Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    MS Watches as Vista Gets 0wn3d by Rootkit

    By
    Ryan Naraine
    -
    August 4, 2006
    Share
    Facebook
    Twitter
    Linkedin

      LAS VEGAS—Ben Fathi slipped into the darkened, standing-room-only conference room and took a seat on the carpeted floor.

      On the Black Hat stage, malware researcher Joanna Rutkowska, of COSEINC, was discussing a new technique that could plant an offensive rootkit in Windows Vista, Microsofts “most secure ever” operating system.

      As corporate vice president for Microsofts STU (Security Technology Unit), it is Fathis responsibility to deliver on Vistas security promise, and Rutkowskas claim—complete with live demo—that a key anti-rootkit feature can be easily defeated could be a public relations nightmare.

      But Fathi was unperturbed. Almost unnoticed in the crowd, he paid close attention to Rutkowskas slides and didnt even flinch when the room erupted in applause as the demo succeeded in loading unsigned code into Vista Beta 2 kernel (x64), without requiring a reboot.

      “This is the reason were here. To see the advancements in research and work closely with these guys [white hat hackers] to figure out whats working and whats not working,” Fathi said in an interview with eWEEK immediately after the presentation.

      “Weve already fixed that path [of attack] … Its beta software that will have bugs. That [attack scenario] has already been fixed in later builds,” Fathi said.

      /zimages/1/28571.gifRead more here about Microsofts efforts to harden Vista against attacks by kernel-mode malware.

      Rutkowska, a Windows Internals expert, was one of several stealth malware researchers using Black Hat, the preeminent hacker conference, to discuss advancements in rootkit creation.

      During her talk, she described how scripts can be used to allocate excess amounts of memory to a process, forcing the target system to page out unused code and drivers. At this stage, Rutkowska showed how shell code could be executed inside one of the unused drivers, completely defeating the new device driver signing policy being implemented in Vista to only allow digitally signed drivers to load into the kernel.

      Rutkowska created a one-click tool to plant the rootkit and used special heuristics to automatically find out how much memory should be allocated to “knock the unused driver.”

      /zimages/1/142980.jpg

      The shell code used in the demo successfully disabled signature checking in the rooted machine, rendering the system vulnerable to the loading of unsigned drivers.

      Even as she basked in the success of the theoretical attack, Rutkowska offered Microsoft a pat on the back for its decision to block unsigned drivers. “The fact that this mechanism was bypassed does not mean that Vista is completely insecure,” she said. “Its just not as secure as advertised.”

      /zimages/1/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

      Fathi did not say how Microsoft had fixed the issue in later Vista builds, but he received lots of advice and recommendations from Rutkowska.

      Rutkowska said Microsoft should consider forbidding raw disk access from user mode, or encrypting pagefile to keep it in kernel non-paged memory. This may cause some performance impact, she said.

      /zimages/1/28571.gifMicrosoft draws on hacker expertise to test Vistas security. Click here to read more.

      A third possible solution is to disable kernel memory paging entirely, Rutkowska said.

      “Its very difficult to implement 100 percent efficient kernel in a general purpose operating system,” she said, warning that malicious hackers will always find a way around to plant malware on target systems.

      Fathi, who is leading a large Microsoft delegation at the hacker conference, agreed that theres no such thing as “100 percent secure software.”

      “These problems will always be around. If you have a way to get into the kernel, all bets are off. These things arent new. Were glad the researchers are finding these things and letting us know while the software is still in beta,” Fathi said.

      “Weve fixed this one and well continue to fix them as they come up,” he said.

      /zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Avatar
      Ryan Naraine

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×