Microsoft Blocks Vista Rootkit Exploit

Stealth malware researcher Joanna Rutkowska says Microsoft has blocked the attack vector used to slip unsigned drivers past new anti-rootkit policies in Windows Vista.

Microsoft has blocked the attack vector used to slip unsigned drivers past new security policies being implemented in Windows Vista, according to Joanna Rutkowska, the stealth malware researcher who created the exploit.

Rutkowska, who demonstrated the exploit at the Black Hat conference in August, said she tested the attack against Windows Vista RC2 x64 and found that it no longer works.

"The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights," Rutkowska wrote on her Invisible Things blog.

Rutkowska, a Windows internals expert at Singapore-based IT security firm COSEINC, warned, however, that the way the exploit is being blocked could be problematic and cause application compatibility issues.

During her Black Hat presentation, which was attended by then Microsoft security chief Ben Fathi, Rutkowska described how scripts can be used to allocate excess amounts of memory to a process, forcing the target system to page out unused kernel code and drivers to the pagefile on disk. She also showed how shell code could be written into one of those paged-out drivers and executed once it was paged back in, completely defeating a new anti-rootkit policy that allows only digitally signed drivers to load into the Vista kernel.


Rutkowska created a one-click tool to plant the rootkit and used special heuristics to automatically find out how much memory should be allocated to "knock the unused driver." The shell code used in the demo successfully disabled signature checking in the rooted machine, rendering the system vulnerable to the loading of unsigned drivers.
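A practitioner reading this will want to know whether a given Windows build actually enforces the block described above. The following check is added here and is not code from the article or from Rutkowska's tool. It opens the system volume from an elevated user-mode process, reads its first sector, and writes the same bytes straight back, which is exactly the kind of raw write the pagefile attack depends on. It assumes an elevated PowerShell session, a 512-byte sector size (4096 on a 4Kn disk), and treats Win32 error 5 (ERROR_ACCESS_DENIED) as the expected "blocked" result; the volume path is built from the SystemDrive environment variable.

```powershell
# Added example, not code from the article or from Rutkowska's tool: probe
# whether this Windows build blocks raw sector writes from an elevated
# user-mode process, the mitigation the article attributes to Vista RC2.
# It reads sector 0 of the system volume and writes the SAME bytes back,
# so nothing on disk changes even on a build that allows the write. Still,
# run it only in a disposable test VM. Assumes a 512-byte sector size
# (use 4096 on a 4Kn disk) and an elevated PowerShell session.

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run from an elevated session: the point is that the block applies even to administrators."
}

# Minimal Win32 wrappers; .NET's FileStream refuses \\.\ device paths,
# so CreateFile/ReadFile/WriteFile are called through P/Invoke.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class RawDisk
{
    public const uint GENERIC_READ  = 0x80000000;
    public const uint GENERIC_WRITE = 0x40000000;
    public const uint FILE_SHARE_RW = 0x00000003;   // FILE_SHARE_READ | FILE_SHARE_WRITE
    public const uint OPEN_EXISTING = 3;
    public const uint FILE_BEGIN    = 0;

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFile(string name, uint access, uint share,
        IntPtr sa, uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetFilePointerEx(IntPtr h, long distance, out long newPos, uint method);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadFile(IntPtr h, byte[] buf, uint count, out uint done, IntPtr overlapped);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteFile(IntPtr h, byte[] buf, uint count, out uint done, IntPtr overlapped);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@

$sectorSize = 512
$volume = '\\.\' + $env:SystemDrive            # e.g. \\.\C:, the volume that holds pagefile.sys
$access = [RawDisk]::GENERIC_READ -bor [RawDisk]::GENERIC_WRITE
$h = [RawDisk]::CreateFile($volume, $access, [RawDisk]::FILE_SHARE_RW,
        [IntPtr]::Zero, [RawDisk]::OPEN_EXISTING, 0, [IntPtr]::Zero)
if ($h.ToInt64() -eq -1) {
    throw "CreateFile($volume) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

try {
    $sector = New-Object byte[] $sectorSize
    $pos  = [int64]0
    $done = [uint32]0

    # Read the volume boot sector so the write below is byte-for-byte identical.
    [void][RawDisk]::SetFilePointerEx($h, 0, [ref]$pos, [RawDisk]::FILE_BEGIN)
    if (-not [RawDisk]::ReadFile($h, $sector, $sectorSize, [ref]$done, [IntPtr]::Zero)) {
        throw "ReadFile failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # The actual probe: a raw write to an in-use sector of a mounted volume.
    [void][RawDisk]::SetFilePointerEx($h, 0, [ref]$pos, [RawDisk]::FILE_BEGIN)
    $ok  = [RawDisk]::WriteFile($h, $sector, $sectorSize, [ref]$done, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($ok) {
        "$volume sector 0: raw write ALLOWED from elevated user mode (the pagefile attack's write path is open)"
    } elseif ($err -eq 5) {                      # ERROR_ACCESS_DENIED
        "$volume sector 0: raw write BLOCKED with ERROR_ACCESS_DENIED, as described for Vista RC2"
    } else {
        "$volume sector 0: WriteFile failed with Win32 error $err"
    }
}
finally {
    [void][RawDisk]::CloseHandle($h)
}
```

Note what this does and does not tell you. It exercises only the user-mode path that RC2 closed; it says nothing about the route Rutkowska goes on to warn about, a signed kernel driver that performs the raw write on an attacker's behalf, since that write never passes through this check.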

During the speech, she recommended three separate solutions, including the one that Microsoft opted to use: blocking raw disk access from user mode. However, Rutkowska insists this solution "is a bad idea."


In fact, Rutkowska believes this does not adequately fix the issue because legitimate, signed drivers can be hijacked by attackers and used to perform the pagefile attack. "The point here is, again, there is no bug in the driver, so there is no reason for revoking a signature of the driver. Even if we discovered that such a driver is actually used by some people to conduct the attack," she said.

"[Microsoft] implemented the easiest solution, ignoring the fact that it really doesn't solve the problem," Rutkowska added.

She warned that malicious attackers could develop a disk editor together with a raw-disk-access kernel driver, then sign it and use it to insert code into the Vista kernel.
