Matrosov (2012, RECon) Bootkit threats
    Presentation Transcript

    • Bootkit Threats: In Depth Reverse Engineering & Defense. Eugene Rodionov, Aleksandr Matrosov
    • Outline of The Presentation
      o Bootkit technology: Why? How?
      o Bootkit design principles: architecture, analysis instrumentation
      o Rovnix bootkit in-depth analysis: infected VBR analysis, infection strategy
      o Bootkit remediation techniques
    • Bootkit technology
    • Bootkit evolution over time
      o Bootkit PoC evolution: eEye Bootroot (2005), Vbootkit (2007), Vbootkit v2 (2009), Stoned Bootkit (2009), Evilcore x64 (2011)
      o Bootkit threats evolution: Win32/Mebroot (2007), Win32/Mebratix (2008), Win32/Mebroot v2 (2009), Win64/Olmarik (2010/11), Win64/Olmasco (2011), Win64/Rovnix (2011/2012)
    • Why? Why is there a return to bootkit technology nowadays?
      o Microsoft kernel-mode code signing policy: a bootkit loads an unsigned kernel-mode driver
      o High level of stealth: there are no malicious files in the file system
      o High degree of survival: difficult to detect and remove
      o Ability to disable security software: the malware is launched before security software
    • How? Bootkits in the wild infect the MBR (Master Boot Record) or the VBR (Volume Boot Record). Proof-of-concept bootkits infect UEFI.
    • Bootkit design principles
    • Boot process. Description of the OS boot process (diagram): BIOS → MBR → VBR → bootmgr → winload.exe → kernel initialization. BIOS, MBR, VBR and the start of bootmgr run in real mode over the BIOS interface; bootmgr switches to protected mode without paging; winload.exe and kernel initialization run in protected mode with paging, over the bootmgr interface.
    • Bootkit Architecture (diagram): Starter → Loader → Driver → Payload
      o Starter: locating & loading loader code
      o Loader: locating & loading the driver
      o Driver: hooking system routines, maintaining hidden storage and injecting payload
      o Payload: performing malicious activities
    • Injecting Payload (diagram). Injection approach: the kernel-mode driver reads Payload1 ... PayloadN from the bootkit hidden storage and injects them into Process1 ... ProcessN in user mode using APC routines, patching the entry point of the user-mode executable.
    • Hidden Storage Architecture (diagram). In the user-mode address space: applications and the malware payload. In the kernel-mode address space: the malicious kernel-mode driver, the file system interface (OS file system driver) and the physical storage interface (OS storage device driver stack). On the hard drive: the hidden FS area, which the malicious driver reaches through the physical storage interface, bypassing the OS file system driver.
    • Bootkit Analysis Instrumentation
    • Debugging bootkit with Bochs: ./configure --enable-debugger
    • Debugging bootkit with Bochs (diagram): IDA Pro debugger ↔ Bochs internal debugger interface ↔ Bochs core (CPU, operation memory, system devices)
    • LIVE DEMO
    • Rovnix Reverse Engineering
    • Interesting Carberp sample (October 2011)
    • Rovnix Kit Hidden File Systems Comparison
      functionality                     | Rovnix.A            | Carberp with bootkit | Rovnix.B
      VBR modification                  | ✓                   | ✓                    | ✓
      polymorphic VBR                   | ✗                   | ✗                    | ✓
      Malware driver storage            | ✓                   | ✓                    | ✓
      Driver encryption algorithm       | custom (ROR + XOR)  | custom (ROR + XOR)   | custom (ROR + XOR)
      Hidden file system                | ✗                   | FAT16 modification   | FAT16 modification
      File system encryption algorithm  | ✗                   | RC6 modification     | RC6 modification
    • Rovnix Architecture (diagram): Dropper → Infected VBR → Kernel-mode driver (x86 / x64) → Payload (x86 / x64)
    • Installation Into the System
      o Check administrative privileges
      o Check OS version
      o Locate free space on the hard drive to store the kernel-mode driver & hidden FS image
      o Store the driver & hidden FS image in the located area
      o Overwrite the bootstrap code of the active partition with the malicious one
    • Callgraph of Bootkit Installation Routine
    • VBR Code Information. The VBR is responsible for loading OS boot components (bootmgr, BCD, etc.). On-disk layout: NTFS Boot Sector (Volume Boot Record, 1 sector), followed by the NTFS bootstrap code (IPL, 15 sectors), then partition data. Boot sector fields: JMP [3 b], OEM ID [8 b], BIOS Parameter Block (BPB) [25 b], Extended BPB (EBPB) [48 b], Code Block [426 b], Boot Signature [2 b].
    • Rovnix Polymorphic VBR (diagram): polymorphic decryptor (basic block 1, basic block 2, basic block 3, ..., basic block N) → encrypted malicious VBR → compressed original VBR
    • Decrypted VBR code
      o Hook BIOS int 13h handler: intercept hard drive I/O requests, patch the bootmgr system module
      o Hook BIOS int 15h handler: intercept memory map requests, protect its memory location
      o Decompress & restore the original VBR: continue the normal boot process
    • Hooking BIOS int 15h Handler. Used by the operating system to query the system address map. Abused by the malicious VBR to protect its memory region from allocation by the OS. (Diagram: system memory with the malicious VBR in a protected region; the interrupt vector table holding the int 15h and int 13h handler addresses.)
    • Surviving Execution Mode Switching. To be able to survive processor execution mode switching the malware:
      o detects the execution mode switching operation in bootmgr
      o patches bootmgr right before switching into protected mode
      o copies itself over the last half of the IDT (which isn't used by the OS)
    • Loading Kernel-mode Driver. To be able to load an unsigned kernel-mode driver Rovnix:
      o Waits until the kernel-mode memory manager is properly initialized: sets up a hardware breakpoint
      o Allocates a memory buffer in the kernel-mode address space to store the driver: calls the BlAllocateAlignedDescriptor system routine
      o Inserts the corresponding structure into the BootDriverList of KeLoaderBlock; the driver receives control during boot-start driver initialization
    • LIVE DEMO
    • Hidden Storage Layout
      o The Rovnix bootkit employs a modification of FAT16 for the hidden partition
      o The hidden partition & kernel-mode driver are written either before the first partition on the disk, if there are more than 2000 (1 MB) free sectors, or at the end of the hard drive otherwise
      (Diagram. Before infecting: MBR, VBR, bootstrap code, file system data. After infecting: MBR, malicious VBR, malicious bootstrap code, file system data, then the compressed unsigned driver and the hidden partition. The NTFS bootstrap code is 15 sectors.)
    • Self-defense Mechanisms. To be able to protect the VBR & hidden file system the Rovnix bootkit hooks the IRP_MJ_INTERNAL_DEVICE_CONTROL handler of the storage miniport driver object. (Diagram: \Device\Harddisk0\DR0 is attached to the lowest device object of the storage stack; that device's DriverObject has its MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] entry hooked.)
    • Hidden File System Reader
    • LIVE DEMO
    • Bootkit countermeasures
    • Problem Description. The untrusted platform problem (diagram, same boot chain as before: BIOS → MBR → VBR → bootmgr → winload.exe → kernel initialization, real mode over the BIOS interface, then protected mode without paging, then protected mode with paging over the bootmgr interface). Dependencies: the OS kernel depends on the OS loader (Bootmgr), which depends on the pre-boot firmware; boot-start drivers and non-boot-start kernel-mode drivers depend on the OS kernel. The point of attack is the pre-boot stage, before the OS loader gains control.
    • Bootkits & GPT Disks. There is no MBR & VBR code which is executed on GPT disks, so the bootkits in the wild aren't applicable to GPT disks. (Diagram: protective MBR, primary GUID partition table header, primary GUID partition table entries 1 ... N, the partitions themselves, backup GUID partition table. Each GUID partition entry holds: partition type GUID, unique partition GUID, first LBA, last LBA, attribute flags, partition name.)
    • Bootkits & GPT Disks (UEFI boot chain): UEFI Firmware → UEFI Boot Manager → Windows Boot Manager (bootmgr.efi) → Windows OS Loader (winload.efi) → OS Kernel (ntoskrnl.exe)
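    Two slides above give concrete, checkable facts about the disk: the Hidden Storage Layout slide says where Rovnix writes its driver and hidden partition (the gap before the first partition if it has more than 2000 free sectors, otherwise the end of the disk), and the GPT slide lists the partition entry fields of a scheme on which no MBR/VBR code runs. The Python below is an added example, not code from the talk: it reads the MBR partition table of a raw disk image, recognises a protective MBR and parses the GPT header and entries into the fields the slide names, and for MBR disks scans the region the slide's placement rule selects for non-zero sectors. The disk images are constructed in memory; the 4 MB size, the single partition at LBA 2048 and the constructed unique GUID are assumptions of the example. One caveat: other boot loaders (GRUB, for instance) legitimately store code in the gap after the MBR, so non-zero sectors there are a lead to inspect, not a verdict.

```python
import struct
import uuid

SECTOR = 512
DISK_SECTORS = 8192                 # 4 MB constructed disk image
ROVNIX_GAP_THRESHOLD = 2000         # sectors (about 1 MB), the figure from the slide
PROTECTIVE_MBR_TYPE = 0xEE          # partition type of a GPT protective MBR entry
GPT_SIGNATURE = b"EFI PART"
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr_partitions(mbr: bytes) -> list:
    """Return the used entries of the four-slot MBR partition table at offset 0x1BE."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    entries = []
    for i in range(4):
        status, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", mbr, 0x1BE + 16 * i)
        if ptype:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "start_lba": start_lba, "sectors": count})
    return entries


def parse_gpt(image: bytes) -> list:
    """Parse the primary GPT header at LBA 1 and its partition entry array into the fields
    named on the slide.  (A real tool would also verify the header and entry-array CRC32s.)"""
    header = image[SECTOR:2 * SECTOR]
    if header[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT header at LBA 1")
    entries_lba, num_entries, entry_size = struct.unpack_from("<QII", header, 72)
    parts = []
    for i in range(num_entries):
        off = entries_lba * SECTOR + i * entry_size
        e = image[off:off + entry_size]
        type_guid = uuid.UUID(bytes_le=e[0:16])
        if type_guid.int == 0:          # unused slot
            continue
        first_lba, last_lba, attrs = struct.unpack_from("<QQQ", e, 32)
        parts.append({"type_guid": str(type_guid), "unique_guid": str(uuid.UUID(bytes_le=e[16:32])),
                      "first_lba": first_lba, "last_lba": last_lba, "attributes": attrs,
                      "name": e[56:128].decode("utf-16-le").rstrip("\0")})
    return parts


def inspect_disk(image: bytes) -> dict:
    """Report the partition scheme and, on MBR disks, scan the region where the slide's rule
    says Rovnix stores its driver and hidden partition."""
    mbr_parts = parse_mbr_partitions(image[:SECTOR])
    if any(p["type"] == PROTECTIVE_MBR_TYPE for p in mbr_parts):
        return {"scheme": "GPT", "partitions": parse_gpt(image),
                "findings": ["GPT disk: no MBR/VBR bootstrap code runs, so MBR/VBR bootkits do not apply"]}
    if not mbr_parts:
        raise ValueError("MBR partition table is empty")
    total = len(image) // SECTOR
    first_start = min(p["start_lba"] for p in mbr_parts)
    last_end = max(p["start_lba"] + p["sectors"] for p in mbr_parts)
    gap = first_start - 1               # free sectors between the MBR (LBA 0) and the first partition
    if gap > ROVNIX_GAP_THRESHOLD:
        region, lo, hi = "gap before first partition", 1, first_start
    else:
        region, lo, hi = "unpartitioned tail of the disk", last_end, total
    # A stock install leaves these sectors zero-filled; anything else deserves a look (see caveat).
    suspicious = [lba for lba in range(lo, hi) if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    findings = []
    if suspicious:
        findings.append("%d non-zero sector(s) in %s (first at LBA %d)" % (len(suspicious), region, suspicious[0]))
    return {"scheme": "MBR", "gap_before_first_partition": gap, "rovnix_region": region, "findings": findings}


def _mbr(entries) -> bytes:
    """Constructed MBR: a 'jmp $' stand-in for boot code plus the given partition entries."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\xEB\xFE"
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 0x1BE + 16 * i, status, ptype, start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_mbr_image(infected: bool) -> bytes:
    """One NTFS partition at LBA 2048 (a 2047-sector gap before it); the 'infected' variant
    carries constructed non-zero data in the gap standing in for the driver and hidden partition."""
    img = bytearray(DISK_SECTORS * SECTOR)
    img[:SECTOR] = _mbr([(0x80, 0x07, 2048, 4096)])
    if infected:
        img[100 * SECTOR:111 * SECTOR] = b"\x5A" * (11 * SECTOR)
    return bytes(img)


def build_gpt_image() -> bytes:
    """Protective MBR, primary GPT header at LBA 1, entry array at LBA 2 with one basic data partition."""
    img = bytearray(DISK_SECTORS * SECTOR)
    img[:SECTOR] = _mbr([(0x00, PROTECTIVE_MBR_TYPE, 1, DISK_SECTORS - 1)])
    header = bytearray(92)
    header[:8] = GPT_SIGNATURE
    struct.pack_into("<QII", header, 72, 2, 128, 128)      # entries at LBA 2, 128 entries of 128 bytes
    img[SECTOR:SECTOR + 92] = header
    entry = bytearray(128)
    entry[0:16] = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7").bytes_le   # Microsoft basic data type GUID
    entry[16:32] = uuid.UUID("00000000-0000-4000-8000-000000000001").bytes_le  # constructed unique GUID
    struct.pack_into("<QQQ", entry, 32, 2048, 6143, 0)
    name = "Basic data partition".encode("utf-16-le")
    entry[56:56 + len(name)] = name
    img[2 * SECTOR:2 * SECTOR + 128] = entry
    return bytes(img)


if __name__ == "__main__":
    for label, image in (("clean MBR", build_mbr_image(False)),
                         ("infected MBR", build_mbr_image(True)), ("GPT", build_gpt_image())):
        print(label, inspect_disk(image))
```

    On a real system the image would be the raw physical disk read from a trusted environment (a boot CD or a second machine), since the talk's self-defense slide shows the bootkit filtering disk I/O from inside the infected OS.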
    • Windows 8 Security Features. Security enhancements introduced in Windows 8:
      o Secure boot technology: employing UEFI secure boot in conjunction with TPM
      o Early anti-malware launch module: allows antimalware software to start before any other third-party components
    • Secure Boot. Secure boot prevents running an unknown OS loader: UEFI will verify the OS loader; the key for verification is stored inside the TPM. (Diagram: trust anchor TPM → UEFI → Bootmgr / OS loader → OS kernel → boot-start drivers and non-boot-start kernel-mode drivers.)
    • Early antimalware launch module. The antimalware component receives control before any other third-party software at boot time. (Diagram: Windows OS loader, kernel initialization, early antimalware module, third-party drivers.)
    • Conclusion
      o Bootkit technology allows malware to load an unsigned kernel-mode driver and achieve a high degree of stealth in the system
      o The main targets of bootkit infection are the MBR & VBR
      o Rovnix is the first known bootkit infecting the VBR
      o The most interesting features of the latest modification of the Rovnix bootkit are: polymorphic infected VBR, hidden storage
      o There are additional security features introduced in the Windows 8 OS: early antimalware launch module, Secure Boot
    • References Rovnix Reloaded: new step of evolutionhttp://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution TDL4 reloaded: Purple Haze all in my brainhttp://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain Bootkit Threat Evolution in 2011http://blog.eset.com/2012/01/03/bootkit-threat-evolution-in-2011-2 The Evolution of TDL: Conquering x64http://go.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf Modern bootkit trends: bypassing kernel-mode signing policyhttp://www.virusbtn.com/conference/vb2011/abstracts/LastMinute1.xml King of Spam: Festi botnet analysishttp://blog.eset.com/2012/05/11/king-of-spam-festi-botnet-analysis
    • Moscow, Russia19-20 Novembercfp@zeronights.ru
    • Thank you for your attention!Aleksandr Matrosov Eugene Rodionovmatrosov@eset.sk rodionov@eset.sk@matrosov @vxradius