the point isn't to get it to work without secure boot enabled, it's to have the benefits of secure boot as well as your own choice of OS. there's no reason to have to compromise on security now like you did.
Most attacks are just social engineering, spyware and daemons for DDoS attacking. Basically all stuff that can be run from user space. There's no real advantage in writing rootkits in our current climate as it's significantly more complicated and not nearly as profitable.
The cynical side of me thinks secure booting was intentionally developed to lock users into their respective platforms and only later sold as a security mechanism to avoid a massive outcry (a la the "terrorism" excuses that Apple used to argue against jailbreaking).
Secure Boot, TPM, etc. are all good if the user wants them on. I'd like my laptop to be as tamper-resistant as possible. With a TPM, I know you can't just pop a USB key in or change my BIOS settings or otherwise intercept the boot process. (At least not easily; and I'm aware of TrueCrypt's (IMO misplaced) disdain for TPM.)
With Secure Boot, I have a higher level of confidence that even if I mess up while using my computer, software cannot have me unknowingly running something other than the OS.
It's not a magic cure-all, and there's potential use for evil. But being able to lock down a machine to the configuration I want is a positive.
TDL4 is the most recent high tech and widely spread member of the TDSS family rootkit, targeting x64 operating systems too such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.
When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit’s modules are written into the hidden file system from the dropper.
The TDL4 bootkit controls two areas of the hard drive one is the MBR and other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes data and returns the contents of the clean MBR i.e. prior to the infection, and also it takes care of Infected MBR by protecting it from overwriting.
The hidden file system with the malicious components also gets protected by the bootkit. So if any application is making an attempt to read sectors of the hard disk where the hidden file system is stored, It will return zeroed buffer instead of the original data.
The bootkit contains code that performs additional checks to prevent the malware from the cleanup. At every start of the system TDL4 bootkit driver gets loaded and initialized properly by performing tasks as follows: Reads the contents of the boot sector, compares it with the infected image stored in hidden file system, if it finds any difference between these two images it rewrites the infected image to the boot sector. Sets the DriverObject field of the miniport device object to point to the bootkit’s driver object and also hooks the DriverStartIo field of the miniport’s driver object. If kernel debugging is enabled then this TDL4 does not install any of it’s components.
TDL4 Rootkit hooks the ATAPI driver i.e. standard windows miniport drivers like atapi.sys. It keeps Device Object at lowest in the device stack, which makes a lot harder to dump TDL4 files.
All these striking features have made TDL4 most notorious Windows rootkit and it is also very important to mention that the key to its success is the boot sector infection.
Another bit:
The original MBR and driver component are stored in encrypted form using the same encryption. Driver component hooks ATAPI's DriverStartIo routine where it monitors for write operations. In case of write operation targeted at the MBR sector, it is changed to read operation. This way it is trying to bypass repair operation by Security Products.
All these articles are a couple of years old now the impression I gathered from chmag is that this is an emerging trend yet, 2 years on, it's still largely unheard of. So I do wonder just how often infected machines (via user space) become subject to rootkits. I'd say it's likely quite a low ratio.
Which brings me back to my original point: the vast majority of attacks happen in user space.
However, I will concede that I assumed rootkits had pretty much died out entirely. And as security is about covering all bases (both high risks and low risks); I welcome your correction and consider myself better informed :)
Actively working in the Windows server and desktop support world, I can tell you that rootkits are very definitely still an issue.
Older XP clients where every process an admin user runs is elevated or newer Windows versions where a "professional" user with administrative rights willy nilly clicks every UAC dialog for escalation without a thought (especially in regards to installers from questionable sources with malicious payload) - or, worse yet, they've disabled UAC altogether (because the dialogs annoy them) and EVERY process is escalated.
Products like TDSSkiller are still being actively updated and developed - and appreciated by folks like myself.
You can install anti-viral solutions, you can lock down machines with group policy, you can stay 100% on your patching coverage, but as soon as one manager says "my user needs admin rights" - now you've got something you can't lock down.
If someone can just turn off secure boot, how does secure boot increase security? Isn't the whole point of it that you can't boot a compromised machine?
nope, the point is that the machine won't boot a compromised OS without the user knowing. the scenario is that the bootloader is compromised by some process other than the user turning it off.
we're not trying to protect computers from the people that own them. security isn't about stopping people from having full control of their devices, it's about stopping processes from having control that the owners don't allow.
To be certified for Windows 8, the device needs to support UEFI secure boot and allow a _physically present user_ to turn it off(typically in order to boot other OSes).
It does reduce security a bit, but enhances user freedom a lot.
I just installed Ubuntu 12.10 on a pre-loaded windows laptop and it works just fine with UEFI/Secure Boot enabled. I just could't boot from CD but a LiveUSB install worked just fine with UEFI/Secure Boot enabled.
Sorry, I mis-spoke. SJVN corrected me: "I've never heard of an x86 OEM that doesn't allow secure boot to be turned off, Some do make it almost impossible to figure out how." (https://twitter.com/sjvn/status/302093489347375107)
Yes, but some OEMs may ship machines without Windows 8 certification, and Microsoft cannot do anything about them shipping with no way to turn Secure Boot off, an ironic consequence of the DoJ lawsuit against them.
Thus, the OEMs need to be named and shamed. However I am not holding my breath for richij (who also appears to be the article author) to name the OEMs.
And even with the OEMs who do get Win8 certification - do we trust Microsoft to enforce their own rule? If they omit the switch, or it doesn't work, will Microsoft withhold certification?
Maybe they will. But I'm glad Linux has strategies that don't rely on that.
>Does Windows 8 not run on UEFI systems without Secure Boot enabled?
It runs without any issues on machines with secure boot disabled.
>Or is this fix just due to pre-installed OEM Windows 8 configurations with Secure Boot enabled?
Yes, although the user can disable secure boot, it's an additional step and also reduces the security of their Windows 8 boot (if they're still using it).
Does anybody know the problem with the ARM technology? Or is it a licensing issue?