mohamad1
05-08-2009, 07:43 PM
The Vbootkit 2.0 attack tool capable of compromising Windows 7 (http://news.softpedia.com/news/What-039-s-New-in-Windows-7-Release-Candidate-RC-Build-7100-111033.shtml) has gone open source. Security researchers Vipin Kumar and Nitin Kumar have released the source code (http://www.nvlabs.in/archives/8-Vbootkit-2.0-is-now-open-source-under-GPL-license.html) of Vbootkit 2.0 under a GPL license. The tool was demonstrated at the Hack-in-the-Box conference in Dubai 2009, where the duo managed to take over the 64-bit flavor of Windows 7 via boot sectors. The pair of security researchers had initially indicated that they would not make the proof of concept code public; however, their latest move reveals new plans.
Vbootkit 2.0 can be used to own Windows 7 as the operating system is booting. Vipin Kumar explained at the Dubai event that there is no security fix for the tool, since the attack vector is not a vulnerability. Instead, Vbootkit 2.0 exploits the design of the Windows 7 boot process in order to compromise the operating system. The next iteration of Windows client assumes that all the files loaded during boot are secure, with the Winload completely trusting BOOTMGR.EXE.
“The objective is to get the Windows 7 (x64) running normally with some of our changes done to the kernel. Also, the Vbootkit 2.0 should pass through all the security features implemented in the kernel without being detected, namely Patchguard v3, Driver signing. No files should be patched on disk, it should run complete in memory to avoid later on detection,” reads an excerpt from the Vbootkit 2.0 presentation.
http://www.softsailor.com/wp-content/uploads/2009/04/vbootkit.jpg
But Vbootkit 2.0 is not as dangerous as it might seem. The fact is that a potential attacker would have to have physical access to the victim's computer, as remote hacks are not possible. At the same time, since the code runs in memory, it will be deleted completely on reboot. Additional mitigations blocking such attacks involve BitLocker Drive Encryption (BDE) and the Trusted Platform Module in Windows 7, features that are not common to all editions of the operating system. Microsoft has downplayed the severity of Vbootkit 2.0, and emphasized that the tool does not exploit a vulnerability in Windows 7.
go here (http://news.softpedia.com/news/Windows-7-Vbootkit-2-0-Attack-Tool-Goes-Open-Source-111063.shtml)
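Added example, not part of mohamad1's post or of the NVlabs Vbootkit code: the article names BitLocker plus a TPM as the mitigation, because a boot chain altered by an external bootkit changes the TPM measurements and the volume master key will not unseal. The script below checks whether a Windows 7 host actually has that protection in place: an enabled and activated TPM, BitLocker turned on for the OS volume, and at least one TPM-bound key protector (a recovery password or USB startup key alone unlocks the volume regardless of what booted the machine). It uses only the Win32_Tpm and Win32_EncryptableVolume WMI providers that ship with Windows 7 (Get-Tpm and Get-BitLockerVolume are Windows 8 and later), and it assumes an elevated PowerShell session on an edition that includes BitLocker; the protector type codes are the documented values from Win32_EncryptableVolume.GetKeyProtectorType.

```powershell
# Added example: verify the Vbootkit mitigations named in the article
# (TPM present and active, BitLocker on the OS volume with a TPM-bound
# key protector). Windows 7 WMI providers only; run elevated.

$volNs = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$tpmNs = 'root\cimv2\Security\MicrosoftTpm'

# Key protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType.
# Only these four tie unlocking to the measured boot chain.
$tpmBoundProtectors = @{
    1 = 'TPM'
    4 = 'TPM + PIN'
    5 = 'TPM + startup key'
    6 = 'TPM + PIN + startup key'
}

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }   # no TPM, or provider not available
    New-Object PSObject -Property @{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-OsVolumeBitLockerState {
    $sysDrive = $env:SystemDrive   # e.g. "C:"
    $vol = Get-WmiObject -Namespace $volNs -Class Win32_EncryptableVolume `
        -Filter "DriveLetter = '$sysDrive'" -ErrorAction SilentlyContinue
    if (-not $vol) { return $null }   # edition without BitLocker (Home Premium, Professional)

    # ProtectionStatus 1 = encrypted and protectors enforced; 0 = off or suspended
    $protection = $vol.GetProtectionStatus().ProtectionStatus
    $conv = $vol.GetConversionStatus()

    # Enumerate every protector (type 0 = all) and resolve each one's type code
    $protectorTypes = @()
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    foreach ($id in @($ids)) {
        if ($id) {
            $protectorTypes += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        }
    }
    $tpmBound = @($protectorTypes | Where-Object { $tpmBoundProtectors.ContainsKey($_) })

    New-Object PSObject -Property @{
        Drive              = $sysDrive
        Protected          = ($protection -eq 1)
        EncryptionPercent  = $conv.EncryptionPercentage
        ProtectorTypes     = $protectorTypes
        TpmBoundProtectors = @($tpmBound | ForEach-Object { $tpmBoundProtectors[$_] })
    }
}

$tpm = Get-TpmState
$bde = Get-OsVolumeBitLockerState

if (-not $tpm) {
    Write-Warning 'No TPM found (or TPM provider unavailable): the boot chain is not measured.'
} else {
    'TPM enabled={0} activated={1} owned={2}' -f $tpm.Enabled, $tpm.Activated, $tpm.Owned
}

if (-not $bde) {
    Write-Warning 'BitLocker WMI provider absent on this edition: OS volume cannot be protected.'
} elseif (-not $bde.Protected) {
    Write-Warning ('BitLocker is OFF or suspended on {0} ({1}% encrypted).' -f $bde.Drive, $bde.EncryptionPercent)
} elseif (@($bde.TpmBoundProtectors).Count -eq 0) {
    Write-Warning ('BitLocker is on, but no TPM-bound protector (type codes: {0}); the volume unlocks without a boot-chain measurement.' -f ($bde.ProtectorTypes -join ','))
} else {
    'BitLocker ON for {0} with TPM-bound protector(s): {1}' -f $bde.Drive, ($bde.TpmBoundProtectors -join ', ')
}
```

The same information is visible interactively with `manage-bde -status` and the TPM management console (tpm.msc); the script simply reduces it to the two questions that matter for a boot-time attack like this one: is the OS volume protected, and does unlocking it depend on the TPM having measured the expected boot chain.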