MS Watches as Vista Gets 0wn3d by Rootkit

Black Hat Briefings: Microsoft security chief Ben Fathi responds to a standing-room-only demo of a new technique used to plant an offensive rootkit in Windows Vista.

LAS VEGAS—Ben Fathi slipped into the darkened, standing-room-only conference room and took a seat on the carpeted floor.

On the Black Hat stage, malware researcher Joanna Rutkowska, of COSEINC, was discussing a new technique that could plant an offensive rootkit in Windows Vista, Microsofts "most secure ever" operating system.

As corporate vice president for Microsofts STU (Security Technology Unit), it is Fathis responsibility to deliver on Vistas security promise, and Rutkowskas claim—complete with live demo—that a key anti-rootkit feature can be easily defeated could be a public relations nightmare.

But Fathi was unperturbed. Almost unnoticed in the crowd, he paid close attention to Rutkowskas slides and didnt even flinch when the room erupted in applause as the demo succeeded in loading unsigned code into Vista Beta 2 kernel (x64), without requiring a reboot.

"This is the reason were here. To see the advancements in research and work closely with these guys [white hat hackers] to figure out whats working and whats not working," Fathi said in an interview with eWEEK immediately after the presentation.

"Weve already fixed that path [of attack] … Its beta software that will have bugs. That [attack scenario] has already been fixed in later builds," Fathi said.

/zimages/1/28571.gifRead more here about Microsofts efforts to harden Vista against attacks by kernel-mode malware.

Rutkowska, a Windows Internals expert, was one of several stealth malware researchers using Black Hat, the preeminent hacker conference, to discuss advancements in rootkit creation.

During her talk, she described how scripts can be used to allocate excess amounts of memory to a process, forcing the target system to page out unused code and drivers. At this stage, Rutkowska showed how shell code could be executed inside one of the unused drivers, completely defeating the new device driver signing policy being implemented in Vista to only allow digitally signed drivers to load into the kernel.

Rutkowska created a one-click tool to plant the rootkit and used special heuristics to automatically find out how much memory should be allocated to "knock the unused driver."


The shell code used in the demo successfully disabled signature checking in the rooted machine, rendering the system vulnerable to the loading of unsigned drivers.

Even as she basked in the success of the theoretical attack, Rutkowska offered Microsoft a pat on the back for its decision to block unsigned drivers. "The fact that this mechanism was bypassed does not mean that Vista is completely insecure," she said. "Its just not as secure as advertised."

/zimages/1/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Fathi did not say how Microsoft had fixed the issue in later Vista builds, but he received lots of advice and recommendations from Rutkowska.

Rutkowska said Microsoft should consider forbidding raw disk access from user mode, or encrypting pagefile to keep it in kernel non-paged memory. This may cause some performance impact, she said.

/zimages/1/28571.gifMicrosoft draws on hacker expertise to test Vistas security. Click here to read more.

A third possible solution is to disable kernel memory paging entirely, Rutkowska said.

"Its very difficult to implement 100 percent efficient kernel in a general purpose operating system," she said, warning that malicious hackers will always find a way around to plant malware on target systems.

Fathi, who is leading a large Microsoft delegation at the hacker conference, agreed that theres no such thing as "100 percent secure software."

"These problems will always be around. If you have a way to get into the kernel, all bets are off. These things arent new. Were glad the researchers are finding these things and letting us know while the software is still in beta," Fathi said.

"Weve fixed this one and well continue to fix them as they come up," he said.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.