Archive for October, 2006

Microsoft Vista Kernel Protection is Cracked

Thursday, October 26th, 2006

Security company Authentium has revealed that it has cracked the Vista kernel protection called PatchGuard. Microsoft, in its recently released half-yearly security report, said that PatchGuard was created to stop malware such as rootkits from getting into the kernel, where they can hide almost anything on the computer, especially keyloggers and spyware.

“Kernel Patch Protection for x64 Windows: Kernel Patch Protection improves security and makes it more difficult for hackers to hide malware, such as rootkits, deep in the OS where antimalware technologies may have a more difficult time removing it.”
Source: Microsoft Security Intelligence Report - January - June 2006

Helmuth Freericks, chief technology officer of Authentium, told Reuters recently that his company had found a way to turn off PatchGuard, install software and turn it back on again. Although no specific details have been given as to how they were able to turn off PatchGuard, it does seem that others, crafty hackers among them, will soon find their own way and publish it.
The Authentium blog has an entry in which PatchGuard kernel protection is described as “not very useable or useful”. The entry does not go into much detail because of a gag order from Microsoft. It goes to show that if big security companies see it as useless, then we will all be exposed to its uselessness.

It is ironic that Microsoft is currently only using PatchGuard on 64-bit Vista, as an added security attraction for businesses, who are the most likely users of this version of Vista. Ordinary everyday users of the 32-bit version will not have PatchGuard protecting them, and they may be the lucky ones, as it would only have given them a false sense of security.

In recent weeks we have seen security companies such as McAfee asking Microsoft for access to the Vista kernel so that they can provide HIPS (Host Intrusion Prevention System) applications to their 64-bit Vista customers.

Vista kernel protection is cracked, and it will not be long until we see rootkits for 64-bit Vista.

Keep Safe

regards
Steo
www.antirootkit.com

Vitriol: The VT-x Rootkit - Another VM Rootkit

Tuesday, October 10th, 2006

We all remember Joanna Rutkowska and the Blue Pill rootkit she demonstrated at the Black Hat conference a few months ago. She showed how a rootkit could be installed using the hardware virtualisation provided by an AMD chip. Now we have a new VM rootkit called Vitriol, developed by security specialist Dino Dai Zovi.
Dino will demonstrate Vitriol at Microsoft’s Blue Hat conference in late October.

Vitriol is a VM rootkit for Mac OS X using Intel VT-x on Intel Core Duo/Solo processors. Dino has provided us with a PDF of the slides he will use at the Blue Hat conference, which, by the way, is only open to selected security specialists.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft Blocks Vista Rootkit Exploit

Monday, October 9th, 2006

Rootkit researcher Joanna Rutkowska has revealed that Microsoft has blocked the method she used to install her Blue Pill rootkit.

On her blog Joanna wrote “It quickly turned out that our exploit doesn’t work anymore! The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights.”

She then goes on to say that when she first demonstrated her method at the Black Hat conference recently, she gave three ways for Microsoft to fix the problem. Microsoft chose the option easiest for them, which was to block raw disk access from user mode. The method Microsoft chose has far-reaching effects on software companies that provide disk editor software: these companies will now need a digitally signed driver to get raw disk access. This also means that an attacker could “borrow” the driver from the disk editing software and use it to bypass the block Microsoft has put in place.

The other two options Joanna gave were to encrypt the pagefile and to disable kernel-mode paging. The option Microsoft took does not make the problem go away; it just adds another layer for an attacker to get through.

Well done, Microsoft: you have just made the attackers’ work a bit harder, and you have also made some of them look at signed drivers a bit more closely and added more to their malicious arsenal.
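As an added example (not from the original post), here is a PowerShell audit of the two alternatives Joanna listed: it checks whether kernel-mode paging is disabled and whether the pagefile is encrypted, so an administrator can see whether the pagefile injection route is closed independently of the raw-disk block. It assumes Windows Vista or later and an elevated session; the registry value and the fsutil command are real Windows settings, while the function name Test-PagefileHardening is ours.

```powershell
# Added example, not part of the original post. Audits the two mitigations Joanna
# Rutkowska proposed: disabling kernel-mode paging and encrypting the pagefile.
# Assumes Windows Vista or later and an elevated PowerShell session.
function Test-PagefileHardening {
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

    # Option 1: DisablePagingExecutive = 1 keeps kernel-mode code and drivers resident
    # in RAM, so no kernel code is ever written to pagefile.sys where it could be edited.
    $mm = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
    $kernelPagingDisabled = ($mm.DisablePagingExecutive -eq 1)

    # Option 2: an encrypted pagefile means raw sector edits cannot plant usable code.
    # fsutil prints a line such as "EncryptPagingFile = 1"; any failure leaves $out empty.
    $out = & fsutil behavior query EncryptPagingFile 2>$null
    $pagefileEncrypted = [bool]($out -match '=\s*1\s*$')

    # Remediation (both take effect after a reboot):
    #   Set-ItemProperty -Path $mmKey -Name DisablePagingExecutive -Value 1
    #   fsutil behavior set EncryptPagingFile 1
    [pscustomobject]@{
        KernelPagingDisabled    = $kernelPagingDisabled
        PagefileEncrypted       = $pagefileEncrypted
        PagefileVectorMitigated = ($kernelPagingDisabled -or $pagefileEncrypted)
    }
}

Test-PagefileHardening | Format-List
```

Either setting on its own closes the route of editing paged-out kernel code on disk; the report marks the vector mitigated when at least one is in place.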

Keep Safe

regards
Steo
www.antirootkit.com