Boot Kit Renders Windows + Truecrypt Entirely Vulnerable
Having used PCs for at least twenty years and worked as an IT professional for the last eight, it is a rare occasion for me to be blown away by a piece of technology, but the Stoned Bootkit, presented by its author Peter Kleissner at HAR 2009, literally blows my mind. You can find the video here or the presentation here.
Essentially, a bootkit is a small piece of code inserted into the Master Boot Record of a PC’s main boot drive. This code is executed every time the PC is switched on, before the operating system loads. It is effectively a variant of the more traditional rootkit, which tends to install itself as a low-level driver within the operating system; both are equally dangerous in that, once a system has been compromised, the writer of the rootkit/bootkit can effectively do whatever they like. This may range from logging and transmitting keystrokes and capturing bank details to bypassing product activation or enabling law enforcement to gain access for forensic analysis.
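Because the boot code sits in the first sector of the disk, outside the operating system, one defensive check is to record a baseline of that sector while the machine is known-good and compare it on later reads. The following is an added example written for this post, not code from the post or from the Stoned project: it parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code, and reports whether either the boot code or the partition table differs from the baseline. The sample MBRs, the hypothetical `build_sample_mbr` helper and the device path in `read_mbr_from_device` are constructed for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446           # bytes 0..445 hold the boot code the BIOS jumps to
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample MBR (not a real disk image): the given boot code padded
    to 446 bytes, one active NTFS-type partition entry, three empty entries and
    the 0x55AA signature."""
    if len(bootstrap) > BOOTSTRAP_LEN:
        raise ValueError("bootstrap code too long")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 2_097_152)
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a SHA-256 of the boot code plus the non-empty
    partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr_integrity(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a baseline recorded when the machine
    was known-good. Returns human-readable findings; an empty list means clean."""
    current = parse_mbr(mbr)
    findings = []
    if current["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr_from_device(path: str) -> bytes:
    """Read the first sector of a block device, e.g. '/dev/sda' on Linux
    (needs root; not exercised by the sample run below)."""
    with open(path, "rb") as dev:
        return dev.read(MBR_SIZE)


# Constructed boot-code stand-ins: real boot code is machine code, these are
# just distinct byte strings so the two hashes differ.
KNOWN_GOOD_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"ORIGINAL LOADER")
BASELINE = parse_mbr(KNOWN_GOOD_MBR)
TAMPERED_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"REPLACED LOADER")

if __name__ == "__main__":
    print("known-good:", check_mbr_integrity(KNOWN_GOOD_MBR, BASELINE) or "clean")
    print("tampered:  ", check_mbr_integrity(TAMPERED_MBR, BASELINE))
```

Two practical notes: the baseline should be stored off the machine, since anything on the disk can be altered by whatever owns the boot sector, and a sector read taken from the running operating system is only as trustworthy as that system, so the comparison is most convincing when the disk is read from a clean boot medium.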
The Stoned Bootkit is effectively a technical demo and, whilst it is entirely effective, I am not aware that it has been put to any nefarious purpose; in fact it was released by Peter Kleissner at the Black Hat security conference in 2009 to an audience of security professionals and was, I believe, intended by the author as an ‘eye opener’ for the industry. Notably, Stoned is the first bootkit that has been tested and verified on Windows 2000, Windows XP, Server 2003, Server 2008 and Windows 7.
So why does this blow my mind? It’s not that the technology is brand new: MBR viruses have been around for decades, something Kleissner acknowledges himself by naming his bootkit after one of the earliest examples, the Stoned Virus from 1987 (I remember encountering the variants Manitoba and Zapper in the early nineties). The reason I was so awed by Kleissner’s presentation is the comprehensive list of attack scenarios he presents, the ease with which this is possible and the fact that it can be used to entirely bypass whole-disk encryption (tested against Truecrypt and DiskCryptor). The bootkit is available for download as an ‘infected PDF’ or even as a Live CD that can be used to boot and infect any PC to which you can gain physical access.
There has been some debate between Kleissner and Truecrypt about whether this constitutes a ‘valid’ attack. The debate is fairly academic, since Truecrypt themselves acknowledge that the attack is effective provided that the attacker has administrator privileges (most non-technical users run this way), that administrator privileges can be gained (most likely by other exploits) or that the attacker has physical access to the machine. I’ll concede that Stoned isn’t a valid attack against Truecrypt itself, but it is a valid attack against the PC and as such can still be used to entirely bypass Truecrypt, which still allows an attacker to achieve the same aim.
As a footnote, it appears that Peter Kleissner is being sued by his former employer, Ikarus Security Software GmbH, for an alleged intellectual property violation (source code theft). Given that he is only 18 years old, I sincerely hope that this does not harm or curtail Peter’s future career and potential. Alarmingly, there are reports (English here) that Ikarus and Kaspersky are attempting to build a criminal case against Kleissner on charges including “distributing malicious code”. If this sticks it could be worrisome for all security researchers (particularly hobbyist hackers with no money for a good legal defence), who often write code that could be classified as malicious whether they intended it or not. All security flaws could be exploited; does that make it wrong to point them out?