Sunday, September 6, 2009

Bootkit multi-platform attack. Is this the resurrection of boot viruses?

As many know, in the world of malicious code there is an extensive nomenclature used to refer to each of the malicious programs circulating on the big network, adopted according to the characteristics and purpose for which each was designed, with English as the most widely accepted language. Even some direct translations are ugly ;P

In this connection, you may have read about a new name that has been making a lot of noise since the last BlackHat: Bootkit. But... what is it?

A bootkit is basically a type of rootkit designed to infect the boot sector of Windows operating systems, commonly known as the Master Boot Record (MBR).

While the rootkit concept dates back almost to the very beginning of UNIX platforms, and malicious code that abuses this approach isn't new, we could say that the bootkit concept refers to a new family of malware that circumvents any threat detection developed for the system by hosting its harmful instructions in the boot sector.

In fact, several names have made noise throughout history:
  • Stoned, in 1987 (it was taken as the basis for the development of Michelangelo), showing different messages on the screen.
  • BootRoot, first presented at BlackHat in 2005 and designed to run on Windows XP.
  • Kon-Boot, which bypasses the Windows authentication scheme, skipping the authentication process.
  • Vbootkit, in 2007, which runs on Windows Vista; its second version appeared this year, designed to exploit Windows 7 (including 64-bit). Both versions were presented at BlackHat.
  • MebRoot, whose first version appeared in 2007, is designed to steal banking details; a screenshot of it appears in the paper "Now Your Computer is Stoned (...Again!). The Rise of MBR Rootkits", jointly written by Symantec and F-Secure, which traces its evolution.
  • Stoned Bootkit, also presented at BlackHat this year. It's multiplatform!
In the case of the two versions of Vbootkit, they are considered proof of concept (PoC); however, like any proof of concept, they end up launching a new mode of attack by malware, and the second version (prepared for Windows 7) can be a serious threat for next year.

Now... where is the most important point in all this? I think Mebroot marked the turning point, adding to the illicit sphere a new methodology together with a concept directly related to crime, in terms of using malware attacks that seek not only information that can be exploited, even for intelligence or espionage, but also to fuel the economy of its developers; and this continues with Vbootkit v2, now prepared to exploit Windows 7.

Under this scenario, the matter is serious, since it is further evidence of the increasing professionalization of malware developers.

Stoned Bootkit is also designed to bypass the security structures offered by products such as TrueCrypt, which encrypt an entire volume, constituting a direct attack on TrueCrypt. That is, it has the ability to infect a computer even when it is encrypted, gaining access to the entire system regardless of the safety precautions around credentials with administrative permissions.
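Since the boot sector is read before any volume decryption takes place, the first thing a defender can check is whether that sector still matches a known-good baseline. The following is an added example, not code from the original post nor from Stoned Bootkit, TrueCrypt or any other tool named here. It parses a classic 512-byte MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55 0xAA signature), hashes the bootstrap code, and reports any deviation from a recorded baseline. The sample sector and its "tampered" copy are constructed in the script; nothing is read from a real disk.

```python
"""Parse a 512-byte MBR and compare its bootstrap code against a known-good baseline.

Added example, not part of the original post. Layout assumed: 446 bytes of
bootstrap code, four 16-byte partition entries at offset 446, signature at 510.
All sector data below is constructed for the example.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510
# Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start, sector count; all little-endian.
PART_ENTRY_FMT = "<B3sB3sII"

# Constructed stand-in for real bootstrap code (NOT a real boot loader).
SAMPLE_BOOTCODE = b"CONSTRUCTED-SAMPLE-BOOTCODE"


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Construct an MBR with the given bootstrap code, one bootable entry
    of type 0x07 starting at LBA 2048, three empty entries, and a valid signature."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dictionaries."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0 and lba == 0 and count == 0:
            continue  # empty slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def bootcode_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code region, the value to record as a baseline."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches expectations."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected sector length {len(mbr)}")
        return findings  # offsets below would be meaningless
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if bootcode_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    bootable = [e for e in parse_partition_table(mbr) if e["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def demo() -> tuple:
    """Run the check on a clean sector and on a copy with modified bootstrap code."""
    clean = build_sample_mbr(SAMPLE_BOOTCODE)
    baseline = bootcode_hash(clean)          # recorded once, on a trusted system
    tampered = bytearray(clean)
    tampered[0] ^= 0xFF                      # constructed change to the bootstrap code
    return check_mbr(clean, baseline), check_mbr(bytes(tampered), baseline)


if __name__ == "__main__":
    clean_findings, tampered_findings = demo()
    print("clean   :", clean_findings or "OK")
    print("tampered:", tampered_findings)
```

On a real machine the 512 bytes would come from the raw disk device (the first sector of the physical drive, which requires administrative privileges to read), and the baseline hash should be recorded on a system known to be clean and stored off-host; the check only tells you that the bootstrap code changed, not what changed it, so a mismatch after a legitimate boot-loader update is expected and should be re-baselined.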

Ironically, the author uses a message similar to the one shown by the old Stoned (Your PC is now Stoned!), displayed each time you boot your system:

Your PC is now Stoned! ... again

Also, unlike other rootkits that infect the boot sector of a specific operating system, the new Stoned has the ability to infect all versions from Windows XP to the highly anticipated Windows 7.

Given this, it may become an essential module for malware writers seeking to break the security barriers of Windows 7.

Despite the absence of a significant amount of malicious code with these characteristics (bootkits), every time one appears it makes noise in the community. Are we talking about a resurrection? I think not. Especially after trying something that I did not think possible today: the 1987 Stoned still runs on Windows Vista.

# Jorge Mieres
