Bypassing Vista security and understanding stealth malware

Well, Vista isn't immune to security attacks. At the previous Black Hat briefings, two developers (Nitin Kumar and Vipin Kumar) demonstrated that, through what they call "custom boot sectors", a rootkit can get itself loaded at boot time, before the operating system has a chance to check anything.
Because their tool "Vbootkit" runs before the kernel and gets its own code into kernel context, it can do nearly anything on the system. The proof-of-concept code spawns a command shell running in the context of the System account, starts the Telnet server, and more.

Vbootkit is the first technology of its kind to demonstrate Windows Vista kernel subversion using a custom boot sector. Vbootkit shows how custom boot sector code can be used to circumvent the whole set of protection and security mechanisms of Windows Vista. The boot process of Windows Vista is substantially different from that of earlier versions of Windows. The talk will give you:

* details of the Vista boot process.
* an explanation of the Vbootkit functionality and how it works.
* insight into the Windows Vista kernel.

Luckily, the code isn't circulating in the wild, but they did provide binaries to several anti-virus vendors. It is quite possible that in the future we will see some nasty malware abusing this technique; note that it is not a bug that can simply be patched, but a consequence of the boot sector being executed without any integrity check.
This is actually somewhat old news. A little more up-to-date is the upcoming Black Hat briefing from 28 July until the 2nd of August. Joanna Rutkowska, a Polish researcher, will demonstrate how to circumvent Vista security such as BitLocker encryption. More information below:
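A check a practitioner would want after reading about custom boot sector rootkits is a way to tell whether the MBR of a disk still matches a known-good baseline. The following is an added example written for this post, not code from the Vbootkit authors: it parses a 512-byte MBR image, verifies the 0x55AA boot signature, decodes the partition table, and compares SHA-256 hashes of the boot code and the partition table against a baseline snapshot. The MBR images it works on are constructed inline (a dummy boot stub, one NTFS-type partition, and a hypothetical tampered copy whose first instruction has been replaced by a jump); the layout constants are the standard MBR offsets.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 440            # bytes 0..439: boot code
DISK_SIG_OFFSET = 440     # bytes 440..443: Windows disk signature, 444..445 reserved
PART_TABLE_OFFSET = 446   # four 16-byte partition entries
PART_ENTRY_SIZE = 16
BOOT_SIG_OFFSET = 510     # bytes 510..511: 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Decode a raw 512-byte MBR into its code hash, disk signature, partitions and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, CHS start, type, CHS end, LBA start, sector count (all little-endian)
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0:
            continue  # empty entry
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start_lba": lba, "sectors": count})
    table = sector[PART_TABLE_OFFSET:BOOT_SIG_OFFSET]
    return {
        "valid_signature": sector[BOOT_SIG_OFFSET:] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "table_sha256": hashlib.sha256(table).hexdigest(),
        "partitions": partitions,
    }


def snapshot(sector: bytes) -> dict:
    """Baseline to record when the machine is known clean (store it off the box)."""
    info = parse_mbr(sector)
    return {"code_sha256": info["code_sha256"], "table_sha256": info["table_sha256"]}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code differs from baseline")
    if info["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table differs from baseline")
    return findings


def read_mbr(path: str) -> bytes:
    """Read the first sector from a disk image or block device (e.g. an offline image)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable NTFS-type partition, valid signature."""
    code = code.ljust(CODE_END, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1000000)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return code + disk_sig + table + b"\x55\xAA"


# Constructed "clean" MBR: a dummy boot stub (jmp short; nop; cli; xor ax,ax; mov ss,ax; mov sp,7C00h).
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
BASELINE = snapshot(CLEAN_MBR)

# Hypothetical bootkit modification: the first instruction is redirected to attacker code
# placed in the otherwise unused tail of the code area.
_tampered = bytearray(CLEAN_MBR)
_tampered[0:3] = b"\xE9\x00\x01"          # jmp near to offset 0x103
_tampered[0x103:0x106] = b"\xEB\xFE\x90"  # placeholder for the injected hook
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Read the sector to check from an offline image or with the disk mounted on a trusted system: a bootkit that is already running can hook the disk read path and return the original sector to anything that asks for it, so a hash check performed from within the possibly infected OS proves little.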

Understanding Stealth Malware, a unique hands-on training will be run by me and Alex Tereshkin at this year's Black Hat conference! You can register at the Black Hat website here. More about the training on the blog here.
