mailing list archives
Bootkits to the next level
From: dninja at gmail.com (Robin Wood)
Date: Sun, 28 Jun 2009 11:24:09 +0100
2009/6/26 Rob Fuller <jd.mubix at gmail.com>:
So all of this is just theoretical right now so, it's probably flawed
somewhere, but that's what ya'll are for ;-)
When I first herd the word "bootkit" my mind went instantly to boot cd/usb.
The guest in Episode 154 though was talking about more of a payload that
gets delivered in malware that some how (I'm thinking by editing the boot
params just like you do for dual booting) infects the machine.
Well, lets ride down my road a bit. You kinda need physical access to put a
CD or usb in the drive right? hmm, not so much. With the push for
virtualization people already have most of their most precious information
on virtual machines. And how does VMware install their VMware Tools? ;-) now
you are starting to see where I am going. Here is the theoretical "what if"
An attacker pushed the mounting of a CD / USB drive to a server, bypassing
or breaking the authentication to do so (although I don't think there is
any, kinda like the old days before sessions, of directly accessing the
admin page, bypassing the login page). Then waiting for a reboot to happen,
or just causing one yourself.
Wam bam, thank you ma'am. Now I hope I am totally wrong, but hopefully this
got you thinking in a new direction.
Don't know if it is just VirtualBox but if I have a CD mounted that
has autorun on it the autorun gets run whenever the machine is
suspended and resumed. Does this go for VMWare as well?
I rarely reboot my VMs but I do suspend and resume them quite frequently.