Black Hat deja  vu – Stoned again

End of July is the time of the year when SophosLabs, prompted by press coverage, start receiving a lot of questions about newly published undetectable pieces of malicious code that will change the threat landscape once and forever. It is the Black Hat Briefings time!

As everybody knows, the real value of a conference is meeting fellow researchers, having fun, crashing parties and hopefully learning a few tricks from presenters. The Black Hat conference is so big that it gets increasingly difficult to choose which presentations to see. As a malware researcher I know I should see presentations given on the subject of malware but I often feel that it is more useful to attend non-malware related streams where I can learn more about other security issues I am not so familiar with. Being in SophosLabs allows me to analyse the latest malware so I can be unimpressed by some talks, especially the ones with subjects that keep cropping up every year.

One of those repeating subjects is MBR rootkits, often referred to as bootkits, since they replace the original boot sector code. While I do appreciate the importance of launching your code as soon as possible, for both attackers and defenders of the operating system, I cannot say I see the point of having another bootkit talk, like this year’s Peter Kleissner’s Stoned bootkit (caution, angry blog writer) framework talk.

I failed to find a motive behind the publishing of yet another bootkit source code except for self-promotion and showing-off your technical skills. What is the novelty of Stoned bootkit? Through a structured bootkit framework with its own API, Stoned bootkit gives less skilled malware writers an opportunity to create sophisticated malware by reusing the published bootkit framework source code and following simple steps outlined in Kleissner’s paper. Another advantage over previously seen bootkits is that it is allegedly more stable, supports several Windows versions, allows the writer to load other drivers using its own loader (Sinowal rootkit driver is mentioned as an example) and works even if the drive is encrypted with TrueCrypt.

You may wonder why the author is calling the new bootkit Stoned. Well, it is an homage to the Stoned boot sector virus which was widespread in DOS time, sometime in mid 1990’s. The most obvious similarity between the original Stoned and the new bootkit is that both infected MBRs contain the code to display the text “Your PC is now Stoned!” with a 1in 8 probability when the system boots.

Worst of all, Peter Kleissner seems to be working as a contractor for an anti-virus company, which unfortunately gives material to people claiming that security companies first employ malware writers so that they can later create commercial tools to get rid of it.

The components of the new Stoned bootkit are detected by Sophos products as Mal/BKitDrp-A and Troj/BKit-A.