PaulDotCom mailing list archives
Bootkits to the next level
From: dninja at gmail.com (Robin Wood)
Date: Sun, 28 Jun 2009 11:24:09 +0100
2009/6/26 Rob Fuller <jd.mubix at gmail.com>:
> So all of this is just theoretical right now so it's probably flawed somewhere, but that's what y'all are for ;-) When I first heard the word "bootkit" my mind went instantly to boot CD/USB. The guest in Episode 154, though, was talking about more of a payload that gets delivered in malware that somehow (I'm thinking by editing the boot params just like you do for dual booting) infects the machine. Well, let's ride down my road a bit. You kinda need physical access to put a CD or USB in the drive, right? Hmm, not so much. With the push for virtualization, people already have most of their most precious information on virtual machines. And how does VMware install their VMware Tools? ;-) Now you are starting to see where I am going. Here is the theoretical "what if": an attacker pushed the mounting of a CD / USB drive to a server, bypassing or breaking the authentication to do so (although I don't think there is any, kinda like the old days before sessions, of directly accessing the admin page, bypassing the login page). Then waiting for a reboot to happen, or just causing one yourself. Wam bam, thank you ma'am. Now I hope I am totally wrong, but hopefully this got you thinking in a new direction.
Don't know if it is just VirtualBox, but if I have a CD mounted that has autorun on it, the autorun gets run whenever the machine is suspended and resumed. Does this go for VMware as well? I rarely reboot my VMs but I do suspend and resume them quite frequently.

Robin