mailing list archives
Bootkits to the next level
From: jd.mubix at gmail.com (Rob Fuller)
Date: Fri, 26 Jun 2009 12:01:52 -0400
So all of this is just theoretical right now so, it's probably flawed
somewhere, but that's what ya'll are for ;-)
When I first herd the word "bootkit" my mind went instantly to boot cd/usb.
The guest in Episode 154 though was talking about more of a payload that
gets delivered in malware that some how (I'm thinking by editing the boot
params just like you do for dual booting) infects the machine.
Well, lets ride down my road a bit. You kinda need physical access to put a
CD or usb in the drive right? hmm, not so much. With the push for
virtualization people already have most of their most precious information
on virtual machines. And how does VMware install their VMware Tools? ;-) now
you are starting to see where I am going. Here is the theoretical "what if"
An attacker pushed the mounting of a CD / USB drive to a server, bypassing
or breaking the authentication to do so (although I don't think there is
any, kinda like the old days before sessions, of directly accessing the
admin page, bypassing the login page). Then waiting for a reboot to happen,
or just causing one yourself.
Wam bam, thank you ma'am. Now I hope I am totally wrong, but hopefully this
got you thinking in a new direction.
Rob Fuller | Mubix | Room362.com | Hak5.org
-------------- next part --------------
An HTML attachment was scrubbed...
- Bootkits to the next level Rob Fuller (Jun 26)