Defeating Vista Security with Drivers

A couple of interesting developments came to light in the last couple of weeks, both of which affect Windows Vista security to some extent. The first issue centers around Windows Genuine Advantage (WGA). As you'll learn when you read the related news story, "OEM BIOS Emulator Bypasses Vista Activation," below, code has been released that can fool Vista into thinking that it's a genuine copy when it's not. That feat is accomplished by using a third-party driver.

While on the surface this doesn't seem like a security problem, it actually is. First of all, imagine some small-to-midsized business (SMB) trying to save money on a migration to Vista. The company might shop around to try to find the best price possible on a new software and hardware combination. The company ends up buying from someone who's actually selling pirated copies of Vista that have a driver installed to fool WGA.

Such an unscrupulous seller might just as easily have installed anything on the machines, including botnets, rootkits, and keyloggers that could be undetectable by existing security solutions. These processes could be undetectable because a driver can be used to protect a process so that for the most part the process can't be inspected by another process. And if the process's memory space can't be inspected, then any malware inside it can't be detected.

Two weeks ago, Alex Ionescu released a proof-of-concept tool called D-Pin Purr 1.0. The tool, which works only on 32-bit versions of Vista, uses a driver that can protect or unprotect a process. Ionescu wrote, "It is trivial to make a process protected or unprotected by bypassing all the code integrity checks and sandbox in which protected processes are supposed to run." So basically, Ionescu discovered a way to bypass a major security feature of Windows Vista--one that many vendors have been complaining about because it prevents their tools from fully working to some extent or other.

If the tool really works as intended (and while I haven't tested it, I suspect that it does), then certainly "bad guys" can create a similar tool to defend their botnet, rootkit, and keylogger code.

Sure, elevated privileges might be required to install drivers into Vista, which seems to imply that the potential impact is limited. However, as history clearly shows, intruders routinely combine vulnerabilities and mix in social engineering, so they might eventually be able to get a driver installed.

You can read more about Ionescu's tool in his blog at the URL below, where he also provides a download link for D-Pin Purr.

http://www.alex-ionescu.com/