Austrian researcher reveals BIOS intercept rootkit for Windows 8

28 November 2011

Peter Kleissner, the brains behind previous rootkit/bootkit exploits, has published details of his rootkit exploit for the upcoming Windows 8 operating system.

As Infosecurity reported last week, the rootkit from Kleissner, an Austrian security researcher, effectively means that root level access could be gained to the new operating system before the kernel code of the operating system is loaded.

According to the Maximum PC newswire, while many coders were playing around with the Windows 8 Developer Preview, Kleissner was vetting it for possible vulnerabilities.

"Whatever he was up to seems to have worked. Kleissner has successfully identified a vulnerability in this early version of the upcoming operating system and even posted a video of his proof-of-concept 'Stoned Lite' bootkit successfully exploiting this flaw", says the newswire.

Infosecurity notes that the rootkit works by using a CMD privilege escalation – carried out by loading a low-level driver into memory before the Windows 8 operating system kernel loads.

Amazingly, the bootkit (or rootkit, whichever term you use) is just 14 kilobytes in size, suggesting that Kleissner has used his own compiler.

The MaximumPC newswire, meanwhile, quoted the researcher as saying that the rootkit attack methodology does not exploit the Unified Extensible Firmware Interface (UEFI) feature of Windows 8 or a secure boot approach, but uses a BIOS intercept.
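Because a legacy-BIOS bootkit has to sit in the boot path that the BIOS hands control to (the first sector of the disk, before any kernel code runs), one practical defensive check is to baseline that sector and re-read it later. The script below is an added example, not code from the article or from Kleissner's Stoned Lite; it assumes the defender recorded a known-good SHA-256 of the 440-byte bootstrap area and of the 64-byte partition table at install time, and the MBR contents used here are constructed for the demonstration.

```python
"""Baseline comparison of a legacy-BIOS Master Boot Record (MBR).

Added example (not from the article or from the Stoned Lite project).
Assumption: a known-good baseline of sector 0 was recorded earlier; a
fresh read of the sector is compared against it so that replaced boot
code is reported even when the partition table was left untouched.
"""
import hashlib

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440            # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440             # 4-byte disk signature, then 2 reserved bytes
PTABLE_OFF = 446               # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into the MBR regions a check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    return {
        "bootstrap": sector[:BOOTSTRAP_LEN],
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4],
        "partition_table": sector[PTABLE_OFF:PTABLE_OFF + 64],
        "signature": sector[SECTOR_SIZE - 2:],
    }


def baseline(sector: bytes) -> dict:
    """Record the hashes a later check will be compared against."""
    mbr = parse_mbr(sector)
    return {
        "bootstrap": sha256(mbr["bootstrap"]),
        "partition_table": sha256(mbr["partition_table"]),
    }


def check_mbr(sector: bytes, known_good: dict) -> list:
    """Return a list of findings; an empty list means the sector matches."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature is not 0x55AA")
    if sha256(mbr["bootstrap"]) != known_good["bootstrap"]:
        findings.append("bootstrap code differs from baseline")
    if sha256(mbr["partition_table"]) != known_good["partition_table"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(bootstrap: bytes, partition_table: bytes) -> bytes:
    """Assemble a constructed MBR image for the demonstration."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    ptable = partition_table.ljust(64, b"\x00")[:64]
    return code + b"\x11\x22\x33\x44" + b"\x00\x00" + ptable + BOOT_SIGNATURE


# Constructed sample data: one bootable NTFS-type (0x07) partition entry,
# a "known-good" MBR, and a copy whose bootstrap area has been replaced
# while the partition table was left intact.
GOOD_PTABLE = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                     0x00, 0x08, 0x00, 0x00, 0x00, 0xF8, 0x1F, 0x00])
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", GOOD_PTABLE)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 40, GOOD_PTABLE)
BASELINE = baseline(GOOD_MBR)

if __name__ == "__main__":
    print("known-good :", check_mbr(GOOD_MBR, BASELINE) or "matches baseline")
    print("tampered   :", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real system the sector would be read from the raw disk device (for example `\\.\PhysicalDrive0` on Windows) from a trusted environment such as offline media, since code that runs before the kernel can also lie to tools that run after it; comparing the bootstrap hash separately from the partition table hash is what lets the check distinguish a replaced boot loader from an ordinary repartitioning.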

As the newswire observed, with the release of Windows 8 still a fair way away, Microsoft has plenty of time to fix this bug discovered by Kleissner.
