Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


MS Watches as Vista Gets 0wn3d by Rootkit



 By: Ryan Naraine
2006-08-04
Article Rating:starstarstarstarstar / 2


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Black Hat Briefings: Microsoft security chief Ben Fathi responds to a standing-room-only demo of a new technique used to plant an offensive rootkit in Windows Vista.

LAS VEGAS—Ben Fathi slipped into the darkened, standing-room-only conference room and took a seat on the carpeted floor.

On the Black Hat stage, malware researcher Joanna Rutkowska, of COSEINC, was discussing a new technique that could plant an offensive rootkit in Windows Vista, Microsofts "most secure ever" operating system.

As corporate vice president for Microsofts STU (Security Technology Unit), it is Fathis responsibility to deliver on Vistas security promise, and Rutkowskas claim—complete with live demo—that a key anti-rootkit feature can be easily defeated could be a public relations nightmare.

But Fathi was unperturbed. Almost unnoticed in the crowd, he paid close attention to Rutkowskas slides and didnt even flinch when the room erupted in applause as the demo succeeded in loading unsigned code into Vista Beta 2 kernel (x64), without requiring a reboot.

"This is the reason were here. To see the advancements in research and work closely with these guys [white hat hackers] to figure out whats working and whats not working," Fathi said in an interview with eWEEK immediately after the presentation.

"Weve already fixed that path [of attack] … Its beta software that will have bugs. That [attack scenario] has already been fixed in later builds," Fathi said.

Read more here about Microsofts efforts to harden Vista against attacks by kernel-mode malware.

Resource Library:
Rutkowska, a Windows Internals expert, was one of several stealth malware researchers using Black Hat, the preeminent hacker conference, to discuss advancements in rootkit creation.

During her talk, she described how scripts can be used to allocate excess amounts of memory to a process, forcing the target system to page out unused code and drivers. At this stage, Rutkowska showed how shell code could be executed inside one of the unused drivers, completely defeating the new device driver signing policy being implemented in Vista to only allow digitally signed drivers to load into the kernel.

Rutkowska created a one-click tool to plant the rootkit and used special heuristics to automatically find out how much memory should be allocated to "knock the unused driver."

The shell code used in the demo successfully disabled signature checking in the rooted machine, rendering the system vulnerable to the loading of unsigned drivers.

Even as she basked in the success of the theoretical attack, Rutkowska offered Microsoft a pat on the back for its decision to block unsigned drivers. "The fact that this mechanism was bypassed does not mean that Vista is completely insecure," she said. "Its just not as secure as advertised."

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Fathi did not say how Microsoft had fixed the issue in later Vista builds, but he received lots of advice and recommendations from Rutkowska.

Rutkowska said Microsoft should consider forbidding raw disk access from user mode, or encrypting pagefile to keep it in kernel non-paged memory. This may cause some performance impact, she said.

Microsoft draws on hacker expertise to test Vistas security. Click here to read more.

A third possible solution is to disable kernel memory paging entirely, Rutkowska said.

"Its very difficult to implement 100 percent efficient kernel in a general purpose operating system," she said, warning that malicious hackers will always find a way around to plant malware on target systems.

Fathi, who is leading a large Microsoft delegation at the hacker conference, agreed that theres no such thing as "100 percent secure software."

"These problems will always be around. If you have a way to get into the kernel, all bets are off. These things arent new. Were glad the researchers are finding these things and letting us know while the software is still in beta," Fathi said.

"Weve fixed this one and well continue to fix them as they come up," he said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: MS Watches as Vista Gets 0wn3d by Rootkit
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}v89hN;k"mGʑ-9IJ<OzwEB!);ysϾ>V>hvҙqNl BUP(~ sp'I"fcaQr8wOuޛ?$<876fR(%GƎgP+N-w5 E]0eNFNv@\}@^F7K`OSSMuɌYPo8͹6}^~jN .hѱ LIl_P[$ȁ_ Ң%yHcRp?֥qυBg;i}N'H;WN8spySf_ž0IM"d2!J>v\{'od #B=Vya/ w-myLƖM-GW*cOfnڭcŰ A#c9p<4#wJ3u'M jj'ӤRcfxHx#@oXSTVHԢf&ܴ;gj5[gNbױ}ǣ# 3E5_FBS If5;aW ̋-g?LG`B'lǦ" 'mm_j|5n9 8& z5 wj%NXE ?q74Fa9 ;Ef4rؗcY֌,`F-S4uDUZ+NR^(O췢C L{ĩq3{7:\* {q#GAݍƖfm[h[N"ijQPg7A|H;oq\b'H Hw& LT-JR,̓LCaltX{CF0j;|#R/ՋjA=Qdډf1Sd1XI/YPGf9vNmҹvnov.Nosd̲3<jUU* j va ?ޛ:75mݿ iw>v:dO#t>+?_fV'_Z-[_o!"AZ oj'%X+*&r f[Ԗ-Pò˔A' ~~# 6aͩ6wObkx>:ACA4icŦh4/@g&h`CCҏ:LZ w&|hnx c 00w9&z4H۠h&r<kIMmLJ.?6 { G`p&{xk=`DwKXb LGTE}vAC-@Xz][ X.lv66-0 ٥6FHQ m2(%łdhK 4.gP)AH =k 99] ޑvR.%rP.=!ԑtLR..΍gr)eb -d[b~Il eV&vϺoZLboD6], S m3-]ug{T*jRO'4ML&nfz{@ZgӅiK0:ik`1Ґ(ea9O=sE h? OuO 35{00q}@K2iMsӆg$rTDhL˄rf6d\2'45Kıa|dN['p7?>{@M\n|8$4<3rGֶL/j@~.&](LuΩJJ&k&HX3j-yspm 6M7)\#P{`CLE2a3?%ӇfS/0}̙S3BZsOsR|$g:[XknmEI8Ga]ik#\<7Bɶ/Zaa5EQ^ZKHD@CR)Ե aY^`(ytMΆТ=i*ccG9 |?U.*r-}d2jeV9,Wf (MwC~;[0P.m^/Vޙu<|쑁iiێC \,<<fRqgӠMae ޤPLM>kQ@/ı``{st9pJ.k9wM^]//]9d!@0m"CqiNR} Ĵ^oZmio#2RzXO%}\(*JLeSl ԑq,Yri L*gXM>QȚ$a(JuѧIϴ%&zI4*$No+F#OWQ§^hLaE 570M;cLKo;99Ԣލ G`3\xkm`x䃋 ,*`ز|˘7 iX/I3$#v*'L)`Ճ3\PSlf3 "9&Զ w[qo8Z?ߙcynR)brdLǖ8+ѱ,Xr*-Mޝ쯫F'F `3(0fӦRxsѿe=UN᧔ZЁQ}/5u|X\.``!>v#0Hoa7X[ RkE}v{/Z>4F@2<"c8fS>tZ{PDK%n6 7}&no=Ǐl[,<9ygn2m$8z.0JL;%9-$ۃ3Jnfۤs:n&2006e-0P>O\QrW,09|փu8݆`,s508 LBw)lj•0A^ r6g6~&ziM0b`7=3';(4OQ*X9 6>bz]Wm"{'"#ə^[j x,~Zz9pY(*"5 Z i3FɁ㚺/k Osq:?0jyJY0kT JhU m{\ cg=]/$.RQv+ր i+TTV ?3pa-X,Ԕʉ3H)(Gܩ?^nȍ:0fIz?D|)@U%UHU,UU\Hz, :.7xџ1XD+(++i-^2yi mD[ 4wʨK^-,sK"hʌg _|s[rn)tyĆ5Qh-Bwej `2W4$ΞcVqDb?рh)k03f YVW$ԚkEI=NM=)h˃Qa?CuRԣ{{[C4}3݀,L)3G1ȔɹT)j b[-W+c"=0G\0R>+#{H"p?lVz슓d9#R@BRNbx<'b{H ' aV*37o~.RȓccI`q`w0kb5ǟM1yãCgV8|} E D@;n#߱?% ?S-E8gMX1BNJŻR?vËcRT6yj(zOxȀy5_au[\t.QQVv?kq O,}U^;8&nRzGQ^ٷgP K)rF16fd+](ao[vt0lgahy+ 8$ap 8ͻYOꝐUGJ:7_{fܨZwW, D#B]vZ7ȧ-Bk7d4) 3yI]aDH݂()MsÙWB9I.Dz=d_Ug0YTtd+`C 9 ²Y oH2|(_ b { r H)'4m):\b/H46B R`2"W(BSiDOg49ߴ8Sjw E'/JNAN [JӷoHW蘧KwOtEt_([hLuasV;HGdԾ, ?!i^K/pǻoE p1ASB9kթ-xOӎO|BXqTwJd:$=zbeQfIlxRB'T-˓$/+IYO)Uqhd*꒐~*~ j&'ءآґֻ\v'8{Hp>+P{wXd`\`ql)Za""|)Nr a=k]`e>#§{yRb}b%&h8W߅m^<~xZr)tgxkiWE^KJ^vn£Gky~`Ѵ'NxĆ#*9BG,BY?Y ./#vG6}`>w&?זdN-j `ֳsDϝ́(|@3``:<|jnMM%&;*6 GgayF<.Ə%⇆3LQLv\u9ܐէarځcAI5hs5ׅO>4dkT /GyZWAs(dk.}u8?Iq(>H턟VVyc1ZSϏ$٘ΧBEW5lko,+"sᔤ\D'㣓)?8bo:=0d&qkNζ==4zo=إᏦ5<_+~ GLwUvD%J{8deQJ7=w*q-@k%e*qQ#{"F%G o14N-*zj6?l53ǜ'K<]vW9wBf#AVާA+6,eM^T uPř|l'Ca%}o"1q* U9>;l,<< 8e@Wzn󿛓GcȰa9`e 4^02u=`j!qST/2>oGѰ׼AZ ~#]3X Tċ{ή@i=n*x$yJ ?aP1ŀR9&LM\}dvt1m;`"IW{V %͗>~IhKhHt8'zl'ހHDd A4JC{=MZ?!c76_WBM*^'ϼetőjثIM#b+ o V FBX,;ɘF\(bG_ٟ R\/@"✢ hٵ5屙8AC:[d=D)HjaW)=c)eј,Lnxm҅&'{4,)t#^,` % ,f)`#D[b S'2'As:O껲\uRdmXR6j y~>J+ m]  U6Aweʋ3b:]JaWC}4]s=-`#⃃d?os>;7gs@G`U}v`$u@rl `d V':`uLHտ-v םk־lHu[r 2f#}====_CX=Jz Gf+j[J]jRWYn(f?arO>yu:YXEin~#۹. S 5X} Y\yjok!% k2TK @H&-|c4dj9Ҝ`FKm)9/2.o[+`&# XG QFYЕ^z`"  ²e w *H}@F.l;;R@ +96|@UhAE"*H" +~#(vqT_k$2ǟ"tb|鿫s˸@]&8X/#zBޛ! ?Zv`~4/%T[,NW'X]b%Vߚ mWEHqo[?!MmiѸ}.~,X?Vr@7kd"sϙK7txT^o$qZ׎k~k{J (#<Uc^dqnLma|"A,_;g@b: 1ZkձPo t(6w|kBm^b"ewヂ;6m @bǤq4:AokA=>om/R|Bvs}e/^ \{8fyz`>ԙ}cEEKظ$ X~{F3yTi>bs$[RR֣3pg1sCNgKp @ߠR&^x7?]f gkq$=~N\ģ{6tΨZG2 l+x%[_2u\Ͳb%⛽HEŗqu6Y-USژtk"]oT{mvXï^9B$$fFRrk5[A6௺as^%iĕ$8&wlQqD3e/H s$Xí 5] 1 :!&HSjνc PYu_Kݩ_~Qmsℶ`'_ۯeY￑$yc1f^A,C&&pvP]?zUcb~ڱcSaWׁn(/{*6c]G?LQH,B~VxrLv^BLk-cB4$p{#OͷǍA9PAgt~'D)D:c)D)D/{ _(oCu&/\xωDL9"? KB)PG!x݃@~2xS›OaR͏M:'Vk;HN~Jt܅;@eߵfx -RRZ ʉmO5Ax1GUMqbcM[ukp#BYŪ B(lF݈8*6,dAˢǃZ-' (UNs+nI({ôLK]Y a C^( #y%1W{c8gc0m<xX2xO)Htw^vI'Nr92-n&~iXc>H'&t=jhD ŤJd kh^XωZ,Jvnvn!_S UVRCVrF7<*WuAW\1ꓱ~bG0/RVIa>(-zpҸF,)qay )V>Vw>B2<*tW#W|#4bI,-F! XPp³UpT)j5qNd>MdRLґu o`< z战̥7a?= 0M8# zoE6Iz# ,Ő,?ZEDW# `xB(f.?s; zx d!/kM ֒5q'9,T@!'vѻ 2C"q]V_ֽ?c7L>l  P-r9G}8;ѹ}s5( EIݽ`?Ø {VZ"_^R1@Qm>ɹf0`M;vBE< ,i mangMdۈX 9P"`")ôukfĄ9 e %:=┏~1JO+\- B@e=Dq掙xy<}k@R]α*@;`g*#DĩAbJ zI8FWR-,L3 uD"(Wx.Pu>ݓ0]_'g`r[fp͒w\j::rtԨ Gb8+M5?3X,ȏ Klݜ(8Z1I(tCK/HzszqkFdnzPX׻3Se:MPbޅR-'I]+Q !2,=Vr$kwy|WfE3{8~JOz%rEeW0`A#'92ag44\A%_Ч6#&LF`9暭OCZ!ۿ"-¶6-J-e۟ןλW3&{0cq/楶L]$,C r~u8s3ȵ,9% ewf8lgz$G(%^ٍ/!b~0`b0Sjo:M;_LǗ%K#CE@f0l 1mύ\f&7bQwй Ik&5/m];^fB7P~(Cy?9} 4hw2Ϡl{9<>2^~5/˻\(u3UF9\ ^~ /3leOe,@^}{@^}z.=^^e?f_@EFߠo=(e^eU\]e_O?CA35u\C7?73ACa ^C}Y >>foʁo3ڿh6s$eCPʐ5.NpN3˹i+/WAa uuQ^ }V)@yJ ,c3\)d{)[?;vBX\Jzp+z=k */d5j8VӮ ;/6h}o0W*m"ycoR= A)I. 3l?V\[[,Oнۺ{'ϊ'NW4Cﹲ+d^ WsMV}ӉzZ=Ś/JYy<q sjžȾ6wkv%|,y|e8Ntw17 }^f>? Vt{rMtKnyɻr%> |#rӚܴO䶊v<2k[Ս/#B Afп~%sS$iN^Zqz`AMw= !ڋy>Y2h(d4|s&pN!3J8?0 fZ gKq`FPKt-o{4"q`jHL iK*V*r;@+A"ðGD(&0#*+P#}a`J^.U&zG l]{J̾jCO3CX)x}̺l[ %<{jm!+X ڼx[T;i @)8?,(sd-#X5S'M^ŽV/'"hxx! " n'QVLZDA[I 6O^8Vv̸U_a aށ0a| ^{l x Qh/I'kS `8wO 챧g'4WBMx[.TùLHd v"ѩy4F=_8 "s HaCk2CjQwh}tdX eoM"m,?hPMQl0X$=Cf KǓ,h :BQZ`-ă7 ~='IDπiMMf@gU(VxRBZ9=ļKÏl[~ gRǞ,`//2^;' π 8>eC;gI2T~gN=*P=eZQϺ} ~"85Yz#Io=Gmg_VeńK!z>^I;.~m' ]*K@%Gb9G8]! MAE~!OG ϻyH)tIw`_P f1| j?;7mTeLc(ŬBCd=)O?n'[nMG\[<>biЀΧ^p祈TU|J6A1^<3&{z΃E)xu!A]=vw[?/'R`pE7:QTD +Q)Ybd뜙9 3/&M@NEqDgPv;yDt[=<=v?scg_2ҷU>vį-_ڗ+zYL1e~}=3ӲG(q{*,@3qt3B;7o^z5&Ps::hӆG0ޏYwPQl@xS as=6c;pszԷ QmQ+xa_9~m`PcwOp`2;uy;8KIF epCik6Ia0&E㨤t`C v_Ή~ph{?҈>A wVǰ/YF!& 7O80Ux|-h\}{M_^;/9LgѸ9"D+"{]2*A-V75wSF \L%h72bo _KO{ |>":ø03Vt*N`7XysB(WC^~:!# ֎*`.g'qAN>!2D!6xNxCYşwuMU[ _P- NI`){׭v{."^s/ >A|Ѿy6gn_ oM4ZQw^㛼VtƢI:6pzR/jŝ.=xc;a+b(1vlS2Ɗ4K_ijV46!v07Nw6̈́ В^&Ůvbe%