Sunday, 20 December 2009

Bootkit : One Deadly Weapon In The Attacker Arsenal

Posted on 10:47 by Unknown

There was a great presentation at Black Hat about bootkits, which are simply rootkits loaded from the MBR before the operating system starts.

[Image: Stoned Bootkit]

This could be used to defeat full-drive encryption, since the system is infected only after it has booted and unlocked the drive. Below is a copy of the main page of the http://www.stoned-vienna.com/ web site, which has tons of great information on the subject:


Stoned Bootkit


Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from XP up to 7. It is loaded before Windows starts and is memory resident up to the Windows kernel. Thus Stoned gains access to the entire system.


It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. The project is partly published as open source under the European Union Public License. Like in 1987, 'Your PC is now Stoned! ..again'….


Peter Kleissner, Software Dev. Guru in Vienna

Your PC is now Stoned! ..again; Some links:

http://www.stoned-vienna.com/ - Main site (this site, redirects here)
http://stoned-bootkit.blogspot.com/ - Blog
http://vimeo.com/5114740 - Short video introduction to the project
http://www.pauldotcom.com Episode 155 - Interview and very good write up
www.blackhat.com speakers & topics - Stoned Bootkit at Black Hat USA 2009

Black Hat déjà vu - Stoned again
TrueCrypt vs Peter Kleissner, Or Stoned BootKit Revisited..

Download the Stoned Bootkit Paper

  • Paper
  • Black Hat USA 2009 Presentation
  • Open Source Framework
  • Infector file that was used in the Black Hat USA 2009 presentation

'A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It's a very interesting type of rootkit.' - Robert Hensing about bootkits


Please take also a look on my upcoming Hacking at Random presentation "The Rise of MBR Rootkits & Bootkits in the Wild".


Frequently Asked Questions


What is Stoned Bootkit and why should you be concerned?

A bootkit is a boot virus that is able to hook and patch Windows to get loaded into the Windows kernel, thus gaining unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted. The master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one's secure!

For whom is Stoned Bootkit interesting?

1. Black Hats
2. Law enforcement agencies
3. Microsoft


Why is Stoned something new?
Because it is the first bootkit that..
- attacks Windows XP, Server 2003, Windows Vista, Windows 7 with one single master boot record
- attacks TrueCrypt full volume encryption
- has integrated FAT and NTFS drivers
- has an integrated structure for plugins and boot applications (for future development)

With Stoned Bootkit you can install any software (for example a trojan) on any computer running Windows without knowing any password, even when the hard disk is fully encrypted. Related questions from the Black Hat presentation:

1. Can the BIOS MBR protection prevent the attack?

No, because the BIOS is not called to write the MBR to disk. Windows has its own native hard disk drivers that are directly accessing the hard disk. The MBR protection in the BIOS works only with DOS and Windows 95/98.

2. Can hardware encryption prevent the attack?

Only for physical access. The attack is still possible under a running Windows because the hardware encryption is a layer below. The Stoned software will be stored encrypted by the hardware encryption and decrypted on startup, so it will still become active when starting.

TrueCrypt Attack


Stoned is able to bypass the full volume encryption of TrueCrypt. It allows installing a Trojan on a computer whose hard disk is fully encrypted. Let's take a look at the technical part. For TrueCrypt encryption there are two scenarios:


  1. Only the system partition is encrypted; the master boot record, unpartitioned space and the host protected area stay unencrypted.
  2. Full volume encryption, only the master boot record stays unencrypted.

The trick is that the master boot record is never encrypted - and thus can be safely overwritten and used for our own boot 'software'. For the first case additional data such as plugins, the original master boot record backup or further code can be stored to unpartitioned space. For the second case the whole Windows attacking code must fit into the master boot record, into the 63 sectors minus the decryption software. TrueCrypt has free 7 sectors where Stoned Bootkit still fits, so even full volume encryption is no problem.
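The two scenarios above and the FAQ answer on the unencrypted master boot record both come down to the same defensive check: is the boot code in sector 0 still what it was at install time, and has anything been written into the gap between the MBR and the first partition? The following script is an added example written for this post, not code from Stoned or from the blog. It parses a classic MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), compares a SHA-256 of the boot code with a recorded baseline, and lists non-zero sectors in the pre-partition gap. The disk image is constructed in memory; the layout (first partition at LBA 63, the 63-sector gap the text mentions) and the stand-in boot code bytes are assumptions chosen to match the page, not real firmware.

```python
"""Added example: MBR integrity check against a known-good baseline.

Constructed data throughout; this is not Stoned Bootkit code. The layout
(partition at LBA 63, 62 free sectors behind the MBR) is an assumption
matching the 63-sector gap described on the page.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes of boot code before the partition table
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code and used partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba_start, size = struct.unpack(
            "<BBBBBBBBII", entry)
        if ptype != 0:                      # type 0 means an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": size})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may legitimately change."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def gap_sectors_in_use(image: bytes, first_lba: int) -> list:
    """LBAs in 1..first_lba-1 that are not all zero (where a bootkit could stash code)."""
    used = []
    for lba in range(1, first_lba):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            used.append(lba)
    return used


def check_image(image: bytes, baseline_hash: str) -> list:
    """Return a list of human-readable findings; empty means the image matches."""
    info = parse_mbr(image[:SECTOR])
    findings = []
    if boot_code_hash(image[:SECTOR]) != baseline_hash:
        findings.append("boot code differs from baseline")
    first = (min(p["lba_start"] for p in info["partitions"])
             if info["partitions"] else 1)
    used = gap_sectors_in_use(image, first)
    if used:
        findings.append(f"{len(used)} non-zero sector(s) in MBR gap: {used[:8]}")
    return findings


def build_image(boot_code: bytes, gap_payload_sectors=()) -> bytes:
    """Constructed disk image: MBR, 62-sector gap, one NTFS partition at LBA 63."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 2048)
    mbr = boot + entry + b"\x00" * 48 + BOOT_SIGNATURE
    image = bytearray(mbr + b"\x00" * SECTOR * 62 + b"\x00" * SECTOR * 2048)
    for lba in gap_payload_sectors:          # simulate code parked in the gap
        image[lba * SECTOR:(lba + 1) * SECTOR] = b"\xcc" * SECTOR
    return bytes(image)


# Constructed stand-in for the installed boot code (not real loader bytes).
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
BASELINE = hashlib.sha256(CLEAN_BOOT.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()


def demo():
    """Check a clean image and one with patched boot code plus gap payload."""
    clean = build_image(CLEAN_BOOT)
    tampered = build_image(b"\xeb\xfe" + CLEAN_BOOT, gap_payload_sectors=(2, 3, 4))
    return check_image(clean, BASELINE), check_image(tampered, BASELINE)


if __name__ == "__main__":
    for label, findings in zip(("clean", "tampered"), demo()):
        print(label, "->", findings or "no findings")
```

On a real host the same functions run over the first 63 sectors read from the raw disk (for example `\\.\PhysicalDrive0` on Windows, opened with administrator rights), with the baseline hash recorded right after installation and stored off the machine. The check does not catch a bootkit that patches the MBR only in memory, and a disk encryption loader such as TrueCrypt's legitimately occupies part of the gap, so the baseline must be taken after that loader is installed rather than treating every non-zero gap sector as hostile.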


My personal notebook has the system partition encrypted with TrueCrypt. I showed at Black Hat USA 2009 live that Stoned Bootkit was able to bypass that and could pwn my own system.


cmd.exe Privilege Escalation


Thanks to Vipin & Nitin Kumar for providing me with their cmd.exe privilege escalation attack (source code together with some more detailed information). I rewrote a driver in C that does that job - overwriting the security token of cmd.exe with the one of services.exe. It waits until the image "whoami.exe" is loaded and escalates the rights of the cmd.exe process. An attacker can use this in the real world for example as a root shell on a target system (with physical access). Take a look at the kernel debug output generated from the driver:


Image Load: \Device\HarddiskVolume1\Programme\Support Tools\whoami.exe
Found Process: System
Found Process: smss.exe
Found Process: csrss.exe
Found Process: winlogon.exe
Found Process: services.exe
System Service Security Token: e17c04ea
Overwriting old Security Token: e1445036
cmd.exe privilege escalated successfully!

(Left to right): Windows XP SP2, Windows Vista, Windows 7 RC pwned (take a look at whoami.exe, which changes from Peter Kleissner to NT-AUTHORITY\SYSTEM, and cmd.exe runs under SYSTEM rights as shown in the task manager)


[Images: Windows XP cmd.exe privilege escalation; Windows Vista cmd.exe privilege escalation; Windows Vista cmd.exe privilege escalation]



You may download the Windows 7 RC + TrueCrypt attack demonstration high quality video (11,7 MB) at http://www.stoned-vienna.com/downloads/TrueCrypt Windows 7 RC.avi.


Please download and read TrueCrypt Foundation's mail about the attack at http://www.stoned-vienna.com/downloads/TrueCrypt Foundation Mail 18. Juli 2009.tif. The whole mailings with the TrueCrypt Foundation can be found in the Stoned framework in the directory 'TrueCrypt'.


Local Infector


An automated infector Live CD will be published soon. It allows infection of a local machine (requires physical access and the ability to boot from CD or USB stick, this is the second installation way, the first would be using the Windows infector executable). As boot base the Windows PE 2.0 from the Windows Automated Installation Kit is used for automatic deployment. Instructions of how to create your own Stoned Windows PE CD and a download for pre-configured iso will follow. For more information read the blog entry at http://stoned-bootkit.blogspot.com/2009/08/vipin-kumar-windows-pe-and-eminem.html.


Stoned..

  • is software in the Master Boot Record, with the target to be memory resident up to the Windows kernel
  • attacks Windows XP, Server 2003, Vista, Server 2008, 7
  • supported architecture: IA32, AT Architecture (IBM-conforming)
  • full featured, including own file system drivers for FAT and NTFS!
  • supports different boot media, hard disk, removable-media, cd, dvd, flash drives, network..
  • there will be new versions, plugins and updates!

It has been successfully tested and verified on following systems:


  1. Windows 2000 SP4
  2. Windows XP SP2
  3. Windows XP SP3
  4. Windows Server 2003
  5. Windows Server 2003 R2 SP2
  6. Windows Vista
  7. Windows Vista SP1
  8. Windows Server 2008
  9. Windows 7 Build 6801
  10. Windows 7 Beta
  11. Windows 7 RC
  12. DiskCryptor 0.8
  13. TrueCrypt 6.1a
  14. TrueCrypt 6.2
  15. TrueCrypt 6.2a
  16. Bochs 2.4.1
  17. VMware Workstation 6.5.0


Stoned v2


The next version of Stoned is currently under development. The next version is going to be more evil than ever.

Features:

- 64-bit support based on the implementation of vbootkit 2.0
- infecting all local drives (including USB autorun spread)
- Linux support - experimental
- BIOS persistent infection - experimental

The first beta will be released with Hacking at Random 2009. Other changes will be the removal of the (heavily criticized) selling notice. In future Stoned will be published by my startup company Insecurity Systems.

Future ideas:

- burning CDs with Stoned when they are inserted
- using driver that is used by infector and kernel driver
- infection on access
- TPMkit
- using more open source to get the things done


Happy Hacking @itsmeafterall
