
Vista Rootkit – Bypass Activation and Avoid DRM

20 September 2013 / General / 2720 characters
Vbootkit is a rootkit that loads from the boot sector before Windows Vista starts and gains access to the system's files without needing an administrator's credentials. In an interview with Federico Biancuzzi, a securityfocus.com columnist, its authors Nitin Kumar and Vipin Kumar discussed the possibility of porting it to the various editions of Vista, or even embedding it in the BIOS.


Both Nitin and Vipin are graduates from India. In the interview they gave a short definition of Vbootkit:

...Vbootkit is much like a door or a shortcut to access Vista's kernel.

A bootkit is a rootkit that is able to load from boot sectors (master boot record, CD, PXE, floppies, etc.) and persist in memory all the way through the transition to protected mode and the startup of the OS. It's a very interesting type of rootkit. All rootkits install when the OS is running because they use the OS's features to load (and they also use Administrator privileges to install), but bootkits are different: they use the boot media to attack the OS, and thus survive. Vbootkit is a bootkit specific to Windows Vista.

It's a total in-RAM concept. So it doesn't touch the hard disk under any condition and thus leaves no proof. Just reboot a system running Vbootkit, and it vanishes just as if it was never there...
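The boot sector a bootkit takes control from has a fixed layout: 446 bytes of bootstrap code that the BIOS copies to memory and jumps into, four 16-byte partition entries, and the 0x55AA boot signature. The C program below is an added example, not code from the original article or from Vbootkit. It parses a constructed 512-byte MBR (the sample bytes are made up for this example), checks the signature, lists the partition table, and checksums the code region so that the MBR of a disk or forensic image can be compared against a known-good baseline. Names such as `mbr_code_checksum` and `build_sample_mbr` are this example's own.

```c
/* Added example, not code from the original article or from Vbootkit:
 * parse a 512-byte MBR-style boot sector, validate the 0x55AA boot
 * signature, list the partition table and checksum the bootstrap code
 * region so an on-disk MBR can be compared against a known-good baseline. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE     512
#define MBR_CODE_SIZE   446   /* bootstrap code: bytes 0..445, loaded at 0x7C00 */
#define MBR_PART_OFFSET 446   /* four 16-byte partition entries */
#define MBR_SIG_OFFSET  510   /* 0x55 0xAA */

typedef struct {
    uint8_t  bootable;    /* 0x80 = active (bootable) partition */
    uint8_t  type;        /* partition type byte, e.g. 0x07 for NTFS */
    uint32_t lba_start;   /* first sector of the partition */
    uint32_t sectors;     /* length in sectors */
} part_entry_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if the sector ends with the boot signature the BIOS requires. */
int mbr_has_signature(const uint8_t *sec) {
    return sec[MBR_SIG_OFFSET] == 0x55 && sec[MBR_SIG_OFFSET + 1] == 0xAA;
}

/* Fills out[0..3] from the partition table; returns the number of
 * entries whose type byte is non-zero (i.e. in use). */
int mbr_parse_partitions(const uint8_t *sec, part_entry_t out[4]) {
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + MBR_PART_OFFSET + i * 16;
        out[i].bootable  = e[0];
        out[i].type      = e[4];
        out[i].lba_start = rd32le(e + 8);
        out[i].sectors   = rd32le(e + 12);
        if (out[i].type != 0) used++;
    }
    return used;
}

/* FNV-1a over the code region only. The partition table is excluded on
 * purpose: it changes legitimately on repartitioning, while the code
 * region should only change when the OS loader is reinstalled. */
uint32_t mbr_code_checksum(const uint8_t *sec) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < MBR_CODE_SIZE; i++) {
        h ^= sec[i];
        h *= 16777619u;
    }
    return h;
}

/* Constructed sample sector (made up for this example): code region is a
 * single "jmp $" (EB FE) followed by zeros, one active NTFS partition
 * starting at LBA 2048 with 409600 sectors, valid signature. */
void build_sample_mbr(uint8_t sec[SECTOR_SIZE]) {
    memset(sec, 0, SECTOR_SIZE);
    sec[0] = 0xEB; sec[1] = 0xFE;
    uint8_t *e = sec + MBR_PART_OFFSET;
    e[0] = 0x80;                                              /* active */
    e[4] = 0x07;                                              /* NTFS */
    e[8]  = 0x00; e[9]  = 0x08; e[10] = 0x00; e[11] = 0x00;  /* 2048, LE */
    e[12] = 0x00; e[13] = 0x40; e[14] = 0x06; e[15] = 0x00;  /* 409600, LE */
    sec[MBR_SIG_OFFSET] = 0x55; sec[MBR_SIG_OFFSET + 1] = 0xAA;
}

/* Baseline comparison as it would run from a forensic image: 1 if the
 * signature is intact and the code region matches the recorded checksum. */
int mbr_matches_baseline(const uint8_t *sec, uint32_t baseline) {
    return mbr_has_signature(sec) && mbr_code_checksum(sec) == baseline;
}

int main(void) {
    uint8_t sec[SECTOR_SIZE];
    part_entry_t parts[4];
    build_sample_mbr(sec);
    uint32_t baseline = mbr_code_checksum(sec);   /* recorded on a known-good disk */

    printf("signature ok: %d\n", mbr_has_signature(sec));
    int n = mbr_parse_partitions(sec, parts);
    for (int i = 0; i < 4; i++)
        if (parts[i].type)
            printf("part %d: type 0x%02x active=%d lba=%" PRIu32 " sectors=%" PRIu32 "\n",
                   i, parts[i].type, parts[i].bootable == 0x80,
                   parts[i].lba_start, parts[i].sectors);
    printf("%d partition(s), code checksum 0x%08" PRIx32 "\n", n, baseline);

    /* Simulate a disk-resident bootkit patching the first instruction. */
    sec[0] = 0xFA;   /* cli */
    printf("after patch, matches baseline: %d\n", mbr_matches_baseline(sec, baseline));
    return 0;
}
```

Two caveats follow directly from the interview. First, a bootkit of roughly 1500 bytes does not fit in the 446-byte code region, so a disk-resident variant would have to chain-load further sectors, which this check would not see unless those sectors were baselined too. Second, and more important, Vbootkit as described boots from its own CD or PXE image and stays entirely in RAM: the disk's MBR is never modified, so this baseline check passes on a compromised machine. It detects a disk-resident bootkit, not this one; controlling which media the firmware is allowed to boot from is the relevant control here.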


Below are some of the things Vbootkit makes possible:


  1. periodically raise cmd.exe's privileges to SYSTEM every few seconds;
  2. modify the Registry so that the telnet server starts automatically;
  3. create a user-mode thread and deliver user-mode payloads in the context of a system (protected) process (LSASS.EXE, Winlogon.exe, etc.).

Basically, anything is possible with Vbootkit. It seems that Windows Vista is now under threat from these two young programmers, but the good news is that the code has not been released to the public, only to a few anti-virus vendors.

Rootkits for earlier versions of Windows (XP/2000/2003), however, can be downloaded from their site.

Deployment of Attack
By design, the attacker does not need to install anything: it is enough to put the Vbootkit media in the drive and boot the system from it. No special privileges are needed to access the media's boot sector. Under certain conditions it can also be deployed remotely, without physical access.

Vbootkit is about 1500 bytes in size and can therefore easily be hidden in memory. It was also said that this size can be reduced further.

Avoid DRM and Activation
Nitin and Vipin also claimed that Vbootkit can be modified to bypass DRM. Vista's DRM is implemented so that if unsigned drivers are loaded, protected content will not play. Vbootkit lets users load code without the OS knowing that it has been compromised, so it can be used to bypass DRM.

Vbootkit can also be programmed to bypass Vista's product activation.

Summary
Although Vbootkit may sound dangerous and threatening, on the whole it actually gives control of the system back to the user: users control their own machine, so they can run software of their choice.

