Old news, but still VERY important. At the recently concluded BlackHat 2009 USA, the Stoned Bootkit was released by Peter Kleissner.
The Stoned Bootkit has full access to the system and is able to bypass any security check done by Windows. Why is this dangerous and useful at the sametime? Because- first, it has an open source architecture. Second, it loads into the computer memory before Windows does! Third, it can work on any platform – Windows XP and onwards. Fourth, it can attack the TrueCrypt full volume encryption. Now, ain’t that nasty? It sure is. Wait till you read some more about it. This is it’s feature list:
– attacks Windows XP, Sever 2003, Windows Vista, Windows 7 with one single master boot record
– attacks TrueCrypt full volume encryption
– has integrated FAT and NTFS drivers
– has an integrated structure for plugins and boot applications (for future development)
– is a Master Boot Record, with the target to be memory resident up to the Windows Kernel
– supports the IA32, AT Architecture (IBM-conforming)
– has rich API support
– supports the following boot methods: Floppy, Hard Disk, CD/DVD/Blu Ray, Network (PXE), USB flash drives, and others!
As it is said in the features list, it supports the plugin architecture. Since its architecture is open source, you can build as many plugins you want depending on your requirements. Here is a list of plugins that is pre-shipped with the Stoned BootKit:
- User Interface
- PE Infector
- File Parsers
- HibernationFile Attack
- Music Melody!
- BootPassword Crack
- Persistent BIOSInfector
In addition to these plugins, it has the following softwares:
- Forensic Lockdown Software (provides an interface for some operations like a boot menu, original MBR restoration and of course (experimental) locking/unlocking methods.)
- Hibernation File Attack (uses the bootkit functions to open and modify the hibernation file and to compress and decompress the buffers using the xpress algorithm.)
- Sinowal Loader (loads and executes the Sinowal kernel driver from the file system.)
If you want, you can also check how it works using QEmu, Bochs or VMWare! The Stoned Bootkit project name was actually inspired by the Stoned virus, the first MBR virus which can infect the Windows XP MBR too. The project itself is built upon the Hibernation File Attack, which was built by the author in the past. The only catch in its installation is that it will need an Administrators access to infect a Windows XP system and an Elevated Administrator access to infect a Windows Vista.
The author plans to add more functionality to the further versions by adding features like polymorphism and metamorphism. The target of Stoned is to be the most sophisticated and most widespread used bootkit in 2010!