Windows 7 Can Be Hacked, No Fix
Earlier today at the Hack In The Box Security Conference, security researchers showed how easy it is to hack into Windows 7. Ouch.
The question to ask first is this: can't every piece of software be hacked in some fashion? Quite frankly, yes. However, Microsoft (unfortunately) deals with hackers on a daily basis, patching security holes in the Windows operating system, Internet Explorer, and various programs in the Office suite. In some ways, hackers bring job stability to those who specialize in thwarting security intrusions, those who fill holes where perpetrators like to sneak in. But what if the problem can't be fixed? What if the window is wide open and there's not one thing Microsoft or any other company can do to shut it closed?
Earlier today, researchers Vipin Kumar and Nitin Kumar of NVlabs demonstrated how they could take control of a Windows 7 virtual machine using proof-of-concept code they developed called Vbootkit 2.0. The 3 KB program allows the "attacker" to take control of the computer by modifying the operating system's files as they are loaded into system memory during the boot process. According to Kumar and Kumar, Windows 7 cannot detect the malicious program because no files are changed on the hard disk.
"Basically, we follow a very simple algorithm for Vbootkit," the team explained during the demonstration, "Hook INT 13 for disk reads, keep patching files as they load, hook onto the next stage, and repeat the above process [until] we reach the kernel, then sit and watch the system carefully."
With that said, there's a positive and a negative side to this kind of attack. The good news is that the hacker must be physically present to take control of the PC, making the threat somewhat minimal. Additionally, once the computer reboots, Vbootkit 2.0 will no longer have control, since the data stored in memory is no longer available. The negative aspect is that, according to Vipin Kumar, the problem stems from Windows 7's assumption that the boot process is immune from attacks. He said that not only is there no current fix for the problem, but that it cannot ever be fixed.
The security researchers demonstrated the ability to take control of Windows 7 at the Hack In The Box Security Conference held in Dubai. The duo merely wanted to demonstrate how they could get Windows 7 (x64) running normally after implementing changes to the kernel. The demonstration was also meant to show how Vbootkit 2.0 could pass through all of the security features implemented in the kernel without being detected, and without leaving a footprint on the hard drive.
In addition to hacking into the kernel, Vbootkit 2.0 allows the attacker to control the victim's computer by remote after this initial physical invasion. The attacker can then increase the user privileges to the highest level, and remove the current user's password, allowing the attacker to gain access to all files stored on the PC. Once finished, the attacker can use Vbootkit 2.0 to restore the original password, and exit the system undetected.
So what does this mean for Windows 7? Can the problem be fixed? According to Kumar, no. However, perhaps Microsoft will take notice and figure out a workaround before the operating system eventually ships this year.
IMO it's not really a hack if you have to be present every time a user reboots the PC...
I've got a hack that works for any computer, OS and even electronically controlled safes... you sneak in to where the equipment is, hold a gun to the users head and demand the passwords etc.
Obviously I wasn't at the conference so I don't know fully what was said, but I'd like to know exactly how something like this is supposed to be deployed.
If it's something that fires off at boot that patches kernel files as they're loaded in then surely you need some kind of program to fire off at boot also in order to be there in the first place. Surely then there is some kind of file or process footprint which can be isolated.
Similarly, and this is layman talking here, if this bootkit patches kernel files as they're loaded, wouldn't it simply be a case to split the boot process into two parts? Authorised kernel first, verifying against a fixed file list with file and runtime sizes, then 3rd party - you'd have to masquerade your bootkit as one of these authorised kernel files in order to run but unlikely to get the file and runtime sizes the same so the boot process dumps it.
So to be honest, unless this can be coded into some kind of BIOS virus, this is only an issue should a person physically be in front of a 7 machine with their own custom boot disc to integrate the bootkit into the OS load process.
Great stuff for entertainment and espionage (corporate or otherwise), but a non-issue for the rest of us?
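The "verify against a fixed file list" idea in the comment above can be sketched in code. The following is an added example written for this page, not code from the article, from NVlabs or from the commenter; the stage names, their contents and the manifest layout are all constructed stand-ins. It shows why a list of file and runtime sizes is not enough on its own: the bootkit the article describes patches an image while it is being read into memory and leaves the on-disk copy untouched, so a size-preserving patch passes a size check but fails a hash check. It also carries the article's caveat: the check only helps if it runs above the hooked disk read, which is exactly what the researchers say a boot-time hook sits underneath.

```python
import hashlib

# Constructed stand-in for boot-stage images on disk (names and contents
# are invented for this example; they are not real Windows files).
CLEAN_IMAGES = {
    "stage1_bootmgr": b"STAGE1: locate and load the OS loader\x00" * 4,
    "stage2_loader": b"STAGE2: load kernel image and drivers\x00" * 4,
    "stage3_kernel": b"STAGE3: kernel entry, integrity checks on\x00" * 4,
}

# Boot order: each stage is expected to check the next one before
# handing over control.
BOOT_ORDER = ["stage1_bootmgr", "stage2_loader", "stage3_kernel"]


def build_manifest(images):
    """The 'fixed file list': size and SHA-256 of every stage image."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in images.items()}


# Manifest computed once from the clean images (assumed trusted here).
MANIFEST = build_manifest(CLEAN_IMAGES)


def patch_same_size(data, offset=8, payload=b"PATCHED!"):
    """Constructed tampering: overwrite bytes in the in-memory copy while
    keeping the length unchanged, so size-based checks still pass."""
    return data[:offset] + payload + data[offset + len(payload):]


def verify_by_size(manifest, loaded):
    """Size-only check. Returns the first failing stage name, or None."""
    for name in BOOT_ORDER:
        if len(loaded[name]) != manifest[name][0]:
            return name
    return None


def verify_by_hash(manifest, loaded):
    """Hash check. Returns the first failing stage name, or None."""
    for name in BOOT_ORDER:
        if hashlib.sha256(loaded[name]).hexdigest() != manifest[name][1]:
            return name
    return None


def simulate_boot(manifest, images, tamper_stage=None):
    """Read each stage from 'disk' into 'memory'. If tamper_stage is set,
    the in-memory copy of that stage is patched during the read, the way
    the article describes, and the on-disk image is left as it was.
    Returns (size_check_result, hash_check_result)."""
    loaded = {}
    for name in BOOT_ORDER:
        data = images[name]
        if name == tamper_stage:
            data = patch_same_size(data)
        loaded[name] = data
    return verify_by_size(manifest, loaded), verify_by_hash(manifest, loaded)


if __name__ == "__main__":
    print("clean boot:   ", simulate_boot(MANIFEST, CLEAN_IMAGES))
    print("patched stage:", simulate_boot(MANIFEST, CLEAN_IMAGES, "stage2_loader"))
    # The disk copies are still intact, which is why a disk scan sees nothing.
    print("disk intact:  ", verify_by_hash(MANIFEST, CLEAN_IMAGES) is None)
```

A clean boot passes both checks; a boot with the loader stage patched in memory passes the size check but fails the hash check at that stage, while the images on disk still hash correctly. The remaining gap is the one the article points at: `verify_by_hash` is itself code that gets read from disk and loaded, so a hook that sits beneath every disk read can patch the verifier just as easily as the stages it verifies. A check of this kind only carries weight when it is rooted in something the disk-read path cannot alter.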
@ lephuronn
"Great stuff for entertainment and espionage (corporate or otherwise)"
It's not like business or government computers make up the bulk of Microsoft's customers, right?
oh. right...
@americanbrian:
I wasn't dismissing the severity or not of the situation - simply making the statement that this vulnerability is probably not an issue for non-business users and posing an open question - in the real world, how much of an issue is this?
I think the first attack will need physical access to the machine. (It can happen in workplaces.) Then, it is up to the toolkit what needs to be installed further for remote access and control. They may not have demonstrated that now, but it is left as an exercise to other hackers!