Rootkit infiltrates beta version of Windows Vista
As promised, security expert Joanna Rutkowska's presentation at the Black Hat security conference demonstrated a technique by which the kernel protection mechanism of the Beta 2 version of Windows Vista can be bypassed.
Although the x64 version of Vista is supposed to allow only signed kernel mode drivers, Rutkowska succeeded in loading her own unsigned code into the Vista kernel. To achieve this, Rutkowska's hack kept allocating memory until Vista was forced to page already loaded kernel mode drivers out to the pagefile on the hard drive. She was then able to manipulate the paged-out memory segments, which lay there unprotected, and plant her own drivers. Rutkowska recommended several countermeasures to Microsoft, including forbidding direct raw disk access by user-mode applications, or encrypting the pagefile. A third possibility would be disabling kernel memory paging altogether.
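As an added example that is not from the article or from Rutkowska's presentation, the PowerShell below audits and applies two of the countermeasures just listed on a released Windows system: keeping kernel-mode code resident (the `DisablePagingExecutive` value under the Memory Management registry key) and EFS-encrypting the pagefile (the `fsutil behavior` `EncryptPagingFile` switch). Both settings exist on Vista and later; the function names are the author's own. The first countermeasure, blocking raw disk access from user mode, is a change to the operating system rather than an administrator toggle, so it is not covered here.

```powershell
# Added example, not part of the original article.
# Assumes the DisablePagingExecutive registry value and the
# 'fsutil behavior query/set EncryptPagingFile' switch (both present on
# Windows Vista and later). Run from an elevated prompt; both settings
# take effect only after a reboot.

$MemoryManagementKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-PagefileHardeningStatus {
    # DisablePagingExecutive = 1 keeps the kernel and kernel-mode drivers in
    # physical memory, so they never land in the pagefile. A missing value
    # means the default (0): paging of kernel memory is allowed.
    $dpe = (Get-ItemProperty -Path $MemoryManagementKey `
                -Name DisablePagingExecutive -ErrorAction SilentlyContinue).DisablePagingExecutive
    if ($null -eq $dpe) { $dpe = 0 }

    # fsutil prints "EncryptPagingFile = 1" when the pagefile is encrypted.
    $fsutilOut = & fsutil behavior query EncryptPagingFile 2>$null
    $encrypted = [bool]($fsutilOut | Select-String -Pattern '=\s*1' -Quiet)

    [pscustomobject]@{
        KernelPagingDisabled = [bool]$dpe
        PagefileEncrypted    = $encrypted
    }
}

function Set-PagefileHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($MemoryManagementKey, 'Set DisablePagingExecutive = 1')) {
        # Refuse to page kernel-mode code and data to disk at all.
        Set-ItemProperty -Path $MemoryManagementKey -Name DisablePagingExecutive `
                         -Value 1 -Type DWord
    }

    if ($PSCmdlet.ShouldProcess('pagefile', 'Enable EncryptPagingFile')) {
        # Encrypt the pagefile so paged-out contents cannot be read or
        # rewritten through raw disk access.
        & fsutil behavior set EncryptPagingFile 1 | Out-Null
    }
}

# Usage: report the current state, then apply the hardening (-WhatIf to preview).
Get-PagefileHardeningStatus | Format-List
Set-PagefileHardening -WhatIf
```

Both controls have a cost: `DisablePagingExecutive` pins kernel memory and can matter on RAM-constrained machines, and pagefile encryption adds I/O overhead. Neither replaces driver signing; they close the specific avenue of editing paged-out kernel code on disk that the article describes.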
Microsoft Director of Windows Product Management Austin Wilson talked about the successful hack with the American media. Administrator rights are still necessary for the attack, he emphasised. The researcher's suggestions would be investigated, he indicated, but the delivery of Vista would not be delayed because of it. Microsoft security chief Ben Fathi was by contrast of the opinion that the loophole that Rutkowska used had already been closed by Microsoft.
Rutkowska praised Microsoft for its decision to allow only signed kernel mode drivers. "The fact that this mechanism was bypassed does not mean that Vista is completely insecure," she said. "It's just not as secure as advertised." One hundred percent kernel security can hardly be achieved in a universally applicable operating system, she emphasised. Hackers will always find a way to bypass the security. Ben Fathi agreed on this point. "We're happy that researchers are turning up and sharing these things with us while Vista is still in the beta stage."
In the second part of her presentation, Rutkowska then displayed her highly anticipated Virtual Machine Based Rootkit (VMBR). The Blue Pill rootkit, as it is known, shifts the running operating system into a virtual environment – without a restart and invisibly to the user – and hence cannot be detected from within the system by any currently known methods. Microsoft, which is itself researching its own in-house VMBR SubVirt, is taking the novel threat quite seriously. They intend to find a way to prevent that kind of attack prior to the final Vista version, they report. For this reason they are working together with Intel and AMD to discuss how to resolve the issue.