[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20130714205426.2407D600AC@smtp.hushmail.com>
Date: Sun, 14 Jul 2013 21:54:25 +0100
From: whizzbang@...h.ai
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Abusing Windows 7 Recovery Process
Genius !
"Both McAfee RootKit Detective
(http://vil.nai.com/vil/stinger/rkstinger.aspx) and SysInternals
RootKitRevealer
(http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx), as
well as others provide tools to do exactly this kind of detection,
and of course, with a reputable AV/Malware product on your machine in
the first place, the only way Stoned Bootkit is going to get a hold on
your computer, is if someone physically puts it there."
we *were* talking about physical access, were we not, that being the
point of the whole thread ? If anyone with any skills gets ahold of
your machine then you'll be giving them your passphrase next time you
think you're logging in - to use along with their image of said drive.
By the time your given AV kicks in it'll be way too late. Maybe once
the OS starts, everything has been rewritten as it once was ? I guess
if there's no remote access to be had from the box (to regain the
stolen passphrase remotely) the attacker might have to gain physical
access twice, but when they've already done it once then that's
probably no great trick eh. Or maybe your box now contains a little
extra hardware that's shitting out your keystrokes elsewhere over
various wireless technologies ? The point is, physical access is
pretty much always game over, AFAIK.
When I said 'with a bootkit' I meant consider the technique, not go
google 'bootkit' - sorry if I came across as flippant. Good luck with
Mcafee protecting you against this type of thing :)
Oh wait - and the best bit from Mcafee's page regarding this:
"The adage, If you let your computer out of your sight, it’s no
longer your computer, rings true with this exploit."
On 14 July 2013 at 2:38 PM, "Alex" wrote:
Mcafee KB 66153
Am 14. Juli 2013 06:40:57 schrieb whizzbang@...h.ai:
> You didn't tell us how you cracked the full disc encryption. (There
are
> ways around controls, but that is why we have multiple security
layers.)
With a bootkit, of course. (That is why we have multiple tools.)
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists