Researchers Release Bootkit Code Targeting Windows 7

Two security researchers open-source code that can be used to take control of versions of the Microsoft Windows 7 x64 operating system. The team decided to release the code despite initial reservations over security.

Security researchers have made available for download the source code for a "bootkit" that allows hackers to take control of Microsoft's Windows 7 operating system.

Dubbed Vbootkit 2.0, the software was first presented by researchers Vipin Kumar and Nitin Kumar at the Hack In The Box security conference in Dubai in April. At the conference, the two researchers demonstrated how attackers could circumvent security features implemented in the kernel and gain control over Windows 7 (x64).

"It hooks the basic hard disk reading mechanism, the INT 13h method, then waits for read requests," Vipin Kumar told eWEEK in an e-mail. "When it finds a known signature, it patches the file in memory and the process continues till we reach the kernel."

The attack can be blocked using BitLocker Drive Encryption and the Trusted Platform Module, and as demonstrated requires physical access to the system.

"If one has this kind of unrestricted access, one can do many things to compromise the system," a Microsoft spokesperson pointed out. "BitLocker, in addition to data encryption, can also help protect against physical-access attacks with its secure-boot technology. The feature uses a Trusted Platform Module (TPM 1.2) to help ensure that a PC running Windows 7 has not been tampered with while the system was offline."

However, the BitLocker feature is not slated to be available in all editions of Windows 7, just the Enterprise and Ultimate versions.

"We would really like Microsoft to release one single edition with all features available to all user[s] instead of crippled editions," Kumar wrote. "Right now BitLocker and TPM are only available in the high-end versions."

While it may be possible to modify the code to launch an attack remotely, Kumar explained that the level of effort required makes it unlikely.

"We are not concerned that someone might modify the code to make it remote-capable because before he puts this much effort into Vbootkit, he might really have some easier ways to get the job done than Vbootkit," Kumar wrote. "Moreover, if that happens ... then it's time for security/anti-virus companies to put some more hard work [in] and detect Vbootkit at run-time."

Due to concerns about misuse, the researchers had not made the code widely available until now. Kumar explained that malware developers always find a way to launch attacks, and that there are easier ways to accomplish the same goal than Vbootkit.

"All we are trying [to do] is help more people understand the real enemy, malware ... So, this might trigger up new ideas in [the] security industry to help solve the problem," Kumar wrote. "We are still using age-old methods ... to detect malware."