|2015||LSZ Security & Risk Management Congress 2015||Security in Austria||Website|
|2015||7th Cyber Intelligence Event||Cybercrime Organizations||Website|
|2014||BotConf'14||Virus Tracker||Website | PDF | Video|
|2014||LSZ Security & Risk Management Congress 2014||Your Industrial Espionage|
|2014||6th Cyber Intelligence Event||Your Industrial Espionage|
|2013||5th Cyber Intelligence Event||IT Security im Wandel der Zeit|
|2013||Tiroler IT Day||Security in main stream media|
|2013||Deutsche Bank||Banks and Security|
|2012||Testing & Finance||Online Crooks, Governments, Banks, You and me!||Website|
|2011||Testing & Finance||Industrial Espionage|
|2011||European Bitcoin Conference||Bitcoin Malware||Website|
|2011||MalCon||The Art of Bootkit Development||Power Point|
|2010||Madrid CERT||Industrial Espionage|
|2009||DeepSec IDSC||Stoned déjà vu – again|
|2009||Hacking at Random||The Rise of MBR Rootkits & Bootkits in the Wild|
|2009||Black Hat USA||Stoned Bootkit||Website | PDF|
|2011 October||Analysis of German Bundestrojaner|
|2010 November||Advanced analysis of the 2010-11-24 local Windows kernel exploit|
|2010 March||Identifying Source Code|
|2010 June||Analysis of Mebratix|
|2010 July||Popsomp Hills|
|2010 January||Compiling Shellcode|
|2010 February||Elevated rights, process token and security identifier|
|2010 February||Abusing the TrueCrypt driver|
|2010 February||Nothing new: Msvcrt.dll|
|2009 May||The Old New Thing About Development|
|2009 March||Pagefile Attack|
|2009 March||Analysing the PDF Exploit|
|2009 June||Anti Windows Product Activation|
|2009 January||Analysis of Conficker|
|2009 January||CIPAV (Computer and Internet Protocol Address Verifier)|
|2009 February||Windows Exception Handling|
|2009 April||Software Watermarking|
|2009 April||Analysis of Stoned|
|2008 September||The Magic of Bootkits|
|2008 October||Analysis of Sinowal|
|2008 November||Advanced Analysis of Sinowal|
|2008 July||Polymorphic Encryption Methods|
|2008 December||Microsofts Rich Header|
|2008 August||Presentation: Writing a Boot Scan Engine|
The Art of Bootkit Development is my new presentation released on November 25, 2011 at MalCon 2011. It features a new bootkit called Stoned Lite that attacks Windows 8 Developer Preview.
Windows 8 Bootkit Demo from Peter Kleissner on Vimeo.
Download The Art of Bootkit Development Paper.
Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from 2000 up to 7. It is loaded before Windows starts and is memory resident up to the Windows kernel. Thus Stoned gains access to the entire system. It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. The project is partly published as open source under the European Union Public License. Like in 1987, "Your PC is now Stoned! ..again".
Download Source Code (Important: The Stoned Bootkit is out of date. Take a look at other projects if you want to learn something.)
Other links related to the project:
Frequently Asked Questions
What is Stoned Bootkit and why should you concern? A bootkit is a boot virus that is able to hook and patch Windows to get load into the Windows kernel, and thus getting unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted. The master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one's secure! For whom is Stoned Bootkit interesting? 1. Black Hats 2. Law enforcement agencies 3. Microsoft Why is Stoned something new? Because it is the firts bootkit that.. - attacks Windows XP, Sever 2003, Windows Vista, Windows 7 with one single master boot record - attacks TrueCrypt full volume encryption - has integrated FAT and NTFS drivers - has an integrated structure for plugins and boot applications (for future development) With Stoned Bootkit you can install any software (for example a trojan) on any computer running Windows without knowing any password, even when the hard disk is fully encrypted. Can the BIOS MBR protection prevent the attack? No, because the BIOS is not called to write the MBR to disk. Windows has its own native hard disk drivers that are directly accessing the hard disk. The MBR protection in the BIOS works only with DOS and Windows 95/98. Can hardware encryption prevent the attack? Only for physical access. The attack is still possible under a running Windows because the hardware encryption is a layer below. The Stoned software will be stored encrypted by the hardware encryption and decrypted on startup, so it still becomes active on startup. How can Stoned be removed? In the framework, execute Restore.exe from the 'Executables' directory. Alternatively you can use the Windows Recovery Console (from the installation boot CD) and run 'fixmbr' for Windows XP/2003 and 'bootrec /FixMbr' for Windows Vista. That command overwrites the master boot record with the default one and thus overwrites Stoned. How can Stoned be installed? There is the Windows infector (Infector.exe in the framework), the Live CD (physical access) and the PDF infector (using an exploit to infect the system when the PDF is viewed) available. See below for more information.
Stoned is able to bypass the full volume encryption of TrueCrypt. It allows installing a trojan to a computer that's hard disk is full encrypted. Let's take a look at the technical part. For TrueCrypt encryption there are two scenarios:
The trick is that the master boot record is never encrypted - and thus can be safely overwritten and used for our own boot 'software'. For the first case additional data such as plugins, the original master boot record backup or further code can be stored to unpartitioned space. For the second case the whole Windows attacking code must fit into the master boot record, into the 63 sectors minus the decryption software. TrueCrypt has free 7 sectors where Stoned Bootkit still fits, so even full volume encryption is no problem.
My personal notebook has the system partition encrypted with TrueCrypt. I showed at Black Hat USA 2009 live that Stoned Bootkit was able to bypass that and could pwn my own system.
cmd.exe Privilege Escalation
Thanks to Vipin & Nitin Kumar for providing me their cmd.exe privilege escalation attack (source code together with some more detailed information). I rewrote a driver in C that does that job - overwriting the security token of cmd.exe with the one of services.exe. It waits until the image "whoami.exe" is loaded and escalates the rights of the cmd.exe process. An attacker can use this in the real world for example as root shell on a target system (with physical access). Take a look at the kernel debug output generated from the driver:
Image Load: \Device\HarddiskVolume1\Programme\Support Tools\whoami.exe Found Process: System Found Process: smss.exe Found Process: csrss.exe Found Process: winlogon.exe Found Process: services.exe System Service Security Token: e17c04ea Overwriting old Security Token: e1445036 cmd.exe privilege escalated successfully!
(Left to right): Windows XP SP2, Windows Vista, Windows 7 RC pwned (take a look at whoami.exe, changes from Peter Kleissner to NT-AUTHORITY\SYSTEM and cmd.exe runs under SYSTEM rights as opposed in the task manager)
You may download the Windows 7 RC + TrueCrypt attack demonstration high quality video (11,7 MB) here. Please download and read TrueCrypt Foundation's mail about the attack here. The whole mailings with the TrueCrypt Foundation can be found in the framework in the directory "TrueCrypt".
It has been sucessfully tested and verified on following systems:
Windows 2000 SP4 Windows XP SP2 Windows XP SP3 Windows Server 2003 Windows Server 2003 R2 SP2 Windows Vista Windows Vista SP1 Windows Server 2008 Windows 7 Build 6801 Windows 7 Beta Windows 7 RC Windows 7 DiskCryptor 0.7 DiskCryptor 0.8 TrueCrypt 6.1a TrueCrypt 6.2 TrueCrypt 6.2a Bochs 2.4.1 VMware Workstation 6.5.0 EeePC 901 Windows XP SP3 Dell Studio XPS 16 Windows Vista SP1
The next version of Stoned is currently under development. The next version is going to be more sophisticated than ever. Features:
In future Stoned will be developed and published by my startup company Insecurity Systems.
Please participate the Stoned Beta Program (see below) to retrieve a copy of Stoned v2 (it is not public available).
Live CD with Stoned v2 Infector
You can create your own Live CD using Windows PE from the Windows Automated Installation Kit:
(You can use the explorer to copy the Stoned executable to \Stoned\Stoned Infector.exe or the shell:) 1. Create a directory Stoned (in explorer) or in shell "mkdir C:\winpe_x86\mount\Stoned" 2. Copy the Stoned infector executable "copy Infector.exe "C:\winpe_x86\mount\Stoned\Stoned Infector.exe"" That Stoned is executed, create a "Winpeshl.ini" file in the \Windows\System32 directory with following contents: [LaunchApp] AppPath = "%SYSTEMDRIVE%\Stoned\Stoned Infector.exe"
You have now your own "law enforcement agency"-like software installer.
This is a useful application of Stoned, probably most important for law enforcement agencies. You can take the CD (or USB stick!), go to any computer (even if fully encrypted) and install your own software with Stoned on it (of course payload customizations are required). Custom development with Stoned as code base is now provided by Insecurity Systems.
They'll stone you when you're trying to be so good They'll stone you just like they said they would They'll stone you when you're trying to go home They'll stone you when you're there all alone But I would not feel so all alone Everybody must get Stoned
PDF with Stoned v2 Infector
You can create now your own PDF with malcode that executes the Stoned infector! The PDF Infector will infect the system when the PDF is viewed! 1. We use the new PDF exploit available from http://milw0rm.org/exploits/9579, download the package. It works for Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 and Windows XP. You need Pyhton 2 and Visual C++ installed (both free available). 2. Open the "Visual Studio 2008-Eingabeaufforderung" (Visual Studio command line prompt) Download the source code for the dropper that downloads the infector from the internet and executes it. Save it as Stoned.c and run "cl /LD Stoned.c": Unfortunately this specific PDF exploit does not allow big files as payload, so the infector cannot directly be embedded into the PDF (only the small dropper which downloads it from the internet). However, for other exploits, you can use the dll version of the infector (a LoadLibrary will do it). 3. Create the malicious PDF, in the package execute: evil_pdf.py Stoned.pdf Stoned.dll You should also consider changing the displayed text of the PDF to something trustworthy, use CAD-KAS PDF Editor to edit the Stoned.pdf. 4. Everyone who opens Stond.pdf get's stoned! Download the PDF infector (Warning, infects when viewing!)
Changes (a bit more historic now)
The old out-dated changelog:
[Stoned v2 Alpha 1 06.08.2009] + infecting all PhysicalDriveN with MBR + infecting all logical drives (A:, B:, etc.) with Stoned directories + updates now MBR and all files (preserves MBR backups) + takes care of previous MBR backups and backs up never a Stoned MBR (to prevent possible endless loops) + takes care of GUID Partition Table drives and drives without partition tables + deleting itself after exiting + USB Autorun.inf infection * No unauthorized abuse! + User Interface + Detection of TrueCrypt and displaying information about it Stoned v2 Alpha 1 was available with the Stoned Beta Program, you find it now in the framework under the executables directory. [Stoned v2 Alpha 2 13.09.2009] + added CDFS driver (for reading from CD/DVD/BD) + native Stoned CD, infection only in memory + out-sourced MBR spoofing in pre-boot to plugin "MBR Spoof" + re-design of chainloading + debug/free releases of the software + new installation method! PDF infector or dropper + Live CD has now removal functionality + You can start an hex editor (HxD) on the Live CD This version is only available via the PDF infector. [Stoned v2 Alpha 3 20.10.2009] + added multiple programs to be executed on the Live CD (HxD, Raw Registry Editor) + added Remote Surveillance Tool (non-public version only) + Exe Loader added -> start any executable from the bootkit (non-public version only) + Live CD now multilingual available (English, French) + Installing Whoami.exe and launching cmd.exe on the Live CD This version is published in the framework (in the executables directory). It is the last public version. Future versions will be only released at the Stoned Mailing List.