Stoned Bootkit

Typically I don’t follow the deluge of Windows rootkits available, because the sheer number and variety make diligently understanding all of them a daunting task. After all, given limited resources, one must choose one’s battles and specialties in the security field.

That said, occasionally a Windows rootkit surfaces that is so mean, nasty and downright cool, that it becomes a must-know. Such is the case with the newest release of Stoned Bootkit. Be sure to go to their site and check it out, along with the paper, but here are a few highlights:

  • Attacks Windows XP, Server 2003, Windows Vista, Windows 7 with one single master boot record
  • Attacks TrueCrypt full volume encryption
  • Has integrated FAT and NTFS drivers
  • Has an integrated structure for plugins and boot applications (for future development)
  • Understanding the threats that Windows rootkits like this pose to VoIP security, especially to end users’ systems, is key.

    1 thought on “Stoned Bootkit”

    1. Chris John Riley

      Just to clarify, the Stoned Bootkit doesn’t actually attack TrueCrypt. This is a common misconception (and one that unfortunately cost Peter his job from my understanding).

      From talking to Peter recently, the Stoned Bootkit simply uses hooks to intercept INT13H calls and as such doesn’t need to concern itself with the Full-Disk Encryption on the device. The user will still be prompted to enter the encryption password before booting. Any system that doesn’t check the validity of the MBR when booting is by design vulnerable to the bootkit style attack. Peter has spoken to the TrueCrypt people about checking the MBR (http://peterkleissner.com/?p=11) however it doesn’t look like they will fix the issue.
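The comment above makes the defender's point: a system that never checks the validity of its MBR cannot notice that the 446 bytes of boot code have been swapped out while the partition table and pre-boot password prompt stay exactly as they were. As an added illustration of what such a check involves (example code written for this page, not from Chris John Riley, Peter Kleissner, TrueCrypt, or the Stoned project), the Python below parses a 512-byte MBR into its boot code, partition entries and 0x55AA signature, records a known-good baseline, and reports when a later copy diverges. All MBR bytes used here are constructed placeholders, not a real boot loader.

```python
import hashlib
import struct

# MBR layout (all offsets in bytes)
MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # 0..445: boot code, the part an MBR bootkit replaces
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510          # 0x55 0xAA at the end of the sector
MBR_SIGNATURE = b"\x55\xaa"

# Partition entry: status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from placeholder boot code and up to four
    (type, lba_start, sectors, bootable) tuples. Used only to construct sample data."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code must fit in 446 bytes")
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary partition entries")
    table = bytearray()
    for ptype, lba_start, sectors, bootable in partitions:
        table += struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00, ptype, lba_start, sectors)
    table = table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return bytes(boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + MBR_SIGNATURE)


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR sector into its parts and hash the boot code region."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(mbr)} bytes")
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, mbr, offset)
        if ptype == 0:
            continue  # empty slot
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    boot_code = mbr[:BOOT_CODE_SIZE]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partition_table": mbr[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET],
        "partitions": entries,
        "signature_ok": mbr[SIGNATURE_OFFSET:] == MBR_SIGNATURE,
    }


def make_baseline(mbr: bytes) -> dict:
    """Record hashes of a known-good MBR (captured at install time or from offline media)."""
    parsed = parse_mbr(mbr)
    return {
        "boot_code_sha256": parsed["boot_code_sha256"],
        "partition_table_sha256": hashlib.sha256(parsed["partition_table"]).hexdigest(),
    }


def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against the baseline; an empty list means no change."""
    findings = []
    parsed = parse_mbr(mbr)
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if parsed["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible bootkit replacement)")
    if hashlib.sha256(parsed["partition_table"]).hexdigest() != baseline["partition_table_sha256"]:
        findings.append("partition table differs from baseline")
    return findings


# Constructed sample: placeholder boot code plus one bootable NTFS-type (0x07) partition at LBA 2048.
SAMPLE_BOOT_CODE = b"SAMPLE-BOOTCODE-PLACEHOLDER".ljust(128, b"\x90")
GOOD_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, [(0x07, 2048, 204800, True)])
BASELINE = make_baseline(GOOD_MBR)

# Constructed "modified" copy: only the boot code region is overwritten; the partition table and
# signature are untouched, which is why a naive partition-table check alone would miss it.
MODIFIED_MBR = build_sample_mbr(b"MODIFIED-PLACEHOLDER".ljust(64, b"\x00"),
                                [(0x07, 2048, 204800, True)])

if __name__ == "__main__":
    print("known-good MBR:", check_mbr(GOOD_MBR, BASELINE) or "matches baseline")
    print("modified MBR:  ", check_mbr(MODIFIED_MBR, BASELINE))
```

On a real host the 512 bytes would come from a raw read of sector 0 of the boot disk, and the baseline should be stored off the machine, since a bootkit that runs before the OS can feed the OS whatever sector contents it likes; this is exactly the reason the comment argues the check belongs in the pre-boot stage rather than in Windows.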
