New Windows 7 hack purports to be "unfixable"

A hack that's "unfixable" is a pretty bold claim, but that's just what researchers Vipin Kumar and Nitin Kumar have announced at the now-happening Hack in the Box security conference, and they seem ready to back it up. They've devised a means to gain control of a Windows 7 computer during the boot-up process through the use of a tiny 3KB program dubbed VBootkit 2.0 (a follow-up to their earlier Vista bootkit). The program loads itself into system memory before Windows does and never writes anything to the hard drive, which makes it extremely difficult to detect with disk-based scans (and also means a machine that's genuinely powered off boots clean again). Once loaded, an ill-intentioned individual could potentially change passwords, access protected files, or do just about anything else and then leave without a trace. The one fairly big drawback to the hack, however, and upside for most users, is that it can't be performed remotely: the attacker needs hands on the machine at boot time, so it'll likely only be a significant concern for businesses or other folks using computers in public places -- unless, of course, Microsoft finds a way to fix the "unfixable."
[Via Electronista]
I don't think I'd download a file any "Kumar" sent me anyways.
Unless of course I won an international lottery worth $1,800,000,000
Or if an aunt I didn't know in Scandinavia died and my notice of inheritance was emailed to me.
Don't forget all the Nigerian princesses that need our support.
Wait.. that bitch asked for your help too?
No matter, I'll keep sending her all my money and banking information. As long as she didn't promise to marry you too.
I mean I sent her my social security but I stopped when she asked me for my bank account number, what kind of a fool did she think I was??
It's generally a good idea to not download files from strangers anyway, is there anything in particular you have against Kumars?
Just wondering, because I'm a Kumar and we're generally quite likeable, and aren't really known for sending out mass scam emails.
I know what you mean, I personally found it a bit strange when I was emailed out of the blue about getting a great mortgage rate but was happy enough to provide a copy of my signature, my name, address, telephone number and social security number.
I found it even stranger when the Nigerian man was knocking on my door asking to do a PC inspection which he guaranteed would clear it up of any viruses. I told him my PC was already off but he said that was great. All I had to do was stick this thumbstick into the drive and I would get a bonus prize next time it started.
Odd though, I keep being called by Visa telling me my credit card limit is overdrawn. I've never had a credit card with them though. How odd huh?
@Wes
..you took it too far =/
Wes, you ruined my day. Not because of the content of your comment, but the sheer audacity to beat up the dead horse.
Please, give me your e-mail and phone number so we can discuss how to improve your character and personality, and save 30% or more on car insurance.
Wait you mean none of you ever wanted to try viagra?
Those guys left white castle long enough to create a hack.
Dumbest hack ever if it can't be deployed remotely. That's like saying an ERD Commander or PartPE are deadly exploits.
BartPE*
Not to mention that you can use a good BartPE disc to wipe out the bad files on the HDD and then simply reboot, and voila, the "unfixable" hack is now gone.
LAME
it's not on the HDD though.
I find it very scary, and if you would know what you're talking about so would you, unless you use your PCs just to play Doom of course.
Ezio: BartPE and ERD are run from a CD to change passwords and whatnot, it's not actually on the HDD.
Yeah, because it's not like people want data that's on their computers to stay safe in the event they're stolen. I assume the real point of this hack is that it can be used to circumvent data encryption on the hard drive.
Nothing to see here folks, just a lot of people trying to get all hyped up about nothing.
It isn't fair to call something a "hack" if you need physical access for it to work. Seriously.
> "I find it very scary, and if you would know what you're talking about so would you, unless you use your PCs just to play Doom of course."
I'm fairly certain that you don't actually understand the nature of the attack. It certainly has concerns, but is not outright scary. Assuming a semblance to the vbootkit I can guess at the process this employs. It requires the computer to boot off of removable media (CD-ROM, USB, etc), at which point the program reads the master boot record and begins launching the OS, while it is still running. In many ways it is similar to a hypervisor, executing at a layer below the OS. It then modifies files the OS loads into memory, so that compromised code can be executed within the context of the OS.
Now this certainly has concerning implications. I suspect it can actually be detected in a similar manner that the Bluepill exploit is detected (look for operations that take too many clock cycles because something else is executing), but the OS is not in a position to do this. If the system is compromised before your own code executes, there is no way to regain integrity at that point. Pre-boot integrity controls are the only feasible countermeasure. Why this is labeled a Windows 7 hack is confusing, since it actually targets the weak integrity checks prior to OS code running (yes, the payload is OS specific, but the attack is not).
Now, why this isn't scary: this attack requires the boot process to be physically compromised. The attack code must execute prior to the bootloader, which means it needs to execute off of removable media and requires physical access. If a person simply maintained their boot order to load from hard disk first, and password protected their BIOS so that the boot order couldn't be changed, this isn't going to be even a drive-by attack (though overloading the keyboard buffer does work on some machines; to bypass the password, most machines are going to require the person to take the case off and reset the CMOS via jumper or by pulling the battery, neither of which is going to be a quick drive-by attack at a company). Really, it is easy to restrict this to people who have flat out stolen a machine. The open question I have is whether increased boot integrity controls (TPM for example) mitigate this attack.
By the way, the whitepaper for the original v1 attack is here: http://www.nvlabs.in/uploads/projects/vbootkit/vbootkit_nitin_vipin_whitepaper.pdf
informatiowned
I don't know....I don't think it's THAT dumb. There are many, many cybercafes out there. All you really need to do is get lucky on 1 or 2 of them and you'll have a day's worth of people's information to play with. Not saying that everyone who uses those machines accesses more than just email or games on 'em, but I'm sure some of them do more important things as well.
All a thief would need to do is reboot a machine to get the program into memory, and come back for the 'spoils' before the cafe closes.
Granted, it's hit and miss the entire time (since the machine may have been rebooted before they come back, etc), but it's not super dumb. And if it really can't be detected or is truly 'unfixable' then it could be problematic if it ever got into the wild.
BitLocker is around to specifically protect against this type of attack, utilize the policy to require a PIN at boot and unless the decryption key is still warm in the RAM chip you have pretty adequate defenses against these local only attacks. This is right up there with saying the password recovery on OSX is a vulnerability. Sensationalist journalistic crap!
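The pre-boot controls the two comments above lean on (a TPM, and BitLocker configured so the OS volume will not unlock without a PIN at boot) can be audited from the machine itself. The script below is an added example, not code from the original post or from the VBootkit researchers; it uses only the WMI classes that ship with Windows 7 (Win32_Tpm and Win32_EncryptableVolume), assumes the OS volume is C:, and must be run from an elevated PowerShell prompt. The protector type codes are the documented values for Win32_EncryptableVolume.GetKeyProtectorType.

```powershell
# Added example (not from the original post): audit whether this Windows 7 box
# has the pre-boot defenses that blunt a removable-media bootkit such as
# VBootkit: a usable TPM, and a BitLocker protector on the OS volume that
# demands a user secret (PIN / startup key / passphrase) before the volume key
# is released. A TPM-only protector unseals automatically once the measured
# boot path matches, so it involves no user secret at all.
# Assumption: the OS volume is C:. Run elevated.

$OsDrive = 'C:'

# KeyProtectorType codes, from the Win32_EncryptableVolume.GetKeyProtectorType docs.
$ProtectorNames = @{
    0 = 'Unknown';       1 = 'TPM only';            2 = 'External key'
    3 = 'Numerical password (recovery)'; 4 = 'TPM and PIN'; 5 = 'TPM and startup key'
    6 = 'TPM, PIN and startup key';      7 = 'Public key';  8 = 'Passphrase'
}
# Protector types that require something from the user at boot.
$PreBootProtectors = @(4, 5, 6, 8)

function Test-TpmReady {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        Write-Host 'TPM: no Win32_Tpm instance (no TPM, or disabled in firmware)'
        return $false
    }
    # Each of these WMI methods returns an object carrying a boolean of the same name.
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Write-Host ("TPM: enabled={0} activated={1} owned={2}" -f $enabled, $activated, $owned)
    return ($enabled -and $activated -and $owned)
}

function Test-OsVolumePreBootAuth {
    param([string]$Drive)
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'" `
                         -ErrorAction SilentlyContinue
    if ($vol -eq $null) { Write-Host "BitLocker: volume $Drive not found"; return $false }

    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown. Anything but 1 means the
    # OS volume is readable by whatever boots the machine.
    $status = $vol.GetProtectionStatus().ProtectionStatus
    if ($status -ne 1) {
        Write-Host "BitLocker: protection is NOT on for $Drive (status $status)"
        return $false
    }

    # 0 = enumerate key protectors of every type.
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    $hasPreBoot = $false
    foreach ($id in $ids) {
        $type = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        $name = $ProtectorNames[$type]
        if ($name -eq $null) { $name = "type $type" }
        Write-Host ("BitLocker: protector {0} -> {1}" -f $id, $name)
        if ($PreBootProtectors -contains $type) { $hasPreBoot = $true }
    }
    if (-not $hasPreBoot) {
        Write-Host 'BitLocker: only TPM-only / recovery protectors; no user secret is asked for at boot'
    }
    return $hasPreBoot
}

$tpmOk  = Test-TpmReady
$bootOk = Test-OsVolumePreBootAuth -Drive $OsDrive
if ($tpmOk -and $bootOk) {
    'OK: the OS volume will not unlock at boot without a user secret'
} else {
    'WARN: code booted from removable media can reach the OS volume without any user secret'
}
```

Two caveats a practitioner should keep in mind: this only tells you what the OS volume demands at boot, not what the firmware allows, so the BIOS boot order and setup password that the earlier comment relies on still have to be checked in firmware setup (legacy BIOS machines of this era do not expose them through WMI); and it does nothing about keys already resident in RAM on a machine that was merely suspended rather than shut down, which is exactly the gap the comment above points out.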
So what, you don't even need to go to a cyber cafe to get people's personal information. Just get a program that lets you use your cell phone's data connection as a wifi hotspot like WMwifirouter for Windows Mobile and set the SSID as Free Wifi. Go to any high traffic area and you're bound to get at least one person that decides to do their online banking over the new super neato "Free Wifi" they just found.
I went into Starbucks once with WMwifirouter running on my phone, and in the time it took for me to order my coffee and receive it I had two people connect to "Free Wifi". I didn't check to see what websites they went to because I just wanted to see if anyone was stupid enough to connect to "Free Wifi".
If the virus gets loaded into your RAM, when the power is disconnected (i.e. when you turn it off) the virus should be wiped from the RAM (RAM cannot store data when there is no power). Unless you're silly enough to never shutdown and always put your hardware to sleep.
@insky
I'm not quite sure what the scope of this attack you state would be - so many email services / all banks use SSL, I think you may well have quite a bit more work to do once you've pulled them packets out the sky :D
Can someone hack into my computer and tell me why vista hangs at the "shutting down..." screen, if i shutdown after waking from sleep?
BIOS password/bootorder lock might still be bypassed by posing as some RAID controller and run code that way I imagine, to name a scenario.
As for 'needs to be in RAM', yeah it needs to be the first time, but if it then can access everything with max privilege it can just disable checking (and fake it's not disabled) and insert itself into the OS on the HD I would guess.
What do these people think? Microsoft will look at it and say, "Oh well, we had a good run, guess everyone can start using Ubuntu now. Sorry it didn't work out." Why do these hackers constantly think it's so necessary to discover flaws in the Windows OS?
because finding flaws in windows is fun.
I find flaws in Windows everyday of my life and I don't give a FUCK.
You're right. Who wants a constantly improved product line. Why should companies perform any kind of maintenance or upgrades on what products they sell. I mean, who cares if some co-worker's 15 year old who sits down at your computer while you are on lunch can wipe out your entire system and get you fired. Not that that will ever happen. Nah. Let's all go back to NT 4 cause that was... well, 'just good enough'.
I found a flaw in Windows at my last job that pertained to Terminal Server and how a certain part of the registry gets parsed.
I reported it to MS Tech support and they said "Wow, that does seem to be a problem"
Then my Technical Account Manager (TAM in MS Speak) stepped in and said it was a "feature" and not a bug and if I wanted it changed, we would have to provide TONS of information on how this problem was monetarily affecting our company, including financial records and all kinds of other stuff.
And thus, to this day, the problem still exists.
because it helps in making a better, more reliable, safer product. At least these hackers inform manufacturers about these flaws, some hackers intend to find and exploit hacks like these with possibly your bank accounts on the receiving end of the exploit. Won't it be better that hackers like the ones in the article found it and let it be known than those who want to use it for criminal activities.
Yesterday I found a flaw in Windows of a friend. They would make a squeaking noise when opened slowly.
@tinu - lol!
If you can't login to and tamper with Ubuntu or most Linux builds without login credentials, you aren't doing it right. This is possible on most OS.
@Tinu you can fix the Windows flaw with WD40!
The pity argument is a strong one. Take pity on us, leave us alone.
@Casper42: The reason why they need a business impact statement is they need to determine if it's worth the time/money to fix it. It's a business decision. The last figure I heard tossed around was in the quarter mil range to generate a hotfix due to the very extensive testing involved for a piece of software that will be distributed globally. If that hotfix actually makes things worse for those people...well...let's just say that's the reason for the very extensive testing. If it's a serious problem costing businesses millions of dollars, things will either 1) get a workaround and/or 2) get fixed rather quickly. On the other hand, if it's something that's just not working right but doesn't cause any harm or monetary loss, it's unlikely to get fixed immediately. It's not that they're trying to push you off (unless you just got a lazy TAM/engineer), they just need to determine if it's worth sinking all that time/money into.
Also, if it's a legacy OS (like 2k3) they're less likely to want to fix it since that's multiple OS generations behind and that sucks up finite time and resources from supporting current OSes and developing new ones (i.e. Win7/2k8 R2).
This isn't a flaw in Windows. It executes before OS code even loads. If an OS loads on a compromised system it is impossible to ensure integrity- that is one of the basic tenets of computer security. The payload is for Windows 7, but the hack involves booting prior to Windows and then launching the OS. The same premise would work for any x86 system though the payload would need to be tailored to the OS. It is literally impossible for an OS to protect against an attack that transpires prior to it executing- the only countermeasure would be for greater integrity controls via firmware on the part of the hardware vendor.
@Tinu:
That's a feature, not a flaw.
Simple. Microsoft pays them to do it. Last I heard any good hacks you find they will pay you outright for the blow-by-blow of how you did it.
Uh-Oh
Don't fret my friend, there is a fix for this hack.
See someone using your computer you kick his arse.
If this could be deployed remotely....that'd be bad xD
Actually, it's possible. All you need is every Apple product ever made in your house at one time. Your head will grow so large, you will develop psychic powers, and can then take over someone else who IS by the computer you want to hack, and have them do it. I'm getting there man, I'm getting there.
You might think
// Begin C Code
int main () {}
// End C Code
is perfect but your function just runs off the end without returning a value :).
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Exactly, to call this a hack and boast about it?
Normally I'd agree. But in this case it mentions that "protected" files can become accessible. If they mean encrypted files this is a big flaw in Windows security. If I'm not mistaken encryption should use an MD5 (or similar) hash of the user's password as the key to unlock the files. If just changing the password file gives you access to encrypted documents on Windows 7 that's a big flaw.
Also I'd like to question these security experts... How do they know it's unfixable?