Windows 8 bootkit demo

Summary: Windows 8 PWNED!

Austrian security researcher Peter Kleissner has posted a video showing the Stoned Lite bootkit successfully defeating Windows 8. Here's the video:

Windows 8 Bootkit Demo from Peter Kleissner on Vimeo.

As you can see, the bootkit, which is only 14KB in size, bypasses Windows UAC and the security mechanism built into the Windows 8 bootloader. Kleissner previously developed a proof-of-concept 'bootkit' called Stoned [PDF], capable of attacking Windows platforms ranging from XP to 7. It seems that this work has now been extended to include Windows 8. The source code to Stoned is available for download from Kleissner's website.

According to Kleissner, the new Windows 8 hack does not attack the UEFI 'secure boot' feature and currently only works on systems running legacy BIOSes.
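Since the technique is limited to legacy-BIOS boot, where (as a commenter notes below) installation requires write access to the MBR, a defender can baseline that sector and check it for changes. The following is an added example, not code from the article or from Kleissner's Stoned project; the function names and the sample sector bytes are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_END = 440    # bytes 0-439: executable bootstrap code
PART_TABLE_OFF = 446   # bytes 440-445 hold the disk signature, not code
BOOT_SIG = b"\x55\xaa" # bytes 510-511
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, count

def parse_mbr(sector):
    """Return the boot-code hash and the used partition entries of an MBR."""
    if len(sector) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, PART_TABLE_OFF + i * 16)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": parts}

def check_against_baseline(sector, baseline):
    """List what differs from the baseline; an empty list means no change."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def make_sample_mbr(boot_code, lba_start=2048):
    """Constructed sample sector: one bootable NTFS (0x07) partition."""
    entry = ENTRY.pack(0x80, 0x07, lba_start, 204800)
    body = boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry
    return body.ljust(510, b"\x00") + BOOT_SIG

if __name__ == "__main__":
    clean = make_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 64)   # constructed bytes
    baseline = parse_mbr(clean)                                # record once
    altered = make_sample_mbr(b"\xeb\x3c" + b"\x90" * 64)     # different code
    print(check_against_baseline(clean, baseline))
    print(check_against_baseline(altered, baseline))
```

On a live system the sector has to be read with administrator rights; a baseline taken from trusted boot media is more dependable, since code already running below the OS can alter what disk reads return.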


Talkback

23 comments
  • Yawn...

    He didn't bypass Windows 8 Secure Boot.

    Secure Boot is only possible if the PC has UEFI, and he clearly states in his paper that he used a PC with BIOS. He does say that he enabled the TPM but that doesn't prevent the BIOS from booting any random code, which is what he is doing. UEFI Secure Boot on the other hand does prevent it, and that's the whole point. Until someone cracks it, that is :)
    CarlitosLx
    • RE: Windows 8 bootkit demo

      @CarlitosLx Given that basically all PCs currently in existence don't have UEFI, let alone secure boot, and most will eventually be upgraded to Windows 8, and all are almost certainly running something between XP and 7, then the secure boot really has nothing to do with the importance of this story, does it?
      jgm@...
      • Secure Boot is the future real soon now.

        @jgm@...
        You said: [i]"@CarlitosLx Given that basically all PCs currently in existence don't have UEFI, let alone secure boot, and most will eventually be upgraded to Windows 8, and all are almost certainly running something between XP and 7, then the secure boot really has nothing to do with the importance of this story, does it?"[/i]

        My PCs have UEFI boot? Case points: Dell Latitude E6520 and Gigabyte GA-880GM-USB3 rev3.1 to mention a few...

        UEFI was available on all Microsoft 64-bit OS since year 2002. And most 64-bit systems have UEFI which simply stands for Unified Extensible Firmware Interface aka a 64-bit BIOS.

        What are you talking about? Oh you must be talking about 32-bit systems. My bad.

        As to the secure boot has nothing to do with the importance of this story, you got that all wrong. This story isn't important at all, since most systems nowadays are 64-bit. You can't even buy 32-bit systems nowadays unless you dig really deep and look really hard for them... I'm talking PCs here, not mobile devices which all are still 32-bit architecture ARM CPU.

        Have you not heard, even the exploit author says this hack is obsolete?

        For deeper understanding on UEFI Secure Boot, just google these terms.

        [i]~~~~~~~~~~
        The more you learn, the more you realize you didn't know. That's the downside of continuing your education. The benefits come next.
        ~ Wintard[/i]
        WinTard
    • RE: Windows 8 bootkit demo

      @CarlitosLx So in addition to buying Windows 8, the consumer should also buy a new computer? What about those that only bought a new system with Windows 7? The majority of them still use BIOS. I find it disturbing that the majority of consumer systems are still only 32 bit, even though the systems can run a 64 bit OS.
      Rick_Kl
      • What's wrong with refreshing one of the most essential system in the house?

        @Rick_Kl

        That is the albatross of compatibility, and common procrastination at work here.

        I too find it disturbing that 64-bit capable CPUs are being used with mere 32-bit OSes.

        These people are probably just clueless, and don't know better.

        If they paid any attention to technology issues, such as Moore's Law, they would understand today's $300 system is vastly superior in terms of hardware, efficiency, and performance, not to mention reliability and security to their $5000 system only two years ago.

        Take for instance my HTPC (Home Theater PC), a six-core AMD with 8GB DDR3 1333 MHz RAM and 3TB HDD only cost me $350 in hardware parts (minus the license to Windows 7 Ultimate x64 via TechNet subscription). It would cost more to upgrade a 2GB RAM dinosaur system to 4GB using DDR or DDR2 RAM...

        What about the wear and tear on these old systems? Doesn't anyone treasure their data? Preventive maintenance anyone?

        And I get a -108dB signal to noise ratio, something barely available in esoteric audio equipment costing thousands of dollars...

        All these laggards are missing out! Yet most think of themselves as astute!
        However, nowadays, it is virtually impossible to find a brand-new 32-bit hardware system, and most come pre-loaded with Windows (insert your flavor) 64-bit.

        [i]~~~~~~~~~~~
        Penny wise. Pound foolish
        {English Proverb}

        Common sense isn't so common
        ~ Voltaire [/i]
        WinTard
  • RE: Windows 8 bootkit demo

    Apache PWNED. Kernel.org PWNED. Linux.com PWNED. No wait, we only do this with Windows.
    Martijn2
    • RE: Windows 8 bootkit demo

      @Martijn2 two of those are websites and Apache was fixed within a day
      explodingwalrus
    • RE: Windows 8 bootkit demo

      @Martijn2

      You said: "No wait, we only do this with Windows"

      You got that all wrong! Or perhaps you are just being facetious?

      Right now, just google [b]Unpatched Apache Reverse Proxy Flaw Allows Access to Internal Network[/b] fresh as of today 2011-11-25 and there are no fixes for this yet!

      Obviously Apache is PWNED?

      Searching for Linux PWNED returns 470,000 results, fresh as of 2011-09...

      Searching for Apple PWNED returns 1,320,000 results.

      Apparently, true hackers have no preferences and will have everything PWNED?

      [i]~~~~~~~~~~
      There is nothing so useless as doing efficiently that which should not be done at all.
      ~ Peter F. Drucker[/i]
      WinTard
      • RE: Windows 8 bootkit demo

        @WinTard
        Unpatched Apache Reverse Proxy Flaw Allows Access to Internal Network fresh as of today 2011-11-25 and there are no fixes.

        Yet there is a work around.

        Apache has not yet released a patch for this issue. Until a patch is released, configuring the reverse proxy rules correctly will prevent this issue from occurring.

        Come back when the issue as stated in article is fixed or there is a work around.
        daikon
  • Boring rubbish

    To install this 'bootkit', you need write access to the MBR. Might as well brag about being able to 'crack' a safe after being given physical access to it and the combination.
    WilErz
    • RE: Windows 8 bootkit demo

      @WilErz Boring rubbish? I can slip into any PC I get physical access to, and that's boring? I hope you don't work in security. (By the way, look up "Kon-Boot" to see something even scarier).
      jgm@...
      • Yes, it's boring.

        @ jgm@...

        Software alone has never protected systems from attackers with physical access -- never. Anyone with even a basic understanding of computer architectures would understand that, and if you didn't (until now), you were simply uninformed. It's precisely why there's a need for firmware 'secure boot' support in UEFI.
        WilErz
      • What is scary

        @ jgm@...

        If you understand computer systems architectures, there's nothing surprising, much less scary, about 'Kon-Boot'. What is scary is that so many people think of software security as some sort of magic ju-ju that will protect them from everything, no matter how stupidly they behave.

        Software security should be viewed in the same way as any other security mechanisms. Would you ever imagine, for example, that putting physical documents into a safe would protect them if a thief had unrestricted physical access to the safe? Of course not. The safe itself has to be kept in a secure location, access to that location has to be carefully controlled, etc. Try to use the same common sense with software.

        As an aside, I actually do work with highly confidential data, and the first rule of security is that you never, ever allow the data to leave servers in physically secure locations. If you violate that rule, you might as well send everything directly to Wikileaks or your favourite cyber-criminal ring and be done with it.
        WilErz
  • According to the source code, this bootkit doesn't work on 64-bit machines

    Excerpt from the source code readme.txt file:
    [i]"Is it valuable?

    Not anymore my dear, not since more 64-bit machines are sold than 32-bit ones. This means that the Stoned Bootkit does NOT work on at least 60% of newly sold computers. It is a battered an old hat."[/i]

    Check it out for yourself!

    Unfortunately, I do not use any 32-bit systems anymore. Except 32-bit ARM7 code devices such as used in the iPhone and iPad.

    [i]~~~~~~~~~~
    The future has a way of arriving unannounced.
    ~ George Will
    [/i]
    WinTard
  • Doesn't matter

    Kleissner's website is down!
    Joe_Raby
    • Back up again

      It looks like he's getting some pretty big DNS reliability problems right now...

      I don't get the point about UAC though, since it's been shown that software publishers can fake internal Windows processes with a third-party application. This isn't bypassing UAC - UAC is acting exactly as it should, given that it doesn't recognize the program as 3rd-party. If UAC is elevated to the top level, is it still bypassed?

      Also, you still need admin access to run this in any case.

      How is this any different from the Alureon bootkit variants, aside from Alureon actually being actively distributed while Stoned is just one man's attempt to get his time in the spotlight?
      Joe_Raby
  • Let the experts deal with it

    Entire bootkit framework has been uploaded to MSRT.

    You can track their analysis here:
    http://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=29a17729-e210-4789-8ce6-4eff98aa0a35
    Joe_Raby
    • RE: Windows 8 bootkit demo

      @Joe_Raby

      Clever ;)
      TheCyberKnight