Slashdot Mirror

← Back to Stories (view on slashdot.org)

VBootkit Bypasses Vista's Code Signing

Posted by kdawson on from the breaking-into-your-own-hardware dept.

An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."

20 of 210 comments (clear)

  1. Is it just me that thought by zappepcs · · Score: 5, Funny

    isn't it ironic that even hackers don't like the high cost of MS software?

    FTFA: "The researchers say the only reason they didn't do it on Vista final was cost."

    --
    Support NYCountryLawyer RIAA vs People
    1. Re:Is it just me that thought by Sancho · · Score: 5, Insightful

      They probably did--that's probably why they are confident that it would work on there. They just don't want to actually claim success since it was done illegally.

  2. Boot Sector Virus by w128jad · · Score: 5, Insightful

    Are we about to see the dawn of a new day for the Boot Sector Virus?

    --
    w2^7me out.
  3. New branding names by EmbeddedJanitor · · Score: 4, Funny

    Windows Genuine Rootkit Advantage
    Roots for Sure
    Clippy Boot: "You seem to be wanting to run as Admin, can I help?"
    C'mon folks help me out!

    --
    Engineering is the art of compromise.
  4. Looks like it by Sancho · · Score: 5, Funny

    Of course, it will be one of those that relies on a code of honor:

    "This is the Windows Vista Boot Sector Virus kit. Please burn this ISO to a CD and boot your computer with it."

    1. Re:Looks like it by Sancho · · Score: 5, Interesting

      True, but it's a more complex situation than that.

      In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise. Unsigned kernel-level code must have already run. Further compromising the boot sector would certainly be a way of maintaining control over the system, but that's not the hard part in a scenario like this.

      My guess is that compromising this particular security mechanism will be hard. Vista engineers worked pretty hard on the signed code requirement and on hardening kernel-level services to prevent the likelihood of attack. Getting unsigned code to run is going to require a hole in the kernel or a kernel driver (not user-mode drivers, as most Vista drivers must be). Is it possible? Sure, and it's been demonstrated in RC1 (or was it RC2 that the Bluepill malware exploited?). But it is damned hard, and between that and automatic updates available and on by default, I think we're unlikely to see any of the absurd worms of a few years past.

  5. Cost? by biocute · · Score: 5, Interesting

    Cost as in the money one has to pay to acquire a copy of Vista, or the cost of developing a Vista-Final-compatible VBootkit?

    I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.

    --
    Virtual Betting on Facebook for non-geeks.
  6. Re:and in a related story... by Sancho · · Score: 5, Informative

    It's a story because of Vista's signing requirement for kernel drivers in x64. A boot disk like this wouldn't be useful for compromising a system in the traditional, and it isn't intended as such. It is intended to give control back to the owner of the computer, and as such, physical access is neither an unreasonable requirement, nor an unreasonable expectation.

  7. Re:Boot Sector Virus (mod parent up) by Volante3192 · · Score: 5, Funny

    Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's fort knox.

    No problem. We just send a flying circus over the BIOS, dump some VX gas on it, then march in with the industrial laser. Then we cut a hole, drop the virus in and, BOOM! Instant instability.

    This is assuming, of course, Vista hasn't seduced the leader of the flying circus by this point, at which case the whole plan's shot to hell.

  8. Re:and in a related story... by Ferzerp · · Score: 5, Informative

    Is there not an F8 boot option to load unsigned drivers?

    a quick search says yes, and the flag can be set as the default behavior as well.

    http://www.unofficialvista.com/article/204/install ing-unsigned-drivers-in-64-bit

  9. Not a good week and it's only 1/2 over by djupedal · · Score: 5, Funny
    Let's see:
    • VBootKit bitch slaps VISTA
    • Animated cursor panic/fix
    • EMI/Apple DRM shun ropa-dopes WMA
    • XBox Elite HD-DVD chokes on popular title
    • XBox Elite HDMI only v1.2
    • Class action suit for bait/switch 'VISTA Ready' claims
    Can't wait to see how the rest of the week plays out....heheheheh
  10. VM? by mr100percent · · Score: 4, Interesting

    So, it's being hacked because Vista is booted from within some sort of VM? That doesn't sound like too much of a threat to machines. A threat to DRM, maybe.

  11. Re:and in a related story... by PhrostyMcByte · · Score: 4, Informative

    The flag to set default behavior was disabled in RTM and iirc RC2. You can set it, but it has no effect.

  12. if you have physical access to the system... by dioscaido · · Score: 4, Insightful

    ...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?

  13. easy to miss the point here by eerok · · Score: 5, Insightful

    Many are seeing this as a security exploit, but it seems to be a workaround to gain usability.

    Interesting reversal here, but one can argue that, with Vista, the user is the virus. No surprise that people are fighting back to regain control over their machines.

    --
    "The happiness of credulity is a cheap and dangerous quality." -- George Bernard Shaw
  14. Dear Mr. Gates: by Kadin2048 · · Score: 5, Interesting

    ...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?

    Yep. Now, who wants to type up the memo to Microsoft? Because, see, they keep trying to control your computer from Redmond, even though you're sitting at the console.

    Rootkits aren't just for botnet operators anymore. Root/boot kits are the way people are going to take back their computers from Microsoft, so that they can, you know, do stuff with them.

    (Although, more seriously, it's only a few people that need to have rooted machines, so that they can rip copy-protected content using kernel-level exploits to bypass the DRM enforcement. Then they can just dump the content onto Bittorrent or some other P2P protocol, which is how the unwashed masses will get it.)

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  15. But what ... is it good for? by Opportunist · · Score: 5, Insightful

    Many have pointed out that an attack vector that requires the attacked user to jump through a few hoops is none. This is not entirely true, but I'll cover that later.

    What this is, though, is a way to gain more control over your machine. This matter has been discussed as an attack vector of some intruder trying to take over your machine. As this, it is probably not the most successful way of invading Vista (let's face it, folks, there are far easier ways). I'd like to shine some light on the opportunity of invading your own machine.

    Vista has some "features" that most people would just love to get rid of. And this seems to be the key to this goal. So I'd say this is less a way for someone to take control of your machine, more likely it's a way for you to take control of it.

    Of course, and here's your attack vector, the vast majority of people don't know what's ticking inside their box. They just wanna play their cracked games and view their ripped movies. And (bless the internet), they will learn about this hack and that it can be used to do just that. Being unable to rewrite the bits themselves, they will have to use tools provided by others. And they will very willingly jump through any hoops you present them, for the promise to get control over their machine, they'll give you admin access and reboot for you, they install whatever you want them to install.

    That's how this can be used to invade a machine. Sure, it takes a lot of help from the user, but the user will help you very willingly, for the promise of getting his machine back into his hands.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. Re:Fuck Alanis Morissette by holloway · · Score: 4, Funny

    Interpretations of Alanis's Song "Ironic", 1) She didn't know the meaning of the word and the song's examples prove it. 2) She did know the meaning of the word and she consistently came up with examples that weren't ironic. Naming the song ironic would then be quite ironic. There's no real evidence either way. She said in an interview that it's (2) so I guess it's all to do with whether you believe her.

    --
    -Docvert converts MSWord to OpenDocument, clean HTML
  17. bypassing code using INT 13 by cancerward · · Score: 5, Interesting

    Back in the 1980s Sierra On-Line used to copy protect their adventure games with a copy protection system which involved strangely formatted sectors on the original disk which were impossible to duplicate exactly using standard PC hardware. The loader "sierra.com" used to call a copy-protection program "cpc.com" which loaded data from the disk to decrypt the main program and run it. cpc.com had some of the most obscure, twisty, awful code ever written to prevent debugging and it constantly used different methods to thwart stepping through the program using INT 3 (these were the days before Soft-Ice). But the solution (or "crack") was just dead simple. Just fire up debug, step to the beginning of cpc.com, and copy the vector from INT 3 into the INT 13 vector - then cpc.com stops right at the point where the data from the disk is being loaded, so it can be copied. Despite all the incredibly complex code, cpc.com had to read the data off the disk so there was no way the Sierra programmers could thwart this method. It sounds like the same thing in Vista -- the INT 13 redirection happens before everything else and can't be thwarted.

  18. Re:and in a related story... by Spy+Hunter · · Score: 5, Informative

    Yes, but then Vista knows it's "tainted". It will refuse to run "protected media path" DRM, because it is supposed to protect such DRM against snooping by unsigned code. Memory-sniffing attacks such as those recently deployed on Windows XP against HD-DVD players are supposedly thwarted by Vista's "protected media path". This sounds like a backdoor to load unsigned code into the kernel without it being aware, giving you complete control over your own computer at all times, even when it is running PMP DRM crap.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}