Defeating x64: Modern Trends of Kernel-Mode Rootkits
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Defeating x64: Modern Trends of Kernel-Mode Rootkits

on

  • 9,642 views

Versions of Microsoft Windows 64 bits were considered resistant against kernel mode rootkits because integrity checks performed by the system code. However, today there are examples of malware that ...

Versions of Microsoft Windows 64 bits were considered resistant against kernel mode rootkits because integrity checks performed by the system code. However, today there are examples of malware that use methods to bypass the security mechanisms Implemented. This presentation focuses on issues x64 acquitectura security, specifically in the signature policies kernel mode code and the techniques used by modern malware to sauté. We analyze the techniques of penetration of the address space of kernel mode rootkits used by modern in-the-wild: - Win64/Olmarik (TDL4) - Win64/TrojanDownloader.Necurs (rootkit dropper) - NSIS / TrojanClicker.Agent.BJ (rootkit dropper) special attention is given to bootkit Win64/Olmarik (TDL4) for being the most prominent example of a kernel mode rootkit aimed at 64-bit Windows systems. Detail the remarkable features of TDL4 over its predecessor (TDL3/TDL3 +): the development of user mode components and kernel mode rootkit techniques used to bypass the HIPS, hidden and system files as bootkit functionality. Finally, we describe possible approaches to the removal of an infected computer and presents a free forensics tool for the dump file system hidden TDL.

Statistics

Views

Total Views
9,642
Views on SlideShare
8,217
Embed Views
1,425

Actions

Likes
1
Downloads
255
Comments
0

30 Embeds 1,425

http://amatrosov.blogspot.com 932
http://paper.li 156
http://www.rehints.ru 76
http://www.redditmedia.com 67
http://amatrosov.blogspot.ru 41
http://tweetedtimes.com 36
https://twitter.com 23
http://www.securitylab.ru 12
http://a0.twimg.com 11
http://www.linkedin.com 10
http://amatrosov.blogspot.de 10
http://twitter.com 5
http://translate.google.com 5
http://amatrosov.blogspot.se 5
http://amatrosov.blogspot.co.uk 4
http://us-w1.rockmelt.com 4
http://translate.googleusercontent.com 4
http://amatrosov.blogspot.co.il 3
http://www.slideshare.net 3
http://www.slideshare.net 3
http://amatrosov.blogspot.hu 2
http://amatrosov.blogspot.nl 2
http://amatrosov.blogspot.sk 2
http://amatrosov.blogspot.fr 2
http://amatrosov.blogspot.in 2
http://amatrosov.blogspot.com.br 1
http://amatrosov.blogspot.ca 1
http://amatrosov.blogspot.it 1
http://amatrosov.blogspot.com.ar 1
http://amatrosov.blogspot.com.au 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Defeating x64: Modern Trends of Kernel-Mode Rootkits Presentation Transcript

  • 1. Defeating x64: Modern Trends of Kernel-Mode Rootkits
    AleksandrMatrosov
    Eugene Rodionov
  • 2. Who we are?
    • Malware researchers at ESET
    - rootkits analysis
    - development of cleaning tools
    - tracking new rootkit techniques
    - investigation of cybercrime groups
    http://www.joineset.com/
  • 3. Agenda
    • Evolution of payloads and rootkits
    • 4. Bypassing code integrity checks
    • 5. Attacking Windows Bootloader
    • 6. Modern Bootkitdetails:
    • 7. Win64/Olmarik
    • 8. Win64/Rovnix
    • 9. How to debug bootkit with Bochs emulator
    • 10. HiddenFsReader as a forensic tool
  • Evolution of Rootkits
  • 11. Evolution of Rootkit Installation
    exploit
    payload
    dropper
    rootkit
  • 12. Evolution of Rootkit Installation
    Malicious
    Web-site
    Exploit
    Vulnerability
    Bypass
    ASLR/DEP
    Escape
    Sandbox
    Execute
    Payload
    Download
    Rootkit
    Escalate
    Local Privilege
    Install Rootkit
    Kernel-Mode
    Exploit
  • 13. Evolution of Rootkit Features
    x86
    x64
    Dropper
    Rootkit
    Rootkit
    Rootkit
    bypassing HIPS/AV
    self-defense
    self-defense
    privilege escalation
    surviving reboot
    surviving reboot
    bypassing signature check
    installing rootkit driver
    injecting payload
    bypassing
    MS PatchGuard
    injecting payload
    Kernel mode
    User mode
  • 14. Obstacles for 64-bit Rootkits
    • Kernel-Mode Code Signing Policy:
    • 15. It is “difficult” to load unsigned kernel-mode driver
    • 16. Kernel-Mode Patch Protection (Patch Guard):
    • 17. SSDT (System Service Dispatch Table)
    • 18. IDT (Interrupt Descriptor Table)
    • 19. GDT ( Global Descriptor Table)
    • 20. MSRs (Model Specific Registers)
  • Bypassing Code Integrity Checks
  • 21. Types of Integrity Checks
    • PnP Device Installation Signing Requirements
    • 22. Kernel-Mode Code Signing Policy
    • 23. Enforced on 64-bit version of Windows Vista and later versions
  • Subverting KMCSP
    • Abusing vulnerable signed legitimate kernel-mode driver
    • 24. Switching off kernel-mode code signing checks by altering BCD data:
    • 25. abusing WinPe Mode
    • 26. disabling signing check
    • 27. enabling test signing
    • 28. Patching Bootmgr and OS loader
  • Bypassing Integrity Checks
  • 29. Attacking Windows Bootloader
  • 30. Boot Process
    CPU in Real Mode
    CPU in Protected Mode
    Full Kernel
    Initialization
    MBR
    First
    User-Mode Process
    BIOS
    Initialization
    Boot
    Loader
    Early Kernel
    Initialization
    Kernel Services
    BIOS Services
    Hardware
  • 31. Boot Process of Windows OS
  • 32. Boot Process with BootkitInfection
    load malicious MBR/VBR
    NT kernel modifications
    load rootkit driver
  • 33. Code Integrity Check
  • 34. Evolution of Bootkits
    ?
    2010
    2011
    2007
    1987
    • BootkitPoC evolution:
    • 35. eEyeBootroot (2005)
    • 36. Vbootkit (2007)
    • 37. Vbootkit v2 (2009)
    • 38. Stoned Bootkit (2009)
    • 39. Evilcore x64 (2011)
    • 40. Bootkit Threats evolution:
    • 41. Win32/Mebroot (2007)
    • 42. Win32/Mebratix(2008)
    • 43. Win32/Mebrootv2 (2009)
    • 44. Win64/Olmarik (2010/11)
    • 45. Win64/Rovnix (2011)
  • Win64/Olmarik
  • 46.
  • 47. Installation on x86 vs. x64
  • 48. TDL4 Installation on x86
  • 49. TDL4 Installation on x64
  • 50. Boot Configuration Data (BCD)
  • 51. BCD Elements determining KMCSP
    (before KB2506014)
  • 52. Abusing Win PE mode: TDL4 modules
    int 13h – service provided by BIOS to communicate with IDE HDD controller
  • 53. Abusing Win PE mode: Workflow
  • 54. MS Patch (KB2506014)
    • BcdOsLoaderBoolean_WinPEModeoption no longer influences kernel-mode code signing policy
    • 55. Size of the export directory of kdcom.dll has been changed
  • Bypassing KMCSP: Another Attempt
    Patch Bootmgrand OS loader (winload.exe) to disable KMCSP:
  • 56. Bypassing KMCSP: Result
    Bootmgr fails to verify OS loader’s integrity
    MS10-015
    kills TDL3
  • 57. TDL4 Hidden File Systems
  • 58. TDL’s Hidden Storage
    • Reserve space in the end of the hard drive (not visible at file system level analysis)
    • 59. Encrypted contents (stream cipher: RC4, XOR-ing)
    • 60. Implemented as a hidden volume in the system
    • 61. Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)
  • TDL4 File System Layout
  • 62. Debugging Bootkitwith WinDbg
  • 63. WinDbg and kdcom.dll
    WinDbg
    KDCOM.DLL
    NTOSKRNL
    KdDebuggerInitialize
    RETURN_STATUS
    Data packet
    KdSendPacket
    RETURN_CONTROL
    Data Packet
    KdReceivePacket
    KD_RECV_CODE_OK
  • 64. TDL4 and kdcom.dll
    original routine
    modified routine
  • 65. TDL4 and kdcom.dll
    original export table
    modified export table
  • 66. How to Debug TDL4 with WinDbg
    • Patch ldr16 to disable kdcom.dll substitution
    • 67. Reboot the system and attach to it with WinDbg
    • 68. Manually load drv32/drv64
    “TDL4 Analysis Paper: a brief introduction and How to Debug It”, Andrea Allievi
    http://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf
  • 69. Debugging Bootkitswith Bochs
  • 70. DEMO
  • 71. Win64/Rovnix
  • 72. Win64/Rovnix: Installation
  • 73. Win64/Rovnix: Bootkit Overview
  • 74. NTFS Bootstrap Code
    NTFS Boot Sector (Volume Boot Record)
    JMP
    [3 b]
    Extended BPB (EBPB)
    [48 b]
    Signature
    [2 b]
    Boot Code
    [426 b]
    OEM ID
    [8 b]
    BIOS Parameter Block (BPB)
    [25 b]
  • 75. NTFS Bootstrap Code
  • 76. Win64/Rovnix:Infected Partition Layout
    • Win64/Rovnix overwrites bootstrap code of the active partition
    • 77. The malicious driver is written either:
    • 78. before active partition, in case there is enough space
    • 79. in the end of the hard drive, otherwise
  • Win64/Rovnix: BootkitDetails
  • 80. Win64/Rovnix: Loading Unsigned Driver
    • Insert malicious driver in BootDriverList of KeLoaderBlock structure
    • 81. When kernel receives control it calls entry point of each module in the BootDriverList
  • Win64/Rovnix: Abusing Debugging Facilities
    Win64/Rovnix:
    • hooks Int 1h
    • 82. tracing
    • 83. handles hardware breakpoints (DR0-DR7)
    • 84. overwrites the last half of IDT (Interrupt Descriptor Table)
    • 85. is not used by OS
    As a result the malware is able to:
    • set up hooks without patching bootloadercomponents
    • 86. retain control after switching into protected mode
  • DEMO
  • 87. Olmarik vsRovnix
  • 88. What Facilitates the Attack Vector?
    • Untrusted platform problem
    • 89. BIOS controls boot process, but who controls it?
    • 90. The trust anchor is below point of attack
  • HiddenFsReader as a Forensic Tool
  • 91. HiddenFsReader as a Forensic Tool
    Retrieves content of the malware hidden file system.
    Supported malware: TDL3/TDL3+,TDL4;
    ZeroAccess (will be added soon)
    http://eset.ru/tools/TdlFsReader.exe
    http://www.youtube.com/watch?v=iRpp6vn2DAE
  • 92. HiddenFsReader (HFR) Architecture
    HiddenFileReader
    HiddenFsRecognizer
    HiddenFsDecryptor
    User mode
    Kernel mode
    SelfDefenceDisabler
    LowLevelHddReader
  • 93. Conclusion
    • The bootkit technique allows malware to bypass KMCSP
    • 94. Return to old-school techniques of infecting MBR
    • 95. Win64/Olmarik(TDL4) is the first widely spread rootkit targeting Win x64
    • 96. Win64/Rovnix relies on debugging facilities of the platform to subvert KMCSP
    • 97. The only possible way of debugging bootkits is to use emulators (Bochs, QEMU)
    • 98. The untrusted platform facilitates bootkit techniques
    • 99. HiddenFsReaderis shared amongst malware researchers
  • References
    • “The Evolution of TDL: Conquering x64”
    http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf
    • “Defeating x64: The Evolution of the TDL Rootkit”
    http://www.eset.com/us/resources/white-papers/TDL4-CONFidence-2011.pdf
    • “Hasta La Vista, Bootkit: ExploitingtheVBR”
    http://blog.eset.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr
    • Follow ESET Threat Blog
    http://blog.eset.com
  • 100. Questions
  • 101. Thank you for your attention ;)
    AleksandrMatrosov
    matrosov@eset.sk
    @matrosov
    Eugene Rodionov
    rodionov@eset.sk
    @vxradius