VBootkit Bypasses Vista's Code Signing
An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."
isn't it ironic that even hackers don't like the high cost of MS software?
FTFA: "The researchers say the only reason they didn't do it on Vista final was cost."
And here's a video interview of the guys who admit to be responsible.
Are we about to see the dawn of a new day for the Boot Sector Virus?
Windows Genuine Rootkit Advantage
Roots for Sure
Clippy Boot: "You seem to be wanting to run as Admin, can I help?"
C'mon folks help me out!
Engineering is the art of compromise.
Of course, it will be one of those that relies on a code of honor:
"This is the Windows Vista Boot Sector Virus kit. Please burn this ISO to a CD and boot your computer with it."
Cost as in the money one has to pay to acquire a copy of Vista, or the cost of developing a Vista-Final-compatible VBootkit?
I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.
"hacker" uses a boot disk in linux and wipes the root password!!!
Why is this a story? Physical access (needed to boot from an alternate source) has always been root access.
Are we about to see the dawn of a new day for the Boot Sector Virus?
This is a very interesting point. The difficulty of course still remains with getting the virus into the boot sector, but once there it would be no different than your run-of-the-mill XP virus with administrator privileges. Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's Fort Knox.
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
I wonder how this will affect Microsoft's DRM?
Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's fort knox.
No problem. We just send a flying circus over the BIOS, dump some VX gas on it, then march in with the industrial laser. Then we cut a hole, drop the virus in and, BOOM! Instant instability.
This is assuming, of course, Vista hasn't seduced the leader of the flying circus by this point, at which case the whole plan's shot to hell.
Symantec says Windows is the most secure OS...
A small problem: the cost of Vista RC2 was nothing (it was free), but not the development time for the VBootkit. The developers had to start the process somewhere from the initial release to RC2 status. That is a chunk of development work by 2 programmers. Once they had a working copy on RC2, they stopped. To continue would cost more money to extend their research into the production version of Vista.
I am sure they could get some funding from various organized syndicates to further their development.
COST???? How much are you talking about?
- VBootKit bitch slaps VISTA
- Animated cursor panic/fix
- EMI/Apple DRM shun ropa-dopes WMA
- XBox Elite HD-DVD chokes on popular title
- XBox Elite HDMI only v1.2
- Class action suit for bait/switch 'VISTA Ready' claims
Can't wait to see how the rest of the week plays out....heheheheh
So, it's being hacked because Vista is booted from within some sort of VM? That doesn't sound like too much of a threat to machines. A threat to DRM, maybe.
by your definition #2, a hacker that is concerned about cost of the software qualifies... at least I think so
...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?
Hi, I'm a Mac...
...and I'm whatever the Russian mob wants me to be.
getting around Windows 'mechanisms' and straight to Linux for years...
Many are seeing this as a security exploit, but it seems to be a workaround to gain usability.
Interesting reversal here, but one can argue that, with Vista, the user is the virus. No surprise that people are fighting back to regain control over their machines.
"The happiness of credulity is a cheap and dangerous quality." -- George Bernard Shaw
...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?
Yep. Now, who wants to type up the memo to Microsoft? Because, see, they keep trying to control your computer from Redmond, even though you're sitting at the console.
Rootkits aren't just for botnet operators anymore. Root/boot kits are the way people are going to take back their computers from Microsoft, so that they can, you know, do stuff with them.
(Although, more seriously, it's only a few people that need to have rooted machines, so that they can rip copy-protected content using kernel-level exploits to bypass the DRM enforcement. Then they can just dump the content onto Bittorrent or some other P2P protocol, which is how the unwashed masses will get it.)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
That's nice and all, but couldn't they have done something more fun? Heck, they should have hacked the Vista bootscreen at least. It's so damn boring, it doesn't even have the Vista logo.
I'd have been much more impressed if they replaced it with a picture of Gerard Butler, screaming
THIS... IS... VISTAAAA!!
Now THAT's a boot screen! Bonus points for having a bunch of Hoplites dressed in red, green, blue and yellow armor.
When I first saw 'VBootkit', I first read it as 'VB Rootkit'. Wonder why?
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
Memory altering like this hard to stop.
Most Linux boot disk attacks are stuffed against a fully encrypted Linux requiring a password to start up. I.e. with no password, not even Linux can boot.
This attack on Vista would most likely also work even if BitLocker was in effect.
1. Only 14 people are running Vista as on date, the rest have upgraded to the old, familiar XP and never looked back.
2. Of these, 10 machines are in Microsoft, without any CD/DVD drives or USB ports - so no external booting is possible.
3. 3 of the 4 remaining machines are with journalists and 'independent' analysts - so they can be 'trusted' to keep shut.
4. Now, HOW are YOU going to protect your Vista against this Bootkit? Yes, YOU! You'll just upgrade to XP as well? That's fine then. Problem solved.
If you keep throwing chairs, one day you'll break windows....
Like Linux has never been hit with a bootkit? If the only way to bust Vista's code-signing is through a bootkit, then Microsoft did something right.
I'm off topic and Stephanie wasn't....is that the best you can do? C'mon...I can take it :)
Nothing against Schneier (I love his cryptogram newsletter), but adding 13 words to a 65 word paragraph without giving any real information or further thoughts isn't really what I consider worth mentioning.
bash$
Many have pointed out that an attack vector that requires the attacked user to jump through a few hoops is none. This is not entirely true, but I'll cover that later.
What this is, though, is a way to gain more control over your machine. This matter has been discussed as an attack vector of some intruder trying to take over your machine. As this, it is probably not the most successful way of invading Vista (let's face it, folks, there are far easier ways). I'd like to shine some light on the opportunity of invading your own machine.
Vista has some "features" that most people would just love to get rid of. And this seems to be the key to this goal. So I'd say this is less a way for someone to take control of your machine, more likely it's a way for you to take control of it.
Of course, and here's your attack vector, the vast majority of people don't know what's ticking inside their box. They just wanna play their cracked games and view their ripped movies. And (bless the internet), they will learn about this hack and that it can be used to do just that. Being unable to rewrite the bits themselves, they will have to use tools provided by others. And they will very willingly jump through any hoops you present them, for the promise to get control over their machine, they'll give you admin access and reboot for you, they install whatever you want them to install.
That's how this can be used to invade a machine. Sure, it takes a lot of help from the user, but the user will help you very willingly, for the promise of getting his machine back into his hands.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Interpretations of Alanis's Song "Ironic", 1) She didn't know the meaning of the word and the song's examples prove it. 2) She did know the meaning of the word and she consistently came up with examples that weren't ironic. Naming the song ironic would then be quite ironic. There's no real evidence either way. She said in an interview that it's (2) so I guess it's all to do with whether you believe her.
-Docvert converts MSWord to OpenDocument, clean HTML
Next headline:
Security experts find a security breach in Lilo, by physically accessing the machine, a malicious hacker can be root by typing "linux single" at LILO boot !
Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
... of why Microsoft at one point wanted "Fritz chips" in the computers running Vista.
;-)
And that was of course also flamed.
It must be hard being Microsoft these days.
Beware: In C++, your friends can see your privates!
Yes, "cost" is a totally bogus claim to make. You install it, and you have by default a month to try it. Then you can use the "rearm trick" to reset that 30 day counter for up to 3 times IIRC -- 120 days per install. And spending 10 minutes reinstalling every 4 months for a test box is not such a big issue IMO. Besides, Vista Basic (it doesn't need to be the Ultimate version to try this) isn't that expensive (around $100 IIRC), and already comes bundled with a lot of new (and inexpensive-ish) computers nowadays...
I'm surprised they couldn't find a better excuse instead of saying "it only works on RC2/doesn't work on RTM"... Bollocks I say!
Back in the 1980s Sierra On-Line used to copy protect their adventure games with a copy protection system which involved strangely formatted sectors on the original disk which were impossible to duplicate exactly using standard PC hardware. The loader "sierra.com" used to call a copy-protection program "cpc.com" which loaded data from the disk to decrypt the main program and run it. cpc.com had some of the most obscure, twisty, awful code ever written to prevent debugging and it constantly used different methods to thwart stepping through the program using INT 3 (these were the days before Soft-Ice). But the solution (or "crack") was just dead simple. Just fire up debug, step to the beginning of cpc.com, and copy the vector from INT 3 into the INT 13 vector - then cpc.com stops right at the point where the data from the disk is being loaded, so it can be copied. Despite all the incredibly complex code, cpc.com had to read the data off the disk so there was no way the Sierra programmers could thwart this method. It sounds like the same thing in Vista -- the INT 13 redirection happens before everything else and can't be thwarted.
Wow, so some security experts from India demonstrated that they could own a *RC* version of Vista...
The reason Linux has 'never been hit by a bootkit' is because it's never been necessary for people to do that in order to work around DRM-related restrictions.
Yes, I know, that having signed drivers is suppose to be a (very) limited improvement in security over XP, but they are lying to you if they tell you that is the real reason that Microsoft is doing it.
This is just another way to crack Microsoft's DRM.
First they were able to crack the DRM for individual HD-DVD disks, then Blu-ray.
Next they have cracked the DRM on _ALL_ HD-DVD and Blu-ray disks manufactured to date.
Now they cracked the signed driver scheme for Vista so now you can lie to applications and hardware about having a 'protected media path'. You can do things like set up fake drivers and capture audio and video output to a file and rip movies that way. Perfect digital copy.
All sorts of crap like that.
All the 'digital rights protections' that Microsoft has spent millions of dollars and 5 years to build into Vista have all been ripped to shreds in only a few months after its release. Now take that bit of knowledge and then read "A Cost Analysis of Windows Vista Content Protection".
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_
I hope that now people understand what I and many other people have been saying for years, that enforced DRM is a fucking retarded idea. And it's not bad because I 'believe that artists shouldn't get paid' or because I am a communist/socialist (I am not) or anything like that.
It's a fucking stupid idea because it's just a really bad idea.
To date that hasn't been necessary to do for Linux unless you own a Tivo, and they are working on the GPLv3 to 'crack' that.
These "security experts" didn't want to pay for Vista. They aren't the type of people who would be on the beta program, so they obviously pirated the RC2 copy. Why not do the same for the final? Because what they found doesn't work in the final version of Vista, so they released all this and tagged it with RC2, just for a pure "look what I did" factor.
> I'm sure Vista (and hell, even
> the BIOS) guard the boot sector
> like it's fort knox.
LinuxBIOS ahead.
The cost of toiling over GPL -- lack of money. Somebody, quick, hand them a fiver! Hate to see people beg.
This is how a lot of viruses used to spread. It needs someone to forget to unplug their USB key before booting, but the old ones required you to forget to eject a floppy disk before booting, and still managed to spread a long way.
I am TheRaven on Soylent News
Currently, the most lucrative market for compromised machines is home users' machines, because these machines can be bot-netted for spitting spam, or keylogged to steal credit cards, and such. Much more interesting than hax0ring some
And home users are pretty stupid.
How many of them leave their CD inside the reader or their memory key on the usb port ?
And have all modern booting options (CD, USB, network, legacy floppy) turned on by default in the factory settings of the motherboard? And just don't notice it, because the BIOS only loses a couple of seconds checking whether the media is bootable, or because the boot code on the install CD automatically continues with the hard disk if there is no user intervention?
And how many of them write their compact discs using some pirated copy of Nero or Easy CD, instead of the crap that was bundled with their machine?
All such a virus would need to do is patiently wait inside the bootable code of some removable media, until the system gets boot cycled while the media is in (just like old-school floppy boot viruses). And to get there, there are numerous ways: either inside compromised burning software that the user pulled from the internet and that will silently create a virus boot CD the next time he writes an ISO. Or simply by writing to a user-accessible peripheral (either from a compromised driver, or from user-land running malware). Or by sending itself whenever one of the home computers tries to boot from the network. Or, from user-land malware, piggybacking the code on a BIOS update (which is feasible. Most modern motherboards feature huge quantities of memory and use some easily extensible format. Usually most of the BIOS is an LZH archive with several files, each a separate module handling additional functionality. If the emergency code [not even the full BIOS code] is able to scan all removable media for a specific file and reflash a damaged BIOS, writing a BIOS module that finds and writes a boot sector won't be that much more difficult).
There are plenty of ways to compromise a system in such a way without resorting to the "please try burning this ISO and booting from it. You'll see a fun animation with kittens" method. Which in turn, as pointed out by other
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
And this, kids, is why you shouldn't do drugs.
Interesting... I don't see the standard blah about India in any of the posts...
Or use Vista Voice Recognition.
If the OS is compromised at the kernel level, I think changing the boot sector should be fairly easy and trivial.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
Just because you have physical access to the machine doesn't mean the machine will do your bidding when you fire it up. It will still not run unsigned drivers, it will still not be under your control. Vista rewrote the laws of access, being administrator doesn't mean that you're root.
"Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."
-- Bill Gates, Newsweek interview, Feb. 3, 2007
[*] - http://talkback.zdnet.com/5208-10533-0.html?forum
Sounds like the moral is that the media companies will end up demanding hardware we will have to hack just to run linux. In the meantime Vista gives us a break to prepare for that because it will be some months before it becomes clear Vista doesn't really protect content and some years for Microsoft and the manufacturers to come up with an even more draconian PC.
The researchers say the only reason they didn't do it on Vista final was cost
These researchers should have been the ones who must have received those free Vista pre-loaded Acer Ferrari laptops.
hurray!
An exploit where you have to have physical access to the machine written by a couple of guys from a country where 40% is a passing grade and they are complaining about not being able to buy a street copy of Vista for 300 Rp. due to price.
Without physical security there is no security.
Do they have the same success if the machine is Bitlockered and they don't have the key?
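As an added example (not code from the page, from NV Labs or from Microsoft), here is a user-space C simulation that serves both the INT 13 point in the Sierra copy-protection comment above and this BitLocker question. It models two things: a boot-stage hook that chains to the BIOS disk-read service and patches the OS loader image while it is being read, so the file on disk is unchanged while the copy that actually runs is not; and a measured boot in which the firmware extends a PCR with whatever first-stage code it hands control to, so a key sealed to the clean measurement (the property a TPM-backed BitLocker volume key depends on) does not unseal when that first stage is a bootkit. The loader image, the "CHK=" flag, the first-stage byte strings, the FNV-1a digest and the extend function are all constructed stand-ins, not Vista's real layout or a real TPM.

```c
/* Added example: simulation of a read-time bootkit hook versus measured boot.
 * All images, offsets and the digest are hypothetical stand-ins. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_BYTES 32

/* Constructed on-disk OS loader image. "CHK=" plus a 1/0 byte stands in for
 * the loader's "enforce driver signing" switch; the disk copy stays intact. */
static const uint8_t disk_loader[SECTOR_BYTES] = {
    'O', 'S', 'L', 'D', 'R', 0, 0, 0, 'C', 'H', 'K', '=', 1
};
/* Constructed first-stage images: what the firmware measures, then runs. */
static const uint8_t clean_mbr[]  = "MBR: chain to OSLDR";
static const uint8_t bootkit_cd[] = "CD: hook INT 13h, then chain to OSLDR";

typedef int (*disk_read_fn)(uint32_t lba, uint8_t *buf);
static disk_read_fn int13_vector;   /* the IVT slot for INT 13h */
static disk_read_fn saved_int13;    /* original vector, kept by the hook */

static int bios_disk_read(uint32_t lba, uint8_t *buf)
{
    if (lba != 0) return -1;
    memcpy(buf, disk_loader, SECTOR_BYTES);
    return 0;
}

static size_t find_flag(const uint8_t *buf)
{
    for (size_t i = 0; i + 5 <= SECTOR_BYTES; i++)
        if (memcmp(buf + i, "CHK=", 4) == 0) return i + 4;
    return SECTOR_BYTES;                    /* not found */
}

/* Bootkit hook: let the real BIOS do the read, then flip the flag in flight. */
static int hooked_disk_read(uint32_t lba, uint8_t *buf)
{
    int rc = saved_int13(lba, buf);
    size_t off;
    if (rc == 0 && (off = find_flag(buf)) < SECTOR_BYTES) buf[off] = 0;
    return rc;
}

/* The OS loader reads its own image through INT 13h and trusts what it gets.
 * Returns 1 if signing is enforced, 0 if not, -1 on a read/parse failure. */
int loader_enforces_signing(void)
{
    uint8_t buf[SECTOR_BYTES];
    size_t off;
    if (int13_vector(0, buf) != 0) return -1;
    off = find_flag(buf);
    return off < SECTOR_BYTES ? buf[off] != 0 : -1;
}

/* Toy measurement: FNV-1a 64 as the digest, PCR-style extend on top. */
static uint64_t fnv1a(uint64_t h, const void *p, size_t n)
{
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

uint64_t pcr_extend(uint64_t pcr, const void *code, size_t n)
{
    uint64_t digest = fnv1a(0xcbf29ce484222325ULL, code, n);
    uint64_t h = fnv1a(0xcbf29ce484222325ULL, &pcr, sizeof pcr);
    return fnv1a(h, &digest, sizeof digest);   /* PCR' = H(PCR || H(code)) */
}

struct boot_result { int signing_enforced; int key_unsealed; };

/* Firmware boots either the disk MBR or the bootkit CD, measuring it first;
 * the volume key was sealed to the PCR value of the clean MBR boot. */
struct boot_result simulate_boot(int boot_from_bootkit_cd)
{
    struct boot_result r;
    uint64_t sealed_to = pcr_extend(0, clean_mbr, sizeof clean_mbr);
    uint64_t pcr;

    int13_vector = bios_disk_read;          /* firmware installs its handlers */
    saved_int13 = NULL;
    if (boot_from_bootkit_cd) {
        pcr = pcr_extend(0, bootkit_cd, sizeof bootkit_cd);
        saved_int13 = int13_vector;         /* bootkit's first job: hook INT 13h */
        int13_vector = hooked_disk_read;
    } else {
        pcr = pcr_extend(0, clean_mbr, sizeof clean_mbr);
    }
    r.key_unsealed = (pcr == sealed_to);    /* releases only on the clean PCR */
    r.signing_enforced = loader_enforces_signing();
    return r;
}

int main(void)
{
    struct boot_result a = simulate_boot(0), b = simulate_boot(1);
    printf("clean boot:   signing=%d unsealed=%d\n", a.signing_enforced, a.key_unsealed);
    printf("bootkit boot: signing=%d unsealed=%d\n", b.signing_enforced, b.key_unsealed);
    return 0;
}
```

The simulation does not answer whether the real VBootkit survives BitLocker; the page does not say. It only shows which kind of check a read-time patch defeats: a check that the on-disk file is intact never notices, because the hook never writes to the disk, while a measurement of the code that ran first does, because the bootkit itself is what gets measured.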
dude, you have made my day. i am going to use your post in a university presentation.
Thank you. I tell you, in the USA the voice of reason is just incredibly rare. You state it well,
the whole "we dictate to you" that is occurring. It is so unbelievably serious, the utter loss of
free choice and intellect. Every day I die a thousand deaths, waiting waiting waiting.
Seriously, you want control? Well run something other than Windows (and probably other than OS X because it's really not much better; or it won't be for long).
Considering that the code-signing stuff is the basis of most DRM that will be written for Vista, this virus is a free pass to snoop kernel memory and remove the DRM from any media Vista supports.
I'm guessing more than a few people will be installing this one on purpose.
I'm intrigued by your comments. Do you happen to have a newsletter?
Excuse me, Phillipe? Could you pass the Grey Poupon?
Now, here is another phrase for you to look up:
"Common Usage"
SJW: Someone who has run out of real oppression, and has to fake it.
And 40% is not a good grade at decent schools in India. What do you have to say about the same type of schools and diploma mills in the US, you bigoted racist?
This hack is proving that Microsoft, despite all their hype and BS, is not able to produce a protection scheme that prevents the user from doing whatever he or she wants with her computer.
The beauty of this would be the ability to load unsigned hardware drivers for things like video cards and sound cards, effectively circumventing the DRM mechanisms in Vista.
Basically, this means that in the near future, anyone ripping HD content will be able to use this type of exploit, and the DRM bs will only negatively affect the legitimate users.
Anyone hazard a guess as to what the joke about "windows vista" will be a decade from now?
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
My point was a user who willingly updates his motherboard's BIOS (for some obscure game performance reason or whatever), but unknown to him, some malware running in the background with user privilege, intercepts the new BIOS zip file, while it is loaded, and appends a VBootKit installed in the LZH BIOS image.
When the user subsequently accepts UAC, he thinks he only agrees to update the BIOS, not that some malware manages to inject itself into this BIOS for the ultimate privilege escalation (same also for ISO downloaders, etc.).
But, then again, releasing a pre-compromised BIOS named "L0lz0r's BIOS ver. 13.37 - this BIOS gives me 2 more FPS in Quake 5" would do the trick.
In case there's any doubt, here's further proof that she's a genius.
'A boot disk like this wouldn't be useful for compromising a system in the traditional, and it isn't intended as such'
I would have thought that what it actually does is more important than what it is intended to do, which is to bypass the whole security mechanism of Windows Vista.
'In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise .. My guess is that compromising this particular security mechanism will be hard'
Do you mean that this VBootkit bootable CD doesn't really launch and bypass the whole security mechanism of Windows Vista?
'VBootkit that launches from a CD and boots Vista, making "on the fly" changes in memory and in files being read'
How exactly does x64 Vista prevent the boot sector being compromised?
"Do you expect me to talk?"
"No, mister Gates! I expect you to die!"
'administrator cannot disable the code-signing requirement .. which is what this article talks about .. it appears that this was a pre-RTM setting which is now ignored'
From what I read, the article(s) talk about the whole protection and security mechanism of Windows Vista being circumvented, and it also works on Vista Final. There doesn't seem to be a reference to a method of enabling the administrator to run unsigned code.
'Yeah, we'll see some worms, but like I said, I doubt they'll be of the magnitude of some of the ones in recent memory'
where is 3) someone else who didn't know what ironic means wrote the song and gave it to her and she didn't know either
"Common Usage" n. Feeling better about being wrong because so many other people are wrong too.
Words have meanings. When careless ignorance blurs the meaning of those words our ability to communicate is eroded.
Chris Mattern
Love them or hate them, MS has always done an exceptional job of keeping backward compatibility. This has meant that people can seamlessly slide into a new OS and keep their old software. Sure, not everything has worked 100%, but in general it has been an easy ride.
This has broken with Vista. Much software, even MS software, does not work with Vista. For example, I need to use the Windows CE Platform Builder, which does not work with Vista. If I also need to use MS Office 7 or some other Vista-only software then I need to have two computers or carry around two laptops.
No, that is what is called the evolution of language. Do you think it stays the same?
No, it doesn't stay the same. Sometimes it gets better. Sometimes it gets worse. It helps to think about which direction it's going in.
I wasn't interested in this for security implications. I'm interested so I can finally run some of my unsigned device drivers. XP would just give you a message when installing, but I couldn't install my Audigy sound card in Vista. I also couldn't install random obscure hardware drivers for some of the stuff I have. Mind you, it's not all old and obsolete, some devices just don't include signed drivers and actually list the signed driver dialog as part of the installation process. This is really annoying that Vista absolutely prevented this. Currently, you have to boot in to safe mode to install them, and when you leave safe mode they won't load. Make it non-trivial, fine, but don't make it impossible. Some of us still want to run un-signed code.
Maybe MS should follow the Mac's lead and try to crush those who reveal exploits at a Black Hat conference... Nah, they'll probably just fix it and move on.