Discussion:
TrueCrypt Cracked
(too old to reply)
John Smith
2009-08-05 06:44:32 UTC
Permalink
Raw Message
Bootkit bypasses hard disk encryption

At the Black Hat security conference, Austrian IT security specialist
Peter Kleissner presented a bootkit called Stoned which is capable of
bypassing the TrueCrypt partition and system encryption. A bootkit
combines a rootkit with the ability to modify a PC's Master Boot Record,
enabling the malware to be activated even before the operating system is
started.

Available as source code, Kleissner's bootkit can infect any currently
available 32-bit variety of Windows from Windows 2000 to Windows Vista
and the Windows 7 release candidate. Stoned injects itself into the
Master Boot Record (MBR), a record which remains unencrypted even if the
hard disk itself is fully encrypted. During startup, the BIOS first
calls the bootkit, which in turn starts the TrueCrypt boot loader.
Kleissner says that he neither modified any hooks, nor the boot loader,
itself to bypass the TrueCrypt encryption mechanism. The bootkit rather
uses a "double forward" to redirect I/O interrupt 13h, which allows it
to insert itself between the Windows calls and TrueCrypt. Kleissner
tailored the bootkit for TrueCrypt using the freely available TrueCrypt
source code.

Stoned Bootkit

Once the operating system has been loaded, Stoned can get to work and
install malware, such as a banking trojan, in the system. Peter
Kleissner, who is only 18 years old, has also included several plug-ins,
for example a boot password cracker and a routine for infecting the
BIOS. The framework layout of Stoned allows other programmers to develop
their own plug-ins for the bootkit. Kleissner thinks that Stoned could
also be of interest to investigation agencies, for example for
developing a federal trojan.

Once installed, Stoned cannot be detected with traditional anti-virus
software because no modifications of Windows components take place in
memory, says Kleissner. Stoned runs in parallel with the actual Windows
kernel. Even an anti-virus function in the BIOS can't stop the bootkit,
as modern Windows versions modify the MBR without referring to the BIOS.

However, administrator privileges or physical access to a system are
required for an infection. At present, only machines running the
traditional BIOS are vulnerable. The attack is unsuccessful when the
BIOS successor the Extensible Firmware Interface (EFI) is at work on the
motherboard. The most effective protection appears to be encrypting the
entire hard disk with software that is based on the Trusted Platform
Module (TPM).

For instance, using Windows' own BitLocker encryption mechanism is said
to be a reliable antidote, because an infected MBR's hash value no
longer corresponds to the hash value stored in the TPM, prompting the
TPM to abort the boot process. Kleissner didn't have an answer to the
question whether a hardware-encrypted hard disk is capable of preventing
an infection.

(Uli Ries)
Carsten Krueger
2009-08-05 13:24:50 UTC
Permalink
Raw Message
Post by John Smith
At the Black Hat security conference, Austrian IT security specialist
Peter Kleissner presented a bootkit called Stoned which is capable of
bypassing the TrueCrypt partition and system encryption.
It can't.
The user has to enter the truecrypt password at an altered system.
Post by John Smith
However, administrator privileges or physical access to a system are
required for an infection.
That's the point. If hidden physical access is possible you can install
hardware keyloger, cameras, etc.
If malware has administrator privileges on running system, it can do
everything it want.

Stoned is only yet another small rootkit that lives in MBR.
Post by John Smith
For instance, using Windows' own BitLocker encryption mechanism is said
to be a reliable antidote, because an infected MBR's hash value no
longer corresponds to the hash value stored in the TPM, prompting the
TPM to abort the boot process.
It's not reliable. If anyone has hidden physical access or malware runs
with administrator privileges ...

greetings
Carsten
--
ID = 0x2BFBF5D8 FP = 53CA 1609 B00A D2DB A066 314C 6493 69AB 2BFB F5D8
http://www.realname-diskussion.info - Realnames sind keine Pflicht
http://www.spamgourmet.com/ + http://www.temporaryinbox.com/ - Antispam
cakruege (at) gmail (dot) com | http://www.geocities.com/mungfaq/
Carsten Krueger
2009-08-05 13:24:50 UTC
Permalink
Raw Message
Post by John Smith
At the Black Hat security conference, Austrian IT security specialist
Peter Kleissner presented a bootkit called Stoned which is capable of
bypassing the TrueCrypt partition and system encryption.
It can't.
The user has to enter the truecrypt password at an altered system.
Post by John Smith
However, administrator privileges or physical access to a system are
required for an infection.
That's the point. If hidden physical access is possible you can install
hardware keyloger, cameras, etc.
If malware has administrator privileges on running system, it can do
everything it want.

Stoned is only yet another small rootkit that lives in MBR.
Post by John Smith
For instance, using Windows' own BitLocker encryption mechanism is said
to be a reliable antidote, because an infected MBR's hash value no
longer corresponds to the hash value stored in the TPM, prompting the
TPM to abort the boot process.
It's not reliable. If anyone has hidden physical access or malware runs
with administrator privileges ...

greetings
Carsten
--
ID = 0x2BFBF5D8 FP = 53CA 1609 B00A D2DB A066 314C 6493 69AB 2BFB F5D8
http://www.realname-diskussion.info - Realnames sind keine Pflicht
http://www.spamgourmet.com/ + http://www.temporaryinbox.com/ - Antispam
cakruege (at) gmail (dot) com | http://www.geocities.com/mungfaq/
Loading...