Vista kernel tampering tool released, then mysteriously disappears


Summary: The race to defeat a key anti-rootkit/anti-DRM mechanism in Windows Vista has heated up again with the release of a tool that loads unsigned drivers into the 64-bit Windows kernel, and a swift decision by Microsoft to treat the utility as malicious spyware. But a third developer has joined the fray with "Purple Pill," a new utility that could be very troublesome for Microsoft if it works as advertised.

TOPICS: Windows, Microsoft

The race to defeat a key anti-rootkit/anti-DRM mechanism in Windows Vista has heated up again with the release of a tool that loads unsigned drivers into the 64-bit Windows kernel, and a swift decision by Microsoft to treat the utility as malicious spyware.

But a third developer has joined the fray with "Purple Pill," a new utility that could be very troublesome for Microsoft if it works as advertised.

The latest contretemps was triggered by Linchpin Labs, an Australian software development shop that created and shipped Atsiv (Vista spelled backwards), a command-line tool that lets the user load and unload signed or unsigned drivers on the 32-bit (x86) and 64-bit (x64) versions of Windows XP, Windows Server 2003 and Windows Vista.

Atsiv was designed to provide compatibility for legacy drivers and to allow the hobbyist community (er, rootkit researchers) to run unsigned drivers without having to reboot with special boot options, or simply being refused outright under Vista.

It effectively offered a deliberate way to load code in defiance of the Kernel Mode Code Signing (KMCS) policy included in the Windows Vista x64 editions -- by default, KMCS only allows code to load into the kernel if it has been digitally signed with a valid code signing certificate -- and could just as easily be used by stealth malware to hide deep in the bowels of the Vista kernel.

Because Atsiv got into the kernel by way of its own validly signed driver, it was easy for Microsoft to fight back. The company immediately shipped a Windows Defender signature update that tagged the Atsiv driver as a spyware threat, and worked with VeriSign to revoke the code signing certificate used to sign the Atsiv kernel driver, rendering it invalid.

Redmond's security team is also mulling a plan to add the revoked key to the kernel mode code signing revocation list, an additional defense-in-depth measure that would require a system reboot for the new revocation list to take effect, according to Scott Field, a security architect on Microsoft's Windows team.

The Microsoft counter-measures have angered the folks at Linchpin Labs. According to a report by Gregg Keizer, the privately held startup is complaining that the blocking of Atsiv borders on an antitrust violation.

Linchpin Labs may have conceded defeat but Alex Ionescu, a kernel developer, reverse engineer and Microsoft Student Ambassador is pushing the envelope even more with what he calls Purple Pill, a tool that relies on a driver signed with a key that perhaps more than 50% of Vista users depend on for their machine to boot.

Here's Ionescu's description of Purple Pill (this has since been removed from his site):

  • It uses the OS mechanisms for loading drivers: NtLoadDriver. The driver is loaded by the native Mm SysLdr (The internal PE Loader) without any hacks, and it is present in the PsLoadedModuleListHead.
  • Vista is perfectly aware that an unsigned driver has been loaded: you will even get a warning a bit after the driver is loaded. This also means that PMP will become aware that the driver is loaded, and disable high-definition media playback. This means that this tool will not help you bypass DRM in any way, because the original Vista protection mechanisms are still in place. Note that on Vista 32-bit, this behavior already exists by default in the OS, so it is not a “bug” of Purple Pill.
  • And the best part: Purple Pill doesn’t use any certificate of mine or driver that I’ve written (or any other one in particular). In fact, Purple Pill uses a driver that is signed with a key that perhaps more than 50% of Vista users are currently depending on for their laptop to boot. If this key gets blacklisted, all those customers would end up with largely unusable systems. Although Purple Pill itself may be added to Windows Defender, users who want to load it can simply disable the service or whitelist the application manually. I don’t see a realistic way in which this key can be blacklisted, so the Purple Pill will always be able to load (this is not a guarantee).
  • Finally, Purple Pill can also unload the driver you've loaded.


Ionescu, currently an intern at Apple, originally released the Purple Pill code but, as I was preparing this blog entry, I noticed that it has since been yanked from his personal blog. (A Google cache of the original release was still available.)
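The article makes two points a defender can act on: KMCS only admits signed images into the x64 kernel, and (per Ionescu's own description) Vista knows when an unsigned driver is nonetheless present and warns about it. The PowerShell below is an added example, not code from the article, from Linchpin Labs or from Ionescu. It enumerates the kernel drivers currently running, checks each image's Authenticode signature, and pulls the Code Integrity log events that record unsigned-module loads. It assumes Windows 10 or later with Windows PowerShell 5.1 (where Get-AuthenticodeSignature also recognises catalog signatures), an elevated prompt, and that event ID 3001 in the Microsoft-Windows-CodeIntegrity/Operational log is the "unsigned kernel module loaded" record; verify that ID on your own build.

```powershell
# Added example (not from the article or the tools it describes).
# Lists running kernel-mode drivers whose on-disk image lacks a valid
# Authenticode (embedded or catalog) signature, and the Code Integrity
# events that record unsigned-module loads. Run elevated on Windows 10+.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes back in several spellings; normalise them.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                       # \??\C:\...   -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot              # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"    # system32\... -> full path
    return $p
}

function Get-UnsignedLoadedDriver {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'"
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A running driver with no readable image on disk is itself anomalous.
            [pscustomobject]@{
                Name = $d.Name; Path = $d.PathName; Status = 'FileNotFound'
                Signer = $null; Message = 'driver image not found on disk'
            }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Name    = $d.Name
                Path    = $path
                Status  = $sig.Status            # NotSigned, HashMismatch, NotTrusted, UnknownError ...
                Signer  = $sig.SignerCertificate.Subject
                Message = $sig.StatusMessage
            }
        }
    }
}

function Get-UnsignedModuleLoadEvent {
    param([int]$Days = 30)
    # Assumed: event 3001 in this log is "Code Integrity determined an unsigned
    # kernel module is loaded"; check the ID against your own system's log.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3001
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Write-Host "== Running drivers without a valid signature =="
Get-UnsignedLoadedDriver | Format-Table -AutoSize

Write-Host "== Code Integrity unsigned-module events (last 30 days) =="
Get-UnsignedModuleLoadEvent | Format-Table -AutoSize -Wrap
```

Two caveats the article itself illustrates. A Status of Valid says only that the image is signed with a chain the machine trusts, not that it is benign: Atsiv's loader driver passed KMCS until its certificate was revoked, so the Signer column is there for an analyst to eyeball, not for an automatic pass. And a loader that brings in a second, unsigned image is precisely what the Code Integrity events are for, since the loader's own signature check comes back clean while the module it loaded does not.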

  • Kudos to MS while smacking them upside the head

    I congratulate Microsoft for working VERY hard to make their OS much more secure. Every effort to eliminate rootkits, infections, malware, et al., my hat's off to you. The smack upside the head comes entirely from this:


    You tied massive security efforts into your DRM subsystem. You threw down the gauntlet, and you will lose. The most intelligent people in the world WILL NOT BE TOLD HOW THEY CAN USE THEIR COMPUTER and will succeed in destroying all your security efforts because you tied it to DRM.

    They are going to mess with your kernel, they are going to hack your DRM and make your life miserable, likely affecting millions with side effects of your futile efforts to patch and stay ahead of them.

    Instead of having the "white hat" hackers of the world helping you make the anti-malware side more and more bulletproof, they will focus instead on the aspect I mentioned; they will use their computer and their content any way they see fit.

    I do feel for the development team tasked with making security more secure, all the while mandated by marketing to make the MPAA/RIAA happy. They should be two separate development streams, one meeting with success, the other failing to keep up.

    • Microsoft is working hard at avoiding the real problem.

      "I congratulate Microsoft for working VERY hard to make their OS much more

      So would I, if they were doing that.

      They could eliminate most of the avenues malware use to get into the system by
      backing down on the high level of integration of the HTML control, IE, and the
      desktop. ActiveX needs to be managed at the application level ONLY, with the
      HTML control reduced to a display component dependent on the calling application
      to fetch content and do anything with it other than display HTML. The helper
      application list needs to be put into the hands of the application as well, with the
      OS simply providing a separate lists of "sandboxed" and "unsandboxed" helper
      applications... with sandboxed applications never using the unsandboxed list
      except for their own internal use.

      This has been a known problem for 10 years now. Microsoft has known how to fix
      it for 10 years. Instead, they're trying to come up with an even tighter and more
      intimate "security zone" model in .NET.

      So given that... I don't see that Microsoft's doing anything about security other than
      using it as an excuse to push their DRM agenda.
      • What does ActiveX have to do with kernel security?

        ActiveX runs in user space, in the context of the user running the application. In protected mode IE in Vista, IE uses a restricted token that has even lower rights than the normal limited user -- it doesn't have any write access to even the user's files, let alone system files.

        What do you mean when you say "high level of integration of the HTML control, IE, and the desktop" ? Windows 2000 was the last OS that uses MSHTML to render the folder views. And as of IE7, IE and Windows Explorer are completely separate. I have used the WebBrowser control and MSHTML for the past 8 years in my own applications, and I have no idea what you are trying to say.
  • Compatibility with legacy stuff impaired

    I've often thought about just such a "universal" driver to be able
    to load legacy drivers for unsupported hardware in Vista.
    Naive me never considered it as a rootkit/hacker enabler.
  • where did it go?

    Did you ask Alex why the purple pill got yanked?
    Any answer?
    just curious...
  • Not surprised to find Apple funding Windows malware

    "Ionescu, currently an intern at Apple, originally released the Purple Pill (screenshot above) code"

    Gee, what a shock! But no, Apple isn't at all terrified of Vista!! ;)
    • Might be why it was yanked

      As bad as Apple is, you can't honestly believe that they are funding research into malware creation and rootkit installation. iPod or not, even a whiff of that and the company is toast, Board of directors arrested kinda thing.

      Aside: why is anyone terrified of Vista? It may well turn out to be a great OS (SP1) but nothing really special about it.

    • Macs are selling

      at 3x the rate of Windows PCs. It isn't Apple that's feeling insecure, zealot.
      • The new lineup

        will only help. In another blog, the low end iMac, 20" LCD, based on what I could compare came out almost even (maybe 10% more) than the same Dell or HP. Given the cool factor, I have a hunch Apple will do quite well with the back to school crowd.

      • Where do you get your numbers?

        Here are the real numbers. Last quarter Apple sold about 1.76 million Macs. During that time 36 million PCs were sold. By the end of this quarter there will be more Vista installations in use than all Mac and Linux installations combined.
        • He misspoke

          Apple's computer sales are growing at 3x the overall industry PC growth rate (i.e. Apple sales are growing at 30%, versus 10% for PCs on average). This translates into a lot of revenue, though, since the margins are higher.

      • Sure they are ;)

        So Apple is outselling all other vendors (Dell, HP, Compaq, IBM, Gateway, etc.) combined? And at 3 times the rate?

        My Apple stock is way underpriced: With what you just said, it should be up to about 10,000 dollars a share by now...
        John Zern
    • Read the article again.

      Purple Pill was on his personal site. Not Apple's.
  • Microsoft considers the USER IS A HACKER

    So ANYBODY who installs or loads ANYTHING on
    Vista, without Microsoft's express
    permission and approval, is to be blocked.

    Read the EULA. It is very explicit.
    Ole Man
    • What does Apple's EULA say in OSX?

      Is it allowed to be modified to run on a PC? Just asking, as a user who purchases an Apple OS does own it, right? They should be allowed to do whatever they want with it. That is what you're saying, right?
      John Zern