Look what Kaspersky can do….

Kaspersky Bootkit 2009

What about McAfee? Microsoft? and the rest? Why is there such a hesitation preventing any of the major AVAR companies from detection / removal / prevention of this type of intrusion? They have known of the confirmed existence of the technique since early 2007.

There are already versions of the bootkit for Windows7 available to download.

Time for computer companies to spend less time making silly safety programs, incorrect security ads and feel-good logos and do some real protection/detection/removal.


Yesterday, I stumbled upon an article about how KASPERSKY can detect, remove and prevent bootkit intrusions. Yet, when I went to find the software, the software didn’t advertise THAT HUGE FEATURE. Only to find out that the Kaspersky web site must have been redirected to a phony. More later on this…

Overnight, the sudden departure of a housemate… who was apparently VERY alarmed about my briefly overhearing part of a phone call.

Was he more alarmed that I overheard it, or that somehow SOMEONE ON HIS PHONE TOLD HIM THAT I WAS EAVESDROPPING? (How did they know?) He quickly ended his call and rushed to find me. I covered. He was revealed. No immediate confrontation was necessary. Instead, after some more redirection/obfuscation went awry at around 1:30 this morning, he decided to leave, refusing to answer any questions about his actions and decision. His parting words were that he feels bad for me and my situation, adding “Your wife is a total bitch.” He was out the door and away. More later…

Still tracking down what she did to cause the mortgage to become unpaid, and why she was aware of it being unpaid before I was, as the mortgage company is set to send those notices to my cell phone. OH WAIT, they control my phone. Good ole FLEXISPY. They have the power to intercept and block any incoming calls and text messages… as well as outgoing ones… as well as the ability to screen all calls.

I get a call this afternoon from a friend who has been helping me; he says that he has tried multiple times to get in touch with me but was getting SERVICE UNAVAILABLE. That FLEXISPY program, it’s always on the job!

KASPERSKY FLASHBACK: In June 2007, I was being prevented from downloading Kaspersky from any server. I had a friend download it, rename it, and place it on the RitaCoolidge site where I could pick it up and use it. That method worked, only the intruding software had the ability to corrupt the program after it was installed (junction points, configuration changes and DNS redirection).


What is so special about Valerie Angst that so many people will go to such extreme lengths to protect her?

Valerie exposes her divorce client to liability by telling her to install surveillance software on computers and phones.

So when it is detected, Valerie Angst will stop at nothing to protect herself.

– Destroy her client’s family with a custody battle (which denies the children their father and the extended family)
– Destroy the defendant – professionally, financially, personally and emotionally
– Manipulate everyone in the legal system with ex parte communication.

– Local Police
– County Detectives
Once manipulated, they are now additionally protecting themselves.

To further terrorize, Valerie Angst instructs her client to rob his home
– Doing so with friends AND MY CHILDREN.
– Now each of them faces charges for burglary, breaking and entering, etc…

– County Detectives
– District Attorney

What is so special about Valerie Angst that all of these people and organizations will put themselves on the line to protect her? Nothing, except there is nothing she wouldn’t do to avoid prosecution.


A rootkit has existed since early 2007 that is able to load from Windows Vista boot-sectors.

The code supports the various versions of Vista, can be placed inside the BIOS (it needs around 1,500 bytes), and can be used to bypass Vista’s product activation or avoid DRM.

Vbootkit is much like a door or a shortcut into Vista’s kernel.

A bootkit is a rootkit that is able to load from a boot sector (master boot record, CD, PXE, floppies etc.) and persist in memory all the way through the transition to protected mode and the startup of the OS. It’s a very interesting type of rootkit.

All rootkits install while the OS is running, because they use the OS’s features to load (and Administrator privileges to install); bootkits are different: they use the boot media to attack the OS before it is running, and thus survive.

Vbootkit is a bootkit specific to Windows Vista. It’s a totally in-RAM concept: it doesn’t touch the hard disk under any condition and thus leaves no evidence. Just reboot a vbootkit-running system and it vanishes as if it was never there.

An attack vector exists which can be used to circumvent the full security of the OS, without being easily traceable.

A few things it can do…
– Periodically raise cmd.exe’s privilege to SYSTEM after every few
– Modify the Registry so as to start the telnet server automatically
– Create a user mode thread and deliver the user mode payloads in the context of a system (protected) process (LSASS.EXE, Winlogon.exe etc.)


Since vbootkit becomes part of the kernel, it can do anything that Vista’s kernel can do and works on all versions of Vista, even localized ones.

The code for vbootkit was provided to a few antivirus vendors. Nowadays, many anti-virus solutions don’t scan boot code at all. There was no official response on whether they would implement detection or not.

How can an attacker deploy it?
It doesn’t need to be installed; that’s the way it has been designed. Just boot the system with the vbootkit media (containing vbootkit in its boot sectors) in the drive. After Vista boots, you can verify that you are running vbootkit by checking the privilege of any running cmd.exe: the sample converts all low-privileged cmd.exe processes to SYSTEM privileges. It also supports system compromise via PXE booting.

It doesn’t need any privileges, only physical access to the machine.

It can also be installed to a remote system without physical access.

It was basically designed to run from CD, flash drives and portable HDDs. However, such versions were not persistent, so if the system rebooted, they were gone. So there is also a persistent version which attaches to the MBR of the hard disk. Attaching means it copies the original MBR to some other location and then replaces the MBR. So, when the system now starts, vbootkit awakes from the MBR, bootstraps itself (since it is larger than 446 bytes), then loads the original MBR, and normal booting continues.

As for someone using other boot managers, it has no effect on almost 99% of such systems, because it doesn’t replace the original boot process; it only inserts itself into it.

It is small enough to fit inside BIOS flash memory, at just about 1,500 bytes in size, and it can be reduced further. Today’s BIOSes are big, so it can easily hide in there.
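The MBR attachment described above is what a defender looks for on disk: the 446-byte bootstrap area is replaced while the partition table is left intact so the system still boots. The following Python is an added example, not code from the original article or from the vbootkit authors; it parses a 512-byte MBR sector and compares its bootstrap code hash and partition table against a known-good baseline captured earlier. The sector bytes are constructed samples with a placeholder stub, not real boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 446            # bootstrap code area (the 446 bytes the article mentions)
PT_OFF = 446              # four 16-byte partition entries follow the code
BOOT_SIG = b"\x55\xAA"    # boot signature in the last two bytes of the sector


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into a hash of its code area and its partition table."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIG:
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PT_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return findings against a known-good MBR; an empty list means unchanged.

    A bootkit that attaches to the MBR replaces the code area and chain-loads the
    saved original, so the partition table usually still matches while the code
    hash does not.
    """
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["code_sha256"] != base["code_sha256"]:
        findings.append("bootstrap code changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


def make_sector(code: bytes, partitions: list) -> bytes:
    """Build a constructed sample MBR (placeholder stub, not real boot code)."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(code)] = code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        off = PT_OFF + 16 * i
        sec[off], sec[off + 4] = status, ptype
        struct.pack_into("<II", sec, off + 8, lba_start, sectors)
    sec[510:512] = BOOT_SIG
    return bytes(sec)


# Constructed samples: the same single NTFS (type 0x07) partition, different code area.
KNOWN_GOOD_MBR = make_sector(b"\xEB\xFE", [(0x80, 0x07, 2048, 204800)])
MODIFIED_MBR = make_sector(b"\x90\x90\xEB\xFE", [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("known-good vs itself:", compare_to_baseline(KNOWN_GOOD_MBR, KNOWN_GOOD_MBR))
    print("modified vs known-good:", compare_to_baseline(MODIFIED_MBR, KNOWN_GOOD_MBR))
```

The baseline has to come from a trusted read of the disk (for example, from a boot of clean media), since an in-RAM bootkit that hooks the disk interrupt can hide its own changes from the running system.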

How does vbootkit work?
A small summary of the chain it inserts itself into:

-> Vbootkit code (from CD, PXE etc.)
  -> MBR
    -> NT boot sector
      -> Windows Boot Manager
        -> Windows Loader
          -> Vista kernel

Just after vbootkit takes control, it hooks interrupt 13h (the BIOS disk service), then watches the data being read for the Vista OS signature. After detecting Vista, it starts patching Vista, meanwhile hiding itself (in smaller chunks at different memory locations).

The patches include bypassing several protections such as checksums and digital signature verification, and it takes steps to keep itself in control while the boot process continues to phase 2.

Phase 2 includes patching the Vista kernel so that vbootkit maintains control over the system until it reboots. Several of Vista’s protection schemes were analysed, such as the well-known PE header checksum (every Windows EXE contains it) and the digital signatures of files.

So, you have vbootkit loaded in Vista’s Kernel.

The vbootkit can be modified to bypass DRM. DRM has been implemented so that if unsigned drivers are loaded, it will not let you play the content. What vbootkit does is let you load code without the OS knowing that it has been compromised, and thus it can be misused to bypass DRM.

Some other things vbootkit can be used to do…
– vbootkit can be used to revive the long-dead boot sector virus. Some anti-virus vendors have even stopped detecting boot sector viruses.

Imagine the following scenario: suppose vbootkit is running on a computer and someone plugs in a USB storage device (vbootkit copies itself to the boot sector of the new device). Now whenever the USB device is mistakenly booted, it attaches itself to the boot process of the new system; thus it can flow from system to system, and the legend continues.

Now take another interesting scenario. vbootkit is running on a system in a company; it captures all MAC addresses, and at 00:00, in the silence of midnight, the vbootkit system starts remote booting and delivers the vbootkit code as boot code through PXE, so slowly and steadily the whole organization gets going on

It can also be used to implement backdoors (both local and remote), just as an idea. Basically, it can do anything you can imagine (that Vista could do).

In the current proof of concept versions, it shows our signature at OS selection time (Boot menu). Secondly, we have added vbootkit signature into the kernel memory, so a physical dump, or a kernel scan will be able to find it.

How would you modify it if you wanted to make it as “invisible” as possible? Removing all the signatures from boot menu and memory locations. Invisibility and detection in rootkits/bootkits is a continuous game of modifying your tools to defeat the other.

It was developed while pentesting a client: we needed something that could load our code into the kernel without touching the hard disk. This started bootkit development. We developed a bootkit for the complete family of Windows NT (including 2000/XP/2003, except Windows NT itself). Then Vista RC1 arrived; since it contained a brand new OS loading mechanism (the boot process is completely different from previous versions), we started analyzing Vista. The process included studying Vista’s MBR, NT boot sector, Boot Manager (Bootmgr.exe), Windows Loader (Winload.exe) and Vista’s kernel (NTOSKRNL.EXE). Several kernel-land shellcodes were developed to be used as a payload in different scenarios.

We don’t want someone to misuse it. We want to show that an attack vector like vbootkit can be used to circumvent whole kernel protections.

It doesn’t need any particular hardware or cpu capable of virtualization.

It patches the Windows Boot Manager, the Windows Loader, and the Vista kernel.

In the reboot-persistent version of vbootkit we also patch the MBR. It patches a few security checks, such as the PE security patch, the digital signature patch and other patches, to maintain control of the boot process. If we miss any patch the system won’t boot at all.

Please tell us more about the code you had to modify, the shellcodes you developed, and the code that runs when the system is loaded.

The code modifications are done for the security checks. For example, the PE checksum: since we modify files in memory, they still have to pass the checks, so we calculate the new checksum and put it in place.
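Both the phase 2 description above and the checksum remark here turn on the PE header checksum. The Python below is an added example, not the authors’ code: it recomputes that checksum with the documented PE algorithm (the one CheckSumMappedFile implements) and compares it with the stored OptionalHeader.CheckSum field, which is the integrity check a scanner applies to an on-disk image. A constructed 256-byte PE-shaped buffer stands in for a real executable.

```python
import struct


def _checksum_offset(data: bytes) -> int:
    """Locate OptionalHeader.CheckSum: PE signature + 24-byte file header + 0x40."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 24 + 0x40


def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum with the documented PE algorithm."""
    skip = _checksum_offset(data)
    if skip % 4:
        raise ValueError("unaligned optional header not supported here")
    padded = data + b"\0" * (-len(data) % 4)          # sum whole little-endian dwords
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue                                   # the stored field is not summed
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)                           # original (unpadded) length


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def checksum_matches(data: bytes) -> bool:
    """True when the stored field equals the recomputed value (0 means 'not set')."""
    stored = stored_checksum(data)
    return stored != 0 and stored == pe_checksum(data)


def build_sample_image(checksum: int = 0) -> bytes:
    """Constructed 256-byte PE-shaped buffer: MZ, e_lfanew, PE signature, PE32 magic."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)           # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x58, 0x10B)          # OptionalHeader.Magic (PE32)
    struct.pack_into("<I", buf, 0x98, checksum)       # OptionalHeader.CheckSum
    return bytes(buf)


if __name__ == "__main__":
    unsigned = build_sample_image()
    good = build_sample_image(pe_checksum(unsigned))
    tampered = bytearray(good)
    tampered[0xF0] ^= 0x01                             # one-byte change outside the header
    print("computed:", hex(pe_checksum(unsigned)))
    print("good matches:", checksum_matches(good))
    print("tampered matches:", checksum_matches(bytes(tampered)))
```

The check only catches a modification that leaves the field stale; code that rewrites the field after patching, as the authors describe, passes it, which is why a stronger verification (the digital signature the article also mentions) is needed on top.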

We have to modify the Vista kernel to keep ourselves in control. The modification lets us stay in spare parts of the kernel, and then we dispatch our payload, which is a shellcode which keeps on escalating commands to System privileges. We also have other kernel land shellcodes such as registry modifications to start the telnet

The POC video shows a privilege escalation shellcode. It is just another thread which finds cmd.exe processes, escalates them and then sleeps for another 30 secs, so that no noticeable performance loss occurs. The shellcode has a negligible effect on system performance.

vbootkit has a very small effect on performance (less than .01%). This is because it doesn’t execute at all times: it works, sleeps, awakes, completes work, sleeps and so on (by the way, sleeping doesn’t take many CPU cycles).

In the proof of concept videos, Vista is running in VMware on our 4-year-old Pentium IV 2.00 GHz, 512 RAM, 40 GB hard disk, GeForce2 MX 400 graphics card. That is why it seems slow 🙂

Are you taking advantage of a bug in Vista to launch your attack? It isn’t that it exploits a bug in Vista’s kernel (at least not in this scenario); it creates a tunnel into Vista’s kernel which doesn’t have any protection barriers, and therefore restores full control of the machine to the user.

It can be programmed to bypass Vista’s product activation. No official Microsoft contact, but we have discussed this with several Microsoft guys.

Software only protections are not enough to protect from bootkits. The only protection available is from hardware (Trusted Platform Module).

Microsoft can only raise the barrier for bootkits by changing algorithms, but there can be no real protection from bootkits using only software methods. Use Secure Boot (TPM).

Would you like to add something?

The beauty of VBootkit lies in the fact that it isn’t about someone else controlling your machine. It’s about you controlling your own machine, so you can run software of your choosing. Vbootkit gives control back to the user.

Presentation: http://www.nvlabs.in/uploads/projects/vbootkit/nitin_vipin_vista_vbootkit.ppt
White Paper: http://www.nvlabs.in/uploads/projects/vbootkit/vbootkit_nitin_vipin_whitepaper.pdf

Re-written – based on an April 26, 2007 article which originally appeared in Security Focus. Copyright © 2007, SecurityFocus


After delaying the custody hearing for the last 2 years,…

and after preventing any visitation,..

and with the knowledge that he has ruled Sonya Healy is in contempt of the custody order,…

and stalling the scheduling for the hearing until mid-June (2009), …

and then scheduling the hearing for a ‘possible’ July 13, 2009, …

and knowing that my son Brennan turns 18 in August,…

on June 25, 2009, Judge DelRicci writes that he is recusing himself from further proceedings in the matter.

He will announce his reasons in open court on July 6, 2009 in courtroom G.

I was prepared to deliver a considerably long petition requesting the recusal this morning but my computers have been under heavy attack for the last week. They killed the laptop completely today. The formal paperwork reflected in a more petition-like format the post I had written on May 20, 2009.

Anyone have any thoughts on the reason the judge will use for his recusal?
a) Federal civil rights violations
b) Violations of Pennsylvania law and procedure
c) Harassment and disrespect
d) Judicial misconduct
e) Conspiracy with Local Police
f) Conspiracy with County Detectives
g) Conspiracy with the District Attorney
… feel free to post your own suggestions…


Last night was another night where I get the reminder of the hate my wife has caused.
Brennan called. The phone rang only 2 times. He hung up before I answered. It was 11:21PM.
I guess I should be happy that I didn’t get to hear him respond NOTHING again tonight.

What Sonya Healy has done to the relationship I had with my children is EVIL.
The karma that she will bring upon herself will be unbearable…


Aha… someone else has this happening to them also… I am not alone. In the following video, and others, I can recognize a remarkable number of similarities with myself.

I was only able to see this video after breaking through parts of the blocking/filtering software. They have updated their program and hacked my equipment again. For every breakthrough, I have learned there are repercussions. I’ve lost a few days to rebuilding/reconfiguring my computers… again.

From You Tube:

Parabolic Dish used to test attic for ultrasonic sounds in the 25khz – 30 khz range. All power to the house is off, the breaker is turned off. Million candle flashlight used for lighting attic, parabolic dish is attached to computer monitor speakers for audio, digital camera used for footage. Trying to determine the cause of the high pitch sounds emitted to the home. Symptoms ears are ringing off the hook, loss of hearing, sleep deprivation, dehydration, thermo burns, nausea, exhaustion, etc. Educated opinions are welcome.

OMG. THANK YOU . I have been experiencing the same torture for over 2 years now.

I was able to corroborate it in a few different ways.

1. The noise is ultrasonic, it is not heard, it is experienced. This basically means that you do not hear it via your ear drum. You experience the discomfort. It is ultrasonic – it is above what most people can hear. If you plug your ears there is NO CHANGE in the level because it is not heard.

2. Animals react differently depending on the ‘volume’ of the noise.

3. The level can cause changes in your attitude. Though difficult to gauge the level, I was able to corroborate the intensity of the noise I felt with other incidental changes. For example, I was able to predict by the number of ants around my kitchen sink if I was going to have a bad day or not. If there were a lot of ants around the sink in the morning, I knew it would be a tearful, emotional day. (The signal was disturbing them up out of the ground around the outside of my home.) If however the ants were near the outside walls of the house, it would be a reasonably good day. When the ants moved to the interior walls of the house, I went back to bed or left the house.

4. I have experienced the burns. Primarily on my scalp at the top of my head. I believe this is because my head is pointing towards the source of the ultrasonic noise all night. As such the metallic elements in sweat are heated by the ultrasonic waves and cause the burn. (See video on You Tube for Kanzius – 60 Minutes for explanation of ultrasonic effect on metallic elements.) See also, CUTANEOUS THERMAL NECROSIS FROM ULTRASONIC BURN.

5. My dog has been killed by the people responsible. The effect of always being within range of the noise caused severe kidney and liver damage. Again, metallic elements heated by the ultrasonic waves. The dog passed 6 months after being poisoned during a robbery at my home. He never recovered from the poisoning and I could tell by his sudden and frequent incontinence that his organs had been damaged. This is confirmed by tests from our vet. Life expectancy is 13-15 years for his breed. He was 9. (Noise began in August 2007. Dog was poisoned in March 2008. Max passed in October 2008)

6. I am experiencing symptoms which may also be indicative of kidney and liver damage myself.

7. I was able to confirm the existence of the noise by using a fluorescent light bulb. When the gas in the bulb is hit by the waves, it lights the tube. (Also demonstrated in the Kanzius video.) When I heard about this method of testing for ultrasonic leaks in aircraft, I went to the locations where I ‘felt’ the noise was strongest. The tube glowed like a light saber from Star Wars.

8. There is a device called ‘sonic nausea’ which is sold in spy shops. See here. I am convinced that I am being terrorized by a derivative of that device. It can be as small as the size of a dime.
Updated the link: Sonic Nausea
Updated the link: Mind Molester
Updated the link: Products

I was unaware of these types of devices until I searched for a phrase used by my wife in a mediation conference. She used the term ‘Tech Harassment’ in an accusation against me. I had never heard the phrase. She used it to describe a fictional accusation of me hacking her email. It made no sense at the time. It still doesn’t make sense. HOWEVER, she misused the phrase. A search for the words was unproductive for months. Until in December 2007, after a Tuesday when Microsoft released about a dozen fixes for security, I was able to find the phrase and the existence of this device which accurately described the symptoms of my experience.

9. This device is used to terrorize. It began once I detected the illegal installation of surveillance software on my computers and telephones. As that hindered effective communication and research, I only found out several things today… when I broke through their filtering software.

10. Let me know what you find. PLEASE!!!! It has been happening at my home since Summer 2007. It was turned off Super Bowl weekend 2009 when I found a contact outside this area. But it returned this last few weeks as I was breaking through again.

Terance http://www.work2bdone.com/live


Listen in on their support personnel…

He lied. Their program CAN BE INSTALLED VIA EMAIL. It isn’t necessary to open an email to have the surveillance program installed.


WebWatcher Demo


Scary? So scary, it should be criminal. Wait! It is criminal!
