Stoned déjà vu - again
The Stoned Bootkit is back! 1987, 2009, 2010! Following the mentality of the original Stoned virus, there is now a second version of the Stoned Bootkit, which attacks 64-bit Windows and Linux (still under development).
Peter Kleissner, Software Dev. Guru in Vienna
Your PC is now Stoned! ..again

Open source is a development method for software that harnesses the power of distributed peer review and transparency of process. The promise of open source is better quality, higher reliability, more flexibility, lower cost, and an end to predatory vendor lock-in.

http://www.stoned-bootkit.info/ - Main site (this site, redirects here)
http://de.wikipedia.org/wiki/Stoned_(Computervirus) - Stoned (Computervirus)
http://sourceforge.net/projects/bootkit
I continued where I stopped at Black Hat, now discussing the extended features and the usage of the bootkit. The presentation itself is lightweight: this time I focused more on my talk than on the slides. All the technical information is written down in the paper.
Compiling and testing
The source of the Stoned Bootkit is available via the sourceforge svn repository. You can also browse the source online. If you want to compile the bootkit, read "Stoned v2 Introduction.txt"; you need the following programs installed:
Press statement - removed project from sourceforge
On January 31, 2010 the entire project was removed from sourceforge.net due to:
- Abuse of the code
- SourceForge #fail of censorship in Iran, North Korea, Syria, Sudan and Cuba
- Fail of Kaspersky and local law enforcement
It is the magic of open source that makes us publish our software as open source.
The Stoned Bootkit is developed according to AG_OnlineDurchsuchung_Endbericht.pdf:
- Page 13, "Verhinderung der Fremdnutzung" (prevention of use by third parties): expiration dates, customized encryption keys
- Page 13, "Verhinderung der Nachahmung" (prevention of imitation): encryption, AV Tracker 2
You can get a copy of the document at http://www.stoned-bootkit.info/downloads/AG_OnlineDurchsuchung_Endbericht.pdf.
Press statement: Whistler Bootkit ain't Stoned Bootkit (20.03.2010)
Some time ago allvirusthanks.org blogged about a 'Whistler Bootkit', and while they failed to censor the pictures, there's no reason to worry. I published the Stoned Bootkit as open source to all developers to harness the power of distributed peer review and transparency of process. The Stoned Bootkit was published for months at SourceForge, because I believe in open source. Instead of taking advantage of the bootkit technology, I decided to talk about it openly and presented it at Black Hat, Hacking at Random and DeepSec. The Stoned Bootkit is not criminal and its usage is not illegal; it's just an open source unsigned code loader. Even if Kaspersky thinks it would capture electromagnetic signals.
The source of Whistler Bootkit was simply "stolen" from the Stoned Bootkit on SourceForge in January (this is why I removed it from SF too). I have not tried to sell it, and I had the forum entry on opensc.ws removed immediately. The Stoned Bootkit 2 source code is not for sale to anyone. Also, this http://www.w32whistler.com/ fake website has nothing to do with the Stoned Bootkit.
Anti-Bootkit
There is a nice Anti-Bootkit program available at http://ebfes.wordpress.com/. You can boot it from floppy or CD, view the hashes of the MBR and display its hex dump. Unfortunately it doesn't seem to provide a 'directly boot the OS' feature or a 'restore default MBR' feature. I tried to contact the author, but so far there is no response.
The project is available as source (no specific license) and is written in assembler by a German developer. It has quite some potential: possible future features include detecting bootkits based on signatures and heuristics, removing them, displaying information about them, and so on. Sinowal (Mebroot), for example, stores its MBR backup and its configuration on unpartitioned space, so the C&C server URL could be extracted from there (it's stored as plain text).

You can download this Anti-Bootkit (including the source) at http://ebfe.de.vu/antibootkit/release085.zip
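As an added example (not the Anti-Bootkit program's own code and not part of the Stoned project), the following Python checker does in user space what the tool does at boot time: it parses a 512-byte MBR, hashes the boot-code region and compares it against a recorded baseline, and goes one step further with simple partition-table sanity checks. The sample MBR is constructed inline and is not taken from any real disk.

```python
import hashlib
import struct
MBR_SIZE = 512
BOOT_CODE_LEN = 440   # boot code precedes the 4-byte disk signature at offset 0x1B8
PART_TABLE_OFF = 446  # four 16-byte partition entries
BOOT_SIG_OFF = 510    # 0x55AA marks a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Validate a 512-byte MBR, hash its boot code and decode the partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        flag, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        partitions.append({"bootable": flag == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Findings: boot-code drift from a trusted baseline plus partition-table sanity checks."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code hash differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    for idx, p in enumerate(info["partitions"]):
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {idx}: unused type but non-zero LBA fields")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample (not a real disk): deterministic boot code, one NTFS-type partition."""
    boot_code = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_LEN))
    disk_sig = b"\x11\x22\x33\x44\x00\x00"  # disk id + 2 reserved bytes
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"

if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]  # record this from a trusted image
    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF  # simulate one rewritten boot-code byte
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(bytes(tampered), baseline))
```

On a real system the 512 bytes would be read from the raw disk device while booted from trusted media, and the baseline hash recorded before any suspicion arises.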
Last modified: 4 May 2010
