Slashdot Mirror


VBootkit Bypasses Vista's Code Signing

An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."

15 of 210 comments

  1. Boot Sector Virus by w128jad · · Score: 5, Insightful

    Are we about to see the dawn of a new day for the Boot Sector Virus?

    --
    w2^7me out.
  2. and in a related story... by Ferzerp · · Score: 3, Insightful

    "hacker" uses a boot disk in Linux and wipes the root password!!!

    Why is this a story? Physical access (needed to boot from an alternate source) has always been root access.

    1. Re:and in a related story... by Anonymous Coward · · Score: 1, Insightful

      If someone's piece of Malware gets to load itself onto a machine first, there isn't an OS on the planet you can't hack... I agree with the poster above, why is this a story??

      -AC

  3. Re:Cost? by Rosco+P.+Coltrane · · Score: 2, Insightful

    I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.

    Perhaps because Microsoft will patch this and render the boot kit useless in less time than it takes to say "oh my god, my unsigned drivers don't work anymore"?

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  4. Re:Is it just me that thought by Sancho · · Score: 5, Insightful

    They probably did--that's probably why they are confident that it would work on there. They just don't want to actually claim success since it was done illegally.

  5. if you have physical access to the system... by dioscaido · · Score: 4, Insightful

    ...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?

  6. easy to miss the point here by eerok · · Score: 5, Insightful

    Many are seeing this as a security exploit, but it seems to be a workaround to gain usability.

    Interesting reversal here, but one can argue that, with Vista, the user is the virus. No surprise that people are fighting back to regain control over their machines.

    --
    "The happiness of credulity is a cheap and dangerous quality." -- George Bernard Shaw
  7. Re:Is it just me that thought by EvanED · · Score: 2, Insightful

    There's a validity result there though, in addition to what the other two responses said. If it's a hacked copy of Vista, then there's already something to make it do things that it's not supposed to do. I would be more skeptical of this result if it came from a hacked final copy than from RC2.

  8. this is an achievement? by poindoink · · Score: 2, Insightful

    Like Linux has never been hit with a bootkit? If the only way to bust Vista's code-signing is through a bootkit, then Microsoft did something right.

  9. Re:Hmmmm... by Opportunist · · Score: 3, Insightful

    Umm... blow it to pieces?

    I foresee that this exploit will be less used for traditional attack rootkits; it seems more like a very convenient way to get rid of all the unwanted 'security features' (read: the ones that protect the makers of your content instead of you) of Vista.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. But what ... is it good for? by Opportunist · · Score: 5, Insightful

    Many have pointed out that an attack vector that requires the attacked user to jump through a few hoops is none. This is not entirely true, but I'll cover that later.

    What this is, though, is a way to gain more control over your machine. This matter has been discussed as an attack vector of some intruder trying to take over your machine. As this, it is probably not the most successful way of invading Vista (let's face it, folks, there are far easier ways). I'd like to shine some light on the opportunity of invading your own machine.

    Vista has some "features" that most people would just love to get rid of. And this seems to be the key to this goal. So I'd say this is less a way for someone to take control of your machine, more likely it's a way for you to take control of it.

    Of course, and here's your attack vector, the vast majority of people don't know what's ticking inside their box. They just wanna play their cracked games and view their ripped movies. And (bless the internet), they will learn about this hack and that it can be used to do just that. Being unable to rewrite the bits themselves, they will have to use tools provided by others. And they will very willingly jump through any hoops you present them, for the promise to get control over their machine, they'll give you admin access and reboot for you, they install whatever you want them to install.

    That's how this can be used to invade a machine. Sure, it takes a lot of help from the user, but the user will help you very willingly, for the promise of getting his machine back into his hands.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Holy moron, batman. by Anonymous Coward · · Score: 1, Insightful

    The reason Linux has 'never been hit by a bootkit' is because it's never been necessary for people to do that in order to work around DRM-related restrictions.

    Yes, I know that having signed drivers is supposed to be a (very) limited improvement in security over XP, but they are lying to you if they tell you that is the real reason that Microsoft is doing it.

    This is just another way to crack Microsoft's DRM.
    First they were able to crack the DRM for individual HD-DVD discs, then Blu-ray.
    Next they cracked the DRM on _ALL_ HD-DVD and Blu-ray discs manufactured to date.
    Now they have cracked the signed driver scheme for Vista, so now you can lie to applications and hardware about having a 'protected media path'. You can do things like set up fake drivers and capture audio and video output to a file and rip movies that way. Perfect digital copy.

    All sorts of crap like that.

    All the 'digital rights protections' that Microsoft has spent millions of dollars and 5 years building into Vista have been ripped to shreds only a few months after its release. Now take that bit of knowledge and then read "A Cost Analysis of Windows Vista Content Protection".
    http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

    I hope that now people understand what I and many other people have been saying for years, that enforced DRM is a fucking retarded idea. And it's not bad because I 'believe that artists shouldn't get paid' or because I am a communist/socialist (I am not) or anything like that.

    It's a fucking stupid idea because it's just a really bad idea.

    To date that hasn't been necessary to do for Linux unless you own a TiVo, and they are working on the GPLv3 to 'crack' that.

  12. Re:VM? by Just+Some+Guy · · Score: 2, Insightful

    That doesn't sound like too much of a threat to machines. A threat to DRM, maybe.

    Of those two possibilities, which do you think MS actually gives a rat's butt about? They don't care if you lose control of your machine. They for darn sure care if they do. That's what makes this a "ha-ha!" moment.

    --
    Dewey, what part of this looks like authorities should be involved?
  13. Re:bypassing code using INT 13 by Anonymous Coward · · Score: 1, Insightful

    No matter how convoluted and obfuscated your protection is, there is often a weak spot that you can take advantage of.

    Now of course if you're mandating Internet connectivity for your program to run at all and are using obfuscated server-side protection checks, it's "good game" for every single cracker out there. I had this argument many moons ago (we were still on BBSes all day long ;) with some cracker who simply wouldn't accept that fact, saying "there will always be a way...".

    No, there isn't. You ain't cracking Blizzard's WoW login scheme. Internet + server-side check done correctly = game over, cracker. I decided to leave the dark side the day I realized this. It's way more fun to work on the server side and to know that pirates have it deep in the arse ;)
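The summary at the top of the page says the boot kit makes "on-the-fly changes in memory and in files being read", and the title of the comment above refers to bypassing code via INT 13, the BIOS disk-read service. What follows is an added illustration written for this page, not the researchers' code: a toy C program in which a hook installed in front of a simulated INT 13h read rewrites a hypothetical signature-check sequence in each sector buffer as it is read, so the image on disk still passes a file-based check while the copy that actually executes in memory has been altered. The sector layout, the 5-byte "check" and "patch" byte sequences, and the two-sectors-per-request read pattern are all invented for the demonstration and are not real Windows loader bytes.

```c
/*
 * Toy simulation of an INT 13h read hook that patches a boot-stage image
 * "on the fly" as its sectors are read, leaving the on-disk bytes untouched.
 * Constructed example for illustration only; not VBootkit's code. The byte
 * patterns below are invented stand-ins, not real Windows loader bytes.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR     512u
#define NSECT      4u
#define READ_CHUNK 2u            /* sectors per simulated INT 13h request */

/* Hypothetical "call verify_signature" sequence the hook looks for. */
static const uint8_t CHECK_SEQ[] = {0xE8, 0x11, 0x22, 0x33, 0x44};
/* Hypothetical replacement that makes the caller see "verified". */
static const uint8_t PATCH_SEQ[] = {0xB8, 0x01, 0x00, 0x00, 0x00};
#define SEQ_LEN (sizeof CHECK_SEQ)

static uint8_t disk[NSECT * SECTOR];   /* constructed disk image */
static uint8_t mem[NSECT * SECTOR];    /* where the loaded image lands */
int g_patches;                         /* patches applied by the hook */

typedef int (*read_fn)(uint32_t lba, uint32_t count, uint8_t *dst);

/* Count non-overlapping occurrences of a SEQ_LEN-byte needle in buf. */
static int count_seq(const uint8_t *buf, size_t len, const uint8_t *needle)
{
    int n = 0;
    for (size_t i = 0; i + SEQ_LEN <= len; ) {
        if (memcmp(buf + i, needle, SEQ_LEN) == 0) { n++; i += SEQ_LEN; }
        else i++;
    }
    return n;
}

/* Build the constructed image: NOP padding plus two planted check sites.
 * The second site deliberately straddles the sector 2/3 boundary, which
 * falls inside a single READ_CHUNK request. */
void build_disk(void)
{
    memset(disk, 0x90, sizeof disk);
    memcpy(disk + 1000, CHECK_SEQ, SEQ_LEN);            /* inside sector 1 */
    memcpy(disk + 3 * SECTOR - 2, CHECK_SEQ, SEQ_LEN);  /* sectors 2..3   */
}

/* The "real" INT 13h: copy whole sectors from disk to the caller's buffer. */
int bios_read(uint32_t lba, uint32_t count, uint8_t *dst)
{
    if (lba + count > NSECT) return -1;
    memcpy(dst, disk + lba * SECTOR, count * SECTOR);
    return 0;
}

/* The boot kit's replacement handler: let the real read happen, then rewrite
 * the check site in the caller's buffer before control returns. Because it
 * scans the whole multi-sector buffer, a site split across two sectors of the
 * same request is still caught; a site split across two separate requests
 * would be missed (a real hook has to carry state between calls). */
int hooked_read(uint32_t lba, uint32_t count, uint8_t *dst)
{
    int rc = bios_read(lba, count, dst);
    if (rc != 0) return rc;
    size_t len = (size_t)count * SECTOR;
    for (size_t i = 0; i + SEQ_LEN <= len; i++) {
        if (memcmp(dst + i, CHECK_SEQ, SEQ_LEN) == 0) {
            memcpy(dst + i, PATCH_SEQ, SEQ_LEN);
            g_patches++;
        }
    }
    return 0;
}

/* Simulated next-stage loader: pulls the image in READ_CHUNK-sector requests
 * through whichever handler is installed. Returns the number of intact check
 * sites left in memory, or -1 on a read failure. */
int run_load(read_fn rd)
{
    g_patches = 0;
    for (uint32_t lba = 0; lba < NSECT; lba += READ_CHUNK)
        if (rd(lba, READ_CHUNK, mem + lba * SECTOR) != 0) return -1;
    return count_seq(mem, sizeof mem, CHECK_SEQ);
}

/* Intact check sites on disk: what a file-based signature check sees. */
int disk_check_count(void)
{
    return count_seq(disk, sizeof disk, CHECK_SEQ);
}

int main(void)
{
    build_disk();
    int clean = run_load(bios_read);
    printf("clean boot : %d check sites in memory\n", clean);
    int hooked = run_load(hooked_read);
    printf("hooked boot: %d check sites in memory, %d patched\n",
           hooked, g_patches);
    printf("on disk    : %d check sites (unchanged)\n", disk_check_count());
    return 0;
}
```

Build and run with `cc -o int13hook int13hook.c && ./int13hook`. The clean run finds both check sites in memory; the hooked run finds none and reports two patches, while the disk image still contains both, which is the whole point: a check that only hashes the file on disk sees nothing wrong, and only a check on the bytes actually in memory (or on the code that performed the read) would notice.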

  14. Re:Looks like it by ratboy666 · · Score: 2, Insightful

    The attack vector can be any diagnostic utility that has some hardware privilege. The BIOS (or flash on another I/O card) can be updated to start the attack (if an attack is desired). Finding a code path that allows direct writing to the hard disk would be another vector (not saying Vista HAS that hole).

    But the main problem is not an external attack. This hack allows Vista DRM to be cracked. The supposed secure data paths in the OS that are designed to be "hands off" to even the administrator are now at risk. As a BENEFIT, this hack allows drivers to be written that don't need to be signed -- restoring sanity again.

    I would welcome "Vista Preboot Kit". Microsoft will have to validate both up and down to combat this. And, I am sure, a patch is coming... :(

    --
    Just another "Cubible(sic) Joe" 2 17 3061