Stoned Bootkit – Windows XP, 2003, Vista, 7 MBR Rootkit

Outsmart Malicious Hackers


What is Stoned Bootkit?

A bootkit is a boot virus that is able to hook and patch Windows to get load into the Windows kernel, and thus getting unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted. The master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one’s secure!

For whom is Stoned Bootkit interesting?

  1. Black Hats
  2. Law enforcement agencies
  3. Microsoft

Why is Stoned something new? Because it is the firts bootkit that..

  • attacks Windows XP, Sever 2003, Windows Vista, Windows 7 with one single master boot record
  • attacks TrueCrypt full volume encryption
  • has integrated FAT and NTFS drivers
  • has an integrated structure for plugins and boot applications (for future development)

A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It’s a very interesting type of rootkit.” – Robert Hensing about bootkits

You can download Stoned Bootkit here:

Open Source Framework – Stoned Bootkit Framework.zip
Infector file – Infector.exe

Or you can read more here.

Posted in: Hacking News

, , ,


Latest Posts:


snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.


13 Responses to Stoned Bootkit – Windows XP, 2003, Vista, 7 MBR Rootkit

  1. d3m4s1@d0v1v0 August 18, 2009 at 12:27 pm #

    very, very, VERY interesting, thanks for sharing =)

  2. SherifEldeeb August 18, 2009 at 6:40 pm #

    Well, I’ve read this article and the links, and it scared the f…, hell out of me.
    The only detection method will be by booting with a live CD and check the MBR I guess.
    May God save us, and the ones we care about from threats like this…

  3. Only2perCent August 18, 2009 at 10:56 pm #

    Only, when I erased my hard drive were I able to beat this thing!

    Stay away from Microsoft products!

    Linux Mint is a very elegant alternative.

  4. Morgan Storey August 19, 2009 at 12:00 am #

    @Only2perCent : while I do agree about Linux being better, I can assure you that a Linux bootkit would be easier to write than Stoned, it could simply plugin to Lilo/Grub. All os’es are unsecure the only secure ones are ones that aren’t used, and aren’t connected.

  5. Only2perCent August 19, 2009 at 7:31 am #

    @Morgan Storey: In the future we will get use to a life in a hostile environment. As a bacteriologist once said, “Our bodies are only 10% human, – the rest is bacteria.”
    My idea of an OS is a live CD with a persistent home directory and constantly changing MAC address.

  6. d August 19, 2009 at 1:40 pm #

    @SherifEldeeb @Only2perCent: Disable all “boot from” in BIOS except the hard drive.

  7. Morgan Storey August 19, 2009 at 2:25 pm #

    @Only2perCent: Problem with that is how do you add new programs, live ones that run from a usb drive/the home drive. Then the malware just infects there, the programs installed will still have vulnerabilities and be updated slower due to having to burn the updates/new programs. You could do your plan now, but next to no computer does as it isn’t usable. I have seen a few kiosks that use it. MS has steady state for windows that allows you to roll back on boot, that could fix some stuff. But what about a bios virus.
    I agree we will need to get used to living in a hostile environment, I think we already do, put an unpatched windows box on the net not behind a router and it takes what 1minute to get owned.

    @d: Won’t work, as the bootkit installs to your hard disk. If you are talking about stopping a bootdisk/usb it is trivial to do a bios reset to bypass this. Pop the bios battery, flip the dip switch or bridge the reset pins.

  8. d August 19, 2009 at 2:48 pm #

    @Morgan Storey: For high value systems, resets can be mitigated by controls, while not inconveniencing the user. Tamper evident seals and visual checks.

    Granted: laptops, laxed corporate security, and home users are vulnerable.

  9. Only2perCent August 20, 2009 at 1:06 am #

    @Morgan Storey: In my model, a user adds software to the system by upgrading the Live CD. One can assemble a Live CD to one’s liking by adding modules, as it is done at:

    http://www.slax.org/modules.php

  10. Morgan Storey August 20, 2009 at 1:55 am #

    @d: yeah but high value systems are not the target anymore it is easier and more profitable to go after the end users machine and grab all their traffic. Regardless a bootkit installs within the os and doesn’t need a usb/cd to install at boot, it simply changes the boot record/boot loader. So if you get remote access and need to keep it, you bootkit it, and get the bootkit to re-initate your session.

    @Only2perCent: Yeah I understand your model, but the issue still remains you have to store your data somewhere, and that is a place that can be compromised. The other issue of creating a new Live CD whenever a patch is released, or a new app you want to try would become tedious, and with the laxness that even simple patching is done, I doubt most users would bother, that is why the livecd as a full time os is very rarely used.

  11. Only2perCent August 20, 2009 at 2:34 am #

    @ Morgan Storey: It is already too dark, and too late. When every computer in the World is under alphabet attack, it is no longer a matter of convenience, It is the only viable solution to be able to speak.

  12. Halojoe August 21, 2009 at 7:47 pm #

    My BIOS prevents this change. It’s doesn’t seem as scary as it should. I’m going to try it out on a HP laptop.

  13. Rishabh Dangwal September 5, 2009 at 7:03 pm #

    gr8 article..the guys at redmond would now be a bit busy and running scared :P