Via custom boot sector

Apr 26, 2007 15:28 GMT  ·  By

Vbootkit is a rootkit designed to load into Windows Vista's kernel from custom boot sectors. Its authors, security researchers Nitin Kumar and Vipin Kumar, claim that this is the first example of such technology. The Vbootkit's creators describe their rootkit as a back door, or a shortcut to access the Windows Vista kernel. The rootkit was developed on pre-release versions of the operating system, and only on the 32-bit editions of Windows Vista.

"Vboot kit is a first-of-its-kind technology to demonstrate Windows Vista kernel subversion using a custom boot sector. Vboot Kit shows how custom boot sector code can be used to circumvent the whole protection and security mechanisms of Windows Vista. Testing was performed on Windows Vista RC1 (build 5600) and Windows Vista RC2 (build 5744). The majority of the stuff remains valid for Windows Vista RTM (build 6000), though it has not been verified. Testing was done only on 32-bit systems," the authors revealed.

Vbootkit is a rootkit specific to Windows Vista that uses boot sectors (master boot record, CD, PXE, floppies, etc.) to load into the operating system's kernel. Nitin Kumar and Vipin Kumar said that they did not release the source code online, but that the binaries were in fact submitted to anti-virus companies.
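Because the technique described above lives in the boot sector, the natural defensive control is integrity checking of that sector against a known-good baseline. The following added example (not code from the article, from NV Labs, or from the Vbootkit authors) parses a 512-byte master boot record, verifies its 0x55AA signature, extracts the partition table, and hashes the 446-byte boot code region so it can be compared with a baseline recorded when the machine was provisioned. The MBR image it operates on is constructed inline for demonstration; on a real system the administrator would supply a sector dump taken from trusted boot media, since a bootkit already running in the kernel could intercept reads of the live disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot loader code, the region a bootkit replaces
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511: must be present for BIOS to boot the sector
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a minimal MBR image (constructed sample, not a real disk dump)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # One active partition of type 0x07 (NTFS), starting at LBA 2048, 1 GiB long.
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 2097152)
    table = entry + b"\x00" * (3 * 16)   # remaining three entries unused
    return code + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Validate the sector layout and return the boot code hash plus the partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:   # type 0 marks an unused entry
            partitions.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the boot code region matches the hash recorded at provisioning time."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256


def tamper_boot_code(mbr: bytes) -> bytes:
    """Constructed sample of a modified sector: boot code changed, partition table untouched."""
    modified = bytearray(mbr)
    modified[0] = 0x90   # any change inside bytes 0..445 is enough to alter the hash
    return bytes(modified)


if __name__ == "__main__":
    known_good = build_sample_mbr(b"\xEB\xFE")      # jmp $ : a trivial placeholder loader
    baseline = parse_mbr(known_good)["boot_code_sha256"]
    suspect = tamper_boot_code(known_good)
    print("known-good matches baseline:", check_against_baseline(known_good, baseline))
    print("suspect matches baseline:   ", check_against_baseline(suspect, baseline))
    # The partition table is identical in both, so a check that only looks at
    # partitions (as some disk tools do) would not notice the change.
    print("partition tables identical: ",
          parse_mbr(known_good)["partitions"] == parse_mbr(suspect)["partitions"])
```

The point the comparison makes is that a valid signature and an unchanged partition table say nothing about the 446 bytes of code that actually run at boot; the hash of that region is what has to be baselined and re-checked, ideally from outside the potentially compromised operating system.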

"Vista is still vulnerable to unsigned code execution. Vbootkit is the name we have chosen (V stands for Vista and boot kit is just a term coined for a kit which lets you doctor the boot process). The vbootkit concept presents how to insert arbitrary code into RC1 and RC2, thus effectively bypassing the famous Vista policy of allowing only digitally signed code to be loaded into the kernel," the two authors additionally claimed on the NV Labs website.