Thursday, November 17, 2011

New Version of Stoned Bootkit Said to Bypass Windows 8 Secure Boot

A security researcher who has in the past has created low-level rootkits capable of staying resident on an infected machine after reboots, said he has now accomplished the same feat on Windows 8, which hasn't even hit the shelves yet. Peter Kleissner said he has created a new version of his Stoned bootkit that defeats the pre-boot security checks included in the forthcoming OS and survives reboots.

Kleissner is known in the security community for his creation of the Stoned bootkit, a sophisticated form of rootkit that is designed to load from the master boot record and stay resident in memory throughout the boot process. The previous version of the bootkit was designed to work on Windows XP through Windows 7, but the new one that Kleissner has written also works on Windows 8. He said in a message on Twitter Thursday that Stoned Lite is a small footprint bootkit that can be loaded from either a USB stick or a CD.
He said he may also add some other functionality to the software in the near future.
"Might add in-memory patching of msv1_0!MsvpPasswordValidate, so it allows to log on with any password.. nothing new but nice and fancy," Kleissner said in a later Twitter message.

The pre-boot security mechanisms in Windows 8 have drawn a lot of scrutiny in recent months, particularly the fact that Microsoft is implementing a version of UEFI instead of the traditional BIOS. UEFI includes some functionality that allows Microsoft to require that any software loaded during the boot sequence of a Windows PC be signed by one of the keys loaded into the firmware. Open-source advocates have argued that the technology could allow the company to prevent users from loading alternate operating systems, but Microsoft and officials from the Linux Foundation have said that isn't necessarily the case.

Kleissner said that he notified Microsoft of his work and has given the company the source code of the bootkit and the paper he's written for a conference presentation.

Microsoft has not confirmed the details of Kleissner's claims.