Saturday, July 27, 2013

A Secure Boot Resistant Strain of Bootkits

It was born into a world where species like it are discriminated against and oppressed, a world where Secure Boot decides which species get to boot and which do not. It had to evolve to have a chance to boot, and so it did. And here we are, introducing a new strain of UEFI bootkits: a Secure Boot resistant strain which can thrive in this hostile environment.

The screenshot below shows a UEFI bootkit running on a system with, and despite, Windows 8 Secure Boot enabled.

On a serious note, in an effort to continuously improve the security of the platform firmware and hardware, we've analyzed how Secure Boot is implemented on some of the Windows 8 platforms. As a result, we are coordinating the disclosure of our research findings with affected BIOS and platform vendors and working toward mitigating them.

Some of these findings will be presented at Black Hat USA 2013 next week. We'll also demonstrate two attacks against Windows 8 Secure Boot exploiting these findings on affected systems.

We hope you can join us! If not, our presentation and demos will be posted on

RIP Barnaby Jack..

Tuesday, April 3, 2012

I've been waiting for this day for 8 years

Doc said she seems to be one of the lucky ones to have beaten both HBV and HCV.

We can draw analogies between computer and human viruses as much as we want, theorize about computer protections resembling our immune system and other BS, until we meet these real little fuckers..

Tuesday, August 5, 2008

DeepWatch -- Insane detection of Insane Rootkits -- or not so insane ??

There's a real good reason to post this first entry here. I will be giving a talk at Black Hat this year. I dedicate this work to my wife, Natalia.. she's been through much this year.

If you are interested in what's going on with virtualization security and are attending Black Hat, then I invite you to my presentation on Wednesday at 1:45 PM in the Roman Ballroom:

I will introduce DeepWatch, one of my night-time "research" works and a proof-of-concept implementation of a chipset-based detector of virtualization rootkits.

WTF ?? "Chip" what detector ?? Yeah.. that's right. DeepWatch is part of the firmware that has been running for a little over a year on an embedded core in the north bridge on one of my debug platforms.

Well, it's unfair to call it a "detector" of virtualization rootkits.. simply because it can also remove rootkits from the virtualized system.

This screenshot should briefly summarize my talk:

You'll also see a demo where I'll detect and, more importantly, remove an Intel VT-x based rootkit.

I rewrote my slides after I submitted the DVD-ready version. So once again there will be 2 different copies of the presentation floating around on the web. Please check this link shortly after Black Hat for the demo and the updated version of the slides:

I'll be glad to see you at my presentation. You can grab me any time during Black Hat or DEFCON and destroy my brains with this or any other topic and lots of beer.

This stuff kinda relates to the presentations by Joanna Rutkowska, Alex Tereshkin and Rafal Wojtczuk from Invisible Things Lab that they are giving on August 7th. I suggest attending their talks as well:

disclaimer: DeepWatch has nothing to do with deepwatch [dot] com unless you consider virtualization rootkits p0rn.