Feeds

0wning Vista from the boot

The VBootkit authors speak out

Protecting users from Firesheep and other Sidejacking attacks with SSL

How can an attacker deploy it?

Nitin & Vipin: An attacker doesn't need to install, that's the way it has been designed. Just boot the system by placing the vbootkit media (containing vbootkit in bootsectors) in the drive, and start booting. After Vista boots, you can verify that you are running vbootkit, by checking the privilege of any running cmd.exe, the sample converts all low-privileged cmd.exe process to SYSTEM privileges. It also supports system compromise via PXE booting.

It doesn't need any privileges only physical access to the machine. It can also be installed to a remote system under some conditions (without physical access).

Have you developed a persistent version too?

Nitin & Vipin: It was basically designed to run from CD, Flash drives and portable HDD. However, such versions were not persistent, so if the system rebooted, they were gone. So, during development we also worked on a persistent version, meaning it would attach to MBR of the hard-disk. Attaching means we will copy the original MBR to some-other location, and thus replace the MBR. So, when the System starts now, vbootkit awakes from MBR, it bootstraps itself (since it is larger than 446 bytes), then loads the original MBR and thus normal booting continues.

As far as someone using other boot managers, it has no effect on almost 99% of such systems, because it doesn't replace the original boot process, it only inserts itself into it.

Is it small enough to fit inside BIOS flash memory?

Nitin & Vipin: Definitely, It's just about 1500 bytes in size. It can be reduced further. Todays BIOSes are big in size, therefore, it can easily hide in there.

How does vbootkit work?

Nitin & Vipin: A small summary:

BIOS --> Vbootkit code(from CD,PXE etc.) --> MBR --> NT Boot sector --> Windows Boot manager --> Windows Loader --> Vista Kernel.

Just after vbootkit takes control, it hijacks the interrupt 13, then searches for Signature for Vista OS. After detecting Vista, it starts patching Vista, meanwhile hiding itself (in smaller chunks at different memory locations). The patches includes bypassing several protections such as checksum, digital signature verification etc, and takes steps to keep itself in control, while boot process continues to phase 2.

Phase 2 includes patching vista kernel, so as vbootkit maintains control over the system till the system reboots. Several protection schemes of Vista were analyzed such as the famous PE header checksum (every Windows EXE contains it), the Digital Signature of files.

So, you have vbootkit loaded in Vista's Kernel.

Can your vbootkit be used to avoid the DRM ?

Nitin & Vipin: Yes, the vbootkit can be modified to bypass the DRM stuff. Since the DRM has been implemented in such a way, so as if unsigned drivers are loaded, then DRM will not let you play the content. What vbootkit does is let you load code without the OS knowing that it has been compromised, and thus the vbootkit can be misused to bypass DRM.

What other things can vbootkit be used to do...

Nitin & Vipin: vbootkit can be used to to create the long dead boot sector virus. Even some anti-virus vendors have stopped detecting boot sector viruses. It can revive the viruses.

Just imagine the following scenarios.

Suppose vbootkit is running on a computer and someone plugs-in a USB storage device (vbootkit will copy itself to the boot sector of the new device), now whenever mistakenly the USB devices boots up, it gonna attach to the boot process of new system and thus, it can flow from system to system and the legend continues

Now, just take another interesting scenario. vbootkit is running on a system in a company, it captures all MAC address, and at 00:00, in the silence of the midnight, the vbootkit system starts remote booting, and delivers the vbootkit code as boot code though PXE, so slowly and steadily, the whole organization gets going on vbootkit...

It can also be used to implement backdoors (both local and remote), just an idea. Basically, it can do anything you can imagine (that vista could do).

How can vbootkit be spotted once it is running in a system?

Nitin & Vipin: In the current versions, it shows our signature at OS selection time (Boot menu). Secondly, we have added vbootkit signature into the kernel memory, so a physical dump, or a kernel scan will be able to find it.

How would you modify it if you wanted to make it as "invisible" as possible?

Nitin & Vipin: Removing all the signatures from boot menu and memory locations. Invisibility and detection in rootkits/bootkits is a continuous game of modifying your tools to defeat the other.

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.