Sign in with
Sign up | Sign in

Windows 7 Can Be Hacked, No Fix

By - Source: Tom's Hardware US | B 55 comments

Earlier today at the Hack In The box Security Conference, security researchers showed how easy it is to hack into Windows 7. Ouch.

The question to ask first is this: can't every piece of software be hacked in some fashion? Quite frankly, yes. However, Microsoft (unfortunately) deals with hackers on a daily basis, patching security holes in the Windows operating system, Internet Explorer, and various programs in the Office suite. In some ways, hackers bring job stability to those who specialize in thwarting security intrusions, those who fill holes where perpetrators like to sneak in. But what if the problem can't be fixed? What if the window is wide open and there's not one thing Microsoft or any other company can do to shut it closed?

Earlier today, researchers Vipin Kumar and Nitin Kumar of NVlabs demonstrated how they could take control of a Windows 7 virtual machine using proof-of-concept code they developed called Vbootkit 2.0. The 3 KB program allows the "attacker" to take control of the computer by making changes to the operating system's files loading into the system memory during the boot process. According to Kumar and Kumar, Windows 7 cannot detect the malicious program because no files are changed on the hard disk.

"Basically, we follow a very simple algorithm for Vbootkit," the team explained during the demonstration, "Hook INT 13 for disk reads, keep patching files as they load, hook onto the next stage, and repeat the above process [until] we reach the kernel, then sit and watch the system carefully."

With that said, there's a positive and negative side to this kind of attack. The good news is that the hacker must by physically present to take control of the PC, making the threat somewhat minimal. Additionally, once the computer reboots, Vbootkit 2.0 will no longer have control since the data stored in memory is no longer available. The negative aspect is that, according to Vipin Kumar, the problem stems from Windows 7's assumption that the boot process is immune from attacks. He said that not only is there no current fix for the problem, but that it cannot ever be fixed.

The security researchers demonstrated the ability to take control of Windows 7 at the Hack in The Box Security Conference held in Dubai. The duo merely wanted to demonstrate how they could get Windows 7 (x64) running normally after implementing changes to the kernel. The demonstration was also meant to show how Vbootkit 2.0 could pass through all of the security features implemented in the kernel without being detected, and without leaving a footprint on the hard drive.

In addition to hacking into the kernel, Vbootkit 2.0 allows the attacker to control the victim's computer by remote after this initial physical invasion. The attacker can then increase the user privileges to the highest level, and remove the current user's password, allowing the attacker to gain access to all files stored on the PC. Once finished, the attacker can use Vbootkit 2.0 to restore the original password, and exit the system undetected.

So what does this mean for Windows 7? Can the problem be fixed? According to Kumar, no. However, perhaps Microsoft will take notice and figure out a workaround before the operating system eventually ships this year.

Display 55 Comments.
This thread is closed for comments
Top Comments
  • 24 Hide
    SuckRaven , April 24, 2009 3:27 PM
    Quote:
    The good news is that the hacker must by physically present to take control of the PC


    That's not really good news, but at this point an intruder may as well just take the HDD and go...
  • 19 Hide
    stradric , April 24, 2009 3:58 PM
    I don't understand how this hack only applies to Windows 7... It seems like you could easily hack any OS if you had physical access to it and the right code.
  • 15 Hide
    kyeana , April 24, 2009 3:59 PM
    please. If someone physically has access to your computer, they can fairly easily gain access to it regardless. This way may be faster, but im really not worried about it
Other Comments
  • -4 Hide
    Anonymous , April 24, 2009 3:25 PM
    im a noob, what about winxp? can we hack it easily?
  • 24 Hide
    SuckRaven , April 24, 2009 3:27 PM
    Quote:
    The good news is that the hacker must by physically present to take control of the PC


    That's not really good news, but at this point an intruder may as well just take the HDD and go...
  • 10 Hide
    scryer_360 , April 24, 2009 3:31 PM
    Considering (as was stated) that the hacker has to be present to make it work, I have no worries. Its remotely taking control that worries people, but if the hacker can physically plug in a flash drive or external drive to load his code before loading the OS, then we're all right.

    Seriously, it doesn't matter what security you have on your computer (or on a safe, for that matter). If the person looking to steal from you has in his/her possession the computer, he can get the data he wants anyway. I'd even suggest an easier method: take the hard drive out of the computer you want to hack and manually pull the data. There will be a password on it, but there are free password removal programs for that, even ones that run in portable executible mode.
  • 8 Hide
    1raflo , April 24, 2009 3:32 PM
    That wont happen if everybody uses Linux as main OS beacause the security features of...

    *Gets shot in the head*
  • 7 Hide
    Anonymous , April 24, 2009 3:37 PM
    If they are taking over the VM hypervisor (or whatever you want to call it), it seems like this type of exploit is really applicable to any OS. It is a kind of "man in the middle" attach. If the OS accesses a resource, whether it is to talk to a disk controller, or make a packet request over the network hardware, and some agent can, at the lowest level, subvert the request and concoct a false response, there isn't a lot the OS can do.
  • 0 Hide
    Hanin33 , April 24, 2009 3:42 PM
    ppl that believe this hack is not as big as it is forget the frequency and prevalence of infected USB flash drives being passed around. this issue is not as benign as some would believe.
  • 6 Hide
    Anonymous , April 24, 2009 3:45 PM
    WinXP can be hacked within one minute (for a login password lower than 8 char.). Win Vista is more safe, but technically can be hacked in 15 minutes, and requires a secondary pc with lots of RAM.

    There's a reason MS discontinued support for Win 3.1 or 3.11 only recently.
    Reason being for the longest time the military used win 3.x just because it's way more safe, and smaller. Sure you can't see flashfiles or play modern games on those old operating systems, but nearly nothing went automatic.
    The reason why Windows is so hackable, is because there are so many programs running everywhere in the background. And the more that are running, the slower the OS, the less secure the OS gets.
    I think a lot of IT professionals would want an OS that is less commercial, less nice looking, and much safer, by just not having these automatic soft or hardware recognition commands.
    In WinXP I had to disable nearly half of the system services, to get it working fast. Most of them I don't need anyways!
  • 19 Hide
    stradric , April 24, 2009 3:58 PM
    I don't understand how this hack only applies to Windows 7... It seems like you could easily hack any OS if you had physical access to it and the right code.
  • 15 Hide
    kyeana , April 24, 2009 3:59 PM
    please. If someone physically has access to your computer, they can fairly easily gain access to it regardless. This way may be faster, but im really not worried about it
  • 6 Hide
    wikiwikiwhat , April 24, 2009 4:09 PM
    As long as they can't hack my brain then I'm good. Just don't waterboard me.
  • 4 Hide
    IzzyCraft , April 24, 2009 4:13 PM
    I'm sure any os with enough time can be hacked if you are on the actual computer instead of remotely, i think you have more problems to do with home security if you should be worried about someone taking your computer.
  • 3 Hide
    stuart72 , April 24, 2009 4:15 PM
    The first layer of any multi-layered network security system is always physical. If the bad guy is actualy sitting at the PC then as SuckRaven said, he's just going to take the HDD and go. Honestly - if you have physical accesss to the PC there are a thousand easier ways to compromise sceucrity than one like this, which can quite easily be thwarted by setting up the BIOS to not boot from USB/Floppy and setting a BIOS password.
    Having said that, the way they did it was pretty cool.
  • 0 Hide
    Greatwalrus , April 24, 2009 4:17 PM
    1rafloThat wont happen if everybody uses Linux as main OS beacause the security features of... *Gets shot in the head*

    It's people like you that make us look bad...

  • 3 Hide
    armistitiu , April 24, 2009 4:25 PM
    GreatWalrusIt's people like you that make us look bad...

    Give him a break. He was trying to make a joke (i hope) :) 
  • 7 Hide
    fuser , April 24, 2009 4:28 PM
    Any OS can be hacked with someone sitting the keyboard. You can make it a bit more difficult by locking the BIOS and the case, but no computer is completely secure. Mentioning Windows 7 as the target was just a ploy for attention.
  • 4 Hide
    techtre2003 , April 24, 2009 4:30 PM
    OK, they hacked a BETA OS. Isn't that the whole point of having a beta; to find out these things so you can fix them before you release the software?
    Also, saying the problem can't be fixed is just as naive as saying it couldn't be hacked in the first place.
  • -2 Hide
    falconqc , April 24, 2009 4:38 PM
    Just seems to me like they are stating the obvious. If you go low level enough you can hack anything you want and there isn't much you can do. Anyone else remember that new hddvd/br encryption? Easiest way to hack it was just to look at the stuff in memory.

    Considering the MBR seems to be the first thing to be hacked, and not Windows 7 itself, I think the title is just there to sensationalize.

    Simple fix : Some BIOS have MBR protection. Simply turn that stuff on by default, make it a default feature on all board if it isint already and make it password protected. vbootkit won't work.

    Just make the MBR read only and password protect it.
  • 4 Hide
    starryman , April 24, 2009 4:45 PM
    BIG GLEAMING GLARING caveat that the hacker has to be at the computer to initially start the attack. 99% of all hacks are remote, http, or software/email download. Come on now! If someone already has possession of your computer right in front of them, what's the point of doing any hack? A hammer and a couple of kicks to the computer is plenty enough.

    It's too much Spy vs. Spy that someone is sneaking up to your computer (physically) and putting crap on it. AND if someone does, you pretty much know a handful of people who have been around or used your computer.

    This is like saying you stole a car because someone left the door open and the keys in the ignition. Where's the skillz here?
  • 0 Hide
    starryman , April 24, 2009 4:51 PM
    Hanin33ppl that believe this hack is not as big as it is forget the frequency and prevalence of infected USB flash drives being passed around. this issue is not as benign as some would believe.


    Yeah and the people who let others plug a USB flash drive in their computer are morons. PLUS you would know who put the USB flash drive in your computer. I assume that if you let someone insert anything into your computer, you know them.

    Let's not get into the Spy vs Spy crap where some stranger sneaks onto your computer when you are away... there's bigger consequences than that ie. They just steal your computer.
Display more comments