Security and Forensics Linkfest: Duck & Cover edition

Public domain photo: taken by U.S. Air Force Senior Airman Julianne Showalter

Black Hat 2009 Highlights

All eyes are on Vegas this week.

The Black Hat ® Technical Security Conference: USA 2009 is in full swing and it’s been a doozie so far.

Aside from all the security experts being pwned, there appear to be some very interesting presentations going on.

See this Black Hat ® Technical Security Conference: USA 2009 // Archives page for PDF whitepapers, presentation slides, and a few video/audio files as well.

Here are ones that I found particularly fascinating:

• Bill Blunden’s “Anti-Forensics: The Rootkit Connection” [White Paper] (PDF) and Presentation Slides (PDF).

• Alfredo Ortega & Anibal Sacco’s “Deactivate the Rootkit: Attacks on BIOS anti-theft technologies” - [White Paper] (PDF) and Presentation Slides (PDF).  Fascinating look how CompuTrace technology that “protects” systems in event of theft could actually be exploited while the system was “safe in custody” of the owner.

Lots more there as well covering both traditional technology, social-engineering, software, and even hardware lock-picking forensics.  Neat stuff!

Bootkit Fun with Stoned-Vienna

Remember when we were all looking at Kon-Boot: Bypass Windows Login Security (and some helpful blocking solutions) and Kon-Boot post (minor) update?  The Kon-Boot application was a “boot-kit” that allowed complete bypass of Windows user authentication password.  In the follow-up post it appeared that whole-disk encryption solutions and/or TPM enablement on supported systems prevented such an attack from working.

Well…not much longer (at least for True-Crypt).

• Bootkit bypasses hard disk encryption - The H Security

• Stoned-Vienna.com - Peter Kleissner’s project page for this latest boot kit iteration. Lots of very good technical information.

• White Paper (PDF) and Presentation (PDF) – Peter’s Black Hat ® Technical Security Conference: USA 2009 presentations on Stoned-Vienna.  The white paper is particularly detailed in technicals on how the injection process occurs as well as the methodology.  Great stuff and must-read material for boot-kit researchers.

• 4.16: Kon-Boot – Piotr Bania never did publish any technical information on how the Kon-Boot process worked.  Luckily for us, Peter’s got the stuff to sort it out for us.  If you are still wondering how Kon-Boot works, this is the reading material source to go to for now.

• Stoned Bootkit Blog – Peter’s ongoing updates on Stoned Vienna developments.

I didn’t get to see the presentation, and I’m still trying to find the time to pour though the technicals but it appears (and I am open to correction here) the following facts are in play with this “True-Crypt bypassing boot kit”:

• It is a boot kit as it injects itself into the Windows kernel after the BIOS by hi-jacking the bootloader process,

• It does not bypass the need for the user to still authenticate themselves to the TrueCrypt volume; by that I mean it does not “break/crack” the encryption itself,

• It does co-exist with the TrueCrypt boot-loader, survives that process, then goes on to actually “infect” the kernel post-loader to do whatever the “payload” offers.

• It could, possibly, be crafted to intercept and capture the passphase/id and send those to the attacker, thus providing them future authentication credentials needed to bypass WDE in future local attacks.

Those second and third points seem critical because in my Kon-Boot mitigation testing, the boot kit could not share the same memory space (in most BIOS’es) as the WDE boot-loader so either one or both failed…thus protecting the system.

The last one is just conjecture based on my current level of reading of the boot kit.

Stoned-Vienna is able to work around that successfully.  In theory it could also possibly work (with development) against other commercial whole-disk encryption solutions/products as well.  The encrypted volume would still need to be authenticated to but once past, the boot kit could go on to do its thing.

And to be clear…this isn’t a blast at any TrueCrypt weakness, it’s really still a function of how (most) Windows systems/deployments are weakened by the bootloader/kernel hand-off process.  Unless the boot-loader file as it loads into memory can be authenticated, along with the kernel files (see VBootkit vs. Bitlocker in TPM mode for a great example) the basic vulnerability will exist.  Disk encryption developers can only do so much to protect their own boot-loaders; the rest seems to be a Windows architecture issue.

Stay tuned as I am sure this will be dissected more in the coming weeks.

Malware Watch

• H1N1 Shortcut Malware - F-Secure Weblog – Clever malware file masquerading as a “link” shortcut file. Though it looks like it is seeded with junk, there is enough executable code (batch-file stuff) that it can actually ftp the payload (a vbs script) when clicked.

• Malware embedded in the Windows registry - Eternal sunshine of the geeky mind – Lead link to executable malware in the Windows registry of all places.

• Malware IN Registry a.k.a If It Can’t Be Done, Why Am I Looking At It? - Security Ripcord – Don Weber provides a technical examination on just how this malware exists and executes from an embedded state (as opposed to a call to an executable file) in the registry.

• Persistence is futile - SophosLabs blog – More notes on the malware.

That all reminded me of another (different technique…similar result) technique for hiding malware launch points in the Windows registry from a few years ago.

• Reports: Long Registry Names Could Hide Malware - eWeek

• Updated Windows Registry Concealment Info;Symantec AV Vulnerability  - SANS-ISC Blog – more analysis and a link to the “LVNSearch.exe” tool which can scan Windows registry hives and display long value names that typically do not display correctly in Windows (and thus hide the malware launch point) from regular reviews.

• Panda USB Vaccine with NTFS Support - Panda Research Blog – Notice of an updated version of the Panda USB Vaccine tool that prevents a USB device from being infected by a autorun malware modifier.  This new version now supports NTFS formatted USB devices…not that common to the general public but often seen in IT shops.

• Panda SafeCD 3.4.3.5 Released - Panda Research Blog – New LiveCD boot disk that allows for “off-line” scanning and cleaning of an infected system.

• New Virut Strain Blocks AV/Security Web sites - Fortinet FortiGuard Blog – Great analysis of a new malware strain that does some tricky things to both stay alive/hidden as well as block access by the local system to anti-virus/anti-malware websites.

Don’t just stay safe; stay informed!

--Claus V.