Researchers show how to take control of Windows 7
If these researchers are right, this hack cannot be fixed and is inherent to Win 7. To be fair to M$, this hack is only successful if one has physical access to the machine. However, this could still prove painful for enterprises who have many employees with access to a Win 7 PC on the network.
Researchers show how to take control of Windows 7
Proof-of-concept code takes control of the computer during the boot process
By Sumner Lemon, IDG News Service, 04/23/2009
Source: Network World
quote: Security researchers demonstrated how to take control of a computer running Microsoft's upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday.
Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. They demonstrated how the software works at the conference.
"There's no fix for this. It cannot be fixed. It's a design problem," Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack.
While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it's not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim's computer. The attack cannot be done remotely.
VBootkit 2.0, which is just 3KB in size, allows an attacker to take control of the computer by making changes to Windows 7 files that are loaded into the system memory during the boot process. Since no files are changed on the hard disk, VBootkit 2.0 is very difficult to detect, he said.
However, when the victim's computer is rebooted, VBootkit 2.0 will lose its hold over the computer as data contained in system memory will be lost.
VBootkit 2.0 is a follow-up to earlier work that Kumar and Kumar have done on vulnerabilities contained in the Windows boot process. In 2007, Kumar and Kumar demonstrated an earlier version of VBootkit for Windows Vista at the Black Hat Europe conference.
The latest version of VBootkit includes the ability to remotely control the victim's computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected.
JohnInSJ Premium join:2003-09-22 San Jose, CA | reply to KodiacZiller
quote: To be fair to M$, this hack is only successful if one has physical access to the machine
Which means your security is toast no matter what.
The lengths these "researchers" go to is pretty funny.
Hey, did you know that if someone boots a linux cd on your PC, they CAN CHANGE THE ADMIN PASSWORD? OMG I are a haxxor!
For those who lack reading comprehension, this is a boot floppy that mimics the standard bootloader but injects some special sauce during boot.
My guess is, in addition to being physically present, the PC must
* lack a bios password
* have a boot order where the normal OS drive is NOT first (ie, USB/floppy/cdrom boot allowed)
* and of course, be sitting out in the open when joe hacker can boot it up.
I'm terrified.
SUMware Premium join:2002-05-21 kudos:2 | said by JohnInSJ: * have a boot order where the normal OS drive is NOT first (ie, USB/floppy/cdrom boot allowed)
Changing the Boot Order of Your Drives
quote: Most computers are set up so that when you first turn on your computer it will check to see if you want to boot from other drives besides your hard drive. It will automatically check to see if you have a bootable CD in your CD drive. If your computer has a floppy drive, it will check to see if you have a boot disk in the floppy drive. Then once it has checked all possible locations for a boot disk, the system will default to your hard drive and start booting Windows.
Link Logger Premium,MVM join:2001-03-29 Calgary, AB kudos:3 | reply to KodiacZiller If I have physical access to the system in question, it's game over, unless of course hardware defenses like bitlocker (don't keep your key in your laptop bag please) or TPM are engaged. In reality physical insecurity is actually a design feature/requirement and physical security is left to the owner of the system to implement (this doesn't always work, hence why TPM etc exist). What OS/hardware by default has physical access security measures in place? I used to like how it was in the old days, where you had to show the nice young man with the machine gun your credentials to get physical access and if that didn't work, he demonstrated his 'security' skills in response and likely called a bunch of his buddies to further make his point.
Blake -- Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool
SUMware Premium join:2002-05-21 kudos:2 | reply to KodiacZiller From Tom's Hardware April 24, 2009 -
quote: "Basically, we follow a very simple algorithm for Vbootkit," the team explained during the demonstration, "Hook INT 13 for disk reads, keep patching files as they load, hook onto the next stage, and repeat the above process [until] we reach the kernel, then sit and watch the system carefully."
swhx7 Premium join:2006-07-23 Elbonia | reply to KodiacZiller SUMware is right, it's not a bug, it's an accidental (and unreasonably hard to use) feature.
Or more accurately, it's a fix for a design defect. The design defect is that Windows doesn't have a root account accessible to the computer owner. ("Administrator" has a lesser set of powers; "System" is the real root.) This fixes this defect.
It could be useful to automate this by setting up something to perform the hack every time a VM starts. Then the owner would have full control without limitations imposed by Microsoft.
dave Premium,MVM join:2000-05-04 not in ohio kudos:8 | reply to KodiacZiller So if you can get close enough to the machine to modify the data stream as it is loaded into memory, what's loaded into memory cannot be trusted like you'd trust the original data stream?
Noooh. Say it ain't so.
There's a lot of piffle that gets glorified with the title of 'research'.
In a report that I plan to issue at the upcoming conference on Housing Security, I will reveal that if an attacker is able to hide under my bed, I may not be safe at night.
rcdailey (Dragoonfly) Premium join:2005-03-29 Rialto, CA | Don't forget the closet. They hide in closets, too.
dave Premium,MVM join:2000-05-04 not in ohio kudos:8 | reply to swhx7 said by swhx7: The design defect is that Windows doesn't have a root account accessible to the computer owner. ("Administrator" has a lesser set of powers; "System" is the real root.) There's a trivial one-line command you can type to bring up a command prompt running as the System user.
The deal with Administrator is not a 'design defect', it was done that way for some fairly solid orange-book type reasons. There's no need to be root most of the time when the lesser Administrator will do.
Personally, I'm inclined to think that certain related complications arising from this and similar decisions were not worth it, but there y'are: designers can have different goals.
nwrickert (sand groper) Premium,MVM join:2004-09-04 Geneva, IL kudos:7 | reply to KodiacZiller This is about as scary as the linux exploits that matunga posts. That is to say, it is no problem at all. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.8
Link join:2001-12-16 Davis, CA | reply to KodiacZiller lol, I like it. I usually set the BIOS password to keep my bro from goofing it up, and set the hard drive to first boot option as it's quicker. XD
I should do the same on my macs.
Woody79_00 (I run Linux am I still a PC?) Premium join:2004-07-08 united state | reply to Link Logger figures, but physical access = owned no matter how you look at it
Robotics (See You On The Dark Side) Premium join:2003-10-23 Louisa, VA | reply to rcdailey said by rcdailey: Don't forget the closet. They hide in closets, too. LoL
dave Premium,MVM join:2000-05-04 not in ohio kudos:8 | reply to KodiacZiller There's a distinction that gets lost in some of these articles about so-called researchers, and that's the distinction between a nifty hack and something fundamental.
I'd probably be quite pleased with myself if I wrote the code we're talking about, to pervert the load image by hooking INT 13 (not that hooking INT 13 is new; WfWg 3.11 was doing that a long time ago).
But fundamental it is not, and that's the difference between just tooling around and actual research.
HFB1217 (The Wizard) Premium,ExMod 2000-01 join:2000-06-26 Camelot kudos:2 | reply to KodiacZiller If a hacker can get physical access to your computer you have a bigger security problem than just that nifty little useless program. -- ****aka The WIZARD *** A Founding member of Seti BBR Team Starfire***
trparky (Apple... YUM) Premium,MVM join:2000-05-24 Cleveland, OH kudos:2 | Once again people are running around like chickens with their heads cut off for no good reason. -- Tom
unsub join:2000-06-21 Newton Upper Falls, MA | reply to dave said by dave: There's a distinction that gets lost in some of these articles about so-called researchers, and that's the distinction between a nifty hack and something fundamental. I'd probably be quite pleased with myself if I wrote the code we're talking about, to pervert the load image by hooking INT 13 (not that hooking INT 13 is new; WfWg 3.11 was doing that a long time ago). But fundamental it is not, and that's the difference between just tooling around and actual research. Well put. It's being spun as some major windows flaw, and though it is unique to windows, physical access to a machine, any machine, means it's already fully compromised.
It is absolutely newsworthy because it's clever and unique, not because it's any more of a serious threat than anything else.
Snowy (mIRC unix.ro UnderNet) Premium join:2003-04-05 Kailua, HI kudos:6 | reply to dave said by dave: There's a distinction that gets lost in some of these articles about so-called researchers, and that's the distinction between a nifty hack and something fundamental. Abusing the Administrator's password & then restoring it is a nifty hack, IMHO. The part about going "undetected" is pure BS though. "Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected."
runnoft Premium join:2003-10-14 Deerfield, IL kudos:1 | reply to KodiacZiller Agreed. Non-story. This headline and story makes it sound like this is an issue specific to Windows 7, when it's likely true under the same conditions for any OS. Leave an unprotected computer with default BIOS settings in the open, and anyone in the presence of the PC can do this, whether it's running Windows 7 or anything else.
So what? And what is MS supposed to do to prevent it in designing an OS?
If you're concerned about it, lock down BIOS, lock the case, kill ports, put the machine behind a locked door, etc.
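The mitigations listed in this post and in Link Logger's post earlier in the thread (BitLocker with the key held in a TPM, a firmware password, internal disk first in the boot order) are the defender's answer to a boot-time bootkit: either the boot loader cannot be swapped, or swapping it does not yield a usable disk. Most of them can be audited from inside Windows. The PowerShell script below is an added example, not code from the thread or from the VBootkit researchers; it assumes Windows 8 / Server 2012 or later with the BitLocker, TrustedPlatformModule and SecureBoot cmdlets present (none of them shipped with Windows 7) and an elevated session. The function name Test-PhysicalAccessHardening and the output layout are my own. Firmware setup password and boot order are not exposed to the OS in a portable way, so the script reports them as manual checks rather than pretending to verify them.

```powershell
# Added example (not from the thread): audit a Windows host for the boot-path
# mitigations discussed above. Assumptions (mine): Windows 8 / Server 2012 or later,
# elevated session, BitLocker + TrustedPlatformModule + SecureBoot modules present.
# The cmdlets are real; the function name and report format are hypothetical.

function Test-PhysicalAccessHardening {
    [CmdletBinding()]
    param()

    $findings = [ordered]@{
        SecureBoot        = $false   # firmware rejects unsigned boot code
        TpmReady          = $false   # a TPM is present and initialised
        OsVolumeBitLocker = $false   # OS volume encrypted and protection turned on
        TpmBoundProtector = $false   # BitLocker key sealed to measured boot state
    }

    # 1. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS (non-UEFI)
    #    machines, which is the MBR boot path a 2009-era bootkit hooks, so an
    #    exception is reported as "not protected" rather than ignored.
    try {
        $findings.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        Write-Verbose "Secure Boot not available: $($_.Exception.Message)"
    }

    # 2. TPM state. A TPM that is present but not ready cannot back a protector.
    try {
        $tpm = Get-Tpm
        $findings.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch {
        Write-Verbose "TPM query failed: $($_.Exception.Message)"
    }

    # 3. BitLocker on the OS volume with a TPM-based protector. A volume that only
    #    has a recovery password is encrypted, but its key is not tied to the boot
    #    measurements, so tampering with the boot chain is not what unlocks or blocks it.
    $tpmProtectorTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    try {
        $osVol = Get-BitLockerVolume |
            Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
            Select-Object -First 1
        if ($osVol -and "$($osVol.ProtectionStatus)" -eq 'On') {
            $findings.OsVolumeBitLocker = $true
            $bound = @($osVol.KeyProtector |
                Where-Object { $tpmProtectorTypes -contains "$($_.KeyProtectorType)" })
            $findings.TpmBoundProtector = ($bound.Count -gt 0)
        }
    } catch {
        Write-Verbose "BitLocker query failed: $($_.Exception.Message)"
    }

    # 4. Items the OS cannot audit reliably; these stay on the human checklist.
    $findings.ManualChecks = 'firmware setup password; internal disk first in boot order; ' +
                             'removable-media boot disabled; chassis lock; unused ports'

    [pscustomobject]$findings
}

# Usage: print the report and return a non-zero exit code if any automated check failed,
# so the script can be dropped into a scheduled compliance job.
$result = Test-PhysicalAccessHardening -Verbose
$result | Format-List
$failed = @('SecureBoot', 'TpmReady', 'OsVolumeBitLocker', 'TpmBoundProtector') |
    Where-Object { -not $result.$_ }
if ($failed) {
    Write-Warning ('Missing mitigations: ' + ($failed -join ', '))
    exit 1
}
```

The four automated checks map directly onto the thread's argument: with Secure Boot on, a replaced boot loader is refused before it runs; with the OS volume sealed to the TPM, a modified boot chain changes the measurements and the volume key is never released, so an in-memory patch of Windows files has nothing to patch. Treat a failure of the Secure Boot check on a legacy-BIOS machine as a real finding, not a false positive.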