There is a new tool out there that impersonates the CHKDSK utility and can grab a user’s password and then exit without the user’s knowledge.
The utility looks like the Windows CHKDSK tool, which looks for errors or problems with a hard disk before a machine boots. CHKDSK will execute if the system detects a logical error and then attempt to fix it, and anyone who’s been a Windows user for more than a year or two definitely has seen the utility pop up.
The Evil Maid CHKDSK utility written by Alex Weber loads from a USB device and will present the user with a screen that looks just like the actual CHKDSK screen, saying the tool is checking the volume on the C: drive for errors. The tool shows a message saying, “One of your drives needs to be checked for consistency. You must perform this check before rebooting.”
The tool then asks the user to enter his password, which is the hook. The actual CHKDSK utility doesn’t make this request. Once the user enters the password, the fake utility will write the password to the USB drive and then exit. Weber said in an email interview the tool could also run on operating systems besides Windows.
“It makes use of standard PC BIOS interrupts and 16-bit real-mode assembly, which is I think supported by every x86/x86-64 PC out there. It doesn’t rely on (or even know about, truthfully) the operating system on the computer, so yes, it could target other operating systems with very little work. It basically comes down to changing the messages that the user sees,” Weber said.
The attacker would need physical access to the victim’s machine in order to execute this attack. Weber said he considers his utility a work in progress.
Security researchers — not to mention attackers and malware authors — have been working on various forms of stealthy, low-level malware such as bootkits for years now. The idea, of course, is to place the malware on the victim’s machine quietly and in such a privileged position on the PC that it will survive reboots and system reinstalls. This gives the attacker control of the machine at its most basic level and the ability to record user actions.
The goal behind the Evil Maid attack implemented by Rutkowska in 2009 was to defeat the TrueCrypt full-disk encryption program in a manner similar to the one Weber’s utility uses. Booted from a USB drive, Rutkowska’s tool installs a small sniffer that waits for the user to enter his TrueCrypt passphrase, which it then records. The user would not see any indication the attack had taken place. The Evil Maid moniker is in reference to a malicious hotel maid implementing it against an unsuspecting hotel guest.
Weber said his utility works silently, but after the compromise there is an indication something has happened.
“There is one very obvious indication of compromise that I haven’t found a solution to – Windows will ask the user to format the drive because the drive won’t contain a (valid) partition table. I don’t know of a way around that, but that’s why the code is on Github 🙂 Perhaps writing a bare-bones partition table to the drive along with the password would prevent that,” Weber said.
“I don’t think it’s a terribly useful tool until that’s resolved, but my main design goal was to only use the MBR [master boot record] — I literally used every single byte available.”
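The indicator Weber describes, a removable drive that the BIOS will boot but that carries no partition table Windows recognises, can be checked from a sector image. The following is an added triage example, not Weber's code or anything from his repository; it parses the 512-byte MBR layout (boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and the sample sectors are constructed, with placeholder code bytes.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446  # four 16-byte partition entries live at 446..509
PART_ENTRY_SIZE = 16
BOOT_SIG_OFFSET = 510    # 0x55 0xAA here is what makes the BIOS boot the sector
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four entries: status(1) CHS(3) type(1) CHS(3) LBA start(4) sectors(4)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def assess_mbr(mbr: bytes) -> dict:
    """Triage one 512-byte sector image read from a removable drive."""
    # Flags the pattern Weber describes: BIOS-bootable (signature plus non-zero
    # code region) yet nothing Windows would accept as a partition table.
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    bootable = mbr[BOOT_SIG_OFFSET:] == BOOT_SIGNATURE
    has_code = any(mbr[:PART_TABLE_OFFSET])
    usable = [e for e in parse_partition_table(mbr)
              if e["type"] != 0 and e["sectors"] != 0 and e["status"] in (0x00, 0x80)]
    return {
        "bootable": bootable,
        "has_boot_code": has_code,
        "valid_partitions": len(usable),
        # Blank stick: no signature. Normal stick: has a partition. This one: neither.
        "suspicious": bootable and has_code and not usable,
    }


def _build(code: bytes, entries: bytes, sig: bytes) -> bytes:
    mbr = bytearray(MBR_SIZE)  # assemble a constructed sector for the samples below
    mbr[:len(code)] = code
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + len(entries)] = entries
    mbr[BOOT_SIG_OFFSET:] = sig
    return bytes(mbr)


# Constructed samples; the code bytes are placeholders, not any real boot sector.
ONE_NTFS_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # active, type 0x07
NORMAL_MBR = _build(b"\xeb\x3c\x90", ONE_NTFS_ENTRY, BOOT_SIGNATURE)
NO_TABLE_MBR = _build(b"\xeb\x3c\x90", b"", BOOT_SIGNATURE)  # bootable, empty table
BLANK_MBR = bytes(MBR_SIZE)  # never written: no signature, so not bootable either
```

To use it on a real device, read the first 512 bytes of the raw drive (for example `/dev/sdX` or `\\.\PhysicalDriveN`) and pass them to `assess_mbr`; a normal stick reports a partition, a blank one is not bootable, and only the combination of bootable code with an empty table is flagged.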