New Rootkit Bypasses Windows Code-Signing Security

Trailrunner7 writes "In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection."

Well, DUH...

[adjuster]

Without "trusted" hardware the user will always be able to override software "protections" designed to prevent arbitrary code execution. This is just another "leapfrog" in this arms race. Give me "trusted computing" where I control the keys and decide what software is "trusted" and I'd be fine w/ it. Otherwise, I'll take the current situation on personal computers because, at least, I can run arbitrary software. ("Don't turn my PC into an iPhone, bro!")

Re:Well, DUH...

[TemporalBeing]

Give me "trusted computing" where I control the keys and decide what software is "trusted" and I'd be fine w/ it.

The problem is, 99% of our society cannot properly decide whether software should be trusted or not, and even with more granular controls and proper feedback from the OS a lot of malware will slip through.

I don't think this is an unsolvable problem.

But how that 99% of society wants to use the computer should not ( and cannot necessarily) be dictated by even the 1% as the 1% will not know every edge case for how the 99% wants to use the computer. Thereby, "trusted" computing in that model is 100% flawed, and you then have to build in backdoors - like the register key that can disable requiring a signed driver so developers can test their drivers - so that the 99% can all do what they want/need to on the computer.

Not for -your- security

[Microlith]

In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running.

Of course, but the primary role of that lock down was to protect their DRM'd subsystems, which can be accessed by drivers running in kernel space, not to protect end-users from malicious driver code. Those were vicious but by far a minority, and hasn't improved the situation on Windows Vista x64 / Windows 7 in the slightest.

But hey, now Microsoft gets to bill everyone $250 for each driver release!

Re:Not for -your- security

[clodney]

In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running.

Of course, but the primary role of that lock down was to protect their DRM'd subsystems, which can be accessed by drivers running in kernel space, not to protect end-users from malicious driver code.

Question for you - what benefit does Microsoft gain from enforcing DRM? They are not the copyright holders of music and movies, so they have no direct loss if pirating of content leads to reduced sales of music and movies.

Seems to me that if MS own self interest is considered they would put their effort into preventing piracy of their own software, and not worry about the DRM systems.

Windows Vista and 7 do indeed include DRM subsystems, but since I can't see how MS self interest is invovled in maintaining them, I think it is likely that these are things that the content holders demanded from them before they would grant MS the necessary licenses to produce players, or enter into partnerships to promote such content.

Either way, seems to me that MS is at most a reluctant partner in such schemes, and don't really care if DRM gets hacked. But driver signing and anti-malware do generate negative customer feedback, so I believe they take those things more seriously.

Infecting the MBR requires admin rights

[gad_zuki!]

or physical access. At that point anything goes. Why bother with screwing with code signing tricks when you can just run whatever code you like.

Re:Infecting the MBR requires admin rights

[BLKMGK]

Nope, I don't think so. If you attempt to load up an unsigned driver on 64bit Win7 or Vista 64 and do not specifically go through the F key function to turn on the mode that disables signed drivers - at every single boot - you will get a nasty text message that HALTS the boot process, shows you the name of the unsigned driver, and shows you the registry key that called it (as I recall, been awhile).

Unsigned drivers on 64bit Windows are NOT the same as the unsigned code box you're talking about. Attempts to load unsigned drivers on the OS that requires it halts the boot process. You can go into a mode to load them - which I think even has visual indicators - or use a test cert - indicators here too I believe - but it's most certainly not the trivial thing to get aorund you've just described, sorry.

Doesn't actually bypass the code signing security

It lives in the mbr and sets a boot flag that lowers the load integrity threshold like users have been doing to run/test utilities that don't pay to get signed.
 

Re:Wow. Master Boot Record infectors.

[sexconker]

Why does everything have to be a kit?
Rootkit. Okay.
Bootkit. I see what you did there.

Would a WoW hack that steals/sells your loot be a lootkit?

Would a viral advertising campaign that gets a bunch of douches to seek out 1930s era fashion for their high school proms be a zoot kit?

Would naughty chimney sweeps toss packages of dirt, grime, and grease down your chimney and call it a soot kit?

Is whatever drug / "treatment" the government uses on every former agent who goes public with stories about aliens called a coot kit?

Are those wooden owls you put out to scare other birds away from your crops a hoot kit?

Is the point of this post completely inconsequential, making the post a moot kit?

Re:Acceptable and Proper Slashdot Vocabulary

[hairyfeet]

I don't know, that is kinda like arguing you are the tallest midget as BOTH are major levels of stupid.

As for TFA, as long as Windows is the #1 desktop deployed it will always be a target, but frankly as a PC repairman I can say there is so much low hanging fruit with home users most won't even need this trick. All they have to do is pop up on a website "ZOMG DUDE, You got teh Viruz!! Turn off yur broken AV and run this ZOMG quick!!!" and you'd be surprised how many will do JUST that. I have literally sat beside a user and said "Do NOT open a password protected zip file it IS a virus!" and had them go "My BFF Kim sent this! stop being paranoid!" and watched dumbfounded as they proceeded to do EXACTLY what the instructions said and pwned themselves.

While I'm sure the malware kits will all add this to make guys like me have to work harder to get rid of it (in actuality it is pretty much nuke and reinstall anymore) to actually infect many home users all you have to do is the above or the ever easy "You need this codec to watch our FREE Lesbian pron!". I swear guys fall for THAT one damned near every time. I actually had to hunt down a decent virus free porn site just to send my "must click teh prons!" users to just to keep them from constantly reinfecting their machines.

So Linux guys be DAMNED GLAD you don't have those home users and there will hopefully NEVER be a "year of the Linux desktop" because a week later the net will be flooded with "Porn_Codec.sh" and "Happy_Puppy.scr.sh"with helpful instructions on how to run them that the users WILL follow. Stupid is as Stupid Does.