MS Watches as Vista Gets 0wn3d by Rootkit

By Ryan Naraine  |  Posted 08-04-2006
LAS VEGAS—Ben Fathi slipped into the darkened, standing-room-only conference room and took a seat on the carpeted floor.

On the Black Hat stage, malware researcher Joanna Rutkowska, of COSEINC, was discussing a new technique that could plant an offensive rootkit in Windows Vista, Microsoft's "most secure ever" operating system.

As corporate vice president for Microsoft's STU (Security Technology Unit), it is Fathi's responsibility to deliver on Vista's security promise, and Rutkowska's claim—complete with live demo—that a key anti-rootkit feature can be easily defeated could be a public relations nightmare.

But Fathi was unperturbed. Almost unnoticed in the crowd, he paid close attention to Rutkowska's slides and didn't even flinch when the room erupted in applause as the demo succeeded in loading unsigned code into Vista Beta 2 kernel (x64), without requiring a reboot.

"This is the reason we're here. To see the advancements in research and work closely with these guys [white hat hackers] to figure out what's working and what's not working," Fathi said in an interview with eWEEK immediately after the presentation.

"We've already fixed that path [of attack] … It's beta software that will have bugs. That [attack scenario] has already been fixed in later builds," Fathi said.

Read more here about Microsoft's efforts to harden Vista against attacks by kernel-mode malware.

Rutkowska, a Windows Internals expert, was one of several stealth malware researchers using Black Hat, the preeminent hacker conference, to discuss advancements in rootkit creation.

During her talk, she described how scripts can be used to allocate excess amounts of memory to a process, forcing the target system to page out unused code and drivers. At this stage, Rutkowska showed how shell code could be executed inside one of the unused drivers, completely defeating the new device driver signing policy being implemented in Vista to only allow digitally signed drivers to load into the kernel.

Rutkowska created a one-click tool to plant the rootkit and used special heuristics to automatically find out how much memory should be allocated to "knock the unused driver."

Read the full story on eWEEK.com: MS Watches as Vista Gets 0wn3d by Rootkit