I remember well the noise that was made when word of rootkits began to surface. They were nasty little suckers that threatened to bypass your security programs and load all kinds of nasty buggers onto your computer. It was one of these rootkits that got Sony BMG into really big trouble in 2005 when it was discovered that their music CDs were installing them as part of their DRM effort.
Well, it seems that the next generation of these horrors has now arrived on the scene, going by the name of ‘bootkits’, and these bootkits make the rootkits look like boy scouts. The one making the news was announced at the Black Hat conference, where its creator, 18-year-old Peter Kleissner, showed how his bootkit, called Stoned, could get past a TrueCrypt-encrypted partition and TrueCrypt system (full-disk) encryption.
Stoned, the bootkit, combines a rootkit with the ability to modify a PC’s Master Boot Record, which enables malware to be activated even before the operating system is started. Kleissner’s bootkit is able to infect all available 32-bit varieties of Windows from Windows 2000 to Windows Vista, along with the most current Release Candidate of Windows 7.
Stoned injects itself into the Master Boot Record (MBR), a record which remains unencrypted even if the hard disk itself is fully encrypted. During startup, the BIOS first calls the bootkit, which in turn starts the TrueCrypt boot loader. Kleissner says that he modified neither any hooks nor the boot loader itself to bypass the TrueCrypt encryption mechanism. The bootkit rather uses a “double forward” to redirect I/O interrupt 13h, which allows it to insert itself between the Windows calls and TrueCrypt. Kleissner tailored the bootkit for TrueCrypt using the freely available TrueCrypt source code.
Once the operating system has been loaded, Stoned can get to work and install malware, such as a banking trojan, on the system. Peter Kleissner, who is only 18 years old, has also included several plug-ins, for example a boot password cracker and a routine for infecting the BIOS. The framework layout of Stoned allows other programmers to develop their own plug-ins for the bootkit. Kleissner thinks that Stoned could also be of interest to investigation agencies, for example for developing a federal trojan.
Source: The H-Security :: Bootkit bypasses hard disk encryption
Interestingly enough, the bootkit will not work under two conditions. The first is when the computer boots through the successor to the BIOS, the Extensible Firmware Interface (EFI), which does not hand control to the MBR boot code and INT 13h path that Stoned relies on. The second is when the drive is encrypted using Windows’ own BitLocker, which on a machine with a TPM measures the early boot code (the MBR included) and will not release the volume key if that code has been changed.
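The practical point buried in the quoted description is that the MBR sits outside the encrypted volume, so a defender can still read it and compare it with a known-good copy. As an added illustration of that check (my own example, not code from The H article or from Kleissner’s Stoned), the C program below parses a 512-byte MBR, verifies the 0x55 0xAA signature and the partition table, hashes the 446-byte boot-code region against a recorded baseline, and then simulates a Stoned-style infection that rewrites the boot code while leaving the partition table and signature untouched. The sample MBR bytes and the “infection” patch are constructed for this example and are not Stoned’s real code; FNV-1a stands in for the SHA-256 a real baseline would use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a classic (non-GPT) MBR: 446 bytes of boot code, four 16-byte
 * partition entries, and the 0x55 0xAA signature at the end of the sector. */
#define MBR_SIZE          512
#define MBR_BOOTCODE_LEN  446
#define MBR_PTABLE_OFF    446
#define MBR_SIG_OFF       510

struct mbr_partition {
    uint8_t  status;     /* 0x80 = active/bootable */
    uint8_t  type;       /* partition type id, e.g. 0x07 for NTFS */
    uint32_t lba_start;  /* first sector, little-endian on disk */
    uint32_t sectors;    /* length in sectors */
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* FNV-1a 64-bit: a stand-in for the cryptographic hash a real baseline would use. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

int mbr_has_signature(const uint8_t mbr[MBR_SIZE]) {
    return mbr[MBR_SIG_OFF] == 0x55 && mbr[MBR_SIG_OFF + 1] == 0xAA;
}

int mbr_read_partition(const uint8_t mbr[MBR_SIZE], int idx, struct mbr_partition *out) {
    if (idx < 0 || idx > 3) return 0;
    const uint8_t *e = mbr + MBR_PTABLE_OFF + 16 * idx;
    out->status    = e[0];
    out->type      = e[4];
    out->lba_start = le32(e + 8);
    out->sectors   = le32(e + 12);
    return 1;
}

/* Hash of the boot-code region only; the partition table is deliberately excluded
 * because a bootkit has no reason to touch it and it changes legitimately. */
uint64_t mbr_bootcode_hash(const uint8_t mbr[MBR_SIZE]) {
    return fnv1a64(mbr, MBR_BOOTCODE_LEN);
}

/* Constructed sample: a clean MBR with a short boot stub and one NTFS partition
 * starting at LBA 2048. Not a real boot loader. */
void make_clean_mbr(uint8_t mbr[MBR_SIZE]) {
    static const uint8_t stub[] = { 0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB };
    static const uint8_t part0[16] = {
        0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
        0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00 };
    memset(mbr, 0, MBR_SIZE);
    memcpy(mbr, stub, sizeof stub);
    memcpy(mbr + MBR_PTABLE_OFF, part0, sizeof part0);
    mbr[MBR_SIG_OFF]     = 0x55;
    mbr[MBR_SIG_OFF + 1] = 0xAA;
}

/* Simulate a Stoned-style infection (constructed bytes, not Stoned's code): the
 * boot code is replaced so the BIOS runs the bootkit first, while the partition
 * table and signature are left intact so the disk still looks sane and the
 * original loader can be chained afterwards. */
void simulate_bootkit_infection(uint8_t mbr[MBR_SIZE]) {
    static const uint8_t hook[] = { 0xEB, 0x3C, 0x90 }; /* illustrative jmp over a patched region */
    memcpy(mbr, hook, sizeof hook);
    mbr[0x40] = 0x13; /* illustrative marker for the redirected INT 13h path */
}

/* Returns 1 when the checks behave as a defender wants: the clean MBR matches its
 * baseline, the infected one does not, yet the infected MBR still carries a valid
 * signature and an untouched partition table (so those checks alone would miss it). */
int demo_detects_tampering(void) {
    uint8_t clean[MBR_SIZE], dirty[MBR_SIZE];
    struct mbr_partition pc, pd;
    make_clean_mbr(clean);
    uint64_t baseline = mbr_bootcode_hash(clean);
    memcpy(dirty, clean, MBR_SIZE);
    simulate_bootkit_infection(dirty);
    if (mbr_bootcode_hash(clean) != baseline) return 0;
    if (mbr_bootcode_hash(dirty) == baseline) return 0;
    if (!mbr_has_signature(dirty)) return 0;
    if (!mbr_read_partition(clean, 0, &pc) || !mbr_read_partition(dirty, 0, &pd)) return 0;
    return pc.type == pd.type && pc.lba_start == pd.lba_start && pc.sectors == pd.sectors;
}

uint32_t sample_partition_lba(void) {
    uint8_t mbr[MBR_SIZE]; struct mbr_partition p;
    make_clean_mbr(mbr); mbr_read_partition(mbr, 0, &p); return p.lba_start;
}

int main(void) {
    printf("partition 0 starts at LBA %u\n", sample_partition_lba());
    printf("boot-code baseline check %s\n", demo_detects_tampering() ? "catches the infection" : "FAILED");
    return 0;
}
```

To use this against a real machine, record the baseline from a known-clean boot (on Linux, `dd if=/dev/sda bs=512 count=1` gives you the sector) and re-check it from a trusted environment, since a running bootkit can lie to anything that reads the disk through the hooked INT 13h path. Note that the infected copy still passes the signature and partition-table checks; that is why a bootkit survives a casual look at the disk, and it is also, in essence, the measurement that a TPM-backed BitLocker setup performs at every boot and one reason Stoned did not get past it.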
For anyone old enough, the use of Stoned as a name for this bootkit should bring back some memories, as this was also the name of a silly but irritating virus back in the late ’80s which I do remember quite well even though I never got hit by it.