Vbootkit 2.0 Given Open Source Status

Security researchers Nitin and Vipin Kumar have released the code for their recently-announced boot-time rootkit - and it's a pretty interesting piece of work.

Vbootkit is written to serve as a rootkit – to take and hold full, un-detectable control of a system – provided it is substituted for the system’s normal boot loader, at start-up time.

The program starts by hooking the (in) famous INT 0x13, an instruction which makes the BIOS provide hardware-level hard disk and floppy disk read and write access to whatever program issues it. Normally, this interrupt is intercepted by the operating system and re-directed to a filesystem driver.

However, at boot-time there is no operating system in place yet, so the caller (in this case Vbootkit 2.0) can, by hooking (taking control of) INT13, “see” and change everything that is copied from the disk to memory.

Vbootkit 2.0 then uses this advantage to patch (modify) the various components of the Windows 7 boot process (BOOTMGR.EXE, winload.exe and finally the kernel itself, ntoskrnl.exe) as they are being loaded from disk, but after the file integrity checks have been made. Once loaded into the next component, the boot-kit changes the previous component back to its original, un-tampered-with state in memory.

Once the kernel is finally loaded (in its modified, compromised state) the system is up. Afterwards, Vbootkit 2.0 patches tcpip.sys so it can monitor the network interface and starts listening for commands from the attacker.

The communication channel chosen is ICMP (the one used by the “ping” command, which simply tells you if a computer exists at a certain IP address; it is very rarely, if ever blocked by firewalls).

Nothing is loaded or run in user mode and nothing is written to disk.

It’s then game over for the system, including any security solutions inside it, as the kernel memory can only be accessed with kernel privileges and kernel privileges are not granted to user-mode programs, ever, under the Windows 7 security model.

All this is purely of academic interest for now, as people aren’t going to boot from an infected disk (unless, of course, Microsoft Windows 7 installation disks somehow get compromised – a highly unlikely scenario).

Nor is it likely that the boot record of a Windows 7 disk could be modified from within the running Windows 7 system, as the system does not grant such access to user mode programs.

However, one (big) piece of the puzzle is already in place. It’s rather likely that a way to overcome the present limitations of Vbootkit 2.0 exists and it’s also likely that such a way will be found.

When that happens, we can only hope that it will be a security researcher who finds and publishes it.

About the author


Razvan Stoica is a journalist turned teacher turned publicist and
technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief
editor of a science fiction magazine for a short while before moving on to
the University of Medicine in Bucharest where he lectured on the English
language. Recruited by Bitdefender in 2004 to add zest to the company's
online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.