Comments on: Stoned Bootkit http://voipsa.org/blog/2009/09/09/stoned-bootkit/ Collective thoughts and musings on the state of VoIP security today. Sat, 03 Dec 2011 12:02:00 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Chris John Riley http://voipsa.org/blog/2009/09/09/stoned-bootkit/comment-page-1/#comment-342319 Chris John Riley Wed, 09 Sep 2009 15:28:18 +0000 http://voipsa.org/blog/?p=794#comment-342319 Just to clarify, the Stoned Bootkit doesn't actually attack Truecrypt. This is a common mis-conception (and one that unfortunately cost Peter his job from my understanding). From talking to Peter recently, the stoned bootkit simple uses hooks to intercept INT13H calls and as such doesn't need to concern itself with the Full-Disk Encryption on the device. The user will still be prompted to enter the encryption password before booting. Any system that doesn't check the validity of the MBR when booting, is by design vulnerable to the bootkit style attack. Peter has spoken to the TrueCrypt people about checking the MBR (http://peterkleissner.com/?p=11) however it doesn't look like they will fix the issue. Just to clarify, the Stoned Bootkit doesn’t actually attack Truecrypt. This is a common mis-conception (and one that unfortunately cost Peter his job from my understanding).

From talking to Peter recently, the stoned bootkit simple uses hooks to intercept INT13H calls and as such doesn’t need to concern itself with the Full-Disk Encryption on the device. The user will still be prompted to enter the encryption password before booting. Any system that doesn’t check the validity of the MBR when booting, is by design vulnerable to the bootkit style attack. Peter has spoken to the TrueCrypt people about checking the MBR (http://peterkleissner.com/?p=11) however it doesn’t look like they will fix the issue.

]]>