Two security researchers released open-source code that can be used to take control of versions of the Microsoft Windows 7 x64 operating system. The team decided to release the code despite initial reservations over security.
Security researchers have made available for download the source code for a "bootkit" that allows hackers to take control of Microsoft's Windows 7 operating system.
Dubbed Vbootkit 2.0, the software was first presented by researchers Vipin Kumar and Nitin Kumar at the Hack In The Box security conference in Dubai in April. At the conference, the two researchers demonstrated how attackers could circumvent security features implemented in the kernel and gain control over Windows 7 (x64).
"It hooks the basic hard disk reading mechanism, the INT 13h method, then waits for read requests," Vipin Kumar told eWEEK in an e-mail. "When it finds a known signature, it patches the file in memory and the process continues till we reach the kernel."
"If one has this kind of unrestricted access, one can do many things to compromise the system," a Microsoft spokesperson pointed out. "BitLocker, in addition to data encryption, can also help protect against physical-access attacks with its secure-boot technology. The feature uses a Trusted Platform Module (TPM 1.2) to help ensure that a PC running Windows 7 has not been tampered with while the system was offline."
The attack can be blocked using BitLocker Drive Encryption and the Trusted Platform Module, and as demonstrated requires physical access to the system.
However, the BitLocker feature is not slated to be available in all editions of Windows 7, just the Enterprise and Ultimate versions.
"We would really like Microsoft to release one single edition with all features available to all user[s] instead of crippled editions," Kumar wrote. "Right now BitLocker and TPM are only available in the high-end versions."
While it may be possible to modify the code to launch an attack remotely, Kumar explained that the level of effort required makes it unlikely.
"We are not concerned that someone might modify the code to make it remote-capable because before he puts this much effort into Vbootkit, he might really have some easier ways to get the job done than Vbootkit," Kumar wrote. "Moreover, if that happens … then it's time for security/anti-virus companies to put some more hard work [in] and detect Vbootkit at run-time."
Due to concerns about misuse, the researchers had not made the code widely available until now. Kumar explained that malware developers always find a way to launch attacks, and that there are easier ways to accomplish the same goal than Vbootkit.
"All we are trying [to do] is help more people understand the real enemy, malware … So, this might trigger up new ideas in [the] security industry to help solve the problem," Kumar wrote. "We are still using age-old methods ... to detect malware."
Great Job Vipin and Nitin, keep up the good work!!
Update: The guys made the AvertLabs notice:
-----Original Message-----From: AVERT_Notice@Avertlabs.com [mailto:AVERT_Notice@Avertlabs.com]
Sent: Friday, May 08, 2009 2:37 PM
To:XXXXXXXXXXXXXX
Subject: Avert Labs Low-Profiled Threat Notice: Vbootkit
Notice
This is a Low-Profiled Threat Notice for Vbootkit
Justification
Vbootkit has been deemed Low-Profiled due to media attention at http://www.eweek.com/c/a/Security/Researchers-Release-Bootkit-Code-Targeting-Windows-7-646515/?kc=rss.
Vbootkit is referred to as "Vbootkit 2.0" in article at eweek.com.
Read About It
Information about Vbootkit is located on VIL at: http://vil.nai.com/vil/content/v_156174.htm
Detection
Vbootkit was first discovered on May 7, 2009 and detection will be added to the 5610 dat files (Release Date: May 9, 2009).
Though we consider this a low threat, An EXTRA.DAT file may be downloaded via the
McAfee AVERT Extra.dat Request Page: https://www.webimmune.net/extra/getextra.aspx
If you suspect you have Vbootkit, please submit a sample to http://www.webimmune.net
Risk Assessment Definition
For further information on the Risk Assessment and Avert Labs Recommended Actions please see: http://www.mcafee.com/us/threat_center/outbreaks/virus_library/risk_assessment.html
For breaking security information from McAfee(r) Avert(r) Labs visit:
McAfee Avert Labs Blog
http://www.avertlabs.com/research/blog
AudioParasitics - The Official PodCast of McAfee Avert Labs
http://podcasts.mcafee.com/audioparasitics
Sign up for McAfee(r) Avert(r) Labs Security Advisories
http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx
Posts
