
Security researcher gets root on Windows 8 with bootkit

"Stoned Lite," a boot virus developed by Austrian security researcher Peter …

Update: additional information has been added to this story regarding Peter Kleissner's legal status, and clarification from Kleissner on the nature of the exploit.

At the upcoming MalCon security conference in Mumbai, Austrian independent developer and security analyst Peter Kleissner is scheduled to release the first known "bootkit" for Windows 8: an exploit that loads from a hard drive's master boot record, stays resident in memory throughout the startup of the operating system, and ends up with full kernel-level control of the machine (the Windows equivalent of root access). The exploit allegedly defeats the security features of Windows 8's new boot loader. However, Kleissner said in a message exchange with Ars Technica that the exploit does not currently target the Unified Extensible Firmware Interface (UEFI) but instead goes after legacy BIOS. That distinction matters: the boot-time signature checks Microsoft added for Windows 8 are part of UEFI Secure Boot, while a machine booting through legacy BIOS runs whatever code sits in the master boot record without any signature check, so the bootkit does not have to break those checks to get in. Kleissner said he has shared his research and the paper he plans to present, "The Art of Bootkit Development," with Microsoft.

Kleissner previously developed the Stoned bootkit, a proof-of-concept that could attack Windows XP, Vista, and 7, as well as Windows Server 2003. Stoned, which is available as source code from Kleissner's site, installs itself from the master boot record, inserts itself into the Windows kernel as it loads, and gains unrestricted access to the entire system. It works even on systems with encrypted drives, because the master boot record on those drives has to stay unencrypted for the machine to boot at all, which leaves it open to being replaced.
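The paragraphs above turn on one fact: the first sector of the disk is plain, unsigned, unencrypted code that the BIOS executes blindly, so the only defence on a legacy-BIOS machine is to notice that it has changed. The program below, an added example written for this article and not Kleissner's code, parses a 512-byte MBR, verifies the 0x55AA boot signature, lists the partition table, and compares the 446-byte boot-code area against a copy captured on a known-clean system. The sample MBR and the "infected" variant it builds are constructed for illustration (the infection stand-in simply overwrites the start of the boot code while leaving the partition table and signature intact, which is exactly what makes a bootkitted disk keep booting normally).

```c
/* mbr_check.c: parse a 512-byte MBR, verify the boot signature, list the
 * partition table and compare the boot-code area against a known-good copy.
 * Added example for this article, not Kleissner's code. The sample MBR and the
 * "infected" variant below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE          512
#define MBR_BOOTCODE_LEN  446   /* bytes 0..445: boot code, what a bootkit overwrites */
#define MBR_PTABLE_OFF    446   /* four 16-byte partition entries */
#define MBR_SIG_OFF       510   /* 0x55 0xAA */

typedef struct {
    int      active;      /* status byte 0x80 = bootable */
    uint8_t  type;        /* partition type, e.g. 0x07 for NTFS */
    uint32_t lba_start;   /* first sector, little-endian on disk */
    uint32_t sectors;     /* length in sectors */
} mbr_part_t;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* 1 if the sector ends in the 0x55AA boot signature, else 0. */
int mbr_has_signature(const uint8_t *mbr) {
    return mbr[MBR_SIG_OFF] == 0x55 && mbr[MBR_SIG_OFF + 1] == 0xAA;
}

/* Fill out[0..3] from the partition table. Returns the number of in-use
 * entries (type != 0), or -1 if the boot signature is missing. */
int mbr_parse_partitions(const uint8_t *mbr, mbr_part_t out[4]) {
    if (!mbr_has_signature(mbr)) return -1;
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + MBR_PTABLE_OFF + 16 * i;
        out[i].active    = (e[0] == 0x80);
        out[i].type      = e[4];
        out[i].lba_start = rd_le32(e + 8);
        out[i].sectors   = rd_le32(e + 12);
        if (out[i].type != 0) used++;
    }
    return used;
}

/* FNV-1a over the boot-code area: a fingerprint of what is installed, for logging. */
uint32_t mbr_bootcode_fnv1a(const uint8_t *mbr) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < MBR_BOOTCODE_LEN; i++) { h ^= mbr[i]; h *= 16777619u; }
    return h;
}

/* 1 if the boot code differs from a baseline captured on a known-clean system. */
int mbr_bootcode_changed(const uint8_t *mbr, const uint8_t *baseline_bootcode) {
    return memcmp(mbr, baseline_bootcode, MBR_BOOTCODE_LEN) != 0;
}

/* Constructed sample: synthetic boot code, one active NTFS partition at LBA 2048. */
void build_sample_mbr(uint8_t mbr[MBR_SIZE]) {
    memset(mbr, 0, MBR_SIZE);
    for (int i = 0; i < MBR_BOOTCODE_LEN; i++) mbr[i] = (uint8_t)(i * 7);
    uint8_t *e = mbr + MBR_PTABLE_OFF;
    e[0] = 0x80; e[4] = 0x07;
    wr_le32(e + 8, 2048); wr_le32(e + 12, 1048576);
    mbr[MBR_SIG_OFF] = 0x55; mbr[MBR_SIG_OFF + 1] = 0xAA;
}

/* Constructed stand-in for an infected sector: the start of the boot code is
 * replaced while the partition table and signature stay intact, so the disk still boots. */
void overwrite_bootcode(uint8_t mbr[MBR_SIZE]) {
    memset(mbr, 0x90, 64);
}

int main(int argc, char **argv) {
    uint8_t mbr[MBR_SIZE], baseline[MBR_BOOTCODE_LEN];
    build_sample_mbr(mbr);
    memcpy(baseline, mbr, MBR_BOOTCODE_LEN);      /* the "known-good" copy */
    if (argc > 1) {                               /* optional: a dd image of sector 0 */
        FILE *f = fopen(argv[1], "rb");
        if (!f || fread(mbr, 1, MBR_SIZE, f) != MBR_SIZE) { perror(argv[1]); return 1; }
        fclose(f);
    } else {
        overwrite_bootcode(mbr);                  /* demonstrate the constructed infection */
    }
    mbr_part_t p[4];
    int n = mbr_parse_partitions(mbr, p);
    if (n < 0) { puts("no 0x55AA signature: not a valid MBR"); return 1; }
    for (int i = 0; i < 4; i++)
        if (p[i].type)
            printf("part %d: type 0x%02x%s lba=%u sectors=%u\n", i, p[i].type,
                   p[i].active ? " (active)" : "", p[i].lba_start, p[i].sectors);
    printf("bootcode fnv1a=%08x %s\n", mbr_bootcode_fnv1a(mbr),
           mbr_bootcode_changed(mbr, baseline) ? "CHANGED vs baseline" : "matches baseline");
    return 0;
}
```

One caveat a practitioner should keep in mind: a check like this is only as good as where the sector is read from. Both the baseline and the later reads should come from a trusted environment (boot media you control, or the disk attached to another machine), because a bootkit that is already resident can intercept the disk reads from inside the infected operating system and hand back the original, clean sector.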

The details of the Windows 8 bootkit have not yet been shared, but Kleissner said in his Twitter feed this morning that the new bootkit, called Stoned Lite, has an infector file only 14 kilobytes in size, and that the bootkit can be started from a USB drive or CD. He added that he was considering adding "in-memory patching of msv1_0!MsvpPasswordValidate." That technique, previously demonstrated against Windows XP as part of a bootkit, patches the routine in the msv1_0 authentication package that compares a supplied password hash with the stored one during logon, so that it reports any password as valid for the account being checked.

Windows 8 adds a number of boot-time security features intended to prevent malware and security breaches, chief among them UEFI Secure Boot, which requires the firmware to verify a valid digital signature on any boot loader or other software it loads before handing control to it. Microsoft advertised this feature as a malware killer, because in theory it blocks any unsigned code from loading into memory before the operating system starts. But the new requirement has caused concern in the open-source world, because the boot loaders shipped by Linux distributions such as Red Hat and Ubuntu are not signed with a key that the firmware trusts.

MalCon noted that Kleissner's appearance is still tentative, as he hasn't yet been granted a visa for the conference. However, he may still present via video and release the code through the conference if he is unable to attend. The visa problem isn't a small one: Kleissner has a court date of December 15 on charges related to the Stoned bootkit. After Kleissner presented Stoned at the Black Hat USA conference in 2009, a prosecutor moved to build a case against the researcher for violating Austrian anti-hacking laws.
