January 8th, 2008, 11:26 GMT · By

Boot Record Rootkit Brings Windows Vista to Its Knees

SHARE:

Adjust text size:



Enlarge picture
A new boot record rootkit in the wild has the potential to bring Windows Vista to its knees. Although Microsoft applauded Windows Vista throughout 2007 as the most secure Windows operating system on the market, its latest client still has problems involving write-access to raw disk sectors. In this context, in early January 2008, GMER revealed that at the end of 2007 a new stealth MBR rootkit had been detected in the wild, and that it could compromise Windows Vista.

"Unfortunately, all the Windows NT family (including VISTA) still have the same security flaw - MBR can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected", the GMER member explained. "At the end of 2007 stealth MBR rootkit was discovered by MR Team members and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected."

Once it has infected a Vista machine, the rootkit has full control over the boot process, the code that executes before the operating system starts. The rootkit needs to take ownership of only a few disk sectors in order to become stealthy and hide itself. This is made easier by the fact that the rootkit code does not exist as a single file but is spread across disk sectors, and by the fact that no registry entry is created, since the malicious code is loaded by the MBR code itself.
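Because the rootkit lives in the boot code of sector 0 rather than in a file or registry entry, the defensive check is to compare the first 440 bytes of the MBR (the executable part, before the disk signature and partition table) against a baseline recorded while the machine was known-good. The following Python script is an added example and is not code from the article, GMER or eEye: it parses a raw 512-byte sector, extracts the partition table, hashes only the boot-code region, and reports whether that region still matches the baseline. The sector contents are constructed inline (a harmless `int 0x18; hlt` stub standing in for real boot code); the offsets and the `0x55AA` signature are the standard MBR layout. In practice the sector would be read from the physical disk, and since an active rootkit can filter what the running system sees, the read should be taken from an offline or boot-media environment.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # offsets 0..439 hold the boot code the BIOS executes
DISK_SIG_OFFSET = 440      # 4-byte disk signature + 2 reserved bytes (440..445)
PART_TABLE_OFFSET = 446    # four 16-byte partition entries (446..509)
PART_ENTRY_LEN = 16
BOOT_SIG_OFFSET = 510      # 0x55 0xAA at 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, disk signature and partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:      # empty slot
            continue
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of only the executable part of the MBR; the partition table is not included,
    so a legitimate partitioning change does not raise a false alarm."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def boot_code_matches_baseline(sector: bytes, baseline_digest: str) -> bool:
    """True if the boot code is byte-identical to the recorded known-good baseline."""
    parse_mbr(sector)   # structural sanity check first (size and 0x55AA signature)
    return boot_code_digest(sector) == baseline_digest


# --- Constructed sample data (not a real disk image) ---------------------------
# Harmless stand-in for legitimate boot code: int 0x18 ("no bootable device"), hlt,
# then a short jump back to the hlt. Padded with zeros to 440 bytes by build_sample_mbr.
CLEAN_BOOT_CODE = b"\xCD\x18\xF4\xEB\xFD"
# The same stub with an extra leading nop, standing in for "the boot code was rewritten".
ALTERED_BOOT_CODE = b"\x90\xCD\x18\xF4\xEB\xFD"


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x12345678) -> bytes:
    """Assemble a syntactically valid MBR with one active NTFS-type (0x07) partition
    starting at LBA 2048 (constructed data for the example)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    sig = struct.pack("<I", disk_sig) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + sig + table + b"\x55\xAA"


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    baseline = boot_code_digest(clean)      # record this once, while the machine is known-good
    print("partitions:", parse_mbr(clean)["partitions"])
    print("clean matches baseline:", boot_code_matches_baseline(clean, baseline))
    altered = build_sample_mbr(ALTERED_BOOT_CODE)
    print("altered matches baseline:", boot_code_matches_baseline(altered, baseline))
```

The point the altered sample makes is that the partition table of both sectors parses identically, so a tool that only inspects partitions sees nothing wrong; only hashing the boot-code region exposes the change. The baseline must be stored somewhere the machine cannot rewrite (a separate host, write-once media), since anything with sector-level write access could update the stored hash alongside the sector.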

The rootkit is apparently based on a project presented by security researchers Derek Soeder and Ryan Permeh at Black Hat USA 2005. Their eEye BootRoot demonstrated a way to subvert the Windows kernel during the loading process via custom boot sector code. Back in 2006, as Windows Vista was passing through the final stages of development, security researcher Joanna Rutkowska successfully executed the pagefile attack on a Release Candidate 2 build of the operating system. Since then, the Redmond company has blocked write-access to raw disk sectors for user mode applications, even when they run with elevated privileges.
FILED UNDER: Windows Vista, rootkit, MBR

READER COMMENTS:


Comment #1 by: jack straw on 09 Jan 2008, 12:39 UTC

Who has copy-pasted from whom?
http://www.pctipsbox.com/boot-record-rootkit-brings-windows-vista-to-its-knees/


Comment #2 by: Sorin on 09 Jan 2008, 14:20 UTC

It's obvious if you take into account that pctipsbox looks like a typical MFA site...


Comment #3 by: Alfie on 17 Sep 2008, 14:59 UTC

Yeah, pctipsbox also copied my articles and posted it into their website without any acknowledgment. Shame on them.
