Two security researchers open-source code that can be used to take control of versions of the Microsoft Windows 7 x64 operating system. The team decided to release the code despite initial reservations over security.
Security
researchers have made available for download the source code for a "bootkit" that
allows hackers to take control of Microsoft's Windows 7 operating system.
Dubbed
Vbootkit
2.0, the software was first presented by researchers Vipin Kumar and Nitin
Kumar at the Hack In The Box security conference in Dubai
in April. At the conference, the two researchers demonstrated how attackers
could circumvent security features implemented in the kernel and gain
control over Windows 7 (x64).
"It
hooks the basic hard disk reading mechanism, the INT
13h method, then waits for read requests," Vipin Kumar told eWEEK in an
e-mail. "When it finds a known signature, it patches the file in memory
and the process continues till we reach the kernel."
The
attack can be blocked using BitLocker Drive Encryption and the Trusted Platform
Module, and as demonstrated requires physical access to the system.
"If
one has this kind of unrestricted access, one can do many things to compromise
the system," a
Microsoft spokesperson pointed out. "BitLocker, in
addition to data encryption, can also help protect against physical-access
attacks with its secure-boot technology. The feature uses a Trusted Platform
Module (TPM 1.2) to help ensure that a PC running Windows 7 has not been
tampered with while the system was offline."
However,
the BitLocker feature is not slated to be available in all editions of Windows
7, just the Enterprise and Ultimate
versions.
"We
would really like Microsoft to release one single edition with all features
available to all user[s] instead of crippled editions," Kumar wrote.
"Right now BitLocker and TPM are only available in the high-end
versions."
While
it may be possible to modify the code to
launch
an attack remotely, Kumar explained that the level of effort required makes
it unlikely.
"We
are not concerned that someone might modify the code to make it remote-capable
because before he puts this much effort into Vbootkit, he might really have
some easier ways to get the job done than Vbootkit," Kumar wrote.
"Moreover, if that happens ... then it's time for security/anti-virus
companies to put some more hard work [in] and detect Vbootkit at run-time."
Due
to concerns about misuse, the researchers had not made the code widely
available until now. Kumar explained that
malware
developers always find a way to launch attacks, and that there are easier
ways to accomplish the same goal than Vbootkit.
"All
we are trying [to do] is help more people understand the real enemy, malware ... So,
this might trigger up new ideas in [the] security industry to help solve the
problem," Kumar wrote. "We are still using age-old methods ... to
detect malware."
Email
Print
