TrueCrypt vs Peter Kleissner, or Stoned Bootkit Revisited
This week's flame war between TrueCrypt and Peter Kleissner had me both upset and laughing at the same time.
For a start, hats off to young Peter (18 years old according to his site), who recently presented at Black Hat his concept for a “universal rootkit” exploit, which, using that older-than-he-is technology of MBR replacement, manages to subvert Windows in such a way as to be able to drop a payload into memory as the computer boots.
I’m not sure, but isn’t that what MBR viruses have done since day one? I guess Peter agrees, because his new “Stoned Bootkit” rootkit is named “Stoned” in homage to one of the original MBR viruses of 1987.
Replacing the MBR to get the machine to do something before booting the operating system is pretty well known: every full disk encryption product uses that trick, as does every boot loader, boot manager, or partition manager I can think of. I think even some disk imaging software runs code via MBR changes. But still, using that mechanism to then run something which subverts the disk interrupt driver (again, exactly what every full disk encryption product does), in order to load his own payload as Windows boots, is clever.
Unfortunately though, Peter seems to have taken offence at a perceived snub by the authors of TrueCrypt (an open source full disk encryption product), who in short told him that he’d discovered nothing new, and that any prevention methods put in place by software to detect his rootkit could, of course, be detected and circumvented by said rootkit, and so were pointless.
Yes, it’s a sad truth that Trojans and rootkits are nasty little things which, because they tend to run first, can (if they are clever) subvert anything that goes looking for them, and so hide themselves. The only way to reliably detect them is to compare an “in band” and an “out of band” analysis of the system: the two should of course agree, but if something is hiding itself “in band”, the out of band scan will show it up.
Both McAfee (Rootkit Detective) and Sysinternals (RootkitRevealer), as well as others, provide tools to do exactly this kind of detection, and of course, with a reputable AV/malware product on your machine in the first place, the only way Stoned Bootkit is going to get a hold on your machine is if someone physically puts it there. Writing to the MBR from within Windows is an incredibly privileged operation, and easy to block (that’s why there are hardly any MBR viruses any more).
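As an added illustration of the baseline comparison described above (this is example code, not anything from the original post or from either product), the check hashes the boot-code region of the MBR as the running OS reads it and compares it with a hash recorded out of band, for instance from a rescue boot. The MBR bytes are constructed, and the in-band read is simulated with a byte string; a rootkit hooking the disk interrupt could hand the OS clean bytes, which is exactly why the baseline must come from out of band.

```python
# Added example (not from the original post): MBR parse plus boot-code hash,
# compared against a baseline recorded out of band. Sample MBRs are constructed.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa" # last two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i : PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def mbr_tampered(in_band: bytes, out_of_band_baseline_hash: str) -> bool:
    """True when the boot code read in band differs from the trusted baseline."""
    return parse_mbr(in_band)["boot_code_sha256"] != out_of_band_baseline_hash


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * 48                 # remaining three entries empty
    return code + table + BOOT_SIGNATURE


CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed "known good"
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]    # recorded out of band

if __name__ == "__main__":
    print("clean:", mbr_tampered(CLEAN_MBR, BASELINE))
    print("modified:", mbr_tampered(make_sample_mbr(b"\xeb\xfe"), BASELINE))
```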
Peter’s frustration at TrueCrypt’s apathy towards his discovery went so far as to lead him, perhaps unwisely, to blog about their ambivalence. His entry “TrueCrypt Foundation is a joke to the security industry, pro Microsoft” is a work of art in itself, but more worthy perhaps are the readers’ comments, most of them incredibly constructive and encouraging, very unlike the usual flame wars which follow unpopular cryptographic discussion. Two gems from commentators called Thomas and Christian respectively come to mind:
What the TrueCrypt Foundation wanted to tell you is that your attack is actually nothing special. It’s a rootkit, which in fact just doesn’t start with Windows but at the first point when it’s possible, the MBR. Well, “root”-kit is the correct word, because “root” means it runs under administrator privileges. A basic rule in computer security (yes, TrueCrypt tried to explain that) is that someone who already _has_ administrator privileges on your computer (and so is able to install your/any rootkit) has _full_ access to it. That is a fact which was known way before your bootkit. In fact, it’s been known since computers existed.
Still, you have done a great job! Your program will alert many people who think they made their PC secure by installing TrueCrypt and still keep working with an admin account where they should not. You prove that a security policy is indispensable, because admin privileges will give malicious software the ability to tamper with the installed security software.
Yes, it’s a sad fact that, as the old adage goes, “If you let your machine out of your sight, it’s no longer your machine”.
NOTE: Some people have already asked me if McAfee Endpoint Encryption for PCs or SafeBoot Device Encryption for PCs is vulnerable to this kind of attack. As I say above, this is not really an attack: Stoned Bootkit can’t suck the data off your machine unless you allow it to be installed and then log in yourself. But of course, if you allowed that to happen, then yes, Stoned Bootkit could put some malware on your machine. The mitigation is to use a good AV/malware solution and not to leave your machine somewhere Stoned Bootkit could be introduced.
Although Peter has not written a specific exploit for the McAfee/SafeBoot drivers (and it would be significantly harder to do than for TrueCrypt, because we are closed source and have MBR rootkit detection built in, which Peter would also have to bypass), it is not impossible (in theory) that he could, or that someone already has. I’d like to think, though, that your AV/malware detection product would pick this up very quickly. Rootkits are not too hard to find once you know what you are looking for.