Root certificate substitution detected in iVentoy when booting Windows

Suspicious activity has been detected in the iVentoy toolkit, which is used to boot and install arbitrary operating systems over the network. When booting Windows over the network, the toolkit installed the httpdisk.sys binary driver into the system and added the self-signed certificate used to sign that driver to the system's root certificate store. Thirty-one of the 70 antivirus engines that scanned the httpdisk.sys file flagged it as malware.

This activity was perceived as a potential attempt to plant a backdoor and raised questions about the trustworthiness of the open source Ventoy project. The situation was aggravated by the fact that last year, after the backdoor incident in the XZ project, the community had already drawn attention to the presence of suspicious prebuilt blobs in the Ventoy source tree.

NixOS developers suggested replacing Ventoy in the nixpkgs repository with the fnr1r fork (glim can also be considered as an alternative). Ventoy and iVentoy are developed by the same author and serve a similar purpose: Ventoy is fully open and aimed at booting operating systems from USB drives, while iVentoy is only partially open and is designed for booting over the network via PXE.

The author of the Ventoy and iVentoy projects joined the discussion and explained that the httpdisk.sys driver code is open, and that the driver is intended for mounting disk images over the network via HTTP in Windows, which iVentoy uses to fetch the Windows installation data from the server. Installing drivers and scripts into the system after boot is documented behaviour.

The custom certificate used to sign this driver was added to the root certificate store so that the driver could be loaded despite the digital signature verification that Windows enforces for kernel drivers. The certificate was inserted only into a one-time WinPE environment (Windows Preinstallation Environment) created in RAM; no changes were made to permanent disk-based Windows installations. It was stated that the next release of iVentoy will stop inserting the custom certificate and will instead start WinPE in Windows test-signing mode (Test Mode) to allow the driver to load.
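The two mechanisms described above (a locally added root certificate versus test-signing mode) leave different traces on a machine. The script below is an added example and is not part of iVentoy or Ventoy; it audits a Windows installation for self-signed roots that were added to the machine root store outside the Microsoft Root Program, resolves which root a given driver's Authenticode chain terminates in, and reports whether test-signing is enabled. The driver path is an assumption for illustration; the check is generic and works for any driver file.

```powershell
# Added example (not iVentoy/Ventoy code). Audit a Windows installation for:
#  (a) self-signed roots in LocalMachine\Root that were added locally,
#  (b) a kernel driver whose Authenticode chain ends in such a root,
#  (c) test-signing mode, which lets test-signed drivers load without
#      touching the root store at all.
# The driver path below is an assumption; adjust for the system examined.
# Run from an elevated PowerShell session (bcdedit requires administrator).

$DriverPath = 'C:\Windows\System32\drivers\httpdisk.sys'   # assumed path

# (a) LocalMachine\AuthRoot holds roots distributed by the Microsoft Root
# Program. A self-signed certificate in LocalMachine\Root that is neither
# there nor a built-in Microsoft root was added locally (admin, OEM or tool).
$programRoots = Get-ChildItem Cert:\LocalMachine\AuthRoot |
    ForEach-Object Thumbprint
$localRoots = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -eq $_.Issuer -and                 # self-signed
    $programRoots -notcontains $_.Thumbprint -and # not from the Root Program
    $_.Subject -notmatch 'Microsoft'              # not a built-in Microsoft root
}

# (b) Resolve the driver's signer and walk the chain to its terminating root.
# Get-AuthenticodeSignature also resolves catalog-signed drivers.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath -ErrorAction SilentlyContinue
$chainRoot = $null
if ($sig -and $sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Build() returns $false for an untrusted root, but ChainElements is still
    # populated up to the last certificate that could be located.
    $null = $chain.Build($sig.SignerCertificate)
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
}

# (c) The testsigning entry appears in the boot configuration only when set.
$testSigning = (bcdedit /enum '{current}' 2>$null) -match 'testsigning\s+Yes'

[pscustomobject]@{
    LocallyAddedRoots        = $localRoots | Select-Object Subject, Thumbprint, NotAfter
    DriverSignatureStatus    = if ($sig) { $sig.Status.ToString() } else { 'file not found' }
    DriverSigner             = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    DriverChainRoot          = if ($chainRoot) { $chainRoot.Subject } else { $null }
    DriverRootIsLocallyAdded = [bool]($chainRoot -and
                                      ($localRoots.Thumbprint -contains $chainRoot.Thumbprint))
    TestSigningEnabled       = [bool]$testSigning
}
```

The LocallyAddedRoots list is a shortlist for review rather than a verdict: corporate and OEM roots legitimately appear there too. Because the article states that the certificate was inserted only into the in-memory WinPE environment, running this on a permanently installed system is expected to show nothing attributable to iVentoy; to observe the behaviour itself, the same checks would have to run inside the WinPE session before the installer reboots.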

Regarding the prebuilt blobs (1, 2, 3) shipped in Ventoy, the developer stated that these binaries are taken directly from other open source projects and that Ventoy uses them unmodified. The ready-made executables are used while configuring the systems being booted. As an alternative, it has been suggested not to ship prebuilt binaries at all, but to build them for Ventoy releases independently via GitHub CI.

Source: opennet.ru
