Windows 7 hack during boot sequence

CyberPitz

http://www.techradar.com/news/computing/pc/windows-7-hack-cannot-be-fixed--594245

Researchers at a recent hackers' conference have shown how it's possible to take control of a Windows 7 machine during its boot sequence.

Demonstrating the code at the recent Hack In The Box event in Dubai, security researchers Vipin Kumar and Nitin Kumar used a piece of code called VBootkit 2.0 to take full control of a Windows 7 machine during the booting up process.

Based on the principle that Windows 7 is meant to be safe from attack during the boot up process, the duo showed that the code, which is only 3KB in size, could actually easily be run while the OS is starting up.

The attacker can then gain remote access to the computer and can change files around with the highest level of administrator privileges, and then return the system to its original passwords to leave the hack undetected.

Unfixable

"There's no fix for this. It cannot be fixed. It's a design problem," said Vipin Kumar when demonstrating the tool.

However, the threat of the software is apparently nowhere near as great as with other internet-based hacks and viruses, as it requires the hacker to be present with the PC.

The VBootkit 2.0 software is almost undetectable on the machine as well, as it focuses on altering files in the boot up process, although when the computer is restarted the files are wiped.
 
If you have to be physically present to use this exploit, why not just steal the PC or HDD, or use a Linux live CD to delete the Windows partition?
 
Yeah if you have to be physically present it's nothing to worry about. There are much worse things you could do.
 
If you have to be physically present to use this exploit, why not just steal the PC or HDD, or use a Linux live CD to delete the Windows partition?

One of the features is that it's undetectable.

The lack of your PC, HDD or Windows partition would be kind of a dead giveaway that someone messed with your stuff.
 
I can't see how this is something significant. If this can only be done while physically at the computer then it's no different than someone deciding to perform a low level format on your HDD.
 
The fact it exists... and you people say it's nothing big?

Forget having Windows 7 in any professional place, as ANYBODY working with you can wait until you leave work that day and just have fun.

I think you guys are missing the greater picture.
 
The fact it exists... and you people say it's nothing big?

Forget having Windows 7 in any professional place, as ANYBODY working with you can wait until you leave work that day and just have fun.

I think you guys are missing the greater picture.

That can happen regardless of this exploit. You can't protect unencrypted software when someone has physical access to your machine. It's not possible. Besides, if your colleagues can't be trusted, then accessing a colleague's PC to install a virus that shows porn pop-ups is the least of your worries. It's extremely likely that you have access to a lot of sensitive corporate data or database passwords.

FYI, this is possible on every OS.
 
The fact it exists... and you people say it's nothing big?

Forget having Windows 7 in any professional place, as ANYBODY working with you can wait until you leave work that day and just have fun.

I think you guys are missing the greater picture.

There are already far easier ways to do everything it can do already.

This is nothing new, hackers used that method to hack Vista. You load an OEM licence emulator into memory before Vista loads, fooling it into thinking it's been activated, and the security functions can't detect it to this very day. The vulnerability is not with Windows, it's that you are loading the file before Windows starts. Every OS would be affected, not just Windows.
 
I agree with CyberPitz.

PvtRyn, you're right about one thing at least; pop-ups are the least of your worries. I was also thinking that something like this might be possible on other OSes, but have you any evidence? (I was typing this before PimpinPenguin posted) And what about XP?

I don't see any reason for concern just yet, because despite what they say, I think that MS would be able to include some kind of tool to detect something like this. Sort of like a root-kit scanner, or something. I don't know though.

almost undetectable
keyword: almost. Almost counts for shit tbh.

Also, if you password your BIOS, and configure your BIOS to only boot from the system HDD, then maybe you are safe?
 
The CIA are gonna think twice about using W7!
 
The CIA are gonna think twice about using W7!

I've figured it out. It's the government that is making this happen, because that way they can have even MORE ways of getting access to your things!!!
 
This attack has limited usage due to the fact you have to be physically there so it's not a huge threat to most people.

Plus, as others have said, you can do a lot worse things than this attack on a machine, or use other ways to get access to the system. This is simply another option for a potential hacker.
 
Why are people so quick to just say "Meh, there's worse". Do we really need any more options?
 
Also, if you password your BIOS, and configure your BIOS to only boot from the system HDD, then maybe you are safe?

Unless they open your case and clear your CMOS.

I currently use encrypted Home directories on all of my computers. This, of course, doesn't prevent people from changing my system files to capture data while I'm logged in on my machine. I could use encrypted LVM (full disk encryption), but that's not multi-user friendly and has an additional overhead to my entire system, instead of just my personal files. Using encrypted LVM would only leave my boot files (kernel) open to attack, which can easily be prevented by keeping them on a USB stick and carrying them around with me. That, sir, would be for the truly paranoid.
 
Well, since they have to be there a bigger threat is someone hitting Ctrl+A on your desktop then hitting Enter. :naughty:
 
People actually put stuff on their Desktop? Shit, I just use it as a temporary location when creating new files and whatnot.
 
Why are people so quick to just say "Meh, there's worse". Do we really need any more options?

I'm not saying it should be ignored.

However, it's not an "OMFG END OF THE WORLD! DELAY WINDOWS 7 AND REDO THE BOOT SEQUENCE!" type of attack. It will definitely be a concern for some businesses if they have confidential material on their machines. However, building security and such will prevent a possible intruder from getting to your machine in the first place.

Obviously, there's still the possibility of an inside job for those businesses, but at that point, they have a lot more to deal with.

This problem is NOT going to be widespread. Proof of concept hacks come out all of the time. However, it's not going to be a mainstream or widespread attack on Win7 machines at all.

If this was something that was able to be done remotely, then yes, this would be a huge issue. It's the fact you have to be physically present at the machine that makes this a "meh" factor, because as everyone said, a hacker can own your machine almost no matter what when he can sit in front of it and work his magic.
 
New Windows 7 exploit: stand next to a machine booting windows 7 and beat the machine senseless with a bat, this will cause boot failure and severe hardware damage. TERRIBLE, FLAWED OS. IRREVERSIBLY BAD.
 
I agree with CyberPitz.

PvtRyn, you're right about one thing at least; pop-ups are the least of your worries. I was also thinking that something like this might be possible on other OSes, but have you any evidence? (I was typing this before PimpinPenguin posted) And what about XP?

I don't see any reason for concern just yet, because despite what they say, I think that MS would be able to include some kind of tool to detect something like this. Sort of like a root-kit scanner, or something. I don't know though.

All this exploit really does is modify what files to load during boot and instruct it to load some files off of a bootable flash drive into memory. Technically, this is before the OS has even started. What are you going to do against that? Create a fixed list of files the OS may load? Limiting, especially in Linux's case as it's fully modifiable, and this fix is probably quite hackable. Not allow flash drives to boot when you have Windows installed? Good luck with that.

Sure, there's probably some measures you can take against this, but nothing that will prevent someone with physical access to your machine from gaining access. The program to bypass those measures only has to be written once. I'm pretty sure it's part of the design philosophy of Linux to not even bother with stuff like this. Software can't replace a good lock on the door.
 
One of the features is that it's undetectable.

The lack of your PC, HDD or Windows partition would be kind of a dead giveaway that someone messed with your stuff.

Yeah, someone leaves a note saying 'IOU 1 computer'
 
I'm sure most companies are smart enough to store confidential or sensitive data off-site or in an otherwise secure location.
 
Sounds like a plot for a movie.

Oops... old thread. Forgot I was searching for Windows 7.
 
Sounds like a plot for a movie.

Oops... old thread. Forgot I was searching for Windows 7.

You do realize we ARE IN A MOVIE!!!??

It's titled "What happens when cows graze on Pitz's pasture"
 