HITB in Dubai this week – some researchers announced a proof of concept ‘bootkit’ for Vista. A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It’s a very interesting type of rootkit.
eEye’s ‘Bootroot’ was the first bootkit that I am aware of for Windows, and you could load it by booting a machine off a CD, floppy or PXE device. Literally that was all it took to get 0wn3d. You walk up to a machine, insert the CD, hit the reset button, wait for the CDROM light to go off, then eject the CD and walk away. The whole attack usually takes less than 30 seconds. Think about how powerful something like that could be in a typical office or cube farm when an employee leaves his machine to go get coffee. Bootroot also patches the MBR on the HDD after loading from the CD’s boot record, so that it persists across reboots from the main HDD in the system. When the victim comes back to their PC and sees that it has been rebooted, they may just think it bluescreened or that there was a brief power loss resulting in a reboot.
Well, the new ‘VBootkit’ for Vista (and there is some controversy – many believe this work is based heavily on eEye’s Bootroot code) works in essentially the same way, but it doesn’t appear to patch any of the on-disk binaries. Once it is read from the boot record of the CD or PXE device it goes memory resident and patches key parts of memory (starting with hooking INT13) throughout the boot process to maintain stealth. It includes some interesting new kernel ‘shellcode’ (as they call it) that periodically (every 30s?) elevates any instance of CMD.EXE that it finds to SYSTEM rights by pointing the token member of the EPROCESS block for a given instance of CMD at the token used by the ‘services.exe’ process (I believe).
Windows Vista, VBootkit, Bitlocker, TPM