New Windows 7 hack purports to be "unfixable"

A hack that's "unfixable" is a pretty bold claim, but that's just what researchers Vipin Kumar and Nitin Kumar have announced at the now-happening Hack in the Box security conference, and they seem ready to back it up. Apparently, they've devised a means to gain control of a Windows 7 computer during the boot-up process through the use of a tiny 3KB program dubbed VBootkit 2.0 (a follow-up to a similar Vista hack), which loads itself into system memory and bypasses the hard drive altogether, making it extremely difficult to detect. Once loaded, an ill-intentioned individual could potentially change passwords, access protected files, or do just about anything else and then leave without a trace. The one fairly big drawback to the hack, however, and upside for most users, is that it can't be performed remotely: it needs hands-on access to the machine at boot time, so it'll likely only be a significant concern for businesses or other folks using computers in public places -- unless, of course, Microsoft finds a way to fix the "unfixable."
[Via Electronista]

Reader Comments (Page 1 of 3)
patriotsn1 @ Apr 23rd 2009 7:06PM
I don't think I'd download a file any "Kumar" sent me anyways.
Unless of course I won an international lottery worth $1,800,000,000
Or if an aunt I didn't know in Scandinavia died and my notice of inheritance was emailed to me.
compgeek07 @ Apr 23rd 2009 7:18PM
Don't forget all the Nigerian princesses that need our support.
Ellianth @ Apr 23rd 2009 7:30PM
Wait.. that bitch asked for your help too?
No matter, I'll keep sending her all my money and banking information. As long as she didn't promise to marry you too.
Jack Storm @ Apr 23rd 2009 7:37PM
I mean I sent her my social security but I stopped when she asked me for my bank account number, what kind of a fool did she think I was??
AJ @ Apr 23rd 2009 8:36PM
It's generally a good idea to not download files from strangers anyway, is there anything in particular you have against 'Kumar's?
Just wondering, because I'm a Kumar and we're generally quite likeable, and aren't really known for sending out mass scam emails.
Wes @ Apr 23rd 2009 9:18PM
I know what you mean, I personally found it a bit strange when I was emailed out of the blue about getting a great mortgage rate but was happy enough to provide a copy of my signature, my name, address, telephone number and social security number.
I found it even stranger when the Nigerian man was knocking on my door asking to do a PC inspection which he guaranteed would clear it up of any viruses. I told him my PC was already off but he said that was great. All I had to do was stick this thumbstick into the drive and I would get a bonus prize next time it started.
Odd though, I keep being called by Visa telling me my credit card limit is overdrawn. I've never had a credit card with them though. How odd huh?
Sax25 @ Apr 23rd 2009 11:11PM
@Wes
..you took it too far =/
auricom @ Apr 23rd 2009 11:45PM
Wes, you ruined my day. Not because of the content of your comment, but the sheer audacity to beat up the dead horse.
Please, give me your e-mail and phone number so we can discuss how to improve your character and personality, and save 30% or more on car insurance.
thedesolate1 @ Apr 24th 2009 9:24AM
Wait you mean none of you ever wanted to try viagra?
OneLove @ Apr 24th 2009 12:34PM
Those guys left white castle long enough to create a hack.
bob @ Apr 23rd 2009 7:06PM
Dumbest hack ever if it can't be deployed remotely. That's like saying an ERD Commander or PartPE are deadly exploits.
bob @ Apr 23rd 2009 7:07PM
BartPE*
Casper42 @ Apr 23rd 2009 7:16PM
Not to mention that you can use a good BartPE disc to wipe out the bad files on the HDD and then simply reboot, and voila, the "unfixable" hack is now gone.
LAME
THE Ezio Auditore de Firenze (PSN slycooper_rocker) @ Apr 23rd 2009 7:39PM
it's not on the HDD though.
KilgoreTrout @ Apr 23rd 2009 7:54PM
I find it very scary, and if you knew what you were talking about so would you, unless you use your PCs just to play Doom of course.
sire @ Apr 23rd 2009 8:01PM
Ezio: BartPE and ERD are run from a CD to change passwords and whatnot; they're not actually on the HDD.
ben @ Apr 23rd 2009 7:59PM
Yeah, because it's not like people want data that's on their computers to stay safe in the event they're stolen. I assume the real point of this hack is that it can be used to circumvent data encryption on the hard drive.
nerdtalker @ Apr 23rd 2009 8:18PM
Nothing to see here folks, just a lot of people trying to get all hyped up about nothing.
It isn't fair to call something a "hack" if you need physical access for it to work. Seriously.
josh @ Apr 23rd 2009 8:20PM
> "I find it very scary, and if you would know what you're talking about so would you, unless you use your PCs just to play Doom of course."
I'm fairly certain that you don't actually understand the nature of the attack. It certainly has concerns, but is not outright scary. Assuming a semblance to the vbootkit I can guess at the process this employs. It requires the computer to boot off of removable media (CD-ROM, USB, etc), at which point the program reads the master boot record and begins launching the OS, while it is still running. In many ways it is similar to a hypervisor, executing at a layer below the OS. It then modifies files the OS loads into memory, so that compromised code can be executed within the context of the OS.
Now this certainly has concerning implications. I suspect it can actually be detected in a similar manner that the Bluepill exploit is detected (look for operations that take too many clock cycles because something else is executing), but the OS is not in a position to do this. If the system is compromised before your own code executes, there is no way to regain integrity at that point. Pre-boot integrity controls are the only feasible countermeasure. Why this is labeled a Windows 7 hack is confusing, since it actually targets the weak integrity checks prior to OS code running (yes, the payload is OS specific, but the attack is not).
Now, why this isn't scary- this attack requires the boot process to be physically compromised. The attack code must execute prior to the bootloader, which means it needs to execute off of removable media and requires physical access. If a person simply maintained their boot order to load from hard disk first, and password protected their BIOS so that the boot order couldn't be changed, this isn't going to be even a drive-by attack (though overloading the keyboard buffer does work on some machines to bypass the password, most machines are going to require the person to take the case off and reset the CMOS via jumper or pulling the battery- neither are going to be quick drive-by attacks at a company). Really, it is easy to restrict this to people who have flat out stolen a machine. The open question I have is whether increased boot integrity controls (TPM for example) mitigate this attack.
By the way, the whitepaper for the original v1 attack is here: http://www.nvlabs.in/uploads/projects/vbootkit/vbootkit_nitin_vipin_whitepaper.pdf
brett @ Apr 23rd 2009 8:35PM
informatiowned
Neoprimal @ Apr 23rd 2009 9:12PM
I don't know....I don't think it's THAT dumb. There are many, many cybercafes out there. All you really need to do is get lucky on 1 or 2 of them and you'll have a day's worth of people's information to play with. Not saying that everyone who uses those machines accesses more than just email or games on 'em, but I'm sure some of them do more important things as well.
All a thief would need to do is reboot a machine to get the program into memory, and come back for the 'spoils' before the cafe closes.
Granted, it's hit and miss the entire time (since the machine may have been rebooted before they come back, etc), but it's not super dumb. And if it really can't be detected or is truly 'unfixable' then it could be problematic if it ever got into the wild.
BrianM @ Apr 23rd 2009 10:11PM
BitLocker is around specifically to protect against this type of attack; utilize the policy to require a PIN at boot and unless the decryption key is still warm in the RAM chip you have pretty adequate defenses against these local-only attacks. This is right up there with saying the password recovery on OS X is a vulnerability. Sensationalist journalistic crap!
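The pre-boot integrity question josh raises and the BitLocker TPM+PIN point BrianM makes, as an added example that is not part of the article, the VBootkit authors' work, or any comment in this thread: a Python toy model of TPM PCR extension and PCR-sealed key release. The boot-component byte strings, the seal/unseal construction, the PIN and the `check` field are assumptions made for the illustration and are not a real TPM command set or BitLocker's on-disk format. It shows why a bootkit that runs from removable media before the on-disk loader changes the measured chain even though nothing on disk is modified, and why a PCR value cannot be "faked" back to the clean one.

```python
"""Toy model of TPM measured boot and PCR-sealed key release.

Added example: not code from the article, the VBootkit authors, or any
commenter. Component images, the seal/unseal scheme, the PIN and the
'check' field are constructed for illustration (assumptions), not a
real TPM or BitLocker format.
"""
import hashlib
from typing import Dict, Iterable, Optional

# A PCR starts at zeros and can only move forward via extend():
#   PCR_new = SHA256(PCR_old || SHA256(component))
# There is no operation that sets a PCR back to an earlier value.
INITIAL_PCR = b"\x00" * 32


def measure(component: bytes) -> bytes:
    """Digest of a boot component, taken before it executes."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, component: bytes) -> bytes:
    """One PCR extend step; order-sensitive and one-way."""
    return hashlib.sha256(pcr + measure(component)).digest()


def measured_boot(chain: Iterable[bytes]) -> bytes:
    """Run a boot chain through the PCR and return the final value."""
    pcr = INITIAL_PCR
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap_key(expected_pcr: bytes, pin: bytes) -> bytes:
    # Stand-in for the TPM-internal key bound to a PCR policy; the PIN
    # is mixed in to model a TPM+PIN protector (assumption, not TPM spec).
    return hashlib.sha256(b"seal-policy|" + expected_pcr + b"|" + pin).digest()


def seal(volume_key: bytes, expected_pcr: bytes, pin: bytes = b"") -> Dict[str, bytes]:
    """Bind a 32-byte volume key to the PCR value of a known-good boot."""
    assert len(volume_key) == 32
    return {
        "blob": _xor(volume_key, _wrap_key(expected_pcr, pin)),
        "pcr": expected_pcr,
        "check": hashlib.sha256(b"check|" + volume_key).digest(),
    }


def unseal(sealed: Dict[str, bytes], current_pcr: bytes, pin: bytes = b"") -> Optional[bytes]:
    """Release the key only if the measured chain and the PIN both match."""
    if current_pcr != sealed["pcr"]:
        return None  # boot chain differs from the one the key was sealed to
    key = _xor(sealed["blob"], _wrap_key(current_pcr, pin))
    if hashlib.sha256(b"check|" + key).digest() != sealed["check"]:
        return None  # wrong PIN
    return key


# Constructed stand-ins for the firmware and boot-chain images.
FIRMWARE = b"OEM BIOS 1.0 (root of trust, measures the next stage)"
MBR = b"disk MBR + NTFS boot sector"
BOOTMGR = b"bootmgr"
WINLOAD = b"winload.exe"
CLEAN_CHAIN = [FIRMWARE, MBR, BOOTMGR, WINLOAD]

# The bootkit boots from removable media and then chains to the real
# on-disk loader. Nothing on disk changes, but the firmware measured the
# code it actually handed control to, so the chain has an extra stage.
BOOTKIT = b"3 KB boot-time stub loaded from CD/USB"
BOOTKIT_CHAIN = [FIRMWARE, BOOTKIT, MBR, BOOTMGR, WINLOAD]

VOLUME_KEY = hashlib.sha256(b"constructed volume master key").digest()
PIN = b"1234"


def demo() -> Dict[str, bool]:
    """Seal against a clean boot, then attempt unseal under three boots."""
    golden = measured_boot(CLEAN_CHAIN)
    sealed = seal(VOLUME_KEY, golden, PIN)
    return {
        # clean chain, correct PIN: key released
        "clean_boot_unseals": unseal(sealed, measured_boot(CLEAN_CHAIN), PIN) == VOLUME_KEY,
        # bootkit in the chain: PCR mismatch, no key even with the right PIN
        "bootkit_boot_refused": unseal(sealed, measured_boot(BOOTKIT_CHAIN), PIN) is None,
        # clean chain but the thief does not know the PIN: still no key
        "wrong_pin_refused": unseal(sealed, measured_boot(CLEAN_CHAIN), b"0000") is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model covers only the release policy. It says nothing about a volume key that is already in RAM from a running or sleeping machine, which is the gap BrianM and random point at, and a real TPM has multiple PCR indices, hash banks and authorization sessions rather than the single rolling value used here.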
insky @ Apr 24th 2009 1:41AM
So what, you don't even need to go to a cyber cafe to get people's personal information. Just get a program that lets you use your cell phone's data connection as a wifi hotspot like WMwifirouter for Windows Mobile and set the SSID as Free Wifi. Go to any high traffic area and you're bound to get at least one person that decides to do their online banking over the new super neato "Free Wifi" they just found.
I went into Starbucks once with WMwifirouter running on my phone, and in the time it took for me to order my coffee and receive it I had two people connect to "Free Wifi". I didn't check to see what websites they went to because I just wanted to see if anyone was stupid enough to connect to "Free Wifi".
random @ Apr 24th 2009 1:49AM
If the virus gets loaded into your RAM, when the power is disconnected (i.e. when you turn it off) the virus should be wiped from the RAM (RAM cannot store data when there is no power). Unless you're silly enough to never shutdown and always put your hardware to sleep.
bdav @ Apr 24th 2009 5:57AM
@insky
I'm not quite sure what the scope of this attack you state would be - so many email services / all banks use SSL, I think you may well have quite a bit more work to do once you've pulled them packets out the sky :D
OneLove @ Apr 24th 2009 12:38PM
Can someone hack into my computer and tell me why Vista hangs at the "shutting down..." screen if I shut down after waking from sleep?
Wwhat @ Apr 24th 2009 2:29PM
BIOS password/bootorder lock might still be bypassed by posing as some RAID controller and run code that way I imagine, to name a scenario.
As for 'needs to be in RAM', yeah it needs to be the first time, but if it then can access everything with max privilege it can just disable checking (and fake it's not disabled) and insert itself into the OS on the HD I would guess.
DraconianSoul @ Apr 23rd 2009 7:07PM
What do these people think? Microsoft will look at it and say, "Oh well, we had a good run, guess everyone can start using Ubuntu now. Sorry it didn't work out." Why do these hackers constantly think it's so necessary to discover flaws in the Windows OS?
BayCreek IT @ Apr 23rd 2009 7:09PM
because finding flaws in windows is fun.
toxicpiano @ Apr 23rd 2009 7:11PM
I find flaws in Windows everyday of my life and I don't give a FUCK.
Blackstar @ Apr 23rd 2009 7:14PM
You're right. Who wants a constantly improved product line? Why should companies perform any kind of maintenance or upgrades on the products they sell? I mean, who cares if some co-worker's 15 year old who sits down at your computer while you are on lunch can wipe out your entire system and get you fired. Not that that will ever happen. Nah. Let's all go back to NT 4 'cause that was... well, 'just good enough'.
Casper42 @ Apr 23rd 2009 7:19PM
I found a flaw in Windows at my last job that pertained to Terminal Server and how a certain part of the registry gets parsed.
I reported it to MS Tech support and they said "Wow, that does seem to be a problem"
Then my Technical Account Manager (TAM in MS Speak) stepped in and said it was a "feature" and not a bug and if I wanted it changed, we would have to provide TONS of information on how this problem was monetarily affecting our company, including financial records and all kinds of other stuff.
And thus, to this day, the problem still exists.
dolapo10 @ Apr 23rd 2009 7:20PM
Because it helps in making a better, more reliable, safer product. At least these hackers inform manufacturers about these flaws; some hackers intend to find and exploit hacks like these with possibly your bank accounts on the receiving end of the exploit. Wouldn't it be better that hackers like the ones in the article found it and let it be known than those who want to use it for criminal activities?
Tinu @ Apr 23rd 2009 7:21PM
Yesterday I found a flaw in Windows of a friend. They would make a squeaking noise when opened slowly.
Ellianth @ Apr 23rd 2009 7:32PM
@tinu - lol!
sitruc @ Apr 23rd 2009 7:40PM
If you can't log in to and tamper with Ubuntu or most Linux builds without login credentials, you aren't doing it right. This is possible on most OSes.
haX0r @ Apr 23rd 2009 7:48PM
@Tinu you can fix the Windows flaw with WD40!
Joseph @ Apr 23rd 2009 7:52PM
The pity argument is a strong one. Take pity on us, leave us alone.
Ray @ Apr 23rd 2009 8:11PM
@Casper42: The reason why they need a business impact statement is they need to determine if it's worth the time/money to fix it. It's a business decision. The last figure I heard tossed around was in the quarter mil range to generate a hotfix due to the very extensive testing involved for a piece of software that will be distributed globally. If that hotfix actually makes things worse for those people...well...let's just say that's the reason for the very extensive testing. If it's a serious problem costing businesses millions of dollars, things will either 1) get a workaround and/or 2) get fixed rather quickly. On the other hand, if it's something that's just not working right but doesn't cause any harm or monetary loss, it's unlikely to get fixed immediately. It's not that they're trying to push you off (unless you just got a lazy TAM/engineer), they just need to determine if it's worth sinking all that time/money into.
Also, if it's a legacy OS (like 2k3) they're less likely to want to fix it since that's multiple OS generations behind and that sucks up finite time and resources from supporting current OSes and developing new ones (i.e. Win7/2k8 R2).
josh @ Apr 23rd 2009 8:28PM
This isn't a flaw in Windows. It executes before OS code even loads. If an OS loads on a compromised system it is impossible to ensure integrity- that is one of the basic tenets of computer security. The payload is for Windows 7, but the hack involves booting prior to Windows and then launching the OS. The same premise would work for any x86 system though the payload would need to be tailored to the OS. It is literally impossible for an OS to protect against an attack that transpires prior to it executing- the only countermeasure would be for greater integrity controls via firmware on the part of the hardware vendor.
Dylan @ Apr 23rd 2009 9:30PM
@Tinu:
That's a feature, not a flaw.
Col. Readily Apparent Upon Cursory Inspection @ Apr 23rd 2009 10:20PM
Simple. Microsoft pays them to do it. Last I heard any good hacks you find they will pay you outright for the blow-by-blow of how you did it.
z-man @ Apr 23rd 2009 7:07PM
Uh-Oh
jdang @ Apr 24th 2009 3:53PM
Don't fret my friend, there is a fix for this hack.
See someone using your computer you kick his arse.
Timothy @ Apr 23rd 2009 7:09PM
If this could be deployed remotely....that'd be bad xD
Who2? @ Apr 23rd 2009 7:34PM
Actually, it's possible. All you need is every Apple product ever made in your house at one time. Your head will grow so large, you will develop psychic powers, and can then take over someone else who IS by the computer you want to hack, and have them do it. I'm getting there man, I'm getting there.
stuart.e.mitchell @ Apr 24th 2009 5:55AM
You might think
// Begin C Code
int main () {}
// End C Code
is perfect but your function just runs off the end without returning a value :).
Wolfticket @ Apr 23rd 2009 7:09PM
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Beastage @ Apr 23rd 2009 7:14PM
Exactly, to call this a hack and boast about it?
krikit @ Apr 23rd 2009 7:17PM
Normally I'd agree. But in this case it mentions that "protected" files can become accessible. If they mean encrypted files this is a big flaw in Windows security. If I'm not mistaken encryption should use the user's MD5 or likewise password as the key to unlock the files. If just changing the password file gives you access to encrypted documents on Windows 7 that's a big flaw.
Also I'd like to question these security experts... How do they know it's unfixable?