Peter Kleissner is an entrepreneur, programmer and security analyst. Since 2013 Peter has been involved with his start-up company Kleissner & Associates, which is based in Prague (Czech Republic). Before that he worked for an anti-virus company and a bank. Peter is a speaker at various conferences such as Black Hat, Botconf and Hacking at Random.

His main operating fields are Windows security and analysis of new malware. Important projects include the analysis of the Sinowal banking trojan and the development of the Stoned Bootkit, a research project to subvert the Windows security model.

You can contact Peter by email at info@kleissner.org or follow him on Twitter.

Conferences

| Year | Conference | Talk | Links |
|------|------------|------|-------|
| 2015 | IAEA International Conference on Computer Security in a Nuclear World | Internet Attacks Against Nuclear Power Plants | Website, Paper, Presentation |
| 2015 | LSZ Security & Risk Management Congress 2015 | Security in Austria | Website |
| 2015 | 7th Cyber Intelligence Event | Cybercrime Organizations | Website |
| 2014 | BotConf'14 | Virus Tracker | Website, PDF, Video |
| 2014 | LSZ Security & Risk Management Congress 2014 | Your Industrial Espionage | |
| 2014 | 6th Cyber Intelligence Event | Your Industrial Espionage | |
| 2013 | 5th Cyber Intelligence Event | IT Security im Wandel der Zeit | |
| 2013 | Tiroler IT Day | Security in main stream media | |
| 2013 | Deutsche Bank | Banks and Security | |
| 2012 | Testing & Finance | Online Crooks, Governments, Banks, You and me! | Website |
| 2011 | Testing & Finance | Industrial Espionage | |
| 2011 | European Bitcoin Conference | Bitcoin Malware | Website |
| 2011 | MalCon | The Art of Bootkit Development | Power Point |
| 2010 | Madrid CERT | Industrial Espionage | |
| 2009 | DeepSec IDSC | Stoned déjà vu – again | |
| 2009 | Hacking at Random | The Rise of MBR Rootkits & Bootkits in the Wild | PDF |
| 2009 | Black Hat USA | Stoned Bootkit | Website, PDF |
Papers, presentations and additional materials (proof-of-concept code) are available on the conference websites and upon request.

Analysis

2011 October – Analysis of German Bundestrojaner
2010 September – Entropy
2010 November – Advanced analysis of the 2010-11-24 local Windows kernel exploit
2010 March – Identifying Source Code
2010 June – Analysis of Mebratix
2010 July – Popsomp Hills
2010 January – Compiling Shellcode
2010 February – Elevated rights, process token and security identifier
2010 February – Abusing the TrueCrypt driver
2010 February – Nothing new: Msvcrt.dll
2009 May – The Old New Thing About Development
2009 March – Pagefile Attack
2009 March – Analysing the PDF Exploit
2009 June – Anti Windows Product Activation
2009 July – Kon-Boot
2009 January – Analysis of Conficker
2009 January – CIPAV (Computer and Internet Protocol Address Verifier)
2009 February – Windows Exception Handling
2009 April – Software Watermarking
2009 April – Analysis of Stoned
2008 September – The Magic of Bootkits
2008 October – Analysis of Sinowal
2008 November – Advanced Analysis of Sinowal
2008 July – Polymorphic Encryption Methods
2008 December – Microsoft's Rich Header
2008 August – Presentation: Writing a Boot Scan Engine

Virus Tracker

Virus Tracker was presented by Peter at BotConf'14. Download the PDF here or watch it below:


The Art of Bootkit Development

The Art of Bootkit Development is my new presentation released on November 25, 2011 at MalCon 2011. It features a new bootkit called Stoned Lite that attacks Windows 8 Developer Preview.

Windows 8 Bootkit Demo from Peter Kleissner on Vimeo.

Download The Art of Bootkit Development Paper.


Stoned Bootkit

Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from 2000 up to 7. It is loaded before Windows starts and is memory resident up to the Windows kernel. Thus Stoned gains access to the entire system. It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. The project is partly published as open source under the European Union Public License. Like in 1987, "Your PC is now Stoned! ..again".

Download Source Code (Important: The Stoned Bootkit is out of date. Take a look at other projects if you want to learn something.)

Other links related to the project:

"A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It's a very interesting type of rootkit." - Robert Hensing about bootkits.

Frequently Asked Questions

What is Stoned Bootkit and why should you be concerned?

A bootkit is a boot virus that hooks and patches Windows in order to get itself loaded into the Windows kernel, thereby gaining unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted. The master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one's secure!

For whom is Stoned Bootkit interesting?

1. Black Hats
2. Law enforcement agencies
3. Microsoft

Why is Stoned something new?

Because it is the first bootkit that:

  - attacks Windows XP, Server 2003, Windows Vista, Windows 7 with one single master boot record
  - attacks TrueCrypt full volume encryption
  - has integrated FAT and NTFS drivers
  - has an integrated structure for plugins and boot applications (for future development)

With Stoned Bootkit you can install any software (for example a trojan) on any computer running Windows without knowing any password, even when the hard disk is fully encrypted.

Can the BIOS MBR protection prevent the attack?

No, because the BIOS is not called to write the MBR to disk. Windows has its own native hard disk drivers that are directly accessing the hard disk. The MBR protection in the BIOS works only with DOS and Windows 95/98.

Can hardware encryption prevent the attack?

Only against physical access. The attack is still possible under a running Windows because the hardware encryption is a layer below it. The Stoned software will be stored encrypted by the hardware encryption and decrypted on startup, so it still becomes active at boot.

How can Stoned be removed?

In the framework, execute Restore.exe from the 'Executables' directory. Alternatively you can use the Windows Recovery Console (from the installation boot CD) and run 'fixmbr' for Windows XP/2003 and 'bootrec /FixMbr' for Windows Vista. That command overwrites the master boot record with the default one and thus overwrites Stoned.

How can Stoned be installed?

There is the Windows infector (Infector.exe in the framework), the Live CD (physical access) and the PDF infector (using an exploit to infect the system when the PDF is viewed) available. See below for more information.

TrueCrypt Attack

Stoned is able to bypass the full volume encryption of TrueCrypt. It allows installing a trojan on a computer whose hard disk is fully encrypted. Let's take a look at the technical part. For TrueCrypt encryption there are two scenarios:

  1. Only the system partition is encrypted; the master boot record, unpartitioned space and the host protected area stay unencrypted
  2. Full volume encryption, where only the master boot record stays unencrypted

The trick is that the master boot record is never encrypted - and thus can be safely overwritten and used for our own boot 'software'. In the first case additional data such as plugins, the original master boot record backup or further code can be stored in unpartitioned space. In the second case the whole Windows attacking code must fit into the master boot record area, i.e. into the 63 sectors of the first track minus the decryption software. TrueCrypt leaves 7 sectors free, and Stoned Bootkit still fits into them, so even full volume encryption is no problem.
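From the defender's side, the point made above (the first track of the disk stays unencrypted, so a bootkit has to live in the MBR or the free sectors behind it) also tells you exactly what to baseline and re-check. The script below is an added example, not code from the Stoned project or its author: it parses the MBR, records hashes of the bootstrap code, the partition table and each of the 63 sectors of a known-good first track, and reports what changed on a later read. The disk images are constructed in memory; reading a real drive (for example the first 63 sectors of \\.\PhysicalDrive0 on Windows, with administrator rights) is assumed to be done by the caller, and the findings are what you would want to see before deciding whether a 'fixmbr' is warranted.

```python
"""Boot-track integrity check (added example; not part of the Stoned project)."""
import hashlib
import struct

SECTOR = 512            # bytes per sector
TRACK_SECTORS = 63      # classic first track: MBR plus 62 sectors before the first partition
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector0: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition table and signature."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:                          # type 0 marks an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": num_sectors})
    return {
        "bootstrap": sector0[:446],
        "partitions": entries,
        "valid_signature": sector0[510:512] == MBR_SIGNATURE,
    }


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_track(track: bytes) -> dict:
    """Record a known-good first track: bootstrap hash, partition table and per-sector hashes."""
    if len(track) != SECTOR * TRACK_SECTORS:
        raise ValueError("expected %d bytes" % (SECTOR * TRACK_SECTORS))
    mbr = parse_mbr(track[:SECTOR])
    return {
        "bootstrap": _sha256(mbr["bootstrap"]),
        "partitions": mbr["partitions"],
        "sectors": [_sha256(track[i * SECTOR:(i + 1) * SECTOR]) for i in range(TRACK_SECTORS)],
    }


def check_track(track: bytes, base: dict) -> list:
    """Compare a freshly read first track against the baseline; return human-readable findings."""
    findings = []
    mbr = parse_mbr(track[:SECTOR])
    if not mbr["valid_signature"]:
        findings.append("MBR signature 0x55AA missing")
    if _sha256(mbr["bootstrap"]) != base["bootstrap"]:
        findings.append("MBR bootstrap code changed")
    if mbr["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    empty = _sha256(bytes(SECTOR))
    for i in range(1, TRACK_SECTORS):           # sector 0 is covered by the checks above
        current = _sha256(track[i * SECTOR:(i + 1) * SECTOR])
        if current != base["sectors"][i]:
            note = " (was empty)" if base["sectors"][i] == empty else ""
            findings.append("sector %d changed%s" % (i, note))
    return findings


def build_sample_track(bootstrap: bytes) -> bytes:
    """Constructed sample: one NTFS-type partition starting at LBA 63, rest of the track zeroed."""
    code = bootstrap.ljust(446, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
    mbr = code + entry + b"\x00" * 48 + MBR_SIGNATURE
    return mbr + b"\x00" * (SECTOR * (TRACK_SECTORS - 1))


# Constructed known-good image versus the same image after the bootstrap code and one
# of the free sectors have been rewritten (the two places the text above says an
# unencrypted-track bootkit has to use). The byte values are arbitrary.
GOOD_TRACK = build_sample_track(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
_modified = bytearray(GOOD_TRACK)
_modified[0:8] = b"\xeb\x3e\x90STONE"                    # different bootstrap bytes
_modified[40 * SECTOR:40 * SECTOR + 4] = b"\xb8\x00\x02\xcd"  # code in a previously empty sector
BAD_TRACK = bytes(_modified)


def demo() -> list:
    """Baseline the good image and check the modified one."""
    return check_track(BAD_TRACK, baseline_track(GOOD_TRACK))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real system the baseline would be taken right after installation (or after a trusted 'fixmbr') and stored off the machine, since anything kept on the disk itself is reachable by the same code that rewrites the MBR.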

My personal notebook has the system partition encrypted with TrueCrypt. I showed live at Black Hat USA 2009 that Stoned Bootkit was able to bypass that and could pwn my own system.

cmd.exe Privilege Escalation

Thanks to Vipin & Nitin Kumar for providing me with their cmd.exe privilege escalation attack (source code together with some more detailed information). I rewrote a driver in C that does that job - overwriting the security token of cmd.exe with the one of services.exe. It waits until the image "whoami.exe" is loaded and escalates the rights of the cmd.exe process. An attacker can use this in the real world for example as a root shell on a target system (with physical access). Take a look at the kernel debug output generated by the driver:

Image Load: \Device\HarddiskVolume1\Programme\Support Tools\whoami.exe
Found Process: System
Found Process: smss.exe
Found Process: csrss.exe
Found Process: winlogon.exe
Found Process: services.exe
System Service Security Token: e17c04ea
Overwriting old Security Token: e1445036
cmd.exe privilege escalated successfully!

(Left to right): Windows XP SP2, Windows Vista, Windows 7 RC pwned (take a look at whoami.exe: the output changes from Peter Kleissner to NT-AUTHORITY\SYSTEM, and cmd.exe runs under SYSTEM rights, as shown in the task manager)

[Screenshots: Windows XP cmd.exe privilege escalation; Windows Vista cmd.exe privilege escalation; Windows Vista cmd.exe privilege escalation]

You may download the Windows 7 RC + TrueCrypt attack demonstration high quality video (11,7 MB) here. Please download and read TrueCrypt Foundation's mail about the attack here. The whole mailings with the TrueCrypt Foundation can be found in the framework in the directory "TrueCrypt".

Stoned..

It has been successfully tested and verified on the following systems:

Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows Server 2003
Windows Server 2003 R2 SP2
Windows Vista
Windows Vista SP1
Windows Server 2008
Windows 7 Build 6801
Windows 7 Beta
Windows 7 RC
Windows 7

DiskCryptor 0.7
DiskCryptor 0.8
TrueCrypt 6.1a
TrueCrypt 6.2
TrueCrypt 6.2a

Bochs 2.4.1
VMware Workstation 6.5.0

EeePC 901             Windows XP SP3
Dell Studio XPS 16    Windows Vista SP1

Stoned v2

The next version of Stoned is currently under development. The next version is going to be more sophisticated than ever. Features:

In future Stoned will be developed and published by my startup company Insecurity Systems.

Future ideas:

Please participate in the Stoned Beta Program (see below) to obtain a copy of Stoned v2 (it is not publicly available).

Live CD with Stoned v2 Infector

You can create your own Live CD using Windows PE from the Windows Automated Installation Kit:

(You can copy the Stoned executable to \Stoned\Stoned Infector.exe either with Explorer or from the shell:)

  1. Create a directory Stoned (in Explorer) or in the shell: mkdir C:\winpe_x86\mount\Stoned
  2. Copy the Stoned infector executable: copy Infector.exe "C:\winpe_x86\mount\Stoned\Stoned Infector.exe"

So that Stoned is executed, create a "Winpeshl.ini" file in the \Windows\System32 directory with the following contents:

[LaunchApp]
AppPath = "%SYSTEMDRIVE%\Stoned\Stoned Infector.exe"


You have now your own "law enforcement agency"-like software installer.

This is a useful application of Stoned, probably most important for law enforcement agencies. You can take the CD (or USB stick!), go to any computer (even if fully encrypted) and install your own software with Stoned on it (of course payload customizations are required). Custom development with Stoned as code base is now provided by Insecurity Systems.

Stoned infector for law enforcement agencies

They'll stone you when you're trying to be so good
They'll stone you just like they said they would
They'll stone you when you're trying to go home
They'll stone you when you're there all alone
But I would not feel so all alone
Everybody must get Stoned

PDF with Stoned v2 Infector

You can now create your own PDF with malcode that executes the Stoned infector! The PDF Infector will infect the system when the PDF is viewed!

1. We use the new PDF exploit available from http://milw0rm.org/exploits/9579, download the package.
   It works for Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 and Windows XP.
   You need Python 2 and Visual C++ installed (both freely available).

2. Open the "Visual Studio 2008-Eingabeaufforderung" (Visual Studio command line prompt)
   Download the source code for the dropper that downloads the infector from the internet and executes it. Save it as Stoned.c and run "cl /LD Stoned.c":

   Unfortunately this specific PDF exploit does not allow big files as payload, so the infector cannot directly be embedded into the PDF (only the small dropper which downloads it from the internet). However, for other exploits, you can use the dll version of the infector (a LoadLibrary will do it).

3. Create the malicious PDF, in the package execute: evil_pdf.py Stoned.pdf Stoned.dll
   You should also consider changing the displayed text of the PDF to something trustworthy, use CAD-KAS PDF Editor to edit the Stoned.pdf.

4. Everyone who opens Stoned.pdf gets stoned!

Download the PDF infector (Warning, infects when viewing!)

Changes (a bit more historical now)

The old, outdated changelog:

[Stoned v2 Alpha 1  06.08.2009]

  + infecting all PhysicalDriveN with MBR
  + infecting all logical drives (A:, B:, etc.) with Stoned directories
  + now updates the MBR and all files (preserves MBR backups)
  + takes care of previous MBR backups and never backs up a Stoned MBR (to prevent possible endless loops)
  + takes care of GUID Partition Table drives and drives without partition tables
  + deleting itself after exiting
  + USB Autorun.inf infection
  * No unauthorized abuse!
  + User Interface
  + Detection of TrueCrypt and displaying information about it

Stoned v2 Alpha 1 was available through the Stoned Beta Program; it can now be found in the framework under the executables directory.

[Stoned v2 Alpha 2  13.09.2009]

  + added CDFS driver (for reading from CD/DVD/BD)
  + native Stoned CD, infection only in memory
  + out-sourced MBR spoofing in pre-boot to plugin "MBR Spoof"
  + re-design of chainloading
  + debug/free releases of the software
  + new installation method! PDF infector or dropper
  + Live CD has now removal functionality
  + You can start a hex editor (HxD) on the Live CD

This version is only available via the PDF infector.

[Stoned v2 Alpha 3  20.10.2009]

  + added multiple programs to be executed on the Live CD (HxD, Raw Registry Editor)
  + added Remote Surveillance Tool (non-public version only)
  + Exe Loader added -> start any executable from the bootkit (non-public version only)
  + Live CD now available in multiple languages (English, French)
  + Installing Whoami.exe and launching cmd.exe on the Live CD

This version is published in the framework (in the executables directory). It is the last public version.
Future versions will only be released via the Stoned Mailing List.