Reports of a newly developed bootkit aimed at Windows 8 are tantalizing, given how much positive and negative attention the OS's "secure boot" feature has garnered. It turns out the malware, to be unveiled at MalCon this month, really exploits vulnerabilities in older PCs' legacy boot procedures that won't be present on new machines loaded with Windows 8.
Developed by security researcher Peter Kleissner, the bootkit -- dubbed Stoned Lite -- affects Windows 8 as well as Windows Server 2008 and works similarly to its creator's Stoned bootkit, which affects Windows 2000 through Windows 7. It attaches itself to the master boot record of the targeted PC's hard drive and bypasses Windows UAC (User Account Control), enabling it to load before Windows starts. The bootkits' payload uses command-line privilege escalation to elevate cmd.exe process rights to System, Kleissner told Softpedia. It also patches the OS's password-validation function, enabling a hacker to log in to any local user account using any password.
The bootkit's small 14 KB footprint would make it a fine candidate for infecting machines via a CD or USB device. However, both Stoned and Stoned Lite work only on PCs that use BIOS ROM firmware during startup. Microsoft announced in September that Windows 8 requires its host machines to use the UEFI protocol in the name of secure booting. UEFI provides a secure boot protocol, which requires the OS to furnish a digital key in order to be loaded by the machine. UEFI can then block the operations of any programs or drivers unless they have been signed by this key, a move that should prevent malware from infecting machines by changing the boot-loading process.
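A defender-side check for the master-boot-record attachment and the BIOS-only limitation described above, added here as an example and not taken from the article or from Kleissner's work: it classifies a disk's first 512-byte sector as legacy MBR or GPT protective and compares the bootstrap-code hash against a known-good baseline. The function names, the baseline workflow and the sample sectors are constructed for illustration.

```python
import hashlib
from typing import Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code executed by a BIOS
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
SIGNATURE_OFF = 510      # boot signature 0x55 0xAA
GPT_PROTECTIVE = 0xEE    # partition type used by a GPT protective MBR


def inspect_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Summarise a first sector and flag bootstrap-code changes."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = [sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
               for i in range(4)]
    types = [e[4] for e in entries]
    # Hash only the code area: the 4-byte disk signature at offset 440
    # can legitimately change and would cause false alarms.
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {
        "scheme": "gpt-protective" if GPT_PROTECTIVE in types else "legacy-mbr",
        "active_partitions": [i for i, e in enumerate(entries) if e[0] == 0x80],
        "boot_code_sha256": digest,
        "boot_code_changed": (None if baseline_sha256 is None
                              else digest != baseline_sha256),
    }


def build_sample_sector(boot_code: bytes, part_type: int,
                        active: bool = True) -> bytes:
    """Constructed test input: one partition entry, rest of the table empty."""
    entry = bytes([0x80 if active else 0x00, 0, 0, 0, part_type]) + bytes(11)
    return (boot_code.ljust(PART_TABLE_OFF, b"\x00")
            + entry + bytes(48) + b"\x55\xaa")


if __name__ == "__main__":
    # Constructed byte strings, not real boot code.
    clean = build_sample_sector(b"\xfa\x33\xc0" + b"\x90" * 100, 0x07)
    baseline = inspect_mbr(clean)["boot_code_sha256"]
    altered = build_sample_sector(b"\xeb\x3c" + b"\x90" * 100, 0x07)
    print(inspect_mbr(clean, baseline))
    print(inspect_mbr(altered, baseline))
    print(inspect_mbr(build_sample_sector(b"", 0xEE, active=False)))
```

Take the sector from an offline image or trusted boot media, since code that runs before the OS can alter what a live system returns for its own first sector.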