back to article 0wning Vista from the boot

Federico Biancuzzi interviews Nitin and Vipin Kumar, authors of VBootkit, a rootkit that is able to load from Windows Vista boot-sectors. They discuss the "features" of their code, the support of the various versions of Vista, the possibility to place it inside the BIOS (it needs around 1,500 bytes), and the chance to use it to …


This topic is closed for new posts.

Is this Windows Only?

Could this technique be used on other systems such as Linux, Mac or even Symbian?

As the article mentions you can prevent it by using TPM - thought it's pretty impressive stuff!

Anonymous Coward

Re: Windows only

The technique, as the article mentions, has been about for a while used in such things as the old boot sector viruses.

It relies on some way of being able to run privileged code when a system boots. It then hooks the normal boot process and patches bits that follow so they don't notice it or wipe it out and optionally modify the behaviour of the bits that follow aka the "payload".

The exact patching would depend on the OS and its components being booted. So the technique would be usable under Linux but the patching would be different depending on the kernel version.

If applications scan for the presence of unexpected code things end up as a game of cat and mouse. It might, for example have to patch the OS executable loader, recognize the scanner binary and patch it after loading so it thinks everything is OK.

This topic is closed for new posts.


Biting the hand that feeds IT © 1998–2018