A Singapore-based company, Coseinc, has presented two proof-of-concept attacks on Microsoft's beta OS.
One of the test attacks is pretty involved, and pretty chilling. Codenamed 'BluePill', the attack allows for running what the company claims is well-nigh undetectable malware on AMD64 computers running Vista. It uses the hardware virtualisation available on that platform to slip a thin virtual-machine layer (a hypervisor) underneath the running operating system, so that the malware sees and can filter everything before it reaches the 'real' operating system. From that position it can hide from antivirus software and pretty much anything else running inside the OS.
Unlike earlier reports of using a virtual machine to hide malicious software, Coseinc says BluePill can do its dirty work on the fly, with no reboot or other major preparation work required.
The company didn't show an actual BluePill demo at the BlackHat conference today, but it did demo the second attack. This one gets around another positive security change in Vista that blocks anything, rootkits and keyloggers included, from loading kernel drivers that aren't digitally signed.
By messing around with the pagefile, the hard disk file that Vista uses to back its virtual memory, Coseinc makes an end-run around the driver-loading protection. The attack eats up a ton of real memory so that Vista is forced to page driver code out to that file on disk. Once the code is there, the attack finds a driver of choice (null.sys in the demo) and modifies the paged-out copy with attack code. It then gets Vista to bring that driver back into use, with the attached payload now running inside it.
While seemingly potent, these are just examples right now. There are no known attacks using these methods. Microsoft, along with antivirus and other security companies, will have time to bring in countermeasures that would (I hope) make them impossible before Vista is finished. But the work is a good example of the challenges facing Microsoft when there's a cadre of motivated, money-minded online criminals just waiting to find holes in Vista. As Coseinc said today, there are welcome security changes in the new OS. But again, I wish Microsoft good luck. It is going to need it.