0wning Vista from the boot

Federico Biancuzzi interviews Nitin and Vipin Kumar, authors of VBootkit, a rootkit that is able to load from Windows Vista boot-sectors. They discuss the "features" of their code, the support of the various versions of Vista, the possibility to place it inside the BIOS (it needs around 1,500 bytes), and the chance to use it to bypass Vista's product activation or avoid DRM.

News source: The Reg


I don't believe that at all. They just said that for legal reasons. That way they have an excuse when it gets released into the wild (and it will), MS won't sue them into oblivion.
That's like the tobacco companies suing the American Medical Assoc for releasing information that tobacco causes cancer.

If a machine can be controlled long before the OS is running it....this isn't a problem with Vista...so much as it is a security issue with an ancient BIOS system.

I agree with soumyasch's comment about having an encrypted MBR or similar so that an OS can determine for itself, if there is a conflict between the original BIOS information and a change, and allow a user to decide if that's where they want to go. Still....with those out there still falling for the "MS has sent you a BIOS update" emails, this is all too easy to exploit.

Heck, I'm still getting chain emails about helping poor burn victims from a local Walmart. (ya know, the ones that MS and AOL track to donate .05¢ for every email)

But they publicized their technique. Now others will come up with their own solution.

As for spreading like a virus, some miscreants may advertise this as a way to bypass Vista DRM restrictions (given the FUD badvista.org has spread, I'm pretttty sure this will be an instant hit). The actual executable may flash the bios with copies of itself. Now it will load on every boot - undetected (it will patch detection mechanisms) - and being kernel mode code, it can do whatever it feels like. People won't even know they are compromised.

Or if it makes its way into some corporate network, it can create a PXE boot server, which can then serve infected bootloaders to remote booting clients which overwrite their bios/efi/mbr.

As for security companies doing boot sector scanning (it will need a kernel mode driver in Vista), once it loads from an external drive or something, it will write itself to the boot sector, while backing up the original code. However when booting the main OS once it's loaded into memory, it will stall the loading of an antivirus, replace the boot sector with the backed up version, before the av loads. So the AV will not see a hijacked boot sector. As long as the OS runs, it will lurk in memory. When the system is shutting down, after the av has unloaded, it will write the hijacked mbr back.

OSs should use an encrypted boot loader and swap space!!!
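A defender-side boot-sector check along the lines of the scanning discussed in the post above, as an added example that is not part of this thread or of VBootkit: it parses a constructed 512-byte MBR, records a baseline hash of the bootstrap code, and flags a later change to it. As the post points out, such a check only helps when the sector is read from outside the running OS (for instance after booting trusted media), because a memory-resident bootkit can put the original sector back while the OS is up; the layout offsets are the classic MBR ones and the sample bytes are constructed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code area of a classic MBR
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap-code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:] == SIGNATURE}


def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Compare a freshly read sector against a stored baseline; empty list means clean.

    Read the sector from trusted media, not from inside the running OS: a resident
    bootkit can restore the original sector for the duration of the scan."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def make_sample_mbr(code_byte: int = 0x90) -> bytes:
    """Constructed sample: dummy bootstrap area, one active NTFS partition, valid signature."""
    code = bytes([code_byte]) * BOOT_CODE_LEN + b"\x00" * 6     # 446 bytes
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + SIGNATURE


CLEAN_MBR = make_sample_mbr()
BASELINE = parse_mbr(CLEAN_MBR)["code_sha256"]   # record this while the disk is known good
```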

soumyasch said,
But they publicized their technique. Now others will come up with their own solution.

Would you rather they didn't publish and this was uncovered by some black hats (it would have been eventually)? They are doing a service for us by discovering and publishing these nasty holes in Vista.

The actual executable may flash the bios with copies of itself. Now it will load on every boot - undetected (it will patch detection mechanisms) - and being kernel mode code, it can do whatever it feels like. People won't even know they are compromised.

I'm not sure if you've ever flashed BIOS or not, but all BIOSes are not the same, and a "one-size fits all automatic BIOS flash virus" would kill more systems than it infects.

OSs should use an encrypted boot loader and swap space!!!

It also appears that you've never worked with large encrypted files, let alone encrypted swapfiles.

How many tinfoil hats did you make while writing that message?

lbmouse said,

Would you rather they didn't publish and this was uncovered by some black hats (it would have been eventually)? They are doing a service for us by discovering and publishing these nasty holes in Vista.

A hole? It does not exploit any security hole. It works by hijacking the computer even before Vista starts loading, and patching-on-the-fly the OS image as it is being loaded, so that what executes is an already-compromised version of Vista. If any, the fault is with the way the computer boots up, not the OS.

Encrypt the boot sector (SafeBoot or whatever Vista calls it, using TPM) and one attack vector (via the MBR) is nullified.

lbmouse said,

Would you rather they didn't publish and this was uncovered by some black hats (it would have been eventually)? They are doing a service for us by discovering and publishing these nasty holes in Vista.

Except this isn't a nasty hole in Vista. It's just a fact of life of the way your PC BIOS and the boot process is designed.

There's nothing an OS can do to protect your system if the hack is running even BEFORE the OS has booted.

(Although it's much harder to do this if you have a TPM in your PC and Vista Bitlocker enabled.)

If you actually read the article, the idea is that you can circumvent the DRM restrictions by loading your own drivers, and can avoid product activation - this isn't a virus, it's a method for you to 0wn your 0wn computer again...

soumyasch said,
This isn't a virus, true! But it has a potential to be a very troubling one!
Sure...

Step 1 of Virus: "Dear computer user, please burn this .iso file to a CD, and reboot your PC with it so we can install a rootkit. Also, if you could forward this message to your friends, that way they can be infected, too. Or hand them the CD with these instructions. Thank you"

Step 2: Control your army of zombie-bots!

ahhell said,
This really ****es me off.
Those ****ers need to be thrown off a bridge.

uh did you read the article? they did this to show the people who could fix or prevent to help make things to prevent it... so because they are trying to prevent something they **** you off?

neufuse said,

uh did you read the article? they did this to show the people who could fix or prevent to help make things to prevent it... so because they are trying to prevent something they **** you off? :rolleyes:

I don't believe that at all. They just said that for legal reasons. That way they have an excuse when it gets released into the wild (and it will), MS won't sue them into oblivion.

It's not like it's a virus propagating through the Internet. They said one would need physical access to the machine to implement this 'bootkit'. So even if it is released in the wild, even the naive users cannot just install it unknowingly.

IMO they are helping the community by finding ways that a system could be compromised. Now the security companies can look at plugging the exploit if possible.

At the moment it can do a few things which are:

It periodically raises cmd.exe's privilege to SYSTEM after every few seconds.
Modify Registry so as to start the telnet server automatically
Create a user mode thread and deliver the user mode payloads in context of a system(protected) process (LSASS.EXE, Winlogon.exe etc)

they must be very proud, why do people want to make a virus

Well, to pull a very interesting quote from the article:

Nitin & Vipin: The beauty of VBootkit lies in the fact that it isn't about someone else controlling your machine. It's about you controlling your own machine, so you can run software of your choosing. Vbootkit gives control back to the user.

Plus they haven't released the code for vbootkit and they've even provided binaries to antivirus companies to study. I'd pretty much call them white hats. So yes, they should be proud. Hackers like these provide valuable services to the industry and consumers.

I think the best thing about this would be to give people the ability to bypass all the crazy DRM features. That is, if you have the need to backup any HD-DVD or Blu-ray videos. If you don't have any DRM media then that's really not an issue. I just hope others don't start to use this to mess with systems and infect people. Once it's in your BIOS, then you're pretty screwed.

GP007 said,
I think the best thing about this would be to give people the ability to bypass all the crazy DRM features. That is, if you have the need to backup any HD-DVD or Blu-ray videos. If you don't have any DRM media then that's really not an issue. I just hope others don't start to use this to mess with systems and infect people. Once it's in your BIOS, then you're pretty screwed.

I don't need to back up HD-DVD or BD, but I'd sure like to be able to use PureVideo with Vista MCE to watch HBO without the Restricted Content flag being caught. Instead, I'm stuck using the poor performing Microsoft MPEG decoder. Joy! If this VBootkit would resolve that, I'd install it in a heartbeat.