Information and slides from the presentation can be found on the HAR2009 Wiki and the project website.
Since his Blackhat presentation, Peter Kleissner has been fired from his job due to his presentation at Blackhat. He is now starting a consultancy in Vienna –> Please support him if you can
Bootkits are rootkits in the Master Boot Record (MBR) and loads prior to the OS bootloader.
Historically there have been a varierty of bootkits, from stoned in 1987 through to the latest 2009/2010 bootkits (including the new Stoned Bootkit, Kon-boot, etc..).
The original stoned bootkit printed the message “your PC is now stoned”. More modern bootkits can bypass OS features such as encryption, passwords (kon-boot) and malicious activity, such as steal passwords.
The new Stoned Bootkit is designed for forensic and law enforcement to enable them to bypass encryption and passwords on a machine to be examined.
A breakdown of the Windows Vista / 7 copyright protection was discussed. The protection can be bypassed by fooling Windows into thinking that the system BIOS and certificate match a valid OEM. This allows the user to bypass the activation of the software. This bypass can be performed in a per-boot basis, or by editing the BIOS directly.
- Physical Access
- Administrator rights (elevated on Vista)
- – Shell Execute () at runtime
- – MANIFEST
The environment used is old school real mode using 16bit. It must be programmed in assembly because of this reason.
BIOS vendors are scared to fix this on systems incase they brick user systems.
Bypassing full volume encryption is implemented using a double forward for intercepting the enncryption and decryption disk I/O. The bootkit doesn’t modify the decryption software (independent).
Owning the OS from boot is implemented byloading before the OS and then injecting itself into the boot process of the OS. This process allows for multiple OS support, and splits up each part of the process. As the bootkit has it’s own PE Loader, it cannot be detected by AV vendors.
It is also possible to inject the bootkit code directly into a Hibernation file. Checksums are not validated (blank the checksums and it passes). This method can be used with the Stoned Bootkit.
Solutions to prevent bootkits
Using the TPM (Trusted Platform Module) in connection with full disk encryption. Disable MBR overwrites in Windows.
Bootkits can be used by law enforcement as it removes the issues of full disk encryption, and should be undetectable on a machine.
Support on all versions of Windows 2000 and greater.
Bypass for Truecrypt, and Diskcrypter full disk encryptions.
- Boot applications
- Proof of concept payload (cmd.exe priv escalation to SYSTEM)
Demo: Stoned v2 Infector (LiveCD) – based on WinPE
As with live demos, things don’t always go well. Still, it looked good from what I saw.
A number of example plugins are provided.
- co² plugin – slows the processor down to 80% speed
- Extraction of unpacked kernel drivers
Future considerations – 64bit, Linux support, and addressing the TPM module issue (bypass)