VBootkit Bypasses Vista's Code Signing
An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."
Cost as in the money one has to pay to acquire a copy of Vista, or the cost of developing a Vista-Final-compatible VBootkit?
I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.
Virtual Betting on Facebook for non-geeks.
True, but it's a more complex situation than that.
In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise. Unsigned kernel-level code must have already run. Further compromising the boot sector would certainly be a way of maintaining control over the system, but that's not the hard part in a scenario like this.
My guess is that compromising this particular security mechanism will be hard. Vista engineers worked pretty hard on the signed code requirement and on hardening kernel-level services to prevent the likelihood of attack. Getting unsigned code to run is going to require a hole in the kernel or a kernel driver (not user-mode drivers, as most Vista drivers must be). Is it possible? Sure, and it's been demonstrated in RC1 (or was it RC2 that the Bluepill malware exploited?). But it is damned hard, and between that and automatic updates available and on by default, I think we're unlikely to see any of the absurd worms of a few years past.
...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?
Yep. Now, who wants to type up the memo to Microsoft? Because, see, they keep trying to control your computer from Redmond, even though you're sitting at the console.
Rootkits aren't just for botnet operators anymore. Root/boot kits are the way people are going to take back their computers from Microsoft, so that they can, you know, do stuff with them.
(Although, more seriously, it's only a few people that need to have rooted machines, so that they can rip copy-protected content using kernel-level exploits to bypass the DRM enforcement. Then they can just dump the content onto Bittorrent or some other P2P protocol, which is how the unwashed masses will get it.)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Back in the 1980s Sierra On-Line used to copy protect their adventure games with a copy protection system which involved strangely formatted sectors on the original disk which were impossible to duplicate exactly using standard PC hardware. The loader "sierra.com" used to call a copy-protection program "cpc.com" which loaded data from the disk to decrypt the main program and run it. cpc.com had some of the most obscure, twisty, awful code ever written to prevent debugging and it constantly used different methods to thwart stepping through the program using INT 3 (these were the days before Soft-Ice). But the solution (or "crack") was just dead simple. Just fire up debug, step to the beginning of cpc.com, and copy the vector from INT 3 into the INT 13 vector - then cpc.com stops right at the point where the data from the disk is being loaded, so it can be copied. Despite all the incredibly complex code, cpc.com had to read the data off the disk so there was no way the Sierra programmers could thwart this method. It sounds like the same thing in Vista -- the INT 13 redirection happens before everything else and can't be thwarted.