Windows 7 Rootkit Code Made Available

Ralph DeFrangesco

Two security researchers, Vipin Kumar and Nitin Kumar, have decided to release the code that they used to take control of a Microsoft Windows 7 operating system at the Hack in the Box conference held in Dubai. The researchers originally announced that they would not be releasing the code, saying that it might be misused.


VBootkit 2.0 was developed to exploit a design flaw in the Windows 7 operating system. The exploit can remove and restore user passwords and strip Digital Rights Management (DRM) protections without a trace. It is now available for download under an open-source license.


Microsoft has already stated that VBootkit 2.0 is not a serious threat because the attacker has to have physical access to the target computer in order to launch the attack. VBootkit is small, just 3KB in size. Kumar and Kumar claim that the rootkit can be modified to run remotely.


I am on the fence about this. Let's look at both sides of the equation: if the code is made available, it gives researchers the ability to look at another vulnerability and how it might affect an operating system, specifically a new operating system. Researchers need as much code as they can get their hands on to continue to understand how exploits work. On the flip side, there are many people who would use the code for the wrong purpose. In addition, we are also teaching a new generation of hackers how to create rootkits.


In this case, I don't like the idea of making the code public. If the developers want to make the code available for research, there are a few options. They could just give it to companies like Microsoft or Symantec. Another option is to give it to a research university. Anyone wanting access to the code could apply for it. I think the last thing we want to do is make it available for anyone to download and use. What do you think? Should the code be made available to anyone?

May 11, 2009 10:55 AM Ralph DeFrangesco says: in response to William


First, thank you for taking the time to respond. I think we are saying the same thing. I agree, I think the code should be made available. I just think it should only be made available to researchers that need it. Yes, as you said, the "bad guys" will probably get a copy of it anyhow, but why make it easy for them? Let's continue this, it needs more discussion.

Thank you,


May 11, 2009 12:00 PM William says:

The advantage of publishing the code is to try and force Microsoft's hand. However, if Microsoft doesn't try to do anything about it then where does that leave us?

Not publishing it doesn't mean it won't get out and be exploited; what it does mean is there will be a smaller area of researchers and coders working on detection/removal software. The thing about knowledge in the IT industry is it reaches a critical mass, somebody somewhere is going to figure it out. It might as well be the good guys.

The real issue is many still treat the Internet like their TVs, just plug and play, no worries. The manufacturers talk about security and security products like they're a panacea, and people buy into it and therefore don't manage the risk appropriately. Windows 7 may be "the most secure operating system ever", but at one point the Model T was the safest car on the road.

My point being defining current risk isn't enough, we need an open system of disclosure that can react nimbly to emerging threats, security by obscurity doesn't work, and I think they made the right decision, even if it's uncomfortable.

