I’m having an almost religious moment now: I’m ready to call on the spirit of Mark Russinovich, Microsoft Fellow and celebrity kernel hacker.
This is why: two Indian guys, Nitin and Vipin Kumar, have invented the ultimate rootkit. It is only about 1500 bytes, it lives in the master boot record on the disk (or in the BIOS, since it is too big to fit in the MBR sector alone), and it patches the Vista kernel. It is called Vbootkit. Bruce Schneier, the world’s FUDmaster, and Symantec’s SecurityFocus duly spread the word. So it is famous – before anyone has actually seen it.
It may be a very clever piece of code – a kind of tiny hypervisor that can read and patch the guest’s memory in situ. But I don’t think it is. I believe that Vbootkit requires something special (conveniently omitted from the product description) in order to work. I believe that the claims about its powers, let alone its impact, are largely exaggerated. The key word here is “believe”, because I cannot substantiate my claim with any analysis or evidence.
So I call on the spirit of Mark Russinovich to come up from the depths of the Windows core and consider the reality of Vbootkit. Meanwhile I am waiting for Black Hat Europe and the rootkit code release, and I find comfort in BitLocker.