eWeek: MS Watches as Vista Gets ‘0wn3d’ by Rootkit
Rutkowska, a Windows Internals expert, was one of several stealth malware researchers using Black Hat, the preeminent hacker conference, to discuss advancements in rootkit creation.
During her talk, she described how scripts can be used to allocate excess amounts of memory to a process, forcing the target system to page out unused code and drivers. At this stage, Rutkowska showed how shell code could be executed inside one of the unused drivers, completely defeating the new device driver signing policy being implemented in Vista to only allow digitally signed drivers to load into the kernel.
Rutkowska created a one-click tool to plant the rootkit and used special heuristics to automatically find out how much memory should be allocated to “knock the unused driver.”
The shell code used in the demo successfully disabled signature checking in the rooted machine, rendering the system vulnerable to the loading of unsigned drivers. [Entire story]