Comments on: Stoned Bootkit – Windows XP, 2003, Vista, 7 MBR Rootkit

By: Rishabh Dangwal

Rishabh Dangwal — Sat, 05 Sep 2009 19:03:03 +0000

gr8 article..the guys at redmond would now be a bit busy and running scared :P

By: Halojoe

Halojoe — Fri, 21 Aug 2009 19:47:04 +0000

My BIOS prevents this change. It’s doesn’t seem as scary as it should. I’m going to try it out on a HP laptop.

By: Only2perCent

Only2perCent — Thu, 20 Aug 2009 02:34:46 +0000

@ Morgan Storey: It is already too dark, and too late. When every computer in the World is under alphabet attack, it is no longer a matter of convenience, It is the only viable solution to be able to speak.

By: Morgan Storey

Morgan Storey — Thu, 20 Aug 2009 01:55:59 +0000

@d: yeah but high value systems are not the target anymore it is easier and more profitable to go after the end users machine and grab all their traffic. Regardless a bootkit installs within the os and doesn’t need a usb/cd to install at boot, it simply changes the boot record/boot loader. So if you get remote access and need to keep it, you bootkit it, and get the bootkit to re-initate your session.

@Only2perCent: Yeah I understand your model, but the issue still remains you have to store your data somewhere, and that is a place that can be compromised. The other issue of creating a new Live CD whenever a patch is released, or a new app you want to try would become tedious, and with the laxness that even simple patching is done, I doubt most users would bother, that is why the livecd as a full time os is very rarely used.

By: Only2perCent

Only2perCent — Thu, 20 Aug 2009 01:06:11 +0000

@Morgan Storey: In my model, a user adds software to the system by upgrading the Live CD. One can assemble a Live CD to one’s liking by adding modules, as it is done at:

http://www.slax.org/modules.php

By: d

Wed, 19 Aug 2009 14:48:11 +0000

@Morgan Storey: For high value systems, resets can be mitigated by controls, while not inconveniencing the user. Tamper evident seals and visual checks.

Granted: laptops, laxed corporate security, and home users are vulnerable.

By: Morgan Storey

Morgan Storey — Wed, 19 Aug 2009 14:25:55 +0000

@Only2perCent: Problem with that is how do you add new programs, live ones that run from a usb drive/the home drive. Then the malware just infects there, the programs installed will still have vulnerabilities and be updated slower due to having to burn the updates/new programs. You could do your plan now, but next to no computer does as it isn’t usable. I have seen a few kiosks that use it. MS has steady state for windows that allows you to roll back on boot, that could fix some stuff. But what about a bios virus.
I agree we will need to get used to living in a hostile environment, I think we already do, put an unpatched windows box on the net not behind a router and it takes what 1minute to get owned.

@d: Won’t work, as the bootkit installs to your hard disk. If you are talking about stopping a bootdisk/usb it is trivial to do a bios reset to bypass this. Pop the bios battery, flip the dip switch or bridge the reset pins.

By: d

Wed, 19 Aug 2009 13:40:31 +0000

@SherifEldeeb @Only2perCent: Disable all “boot from” in BIOS except the hard drive.

By: Only2perCent

Only2perCent — Wed, 19 Aug 2009 07:31:10 +0000

@Morgan Storey: In the future we will get use to a life in a hostile environment. As a bacteriologist once said, “Our bodies are only 10% human, – the rest is bacteria.”
My idea of an OS is a live CD with a persistent home directory and constantly changing MAC address.

By: Morgan Storey

Morgan Storey — Wed, 19 Aug 2009 00:00:41 +0000

@Only2perCent : while I do agree about Linux being better, I can assure you that a Linux bootkit would be easier to write than Stoned, it could simply plugin to Lilo/Grub. All os’es are unsecure the only secure ones are ones that aren’t used, and aren’t connected.