
Thread: the stoned bootkit

  1. #1
    BanMe

    the stoned bootkit

    Stoned bootkit is a new Windows bootkit which attacks all modern Windows versions. It is loaded before Windows starts and is memory resident up to the Windows Kernel. Thus Stoned is executed beside the Windows Kernel and has full access to the entire system. It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. Like in 1987, "Your PC is now Stoned! ..again".
    Quote from Peter Kleissner.

    The author's site is here: http://www.stoned-vienna.com/

    That seems mighty similar to my idea; I can't wait to see the open source.

    regards BanMe
    Last edited by BanMe; July 10th, 2009 at 11:44.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  2. #2
    Saaaaay wha? AFAIR eEye did it first for the public in 2005. After that it became a widespread idea.

  3. #3
    BanMe
    I'm well aware of that.. though this one is a lot more useful and it's gonna be open source.

  4. #4
    Mhm, well then http://www.piotrbania.com/all/kon-boot/ is also worth looking at. (Despite the fact it's not open source.)

  5. #5
    dELTA (Administrator)
    Quote Originally Posted by BanMe:
    though this one is a lot more useful and it's gonna be open source
    Search that web site again for this exact quote (or your name "BanMe")... He actually put it up there as a user quote.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  6. #6
    Just had a look at their website... seems one hell of a project.
    Found in the OpenGL header file for Visual C++ 6: 'typedef GLint int '. AAAARRRRGGGHHHH!!! [Don't get it? You're not a C programmer.]

    A hacker does for love what others would not do for money.

    Being married to a programmer is like having a cat. You talk to it but you're never really sure if it hears you, much less comprehends what you say.

  7. #7
    BanMe
    That is pretty cool. I've only been referenced in ug hacks for games, but this is different; I guess this is a good thing.

    regards BanMe

  8. #8
    I still think it's overhyped. Bootkits are well known among security-related people (or at least they should be); even if stoned-bootkit is better than previous bootkits, it would still be nothing new, just better. Oh, and the fact that you can beat TrueCrypt -- AFAIR Joanna talked about it in one of her blog posts. http://theinvisiblethings.blogspot.com/2009/01/why-do-i-miss-microsoft-bitlocker.html

    And some quotes from the site:
    "I didn't know there was even a word for that" - July 3, Metalab Vienna, in response to the term 'bootkit'
    Nothing to be proud of.

    "…and that is why I use Linux." - macpablo (macpablodesigns.com) when he first heard about that on a podcast
    Well, you can use Linux/BSD/Solaris/OSX/et cetera (they are all flavours of Unix in the end), but that's not the key. As I said earlier -- check kon-boot.

    "though this one is a lot more useful and it's gonna be open source" - user BanMe in forums in response to eEye's BootRoot which is a dedicated attack only
    I would like to change that -- in response to stoned-bootkit is nothing new -- (Because that's why I have written previous post. Idea not implementation.)

    Nevertheless keep up good work Peter.

  9. #9
    BanMe
    What do you mean by overhyped? He uses the regular channels? He works at making people interested in his project by showing it to people and making it open source?

    Quote Originally Posted by cli3nt:
    I would like to change that -- in response to stoned-bootkit is nothing new -- (Because that's why I have written previous post. Idea not implementation.)
    Well, ideas are meant to be built upon; there is never "really" anything new.. you don't just come up with the wheel and forget about it.. you build upon it.. especially if you're envisioning a 'car' (Henry Ford reference there if you missed it). This applies to everything.. (fact)

    So there is no real reason to get all huffy about it.. (another tire reference..)
    "But to each his own", I guess.

    regards BanMe

  10. #10
    Quote Originally Posted by BanMe:
    What do you mean by overhyped? He uses the regular channels? He works at making people interested in his project by showing it to people and making it open source?
    Well, I think he put too much effort into advertising his product + it's nothing new = and because of that I think it's overhyped right now. Open source doesn't matter here.

    Quote Originally Posted by BanMe:
    Well, ideas are meant to be built upon; there is never "really" anything new.. you don't just come up with the wheel and forget about it.. you build upon it.. especially if you're envisioning a 'car' (Henry Ford reference there if you missed it). This applies to everything.. (fact)
    I can't fully agree (because there are many exceptions), but in general OK, let it be; nonetheless, that's not the case. I don't like it when someone twists my words, and he did that. Didn't he?

    Quote Originally Posted by BanMe:
    So there is no real reason to get all huffy about it.. (another tire reference..)
    "But to each his own", I guess.
    I suppose, in the end, I can agree fully on this one.

    Well too much talking from me about such silly matter. (4 posts here already. Too much :P.)
    Peace & code
    Last edited by cli3nt; July 15th, 2009 at 13:22.

  11. #11
    More to the point though: practically speaking, how would one go about detecting one of these bootkits?

  12. #12
    Well if you can get your app to start before the bootkit, you will be able to see it.

    That means you need a prebootkit bootkit.

    Think ring -3

    Woodmann

  13. #13
    BanMe
    @Snatch: there are various ways to go about it..

    MBR analysis, while the computer is on, from user mode or kernel mode. This can also be done while the hard drive is 'dormant' by attaching it to another computer and doing direct low-level disc scanning.

    Also, as Woodmann stated, if you can get an application running before the bootkit you can detect it; it's more a ring -1 or hypervisor solution. Some ASUS motherboards have a Linux OS that runs straight on the motherboard.. but then this also opens up the vector of attack directly to the motherboard.

    But these solutions are all just band-aids for after-the-fact infection detection.. I am more into the idea of before-the-fact infection prevention, as most rootkits and bootkits come with some 'installer'.. I use the word 'installer' lightly because it could be a true 'installer' or it could be an exploit install. The regular installer method more than likely requires administrative privileges to write to the MBR; the exploit install method only requires that the user under attack by the exploit be an administrative user or uses some form of privilege escalation.

    But both methods have a lot of things in common..

    Both have to use NtCreateFile or NtOpenFile to gain access to the hard drive.
    Both have to read from and write to the MBR.. NtReadFile, NtWriteFile..
    Both have to place files on the disc.. so that the bootkit actually performs its duty..
    Both have to gain execution of a thread at some point to do all or most of this work for them..


    Regards BanMe

  14. #14
    There is also the possibility of using a Linux boot CD, or something of that sort, that once loaded could mount the HD and read the MBR. All one would need would be a small program that could check the validity of the "fixed parts" of the MBR. Do that for all Windows versions, and you have the ability to detect tampering.

    It's a good idea, but I think you need to get in lower to truly be immune.

  15. #15
    Interesting thoughts! A boot app for detection would be a nice solution though I don't recall ever seeing any before.
    I was thinking the Windows boot CD FixMBR utility would be enough to eliminate the bootkit unless it had hacked other autoruns to rehack the MBR in case it is fixed. Even if you dump the MBR with a boot disc, how would you know if it is a legitimate Microsoft MBR or a hacked one? Without something to compare with, it seems like it could still be difficult to detect.
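One way to carry out the offline check discussed in posts #13, #14 and #15 (an added example, not code from this thread or from the Stoned project): parse a 512-byte MBR dump into its fixed parts, verify the 0x55AA signature and partition table, and compare the boot-code area against a known-good hash so a tampered dump can be told apart from a legitimate one. The MBR bytes and the baseline hash here are constructed for the example; on a real machine the dump would be read from the drive via a boot CD or a second computer, and the baseline hash taken from a clean install of the same Windows version.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440   # bootstrap code, the part a bootkit overwrites
PART_TABLE_OFF = 446  # four 16-byte partition entries follow the disk signature

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into its fixed parts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "start_lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
        "partitions": parts,
        "valid_signature": mbr[510:] == b"\x55\xaa",
    }

def check_mbr(mbr: bytes, known_good_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from known-good baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample (not a real Windows MBR): dummy boot code, one NTFS entry."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 100000)
    return code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"

# Constructed baseline, standing in for a hash taken from a clean install.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Same MBR with its first boot-code byte patched, as a tampered dump would look.
TAMPERED_MBR = b"\xeb" + CLEAN_MBR[1:]
```

Running `check_mbr(TAMPERED_MBR, BASELINE_SHA256)` reports the boot-code mismatch while the clean dump yields no findings; the partition table alone cannot tell the two apart, which is why the baseline hash is needed.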
