Tuesday, July 31, 2007

Evading Vista Kernel Defenses with Unsigned Drivers

Via ComputerWorld.com -

July 30, 2007 (Computerworld) -- A security feature in the 64-bit version of Windows Vista can be easily circumvented with a free utility that loads unsigned drivers into the kernel, according to researchers at Symantec Corp.

Among 64-bit Vista's security provisions is one new to Microsoft Corp.'s operating systems: only digitally-signed code can be loaded into the kernel. Under those new rules, code destined for the kernel -- typically drivers -- must be accompanied by a signed certificate available from a limited number of issuing authorities. Drivers not equipped with a legitimate certificate aren't loaded.

The thinking behind the move was that it would stymie rootkits, which load driver code into the kernel as part of their cloaking tactics.

But a pair of Symantec security researchers pointed to a free utility from Australian developer LinchpinLabs as one easy end-around. LinchpinLabs' Atsiv, said Ollie Whitehouse, an architect with Symantec's advanced threats research team, uses signed drivers to load other, unsigned code, into the Vista kernel.

"[Atsiv's] command line tool loads [its own] appropriate driver, which then in turn allows loading of unsigned drivers due to the implementation of their PE loader," said Whitehouse. "A side effect of using their own load is noted by the authors in their design documentation: 'Atsiv doesn't add the driver to the PsLoadedModuleslist so it is not visible in the standard drivers list.'
"This is rootkit-type behavior," said Whitehouse.

No comments:

Post a Comment