipin: Yes, It should work with almost all Vista releases, even localised ones, but it will need a little bit of fine tuning. Most probably, it will support Vista Pack 1, but hey this is only a guess.

Have you released your code online?

Nitin & Vipin: No, we haven't released the code for vbootkit, but we have provided binaries to a few antivirus vendors.

However, you can download previous versions of bootkit (which runs on Windows 2000/XP/2003) from the our site. Even source code is provided.

As far as demos are concerned, readers might be interested in the white paper [PDF], slides from our presentation [PPT], videos showing vbootkit in action [AVI1

- AVI2].

What was the anti-virus vendors' response?

Nitin & Vipin: Nowadays, many anti-virus solutions don't scan for boot stuff. We got no official response. Whether they are gonna implement it once again or not! But they are interested in our binaries...

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.