From the past to the future: the new bootkit menace
As security experts have repeatedly pointed out in recent months and years, the trend among the most sophisticated malicious code is to reach the lowest levels of the machine it infects, taking every security mechanism out of the game and gaining full control of the PC and of the operating system. This trend is increasingly summed up by the term “bootkit”, literally a bootable rootkit, on which the attention of researchers and Assembly code enthusiasts has recently focused, uncovering new potential threats with an ancient heart, as well as dangerous security flaws in products sold as malware-proof security measures.
A bootkit is a rootkit executed in the very first phases of machine startup, the short interval in which the system BIOS initializes peripherals and reads configuration data before handing control to sector zero of the hard disk. There the Master Boot Record reads the partition table before handing control to the boot sector of the partition on which the operating system resides, or alternatively to the boot loader in a multi-boot configuration.
Bootkits replace the MBR in order to hook the BIOS interrupts, and so run first every time an application, the operating system or a low-level driver reads from or writes to the disk. As anyone who has followed the computer security “scene” for long enough knows, it is a trick used since the dawn of digital times, the only difference being that 20 years ago DOS stood in place of Windows and the bootkits for Wintel systems were called boot or Master Boot Record viruses.
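As an added example that is not part of the original article, the Python below shows the defender's side of the boot sequence just described: it parses sector zero into its boot code, the four 16-byte partition table entries at offset 446 and the 0xAA55 signature at offset 510, compares the boot code against a known-good SHA-256 baseline, and flags any non-zero sectors in the gap between the MBR and the first partition, the area where boot-level code and data are commonly stashed. The disk images, the boot-code bytes and the baseline hash are all constructed inline and are not real boot code; in practice the same functions would be fed the first sectors read from a physical disk.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55          # stored little-endian at offset 510 as the bytes 55 AA
PART_TABLE_OFFSET = 446
BOOT_CODE_LEN = 440             # bytes 0..439; 440..445 hold the disk signature and reserved bytes
PART_ENTRY_FMT = "<B3xB3xII"    # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector0: bytes) -> dict:
    """Split sector zero into its boot code and the used partition table entries."""
    if len(sector0) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    sig = struct.unpack_from("<H", sector0, 510)[0]
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{sig:04X}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector0, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:              # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector0[:BOOT_CODE_LEN], "partitions": partitions}


def nonzero_gap_sectors(disk: bytes, first_lba: int) -> list:
    """LBAs between the MBR and the first partition that are not entirely zero."""
    return [lba for lba in range(1, first_lba)
            if any(disk[lba * SECTOR:(lba + 1) * SECTOR])]


def audit_disk(disk: bytes, baseline_sha256: str) -> dict:
    """Compare the boot code against a trusted hash and scan the pre-partition gap."""
    mbr = parse_mbr(disk[:SECTOR])
    first_lba = min((p["lba_start"] for p in mbr["partitions"]), default=1)
    return {
        "boot_code_matches": hashlib.sha256(mbr["boot_code"]).hexdigest() == baseline_sha256,
        "partitions": mbr["partitions"],
        "nonzero_gap_sectors": nonzero_gap_sectors(disk, first_lba),
    }


# --- constructed sample data: not real boot code and not a real disk image ---
def build_sample_disk(boot_code: bytes, stash_lba=None) -> bytes:
    """64-sector image with one bootable type-0x07 partition at LBA 63; optionally stash data in the gap."""
    disk = bytearray(64 * SECTOR)
    disk[:len(boot_code)] = boot_code
    struct.pack_into(PART_ENTRY_FMT, disk, PART_TABLE_OFFSET, 0x80, 0x07, 63, 1)
    struct.pack_into("<H", disk, 510, MBR_SIGNATURE)
    if stash_lba is not None:
        marker = b"CONSTRUCTED-STASH"
        disk[stash_lba * SECTOR:stash_lba * SECTOR + len(marker)] = marker
    return bytes(disk)


CLEAN_BOOT_CODE = b"\xeb\x3c\x90CONSTRUCTED-CLEAN-BOOT-CODE"
CLEAN_DISK = build_sample_disk(CLEAN_BOOT_CODE)
BASELINE_SHA256 = hashlib.sha256(CLEAN_DISK[:BOOT_CODE_LEN]).hexdigest()
# a "replaced MBR" image: different boot code plus data hidden at LBA 10, before the first partition
TAMPERED_DISK = build_sample_disk(b"\xeb\x3c\x90CONSTRUCTED-REPLACED-MBR", stash_lba=10)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_DISK), ("tampered", TAMPERED_DISK)):
        print(name, audit_disk(image, BASELINE_SHA256))
```

The baseline hash has to be taken from a disk that is known to be clean (or from the boot code the installed boot loader is documented to write), and the gap check is a heuristic: some boot loaders legitimately keep code in those sectors, so a non-zero hit is a reason to look, not a verdict.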
The trick of abusing the BIOS is old but still effective today, as the Mebroot rootkit, part of the botnet known as Torpig/Sinowal, has painfully reminded us in recent years, and as researchers Anibal Sacco and Alfredo Ortega have demonstrated with their recent BIOS rootkit proof-of-concept. The same Sacco and Ortega were back in action at the 2009 edition of the Black Hat conference in Las Vegas, this time exposing a severe flaw in the Computrace LoJack for Laptops consumer security service.
The tool is sold as a protection system with a permanent “home calling” feature: it periodically connects to a central server to ask for instructions and, should a portable PC be lost or stolen, can be used to erase the hard disk or trace the device's position. LoJack for Laptops resides in the system ROM and works together with the BIOS, and according to Sacco and Ortega it behaves like a true persistent rootkit that takes the system “hostage”, is invisible and resists any removal attempt.
A cyber-criminal able to take control of the home calling feature could exploit the mechanism for his own benefit, and according to the two researchers' work LoJack's configuration data, including the IP address, port and URL of the remote server, is managed with no particular security measures: it would be trivial to locate that data in the Windows Registry and in the space between the hard disk partitions, modify it and redirect the entire process towards malicious servers.
The flaws Sacco and Ortega found in the LoJack security software are a damned serious problem considering that the system comes preinstalled on 60% of all new laptops on the market. But where BIOS abuse and invisible code are concerned, something worse was shown in Las Vegas: a bootkit that borrows its name and its infection strategies from a historical boot virus and turns them into a modern weapon, introduced as the ultimate picklock for defeating security on any Windows version.
The creation of the very young Peter Kleissner is called Stoned, just like the other Stoned which, from 1988 on, was the base of many DOS boot virus variants including the notorious Michelangelo. Kleissner describes his tool as a research project whose goal is to create the most sophisticated bootkit ever, one that could be used both by malware writers to gain full control of the system and by developers to load uncertified Windows drivers for testing, as well as boot-time applications such as boot loaders, backup and restore software and so on.
Currently Stoned makes the headlines mostly because it can infect all modern 32-bit Windows versions, from Windows 2000 up to the Windows 7 Release Candidate, and for its ability to bypass TrueCrypt's disk encryption. The bootkit replaces the original Master Boot Record and is flexible enough to manipulate any pre-existing boot loaders (such as TrueCrypt's), the BIOS interrupts and the Windows kernel function calls.
According to the young Austrian, his work is a plug-in based development framework whose capabilities are still to be explored and refined, and a true “game over” for Microsoft's security policies, which have lately become quite strict about what executable code (legitimate or malicious) may do with the heart of the operating system, thanks to PatchGuard, the protection built into the 64-bit Windows versions (XP-2008-Vista-7) that prevents kernel alteration.
The game over Stoned announces is partly softened by the fact that it is not fully compatible with the aforementioned PatchGuard, that it runs only on a traditional BIOS and not on the new Extensible Firmware Interface (EFI) technology due to replace it in the long term, and that it cannot bypass the low-level protections of a Trusted Platform Module combined with full hard disk encryption that also covers the MBR sector.
In any case the resourceful Kleissner says he is working on all of these shortcomings: making the Stoned framework completely independent of the operating system (Linux or Windows), implementing compatibility with 64-bit Windows systems and TPM hardware defenses, and finally defeating the activation technology of Microsoft's operating systems. So Game Over from Los Angeles, and welcome to the new incarnation of the everlasting Stoned boot virus.