Microsoft Blocks Vista Rootkit Exploit
Rootkit researcher Joanna Rutkowska has revealed that Microsoft has blocked the method she used to install her Bluepill rootkit.
On her blog Joanna wrote “It quickly turned out that our exploit doesn’t work anymore! The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights.”
She then goes on to say that when she first demonstrated her method at the recent Black Hat conference she gave Microsoft three ways to fix the problem. Microsoft chose the option easiest for them: blocking raw disk access from user mode. This choice has far-reaching effects on software companies that provide disk editor software. These companies will now have to ship a digitally signed driver to get raw disk access. This also means that an attacker could "borrow" the driver from the disk editing software and use it to bypass the block Microsoft has put in place.
The other two options Joanna gave were to encrypt the pagefile and to disable kernel-mode paging. The option Microsoft took does not make the problem go away; it just adds another layer for an attacker to get through.
Well done Microsoft, you have just made the attacker's work a bit harder, and you have also made some of them look at signed drivers a bit more closely and added more info to their malicious arsenal.
Keep Safe
regards
Steo
www.antirootkit.com