The researcher explains how the new Stoned Lite functions

Nov 18, 2011 07:55 GMT

After all the debate on the matter of the first Windows 8 Bootkit, its creator, Peter Kleissner, was kind enough to clarify a few things, including the fact that Microsoft's Secure Boot feature is not really that bad, although vulnerabilities may still exist.

Yesterday we learned that Kleissner will unveil his Bootkit at the MalCon conference, which takes place in India on November 25. Since there were no precise details on how the new Stoned Lite will function, we requested further clarification on the matter of the Bootkit versus Microsoft's Secure Boot.

The researcher claims that the real issue exists in legacy boot procedures, not in the Redmond company's new feature.

“The problem with the legacy startup is that no one verifies the MBR, which makes it the vulnerable point. With UEFI and secure boot, all the boot applications and drivers have to be signed (otherwise they won’t be loaded),” Kleissner revealed.

“You can compare it to TPM, although Arie van der Hoeven from Microsoft announced that the secure boot feature is mandatory for OEMs who want to be UEFI certified. It is a good message that security is not an option.”

Stoned Lite works by infecting the MBR and storing its components “outside the normal file system.” Startup files are “hooked” and “patched” before Windows starts, the same files that are modified in Windows 7.
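As an added example (not code from the article, nor from Kleissner or Stoned Lite), the defender-side check that the legacy weakness above calls for: parse a raw MBR, compare its bootstrap code against a baseline hash recorded on a known-good system, and count non-blank sectors in the unpartitioned gap before the first partition. The MBR bytes and disk images here are constructed inline; the partition layout (one partition at LBA 2048) is an assumption, not a value from the article.

```python
import hashlib
import struct

SECTOR = 512


def parse_mbr(mbr: bytes) -> dict:
    """Split one 512-byte MBR into a bootstrap-code hash, partition list and signature flag."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        # Entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "partitions": partitions,
            "signature_ok": mbr[510:512] == b"\x55\xaa"}


def check_mbr(mbr: bytes, baseline_code_sha256: str) -> list:
    """Compare a freshly read MBR with a baseline hash; empty list means no deviation."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code changed since baseline")
    if not info["partitions"]:
        findings.append("partition table empty")
    return findings


def nonzero_gap_sectors(disk: bytes, first_partition_lba: int) -> int:
    """Count non-blank sectors between the MBR and the first partition; this gap is
    normally empty, so data there is worth a closer look."""
    return sum(1 for lba in range(1, first_partition_lba)
               if any(disk[lba * SECTOR:(lba + 1) * SECTOR]))


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample (not a real disk): one bootable NTFS-type partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return code.ljust(446, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"


# Baseline from the clean sample; the modified copy stands in for a rewritten MBR.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = parse_mbr(CLEAN_MBR)["code_sha256"]
MODIFIED_MBR = build_sample_mbr(b"\xe9\x00\x01")
```

On a live system the 512 bytes would come from reading the first sector of the boot disk, and the baseline hash should be stored somewhere the disk itself cannot alter.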

“As payload I use the command line privilege escalation. Once whoami.exe is launched, it elevates the cmd.exe process rights to SYSTEM by overwriting its security token with a duplicated system process one,” he adds.

“Additionally it will patch the password validation function (MsvpPasswordValidate) so you can use any password for any local user account to log on. You will be able to start Stoned Lite from a USB flash drive or CD where it will be only active in memory.”

On the matter of splitting bootkit development across different teams in a cybercriminal organization, Kleissner cited the Carberp Russian banking Trojan as an example; it will soon be programmed to rely on Trojan.Cidox, a bootkit that infects the partition bootloader.

As proof that he is truly one of the good guys, his most recent paper, The Art of Bootkit Development, which will be published at the same event as Stoned Lite, will not only discuss how to develop Bootkits but also how to counter them.

Unfortunately, he will not be present in person at the MalCon event in India; a fellow researcher will represent him, or his talk may be pre-recorded.

On November 25, he will be attending the European Bitcoin Conference in Prague where he will show “how to re-direct locally initiated BitCoin transactions, but also show how the BitCoin wallet can be secured better against theft.”