Full Disclosure mailing list archives
Re: Abusing Windows 7 Recovery Process
From: whizzbang () hush ai
Date: Sun, 14 Jul 2013 21:54:25 +0100
Genius! "Both McAfee RootKit Detective (http://vil.nai.com/vil/stinger/rkstinger.aspx) and SysInternals RootKitRevealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx), as well as others provide tools to do exactly this kind of detection, and of course, with a reputable AV/Malware product on your machine in the first place, the only way Stoned Bootkit is going to get a hold on your computer, is if someone physically puts it there."

We *were* talking about physical access, were we not, that being the point of the whole thread?

If anyone with any skills gets ahold of your machine then you'll be giving them your passphrase next time you think you're logging in, to use along with their image of said drive. By the time your given AV kicks in it'll be way too late. Maybe once the OS starts, everything has been rewritten as it once was? I guess if there's no remote access to be had from the box (to regain the stolen passphrase remotely) the attacker might have to gain physical access twice, but when they've already done it once then that's probably no great trick, eh. Or maybe your box now contains a little extra hardware that's shitting out your keystrokes elsewhere over various wireless technologies?

The point is, physical access is pretty much always game over, AFAIK.

When I said 'with a bootkit' I meant consider the technique, not go google 'bootkit' - sorry if I came across as flippant.

Good luck with McAfee protecting you against this type of thing :)

Oh wait - and the best bit from McAfee's page regarding this: "The adage, If you let your computer out of your sight, it's no longer your computer, rings true with this exploit."

On 14 July 2013 at 2:38 PM, "Alex" wrote:

> McAfee KB 66153
>
> On 14 July 2013 06:40:57, whizzbang () hush ai wrote:
>
> > > You didn't tell us how you cracked the full disc encryption. (There are
> > > ways around controls, but that is why we have multiple security
> > > layers.)
> >
> > With a bootkit, of course. (That is why we have multiple tools.)