the stoned bootkit


BanMe
July 10th, 2009, 11:40
Quote:
Stoned bootkit is a new Windows bootkit which attacks all modern Windows versions. It is loaded before Windows starts and is memory resident up to the Windows Kernel. Thus Stoned is executed beside the Windows Kernel and has full access to the entire system. It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. Like in 1987, "Your PC is now Stoned! ..again".
quote from Peter Kleissner.

authors site is here http://www.stoned-vienna.com/

That seems mighty similar to my idea. I can't wait to see the open source.

regards BanMe

cli3nt
July 10th, 2009, 15:47
Saaaaay wha? AFAIR eEye did it first in public in 2005. After that it became a widespread idea.

BanMe
July 10th, 2009, 17:36
I'm well aware of that.. though this one is a lot more useful and it's gonna be open source

cli3nt
July 11th, 2009, 10:26
Mhm, well then http://www.piotrbania.com/all/kon-boot/ is also worth looking at. (Despite the fact it's not open source.)

GEEK
July 13th, 2009, 13:26
Just had a look at their website... seems one hell of a project.

dELTA
July 13th, 2009, 19:00
Quote:
[Originally Posted by BanMe;81668]though this one is a lot more useful and it's gonna be open source
Search that web site again for this exact quote (or your name "BanMe")... He actually put it up there as a user quote.

BanMe
July 13th, 2009, 19:07
That is pretty cool. I've only been referenced in ug hacks for games, but this is different. I guess this is a good thing.

regards BanMe

cli3nt
July 14th, 2009, 04:57
I still think it's overhyped. Bootkits are well known among security related people (or at least they should be); even if stoned-bootkit will be better than previous bootkits it would still be nothing new, just better. Oh, and the fact you can beat up TrueCrypt -- AFAIR Joanna talked about it in one of her blog posts. http://theinvisiblethings.blogspot.com/2009/01/why-do-i-miss-microsoft-bitlocker.html

And some quotes from the site:
"I didn't know there was even a word for that" - July 3, Metalab Vienna, in response to the term 'bootkit'
Nothing to be proud of.

"…and that is why I use Linux." - macpablo (macpablodesigns.com) when he first heard about that on a podcast
Well, you can use Linux/BSD/Solaris/OSX/et cetera (they are all flavours of Unix in the end) but it's not the key. As I said earlier -- check kon-boot.

"though this one is alot more useful and its gonna be opensource " - user BanMe in forums in response to eEye's BootRoot which is a dedicated attack only
I would like to change that -- to "in response to stoned-bootkit is nothing new" -- (because that's why I have written the previous post. Idea, not implementation.)

Nevertheless keep up good work Peter.

BanMe
July 15th, 2009, 11:24
What do you mean by overhyped? He uses the regular channels? He works at making people interested in his project by showing it to people and making it open source?

Quote:
[Originally Posted by "cli3nt"]
I would like to change that -- to "in response to stoned-bootkit is nothing new" -- (because that's why I have written the previous post. Idea, not implementation.)


Well, ideas are meant to be built upon; there is never "really" anything new.. you don't just come up with the wheel and forget about it.. you build upon it.. especially if you're envisioning a 'car' (Henry Ford reference there if you missed it). This applies to everything.. (fact)

So there is no real reason to get all huffy about it.. (another tire reference..)
"But to each, his own",I guess.

regards BanMe

cli3nt
July 15th, 2009, 13:19
Quote:
[Originally Posted by BanMe;81801]What do you mean by overhyped? He uses the regular channels? He works at making people interested in his project by showing it to people and making it open source?

Well, I think he put too much effort into advertising his product + it's nothing new = and because of that I think it's overhyped right now. Open source doesn't matter here.

Quote:
[Originally Posted by BanMe;81801]Well, ideas are meant to be built upon; there is never "really" anything new.. you don't just come up with the wheel and forget about it.. you build upon it.. especially if you're envisioning a 'car' (Henry Ford reference there if you missed it). This applies to everything.. (fact)

I can't fully agree (because there are many exceptions), but in general OK, let it be; nonetheless that's not the case. I don't like it when someone twists my words, and he did that. Didn't he?

Quote:
[Originally Posted by BanMe;81801]So there is no real reason to get all huffy about it.. (another tire reference..)
"But to each, his own",I guess.

I suppose, in the end, I can agree fully on this one.

Well, too much talking from me about such a silly matter. (4 posts here already. Too much :P.)
Peace & code

Snatch
August 20th, 2009, 03:46
More to the point though: practically speaking, how would one go about detecting one of these bootkits?

Woodmann
August 20th, 2009, 17:09
Well if you can get your app to start before the bootkit, you will be able to see it.

That means you need a prebootkit bootkit.

Think ring -3

Woodmann

BanMe
August 21st, 2009, 10:15
@Snatch: there are various ways to go about it..

MBR analysis.. while the computer is on, from usermode or kmode.. This can also be done while the hard drive is 'dormant' by attaching it to another computer and doing direct low level disc scanning.

Also, as Woodmann stated, if you can get an application running before the bootkit you can detect it; it's more a ring -1 or hypervisor solution. Some ASUS motherboards have a Linux OS that runs straight on the motherboard.. but then this also opens up the vector of attack directly to the motherboard.

But these solutions are all just band-aids for after-the-fact infection detection.. I am more into the idea of before-the-fact infection prevention.. as most rootkits and bootkits come with some 'installer'.. I use the word 'installer' lightly because it could be a true 'installer' or it could be an exploit install.. the regular installer method more than likely requires administrative privileges to write to the MBR.. the exploit install method only requires that the user under attack by the exploit be an administrative user or uses some form of privilege escalation.

But both methods have a lot of things in common..

Both have to use NtCreateFile or NtOpenFile to gain access to the hard drive
Both have to read from and write to the MBR.. NtReadFile, NtWriteFile..
Both have to place files on the disc.. so that the bootkit actually performs its duty..
Both have to gain execution of a thread at some point to do all or most of this work for them..


Regards BanMe

FrankRizzo
August 22nd, 2009, 19:30
There is also the possibility of using a Linux boot CD, or something of that sort that once loaded, could mount the HD, and read the MBR. All one would need would be a small program that could check the validity of the "fixed parts" of the MBR. And then do that for all windows versions, and you have the ability to detect tampering.

It's a good idea, but I think you need to get in lower to truly be immune.

Snatch
August 25th, 2009, 11:27
Interesting thoughts! A boot app for detection would be a nice solution though I don't recall ever seeing any before.
I was thinking the Windows boot CD FixMBR utility would be enough to eliminate the bootkit unless it had hacked other autoruns to rehack the MBR in case it is fixed. Even if you dump the MBR with a boot disc, how would you know if it is a legitimate Microsoft MBR or a hacked one? Without something to compare with, it seems like it could still be difficult to detect.

FrankRizzo
August 25th, 2009, 17:44
Quote:
[Originally Posted by Snatch;82563]Even if you dump the MBR with a boot disc, how would you know if it is a legitimate Microsoft MBR or a hacked one? Without something to compare with, it seems like it could still be difficult to detect.


I left that part out of my post. Mind working faster than the fingers.

I would generate a series of signatures of valid MBRs. I would generate one of the current one and compare it to the list. If you were comparing the "fixed part", and not the part that describes the boot device, "in theory" you could detect it. Also, barring some sort of polymorphism, you could also check for signatures matching known exploits.
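The offline MBR check that BanMe (dormant disk attached to another machine) and FrankRizzo (hash the "fixed part" of the MBR, not the part that describes the boot device, and compare against a list of known-good signatures) are describing, as an added example. This is not code from the thread, from Stoned or from any of the posters: it reads sector 0, splits it into the bootstrap code area (bytes 0x000-0x1B7), the NT disk signature (0x1B8-0x1BB), the four partition entries (0x1BE-0x1FD) and the 0x55AA boot signature, hashes only the code area and compares the hash with a known-good set. The sample MBR bytes, the disk signature 0x12345678 and the device paths are constructed for the demonstration; the known-good set would in practice be collected from clean installs of each Windows version.

```python
"""Offline MBR integrity check (added example; not code from the thread,
from Stoned or from any of its authors).

Reads sector 0 of a disk, splits it into the bootstrap code area, the disk
signature, the four partition entries and the 0x55AA boot signature, then
hashes only the fixed code area and compares the hash with a list of
known-good values. Best run from a boot CD or from a second machine against
the dormant disk: a bootkit that is already running below the OS can hide
the real sector from in-OS reads.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 0x1B8            # bootstrap code occupies bytes 0x000..0x1B7
DISK_SIG_OFF = 0x1B8        # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE      # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"      # bytes 0x1FE..0x1FF


def parse_mbr(sector):
    """Split a 512-byte MBR into its fields; raise ValueError if it is not one."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[0x1FE:0x200] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "active": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "code": sector[:CODE_END],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def code_hash(sector):
    """SHA-256 over the fixed code area only. The disk signature and the
    partition table differ per machine, so they are deliberately excluded."""
    return hashlib.sha256(sector[:CODE_END]).hexdigest()


def check_mbr(sector, known_good):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    mbr = parse_mbr(sector)
    digest = code_hash(sector)
    if digest not in known_good:
        findings.append("code area hash %s... is not in the known-good list" % digest[:16])
    if sum(p["active"] for p in mbr["partitions"]) > 1:
        findings.append("more than one active partition")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d: bad status byte 0x%02x" % (i, p["status"]))
    return findings


def read_mbr(device):
    r"""Read sector 0 from a raw device such as '/dev/sdb' or r'\\.\PhysicalDrive1'
    (needs root/Administrator; the paths are examples, pick the dormant disk)."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(code, disk_sig=0x12345678):
    """Constructed sample MBR for demonstration; the code bytes are made up
    and are not a real Windows MBR."""
    code = code.ljust(CODE_END, b"\x00")
    # one active NTFS (0x07) partition starting at LBA 2048, three empty entries
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48
    return code + struct.pack("<IH", disk_sig, 0) + table + BOOT_SIG


if __name__ == "__main__":
    import sys
    # In real use this set is collected from known-clean installs of every
    # Windows version you care about; here it is seeded from the constructed sample.
    sample_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
    known_good = {code_hash(build_sample_mbr(sample_code))}
    sector = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr(sample_code)
    for line in check_mbr(sector, known_good) or ["MBR code area matches a known-good hash"]:
        print(line)
```

Hashing only the first 440 bytes is what makes the comparison portable between machines: two clean installs of the same Windows version share the same bootstrap code but differ in disk signature and partition layout, so a hash over the whole sector would never match. The trade-off is Snatch's point above: the list is only as good as the clean images it was built from, and a bootkit that keeps the original code area intact and lives elsewhere on disk will not be caught by this check alone.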