Advanced Evasion Techniques by Win32/Gapz
Upcoming SlideShare
Loading in...5
×
 

Advanced Evasion Techniques by Win32/Gapz

on

  • 2,693 views

 

Statistics

Views

Total Views
2,693
Views on SlideShare
2,242
Embed Views
451

Actions

Likes
2
Downloads
97
Comments
0

17 Embeds 451

http://amatrosov.blogspot.ru 137
http://www.securitylab.ru 136
https://twitter.com 109
http://amatrosov.blogspot.com 22
http://www.rehints.ru 16
http://tweetedtimes.com 7
http://amatrosov.blogspot.de 7
http://amatrosov.blogspot.sk 4
http://amatrosov.blogspot.be 2
http://translate.googleusercontent.com 2
http://amatrosov.blogspot.in 2
http://amatrosov.blogspot.co.uk 2
http://amatrosov.blogspot.nl 1
http://amatrosov.blogspot.hu 1
http://amatrosov.blogspot.ro 1
http://www.amatrosov.blogspot.ru 1
http://amatrosov.blogspot.se 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Advanced Evasion Techniques by Win32/Gapz Advanced Evasion Techniques by Win32/Gapz Presentation Transcript

    • Advanced Evasion Techniques byWin32/GapzAleksandr MatrosovEugene Rodionov
    • Outline of The Presentation Targeted Attacks with complex threats (rootkits/bootkits) Is reasonable? Gapz: dropper PowerLoader builder explorer.exe code injection trick Gapz: bootkit Classification of modern bootkits New VBR bootkit technique Gapz: payload Hidden file system implementation Disk hooks and Hooking engine NDIS, TCP/IP stack implementation, HTTP protocol C&C communications Gapz: forensic approaches
    • Targeted Attacks with Complex Threats(rootkits/bootkits)
    • Targeted Attacks with Complex Threats (rootkits/bootkits)Is reasonable for attackers? Long-lasting stealth infection Difficult to investigate by typical forensic tools Difficult to extract bot configuration information Stealth duration for one target: months Price in cybercrime market: Bootkit builder without sources: ~ 10.000$ Stealth bootkit with sources: ~ 50.000$ Custom develop with sources: ~ 100.000$
    • Gapz: dropper
    • Gapz Known DroppersDetection Name Compilation Date LPE Exploits BootkitTechniqueWin32/Gapz.A11/09/201230/10/2012CVE-2011-3402CVE-2010-4398COM ElevationVBRWin32/Gapz.B06/11/2012CVE-2011-3402COM Elevationno bootkitWin32/Gapz.C 19/04/2012CVE-2010-4398CVE-2011-2005COM ElevationMBR
    • PowerLoader Builder (since September 2012)
    • PowerLoader Builder (since September 2012)
    • PowerLoader Based DroppersPrice for Power Loader is about $500 for one builder kit with C&C panelPowerLoader(Agent.UAW)GapzRedymsAgent.UMTPowerLoadercode injectCarberp
    • Gapz Dropper Execution StagesInjecting intoexplorer.exe(entry point)Local PrivilegeEscalation(icmnf)Infecting thesystem(isyspf)stage 1 stage 2
    • Bypassing HIPS with explorer.exe Code Injectionopens shared sections fromBaseNamedObjects mappedinto explorer.exe and writesshellcode
    • Bypassing HIPS with explorer.exe Code InjectionThe dropper searches for thewindow “Shell_TrayWnd”
    • Bypassing HIPS with explorer.exe Code InjectionThe dropper calls GetWindowLong() so as to get the address ofthe routine related to the “Shell_TrayWnd” window handlerThe dropper calls SetWindowLong() to modify “Shell_TrayWnd”window-related data
    • Bypass HIPS with explorer.exe Code Injectioncalls SendNotifyMessage() to trigger shellcode execution inexplorer.exe address spacearbitrary code execution in WndProc() of “Shell_TrayWnd”:
    • Triggering Shellcode ExecutionSendNotifyMessage() transfers control to the address pointedto address points to the KiUserApcDispatcher() routine
    • Triggering Shellcode Executionuses ROP-gadgets to jump into shellcode memory region andexecute shellcode
    • Triggering Shellcode Executionuses ROP-gadgets to jump into shellcode memory region andexecute shellcode
    • Triggering Shellcode Execution
    • Gapz: bootkit
    • Modern Bootkits ClassificationBootkitsMBR VBR/IPLMBR CodemodificationPartition TablemodificationIPL CodemodificationBIOS ParameterBlock modificationTDL4 Olmasco Rovnix Gapz
    • Gapz Bootkit ModificationsDetection Name Compilation Date Bootkit TechniqueWin32/Gapz.A11/09/201230/10/2012VBRWin32/Gapz.C 19/04/2012 MBRGapz BootkitMBRModificationVBRModification
    • Gapz Bootkit OverviewModule Name Hooked Routinentldr BlLoadBootDriversbootmgr Archx86TransferTo32BitApplicationAsmwinload.exe OslArchtransferToKernelntoskrnl.exe IoInitSystemGapz bootkit features: hooks int 13h handler patches modules: ntldr, bootmgr, winload.exe, kernelimage to survive processor execution mode switchingand kernel-mode code integrity checks
    • Gapz Bootkit WorkflowHookArchx86TransferTo32BitApplicationAsmin bootmgrHookOslArchTransferToKernelin winload.exeHookIoInitSystemin kernel imageInt 13h handleris hookedBootmgr loadswinload.exeWinload.exe loadskernel imageBootkit loads maliciouskernel-mode code and runsit in a new system thread
    • Gapz VBR BootkitGapz VBR bootkit features: Relies on Microsoft Windows VBR layout The infections results in modifying only 4 bytes of VBR The patched bytes might differ on various installationsjmpBIOSParameterBlock (BPB)VBR code Text Strings0x550xAA0x000 0x003 0x054 0x19C 0x1FE 0x200transfer control
    • Gapz BPB Layoutstruct BIOS_PARAMETER_BLOCK{WORD BytesPerSector;BYTE SecPerCluster;WORD ReservedSectors;BYTE Reserved[5];BYTE MediaDescriptorID;WORD Reserved2;WORD SectorsPerTrack;WORD NumberOfHeads;DWORD HiddenSectors;DWORD Reserved3[2];LONGLONG TotalSectors;LONGLONG StartingCluster;LONGLONG MFTMirrStartingCluster;DWORD ClustersPerMFTRecord;DWORD ClustersPerIndexBuffer;LONGLONG VolumeSerialNumber;DWORD Reserved4;};
    • Gapz BPB Layoutstruct BIOS_PARAMETER_BLOCK{WORD BytesPerSector;BYTE SecPerCluster;WORD ReservedSectors;BYTE Reserved[5];BYTE MediaDescriptorID;WORD Reserved2;WORD SectorsPerTrack;WORD NumberOfHeads;DWORD HiddenSectors;DWORD Reserved3[2];LONGLONG TotalSectors;LONGLONG StartingCluster;LONGLONG MFTMirrStartingCluster;DWORD ClustersPerMFTRecord;DWORD ClustersPerIndexBuffer;LONGLONG VolumeSerialNumber;DWORD Reserved4;};
    • Gapz BPB ModificationMBR NTFS File SystemIPLVBRNTFS Volume0x200 0x1E00Number of“Hidden Sectors”MBR NTFS File SystemIPLInfectedVBRNTFS Volume0x200 0x1E00Hard DriveModified value of number of “Hidden Sectors”Bootkitbefore infectionafter infection
    • Gapz: rootkit
    • Gapz Rootkit OverviewGapz rootkit functionality is implemented asposition independent kernel-mode code forboth x86 and x64 platformsGapz rootkit capabilities: Hidden storage implementation User-mode payload injection Covert network communication channel C&C server authentication mechanism
    • Gapz Rootkit OverviewGapz rootkit functionality is implemented asposition independent kernel-mode code forboth x86 and x64 platformsGapz rootkit capabilities: Hidden storage implementation User-mode payload injection Covert network communication channel C&C server authentication mechanism
    • Gapz Kernel-mode Code Organizationstruct GAPZ_BASIC_BLOCK_HEADER{// A constant which is used to obtain addresses// of the routines implemented in the blockunsigned int ProcBase;unsigned int Reserved[2];// Offset to the next blockunsigned int NextBlockOffset;// Offset of the routine performing block initializationunsigned int BlockInitialization;// Offset to configuration information// from the end of the kernel-mode module// valid only for the first blockunsigned int CfgOffset;// Set to zeroesunsigned int Reserved1[2];};
    • Gapz Kernel-mode Code BlocksBlock # Implemented Functionality1 General API, gathering information on the hard drives, CRT string routines and etc.2 Cryptographic library: RC4, MD5, SHA1, AES, BASE64 and etc.3 Hooking engine, disassembler engine.4 Hidden Storage implementation.5 Hard disk driver hooks, self-defense.6 Payload manager.7 Payload injector into processes’ user-mode address space.8 Network communication: Data link layer.9 Network communication: Transport layer.10 Network communication: Protocol layer.11 Payload communication interface.12 Main routine.
    • Gapz Hidden Storage Implementation Gapz implements modified FAT32 hidden volumebased on FullFat project Length of file name in FAT directory entry is 32 bytes The hidden volume is stored in the file with name:“??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}” The contents of the volume is encrypted withAES-256 in CBC mode: The sector LBA is used as IV
    • Gapz Hidden Storage Implementation Gapz implements modified FAT32 hidden volumebased on FullFat project Length of file name in FAT directory entry is 32 bytes The hidden volume is stored in the file with name:“??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}” The contents of the volume is encrypted withAES-256 in CBC mode: The sector LBA is used as IV
    • Gapz Hidden Storage Implementation Gapz implements modified FAT32 hidden volumebased on FullFat project Length of file name in FAT directory entry is 32 bytes The hidden volume is stored in the file with name:“??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}” The contents of the volume is encrypted withAES-256 in CBC mode: The sector LBA is used as IV
    • Gapz Crypto Library Implementation Gapz crypto library functionality: Hashing: MD5, SHA1 Symmetric ciphers: RC4, AES Asymmetric cipher: ECC
    • Gapz Self-Defence Mechanisms Gapz hooks IRP_MJ_INTERNAL_DEVICE_CONTROL andIRP_MJ_DEVICE_CONTROL handlers to monitor: IOCTL_SCSI_PASS_THROUGH IOCTL_SCSI_PASS_THROUGH_DIRECT IOCTL_ATA_PASS_THROUGH IOCTL_ATA_PASS_THROUGH_DIRECT Gapz protects: MBR/VBR from being read/overwritten its image on the hard drive from being overwritten
    • Gapz Hooking Engine Implementation Gapz hooking engine is based on the ”HackerDisassembler Engine” Tries to avoid patching the very first bytes of the routinebeing hooked (nop; mov edi, edi; etc.):
    • Gapz Hooking Engine Implementation Gapz hooking engine is based on the ”HackerDisassembler Engine” Tries to avoid patching the very first bytes of the routinebeing hooked (nop; mov edi, edi; etc.):
    • Gapz Code Injection FunctionalityAllocatememory bufferin target processaddress spaceWrite payloadand loader codeinto allocatedbufferCreate remotethread in thetarget processLoader codeDLL loader(load/unload DLL modules)Command executer(call specific handler in DLL payloadand pass necessary parameters)EXE loader 1(run EXE modules)EXE loader 2(run EXE modules)
    • Gapz Payload Loader Code: DLL Loader & Command ExecuterMap image into addressspaceFix relocations andinitialize IATLoad or unload?Execute export #1Execute export #2Release image memoryunload load
    • Gapz Payload Loader Code: EXE LoadersDrop payload image into%TEMP% directoryExecute CreateProcessWAPIEXE Loader 1Create legitimate suspendedprocess(via CreateProcessAsUser)Overwrite process image with themalicious oneSet process thread contextaccording to malicious imageResume process threadEXE Loader 2
    • Gapz Network Protocol Implementationsvchost.exeoverlord32(64).dllWin32/Gapzkernel-mode moduleTCP/IP protocol stackimplementationMessage to be sent toC&C Serveruser modekernel modeC&C ServerSend using Win32socket implementationSend directly usingNDIS miniport driver
    • Gapz Network Protocol ArchitectureGapz implementation OSI ModelHTTP protocol(block #10)TCP/IP protocol(block #9)NDIS miniport wrapper(block #8)Application/PresentationLayerNetwork/TransportLayerData Link Layer
    • Gapz Network Protocol Implementation: NDISGapz network protocol stack relies on miniport adapter driver:Miniport adapter driverIntermediate driverProtocol driver(tcpip.sys)Filter driver.........At the level ofprotocol or intermediatedrivers Win32/Gapz’s networkpacket is “invisible”Win32/Gapz communicatesdirectly to miniport adapterWin32/GapzNetworkpacket
    • Gapz C&C Communication Protocol Gapz communicates to C&C servers over HTTP protocol Capabilities of the protocol: 00 - download payload 01 - send bot information to C&C 02 - request payload download information 03 - report on running payload 04 - update payload download URL The requests corresponding to commands 0x01, 0x02 and 0x03 areperformed by the POST method of the HTTP protocol.
    • Gapz C&C Communication Protocol: HTTP RequestMessage HeaderHTTP Header Request specific dataHTTP header HTTP bodystruct MESSAGE_HEADER{// Output of PRNGunsigned char random[128];// a DWORD from configuration fileunsigned int reserved;// A binary string which is used toauthenticate C&C serversunsigned char auth_str[64];};
    • Gapz C&C Communication Protocol: HTTP RequestMessage HeaderHTTP Header Request specific dataHTTP header HTTP bodystruct MESSAGE_HEADER{// Output of PRNGunsigned char random[128];// a DWORD from configuration fileunsigned int reserved;// A binary string which is used toauthenticate C&C serversunsigned char auth_str[64];};
    • Gapz C&C Communication Protocol: C&C ReplyEncrypted rc4key K1HTTP HeaderReply specificdataHTTP message header HTTP message bodyAuthenticationstringrc4 encrypted data with key k1Decrypt key K1Decrypt authentication string and reply-specificdata using key K1Check authentication stringProcess reply-specificdataReject reply-specificdatamatchdoesn’t match
    • Gapz C&C Communication Protocol: URLs
    • Gapz C&C Communication Protocol: URLs
    • Gapz User-mode Payload FunctionalityThe moduleoverlord32(64).dllis essential part ofthe Gapz bootkitOverlord32(64).dllis injected intosvchost.exeprocessOverlord32(64).dlldispatches therequests fromkernel-modeCmd # Command Description0gather information about all the network adapters installed in the system and theirproperties and send it to kernel-mode module1 gather information on the presence of particular software in the system2 check internet connection by trying to reach update.microsoft.com3 send & receive data from a remote host using Windows sockets4 get the system time from time.windows.com5 get the host IP address given its domain name (via Win32 API gethostbyname)6get Windows shell (by means of querying “Shell” value of“SoftwareMicrosoftWindows NTCurrentVersionWinlogon” registry key)
    • Gapz User-mode Payload InterfaceGapz impersonates the handler of the payload requests in the null.sysdriver to communicate with the injected payload:Win32/Gapz moduleDriverNullDRIVER_OBJECTDriverNullDriver ImageIRP_MJ_DEVICE_CONTROLDriverUnload = NULLDriverUnload rotuineIRP_MJ_DEVICE_CONTROLhandlerDriverNullDRIVER_OBJECTDriverNullDriver ImageIRP_MJ_DEVICE_CONTROLDriverUnload DriverUnload rotuineIRP_MJ_DEVICE_CONTROLhandlerGapz’s hookjmp gapz_hookPayloadinterfacebefore patching after patching
    • Gapz User-mode Payload InterfaceGapz impersonates the handler of the payload requests in the null.sysdriver to communicate with the injected payload:Win32/Gapz moduleDriverNullDRIVER_OBJECTDriverNullDriver ImageIRP_MJ_DEVICE_CONTROLDriverUnload = NULLDriverUnload rotuineIRP_MJ_DEVICE_CONTROLhandlerDriverNullDRIVER_OBJECTDriverNullDriver ImageIRP_MJ_DEVICE_CONTROLDriverUnload DriverUnload rotuineIRP_MJ_DEVICE_CONTROLhandlerGapz’s hookjmp gapz_hookPayloadinterfacebefore patching after patching
    • Modern bootkits comparisonFunctionality GapzOlmarik(TDL4)Rovnix(Cidox)Goblin(XPAJ)Olmasco(MaxSS)MBR modification     VBR modification     Hidden file systemtype FAT32 customFAT16modificationcustom(TDL4 based)customCryptoimplementationAES-256,RC4, MD5,SHA1, ECCXOR/RC4Custom(XOR+ROL)RC6modificationCompressionalgorithm  aPlib aPlib Custom TCP/IPnetwork stack     
    • Gapz: forensics approaches
    • Hidden File System Reader
    • Hidden File System Reader
    • Hidden File System Reader
    • DEMO
    • HiddenFsReader: Free public forensic toolhttp://download.eset.com/special/ESETHfsReader.exe
    • Conclusion The most complex != The stealthiest (detection) Gapz employs a new VBR-based bootkit technique Gapz implements: network communication protocol stack crypto library hidden FAT volume HiddenFsReader is capable of dumping contents of thehidden volume
    • References Gapz and Redyms droppers based on Power Loader codehttp://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/ Mind the Gapz: The most complex bootkit ever analyzed?http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policyhttp://go.eset.com/us/resources/white-papers/Rodionov-Matrosov.pdf Defeating Anti-Forensics in Contemporary Complex Threatshttp://go.eset.com/us/resources/white-papers/Matrosov_Rodionov_VB2012.pdf Bootkit Threats: In-Depth Reverse Engineering & Defensehttp://www.welivesecurity.com/wp-content/media_files/REcon2012.pdf
    • Thank you for your attention!Aleksandr Matrosovmatrosov@eset.sk@matrosovEugene Rodionovrodionov@eset.sk@vxradius