Security researcher demonstrates Windows 8 bootkit [video]

By Tom Warren, on 25th Nov 11 2:47 pm with 25 Comments

Security researcher Peter Kleissner has created a Windows 8 bootkit that bypasses User Account Control (UAC).

The bootkit, just 14KB in size, is believed to be the first proof-of-concept exploit code for Windows 8. The attack works on the current Windows 8 Developer Preview and, after exploitation, allows a command prompt to run under the SYSTEM account. User Account Control (UAC) is defeated as the technology does not prompt the end user. ZDNet reports that Kleissner has previously developed a proof-of-concept ‘bootkit’ called Stoned, and his latest attempt on Windows 8 appears to follow in similar footsteps. It’s not clear from the video whether Kleissner has managed to port any of the Stoned Bootkit features to Windows 8.

Microsoft has previously detailed its security improvements in Windows 8. Windows 8 will include an array of security features to better protect end users against a variety of online threats. Microsoft is beefing up its Windows Defender solution to include improved protection against a broader range of malware, and will deliver the same set of malware signatures via Windows Update. Defender will now include real-time detection and protection from malware using a file system filter. Defender will also interface with Microsoft’s Secure Boot technology in Windows 8. Windows PCs with UEFI-based Secure Boot will be able to take advantage of Microsoft’s Windows security to ensure that firmware and firmware updates remain secure: Microsoft achieves this by loading only properly signed and validated code during boot.

Microsoft has also improved its SmartScreen filtering for Windows 8 and Internet Explorer, extending its browser technology to Windows as a whole. Windows 8 will now protect end users by checking applications and URLs against a reputation-based database. The technology appears to build on existing solutions. Microsoft is also working with other security vendors to ensure their apps are also improved for Windows 8.

  • http://twitter.com/OldCongress Gamer

    awesome

  • Anonymous

    I am more interested in knowing how he was able to capture the bootloader.

    • Hugues Lefebvre

      Could be in a VM?

    • http://profiles.google.com/carlosrfonseca Carlos Ribeiro da Fonseca

      The Windows bootloader? It’s a file named “ntldr”; you can find it in the root of your boot partition (usually C).

    • Anonymous

      No, I mean how he was able to capture IT on video, since you’d need video capture software to do that, which wouldn’t work when Windows is loading.

    • Bosh

      A video camera?

    • http://pulse.yahoo.com/_NZRPL7DK7DFQQO44J5TM4PQLGU Harvey

      Doesn’t really look like a video camera recording. Probably a VM, as someone else mentioned.

    • Кирилл Ярин

      You can use another PC with frame grabber card.

    • http://profiles.google.com/carlosrfonseca Carlos Ribeiro da Fonseca

      It probably was either with a VM or on a machine with an IPMI sub-system.

    • Кирилл Ярин

      You are wrong. NTLDR was the bootloader in NT 5.x. Read about the modern bootloader at http://en.wikipedia.org/wiki/Windows_Vista_startup_process

    • http://profiles.google.com/carlosrfonseca Carlos Ribeiro da Fonseca

      True.

      But anyway, that wasn’t the question. :)

      Also, I’m stuck using Windows Server 2003 (Microsoft Windows [Version 5.2.3790]) here in the office, and that one has the ntldr file.

  • http://profiles.google.com/carlosrfonseca Carlos Ribeiro da Fonseca

    Oh boy, so why is this news?

    Didn’t we know for ages that if the bad guys can get their hands on your computer, it’s not your computer anymore?

    Specifically, if the bad guys not only can get to the computer but also make the BIOS boot code of their choice, it’s definitely not your computer anymore.

    This isn’t very different from using a Hiren’s BootCD to reset the administrator password because, again, if you can get the PC to boot code of your choice you can get it to do anything you want.

    And this is precisely what UEFI Secure Boot addresses, not letting you boot code of your choice but just code that matches a signature stored in the UEFI code itself. At least until someone finds a way to bypass that, of course :)

  • Guest

    Given that it’s a DP, there’s still lots of time to address it. But I have to wonder why he’s releasing this publicly? To get credit? Ego boost? Why not disclose to the vendor like most responsible researchers?

    • Guest

      If you go through the linked articles, it turns out he did inform MS in advance. It’s also worth noting that this was against a legacy BIOS, not UEFI or that + Secure Boot. Indeed, the vulnerability of Windows and every other OS to this type of attack is one of the main arguments for UEFI and Secure Boot. Seems like all he proved is that a boot process nobody ever claimed was secure, isn’t.

    • Seth_p

      Yep

  • Anonymous

    Wow, someone with administrative privileges can modify files on the filesystem; someone please give this guy a medal. In the reverse engineering world, this is on such a noobish level.

  • Anonymous

    Am I wrong in thinking that this is the point of Secure Boot?

    • Guest

      No, that’s roughly correct (UEFI+SB really). Although like everything else you’d expect that to be cracked in the future too.

  • Iamwhoiam

    “User Account Control (UAC) is defeated as the technology does not prompt the end user.”

    It’s not really that hard to bypass UAC, and UAC was never meant as a “security” feature to begin with.

  • Anonymous

    As long as Microsoft gets informed about these problems in time, I’m fine with this. Exploits are there to be found and to be fixed.

  • Gabriel Lopes

    That’s why this version of Windows 8 is called Developer Preview…

  • Emi Cyberschreiber

    Wow… omgg, how did he do all that?? You know, people say Windows 8 sucks for desktops! And Metro and search and everything in Win8, even if it’s a dev preview, so I believe them!
    /s

    Anyway, I see the point of this video, but still, it’s a dev preview… UAC works badly, admin rights work badly, even something like HomeGroups works badly! Among a lot of stuff, BUT since it’s a preview release, obviously some stuff will not work perfectly.
    Yeah, Win8 is stable and all, but still, it’s far from ready.

    So, nice info and video, but it’s silly to test this on a preview release with a lot of bugs. If RTM has it, I will “worry” about it, but we will have to wait for that.

  • Guest

    UAC, on the default level (Windows 7), when logged in as an administrator still lets programs gain administrative privileges without prompting. To get it to work properly, set it to level 4 or run as a limited user.
    This does not apply to Vista – it is effectively on level 4 by default.

    Refer to: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

    Once you’ve got administrator, you can pretty much do whatever you want. You could put the machine into developer mode to enable unsigned drivers and (after a reboot) you are free to go and run whatever you want with the highest possible level of privileges.
    TBH, I don’t think Microsoft will be fixing this (apart from suggesting you should use a UEFI-enabled system).
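
    As an added, defender-side example that is not part of the article or of any commenter’s post: a PowerShell audit of the three settings this thread turns on, the UAC prompt level the comment above describes, the Secure Boot state raised in the earlier comments (the demonstrated bootkit ran against a legacy BIOS), and the test-signing switch the commenter calls “developer mode”. It assumes Windows 8 or later for Confirm-SecureBootUEFI and an elevated session; the function names are mine.

```powershell
# Added example, not from the article or the commenters. Assumes Windows 8 or
# later (Confirm-SecureBootUEFI) and an elevated session.

function Get-UacLevel {
    # Registry values behind the Windows 7/8 UAC slider (documented policy names)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    if ($p.EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0)' }
    switch ($p.ConsentPromptBehaviorAdmin) {
        # 2: prompt for consent on the secure desktop = slider level 4 ("Always notify")
        2 { return 'Level 4: always notify, no auto-elevation' }
        # 5: prompt only for non-Windows binaries = levels 3/2; signed Windows
        #    binaries auto-elevate, which is the whitelist the commenter links to
        5 {
            $lvl = if ($p.PromptOnSecureDesktop -eq 1) { 'Level 3 (default)' } else { 'Level 2' }
            return "$($lvl): signed Windows binaries auto-elevate without a prompt"
        }
        # 0: elevate without prompting at all
        0 { return 'Level 1: elevate silently' }
        default { return "Unrecognised ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin)" }
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws PlatformNotSupportedException on a legacy
    # BIOS/CSM boot, the configuration the demonstrated bootkit ran against.
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        'Not available: legacy BIOS boot, no firmware signature check'
    } catch [System.UnauthorizedAccessException] {
        'Unknown: run elevated to query Secure Boot'
    } catch {
        "Unknown: $($_.Exception.Message)"
    }
}

function Get-TestSigningState {
    # bcdedit reports "testsigning  Yes" when unsigned kernel drivers may load
    $bcd = & bcdedit /enum '{current}' 2>$null
    if (-not $bcd) { return 'Unknown: bcdedit needs an elevated session' }
    if ($bcd -match '^\s*testsigning\s+Yes') { 'Enabled: unsigned drivers load' } else { 'Disabled' }
}

function Invoke-BootSecurityAudit {
    [PSCustomObject]@{
        UacLevel    = Get-UacLevel
        SecureBoot  = Get-SecureBootState
        TestSigning = Get-TestSigningState
    }
}

Invoke-BootSecurityAudit | Format-List
```

    A machine reporting the default UAC level, Secure Boot “Not available” and test signing enabled is in exactly the state the commenters describe as already lost once an attacker has local admin.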

  • User

    I don’t understand. / I didn’t understand :(