A bootkit is a boot virus that is able to hook and patch Windows to get loaded into the Windows kernel, and thus gain unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted. The master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one's secure!
1. Black Hats
2. Law enforcement agencies
3. Microsoft
Why is Stoned something new? Because it is the first bootkit that...
- attacks Windows XP, Server 2003, Windows Vista and Windows 7 with one single master boot record
- attacks TrueCrypt full volume encryption
- has integrated FAT and NTFS drivers
- has an integrated structure for plugins and boot applications (for future development)
With Stoned Bootkit you can install any software (for example a trojan) on any computer running Windows without knowing any password, even when the hard disk is fully encrypted. Questions from the Black Hat presentation and general questions:
1. Can the BIOS MBR protection prevent the attack?
No, because the BIOS is not called to write the MBR to disk. Windows has its own native hard disk drivers that are directly accessing the hard disk. The MBR protection in the BIOS works only with DOS and Windows 95/98.
2. Can hardware encryption prevent the attack?
Only for physical access. The attack is still possible under a running Windows because the hardware encryption is a layer below. The Stoned software will be stored encrypted by the hardware encryption and decrypted on startup, so it still becomes active on startup.
3. How can Stoned be removed?
In the framework, execute Restore.exe from the 'Executables' directory. Alternatively you can use the Windows Recovery Console (from the installation boot CD) and run 'fixmbr' for Windows XP/2003 and 'bootrec /FixMbr' for Windows Vista. That command overwrites the master boot record with the default one and thus overwrites Stoned.
4. How can Stoned be installed?
Available are the Windows infector (Infector.exe in the framework), the Live CD (physical access) and the PDF infector (using an exploit to infect the system when the PDF is viewed). See below for more information.
-------------------
VBootkit 2.0
Two Indian security researchers, Vipin Kumar and Nitin Kumar, have publicly released their Windows 7 exploit code VBootkit 2.0 as open source under the GPL license. It allows hackers to exploit the Windows 7 kernel undetected without modifying any files on the disk; the whole process takes place in memory, exploiting trusted kernel files with the hacker's code and allowing them to gain control of the user's computer without being detected.
Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel (and now the Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows logging into a Linux system as the 'root' user without typing the correct password, or elevating privileges from the current user to root. For Windows systems it allows entering any password-protected profile without any knowledge of the password. It was actually started as a silly project of mine, which was born from my never-ending memory problems. Secondly, it was mainly created for Ubuntu; later I made a few add-ons to cover some other Linux distributions. Finally, please consider that this is my first Linux project so far. The entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.
Post subject: Re: Stoned Bootkit Posted: Sat Nov 26, 2011 11:34 am
Changing the MBR is not a really new attack technique, and it requires execution in an elevated admin security context. Once you have modified the MBR it's easy to catch the TrueCrypt credentials to use in a subsequent attack. It should not have any effect on a GPT-based disk, and it also seems not to work on an x64 operating system.
Sorry, I hadn't seen the VBootkit and Kon-Boot parts... My statement above refers only to the Stoned bootkit. Interesting kits, I will do some research about them.
_________________ Commodorians know there is only one true path, and it is 8 bits wide.
Post subject: Re: Stoned Bootkit Posted: Sat Nov 26, 2011 6:58 pm
VBootkit is really impressive. Integrity control of data in its execution state (thus in RAM) is still the hardest task security software could do. System memory is always considered a "high trust" zone, since it's very difficult to access it without "alarming" the operating system or security software. So, most of the time, data is not checked for integrity before being executed.
_________________ Commodorians know there is only one true path, and it is 8 bits wide.