INSECURITY RESEARCHERS in India have released a proof-of-concept bootkit that can be used by an attacker to gain stealthy control of Windows 7 systems.
The software, called Vbootkit 2.0, was revealed last month at the Hack In The Box computer insecurity conference in Dubai. At the time, developers Vipin Kumar and Nitin Kumar had said they wouldn't publicly release the code lest it be misused.
They've since changed their minds and have released Vbootkit 2.0 under an open sauce licence, according to PC World. They said their reason for releasing the proof-of-concept attack was to encourage security researchers to develop defences against the technique used.
"All we are trying to do is help more people understand the real enemy, malware, so new innovations can occur," Vipin Kumar wrote in an email.
Vbootkit 2.0 can be foiled by using BitLocker hard drive encryption and a Trusted Platform Module, but many Windows 7 capable PCs don't have those features.
Microsoft doesn't consider it a serious threat to Windows 7 because it doesn't enable a remote attack.
However, a malware writer might modify the Vbootkit 2.0 code to turn it into a remote attack tool as has been done with other bootkit software in the past.
Since it might be months before Windows 7 is released by Microsoft, it sounds possible that the Vole's next big thing might hit the streets with malware ready and waiting to greet it.
They've since changed their minds and have released Vbootkit 2.0 under an open sauce licence, according to PC World.
The PC World article referenced is a bit better of a read: Despite Pledge, Researchers Release VBootkit 2.0 Code [pcworld.com]
I guess it's preferable that they're releasing this code during the beta stage. I don't think it would be fair to release code like this for a production OS.
it exploits a design flaw in the operating system, which assumes that the boot process can be trusted and is safe from attack.
I'm not sure how the use of BitLocker and a TPM can protect against this (as is mentioned in the article), but I assume that a hash for the boot files is stored somewhere to permit validation. This could be done by the BIOS without encryption if the BIOS writers had a mind to do so. Indeed, the initial boot files could be stored in flash memory. Changes could be written to a parallel area and only installed when confirmed by the user after the initial POST routine has completed. But no matter what you do, some people will click "YES" to everything.
Perhaps Windows could perform validation of the boot area, but once it has been infected, it can't be trusted to provide reliable validation anyway.
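As an added example (not from this thread, the article, or the Vbootkit authors), here is a small Python model of the two defences raised above: TPM-style measured boot with a secret sealed to the measurement, which is the BitLocker/TPM point in the article, and a firmware-held hash manifest with staged, user-confirmed updates, which is the scheme sketched in the post above. Every boot image and the volume key are constructed placeholders, and the seal/unseal routine is a simplified stand-in for what a real TPM does in hardware; the point it demonstrates is that a patched boot file changes the measurement before the OS ever runs, so the check does not depend on the possibly-infected OS validating itself.

```python
"""Toy measured-boot model: each boot component is hashed and folded into a
PCR-style register; a secret (e.g. a volume key) is sealed to the expected
register value, so a patched boot file changes the measurement and the secret
is not released. All images below are constructed, not real boot code."""
import hashlib
import hmac

PCR_INIT = b"\x00" * 32

# Constructed stand-ins for boot components; a real system measures the binaries.
GOOD_CHAIN = [
    ("mbr", b"constructed master boot record image"),
    ("bootmgr", b"constructed windows boot manager image"),
    ("winload", b"constructed os loader image"),
]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def measure_chain(chain):
    """Extend a PCR-style register with each component's hash, in boot order.
    Returns (final register value, measurement log)."""
    pcr = PCR_INIT
    log = []
    for name, image in chain:
        digest = sha256(image)
        pcr = sha256(pcr + digest)  # extend: pcr = H(pcr || H(component))
        log.append((name, digest.hex()))
    return pcr, log


def seal(secret: bytes, expected_pcr: bytes):
    """Bind a secret (<= 32 bytes) to an expected register value.
    Toy construction: key derived from the PCR, XOR-wrapped secret plus a MAC."""
    assert len(secret) <= 32
    key = sha256(b"toy-seal" + expected_pcr)
    wrapped = bytes(a ^ b for a, b in zip(secret, key))
    tag = hmac.new(key, wrapped, hashlib.sha256).digest()
    return wrapped, tag


def unseal(blob, current_pcr: bytes):
    """Release the secret only if the current register reproduces the seal key."""
    wrapped, tag = blob
    key = sha256(b"toy-seal" + current_pcr)
    expected_tag = hmac.new(key, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None  # measurements differ from what the secret was sealed to
    return bytes(a ^ b for a, b in zip(wrapped, key))


def build_manifest(chain):
    """Firmware-held manifest of trusted boot-file hashes (the 'stored hash' idea)."""
    return {name: sha256(image).hex() for name, image in chain}


def verify_manifest(manifest, chain):
    """Return names of components whose hash no longer matches the manifest."""
    return [name for name, image in chain if manifest.get(name) != sha256(image).hex()]


def install_staged(manifest, staged_chain, user_confirmed: bool):
    """Staged boot-file update: replace the trusted manifest only after explicit
    confirmation; otherwise the old manifest stays and staged changes stay inert."""
    if not user_confirmed:
        return manifest
    return build_manifest(staged_chain)


def tampered_chain():
    """Constructed variant of GOOD_CHAIN with one component patched."""
    return [(n, img + b" patched" if n == "bootmgr" else img) for n, img in GOOD_CHAIN]


if __name__ == "__main__":
    volume_key = b"constructed-volume-master-key!!"  # placeholder, 31 bytes
    good_pcr, log = measure_chain(GOOD_CHAIN)
    blob = seal(volume_key, good_pcr)
    print("clean boot releases key:", unseal(blob, good_pcr) == volume_key)
    bad_pcr, _ = measure_chain(tampered_chain())
    print("patched boot releases key:", unseal(blob, bad_pcr) is not None)
    manifest = build_manifest(GOOD_CHAIN)
    print("manifest mismatches:", verify_manifest(manifest, tampered_chain()))
```

Run as a script it reports that the clean chain releases the key, the patched chain does not, and the manifest check names `bootmgr` as the modified component. The staged-update helper keeps the old manifest unless the user confirms, which is exactly where the "some people will click YES to everything" caveat still applies.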