Defeating x64: The Evolution of the TDL Rootkit
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Defeating x64: The Evolution of the TDL Rootkit

  • 3,802 views
Uploaded on

n this presentation we will be discussing the evolution of the notorious rootkit TDL (classified by ESET as Win32/Olmarik and Win64/Olmarik) which in its latest incarnation is the first widespread......

n this presentation we will be discussing the evolution of the notorious rootkit TDL (classified by ESET as Win32/Olmarik and Win64/Olmarik) which in its latest incarnation is the first widespread rootkit to target 64-bit versions of Microsoft Windows operating systems. The most striking features of the rootkit are its ability to bypass Microsoft Windows Driver Signature Checking in order to load its malicious driver, and its implementation of its own hidden encrypted file system, in which to store its malicious components. Between its first appearance on the malware scene and the present its architecture has been drastically changed several times to adapt to new systems and respond to countermeasures introduced by antivirus and HIPS software. In the presentation we will cover the the following topics: the evolution of the user-mode and kernel-mode components of the rootkit; techniques it has used to bypass HIPS; modifications to the hidden file system; bootkit functionality; tne recently introduced ability to infect x64 operating systems; and, finally, approaches to removing the rootkit from an infected system. In addition, we will present our free forensic tool for dumping the hidden rootkit file system.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
3,802
On Slideshare
3,678
From Embeds
124
Number of Embeds
11

Actions

Shares
Downloads
108
Comments
0
Likes
4

Embeds 124

http://amatrosov.blogspot.com 54
http://www.techgig.com 49
http://translate.googleusercontent.com 5
url_unknown 3
http://amatrosov.blogspot.ru 2
http://www.linkedin.com 2
http://10.150.200.57 2
http://twitter.com 2
https://twitter.com 2
http://www.rehints.ru 2
http://66.196.80.202 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Defeating x64: The Evolution of the TDLRootkit Aleksandr Matrosov Eugene Rodionov
  • 2. Who we are?  Malware researchers at ESET - rootkits analysis - developing cleaning tools - tracking new rootkit techniques - research cybercrime groups http://www.joineset.com/
  • 3. Agenda Evolution of TDL rootkits Installation on x86 vs. x64 TDL bootkit or how to bypass driver signature check How to debug bootkit with Bochs emulator Kernel-mode hooks TDL hidden file system layout Payload injection TdlFsReader as a forensic tool
  • 4. Evolution of rootkits
  • 5. Evolution of rootkits features x86 Dropper Rootkit bypassing HIPS/AV self-defense privilege escalation surviving reboot installing rootkit driver Kernel mode injecting payload User mode
  • 6. Evolution of rootkits features x86 x64 Dropper Rootkit Rootkit bypassing HIPS/AV self-defense self-defense privilege escalation surviving reboot surviving reboot installing rootkit bypassing signature driver injecting payload check Rootkit bypassing MS PatchGuard Kernel mode User mode injecting payload
  • 7. Obstacles for 64-bit rootkits o Kernel-Mode Code Signing Policy  It is “difficult” to load unsigned kernel-mode driver o Kernel-Mode Patch Protection (Patch Guard):  SSDT (System Service Dispatch Table)  IDT (Interrupt Descriptor Table)  GDT ( Global Descriptor Table)  MSRs (Model Specific Registers)
  • 8. Evolution of TDL rootkits TDL3/TDL3+ TDL4Kernel-mode code Base independent piece of PE image in the hiddenrepresentation code in hidden file system file systemSurviving after reboot Infecting disk Infecting MBR of the disk miniport/random kernel-mode driverSelf-defense Kernel-mode hooks, registry Kernel-mode hooks, MBR monitoring monitoringInjecting payload into tdlcmd.dll cmd.dll/cmd64.dllprocesses in the systemx64 support  Complexity  
  • 9. Evolution of TDL rootkits TDL3/TDL3+ TDL4Bypassing HIPS AddPrintProcessor AddPrintProvidor, AddPrintProvidor ZwConnectPortPrivilege Escalation  MS10-092Installation mechanism by loading kernel-mode driver by loading kernel-mode driver overwriting MBR of the diskNumber of installed 4 10modules
  • 10. Installation on x86 vs. x64
  • 11. Installation stages exploit payload dropper rootkit
  • 12. Dropped modulesDropped modules Descriptionmbr original contents of the infected hard drive boot sectorldr16 16-bit real-mode loader codeldr32 fake kdcom.dll for x86 systemsldr64 fake kdcom.dll for x64 systemsdrv32 the main bootkit driver for x86 systemsdrv64 the main bootkit driver for x64 systemscmd.dll payload to inject into 32-bit processescmd64.dll payload to inject into 64-bit processescfg.ini configuration informationbckfg.tmp encrypted list of C&C URLs
  • 13. Installation on x86 Adjust fail SeLoadDriver success privilege Copy itself into Check OS WinXP Vista/Win7 PrintProcessor version director Set IMAGE_FILE_DLL Exploitation success flag in the PE header Fail fail install MS10-092 Copy itself into Call %TMP% directory AddPrintProvidorW API Create Call manifest requesting DeletePrintProvidorW admin privilege API Call ShellExecute
  • 14. Installation on x64 Prepare hidden FS image Write FS image, fail patch MBR and Adjust success SE_SHUTDOWN_PRIVILEGE Exploitation success MS10-092 fail Call ZwRaiseHardError to create BSOD Copy itself into %TMP% directory Restart Dropper Create manifest requesting admin privilege Call success ShellExecute Report to C&C fail
  • 15. TDL bootkit or how to bypass driversignature check
  • 16. Types of integrity checkso PnP Device Installation Signing Requirementso Kernel-Mode Code Signing Policy Enforced on 64-bit version of Windows Vista and later versions 64-bit Windows Vista and 32-bit Windows Vista later and later Boot-start driver   Non boot-start PnP driver   Non boot-start, non-PnP driver   (except stream protected media drivers)
  • 17. Subverting KMCSPo Abusing vulnerable signed legitimate kernel-mode drivero Switching off kernel-mode code signing checks by altering BCD data: abusing WinPe Mode disabling signing check patching Bootmgr and OS loader
  • 18. Boot process of Windows OS real mode real modeLoad MBR Load MBR real mode real mode Load VBR Load VBR real mode/ real mode/ protected mode protected mode Load Load ntldr bootmgr real mode/ Load kernel Load protected mode and boot winload.exe or start drivers winresume.exe Load kernel Boot Process of pre Boot Process of post and boot Windows Vista OS Windows Vista OS start drivers MBR – Master Boot Record VBR – Volume Boot Record
  • 19. Code integrity check Non boot-start OS kernel kernel-mode drivers OS kernel Bootmgr OS loader dependencies Boot-start drivers
  • 20. Boot Configuration Data (BCD) BCD BCD BCD Object1 Object2 BCD BCD BCD Element1 Element2 Element3 Windows boot Inheritable manager Windows boot BCD Object Application loader Device Ntldr
  • 21. BCD Elements determining KMCSP(before KB2506014)BCD option DescriptionBcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity(0x16000020) checksBcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in(0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproductBcdLibraryBoolean_AllowPrereleaseSignatures enables test signing(0x16000049)
  • 22. BCD Elements determining KMCSP(before KB2506014)BCD option DescriptionBcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity(0x16000020) checksBcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in(0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproductBcdLibraryBoolean_AllowPrereleaseSignatures enables test signing(0x16000049)
  • 23. Abusing Win PE mode: TDL4 modulesModule name Descriptionmbr (infected) infected MBR loads ldr16 module and restores original MBR in memoryldr16 hooks 13h interrupt to disable KMCSP and substitute kdcom.dll with ldr32 or ldr64ldr32 reads TDL4’s kernel-mode driver from hidden file system and maps it into kernel-mode address spaceldr64 implementation of ldr32 module functionality for 64-bit OS int 13h – service provided by BIOS to communicate to IDE HDD controller
  • 24. Abusing Win PE mode: workflow Load infected MBR Continue kernel Infected mbr is initialization loaded and executed Load ”drv32” Call or “drv64" Load “ldr16” from KdDebuggerInitialize1 hidden file system “ldr16” is from loaded kdcom.dll loaded and executed substitute Hook BIOS int 13h kdcom.dll Load ntoskrnl.exe, with”ldr32” handler and hal.dll,kdcom.dll,b or “ldr64" restore original Original mbr is ootvid.dll ant etc MBR loaded and executed distrort /MININT option Load VBR Load winload.exe VBR is loaded and executed Substitute EmsEnabled option with WinPe Load bootmgr read bcd Bootmgr is loaded and executed
  • 25. MS Patch (KB2506014)o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policyo Size of the export directory of kdcom.dll has been changed
  • 26. MS Patch (KB2506014)o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policyo Size of the export directory of kdcom.dll has been changed
  • 27. MS Patch (KB2506014)o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policyo Size of the export directory of kdcom.dll has been changed
  • 28. Bypassing KMCSP: another attemptPatch Bootmgr and OS loader (winload.exe) to disableKMCSP:
  • 29. Bypassing KMCSP: ResultBootmgr fails to verify OS loader’s integrity
  • 30. Bypassing KMCSP: ResultBootmgr fails to verify OS loader’s integrity
  • 31. Debugging the bootkit with Bochs
  • 32. Bochs support starting from IDA 5.5
  • 33. •DEMO
  • 34. Kernel-mode hooks
  • 35. Storage Device Stack Disk PDO Disk PDO (Partition 1) (Partition 2) Hard drive Disk Upper Upper Filter Filter driver object Disk class Disk FDO driver object (Partition 0) Hard drive Disk Lower Lower Filter Filter driver object Hard drive port/miniport Disk PDO driver object
  • 36. Stealing Miniport Driver Object Disk PDO Disk PDO (Partition 1) (Partition 1) Hard drive Disk Upper Upper Filter Filter driver object Disk class Disk FDO Before Infection driver object (Partition 0) After Infection Hard drive Disk Lower Lower Filter Filter driver object Hard drive Fake port/miniport Disk PDO driver object TDL4 “Real” driver object Disk PDO Stolen Objects
  • 37. Stealing Miniport Device Object Driver Object Miniport driver ... StartIo ... DeviceObject DriverObject DriverObject DriverObject Device Object Device Object NextDevice Device Object ... Device Object NextDevice DriverObject Device Real (Stolen) Device Object Object Driver Object Bootkit driver Device Object Fake Duplicate Device Object
  • 38. Stealing Miniport Device Object Driver Object Miniport driver ... StartIo ... DeviceObject DriverObject DriverObject DriverObject Device Object Device Object NextDevice Device Object ... Device Object NextDevice DriverObject Device Real (Stolen) Device Object Object Driver Object Bootkit driver Device Object Fake Duplicate Device Object
  • 39. Filtering Disk Read/Write Requestso Filtered requests:  IOCTL_ATA_PASS_THROUGH_DIRECT  IOCTL_ATA_PASS_THROUGH;  IRP_MJ_INTERNAL_DEVICE_CONTROLo To protect:  Infected MBR;  Hidden file system from being read or overwritten SCSI request block Bootkit driver hooks Infected MBR or hidden file Otherwise system is read/written Bootkit driver: Bootkit driver: Counterfeit data and call corresponding complete request miniport’s handler
  • 40. TDL hidden file system
  • 41. TDL’s hidden storageo Reserve space in the end of the hard drive (not visible at file system level analysis)o Encrypted contents (stream cipher: RC4, XOR-ing)o Implemented as a hidden volume in the systemo Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)
  • 42. TDL3/TDL3+ Rootkit Device Stack TDL3 Driver object DeviceXXXXXXXX TDL3 Physical device object DriverObject ... XXXXXXXX – random 8-character ASCII string ?globalrootdeviceXXXXXXXXYYYYYYYYfile_name - for user-mode components deviceXXXXXXXXYYYYYYYYfile_name – for kernel-mode components
  • 43. TDL4 Device Stack DriverPnpManager TDL4 Driver object Driver object DeviceXXXXXXXX Unnamed TDL4 Volume TDL4 Physical device object device object DriverObject DriverObject ... Vpb ... ... Volume parameter block DeviceObject RealDevice XXXXXXXX – random 32-bit hexadecimal integer
  • 44. TDL4 File System Layout One One Variable length Not more than 8 Mb sector sector Infected MBR Disk partitions TDL4 Hidden FS Growth direction
  • 45. Payload injection
  • 46. Injecting payload into target process Process1 Process2 Process3 ProcessN Payload1 Payload2 Payload3 PayloadN user-mode kernel-mode TDL4 driver TDL4 hidden storage Payload1 Payload2 Payload3 PayloadN
  • 47. Injecting workflow Set Exit from work item ImageLoadNotifyRoutine On loading kernel32.dll Go back in the context of System process Queue special kernel-mode Detach from target process APC Initialize IAT and call payload’s entry point In the context of the target process Queue user-mode APC Queue work item Allocate user-mode buffer with code In the context of System process and path to the payload Attach to target process Map image of the payload In the context of the target process
  • 48. TDL4 cleaning approach
  • 49. How to remove TDLo Defeat self defense:  Disable WORK_ITEM checking infected MBR and kernel-mode hooks  Remove hooks of storage miniport device objecto Restore original MBR
  • 50. Debugging bootkit with WinDbg
  • 51. WinDbg and kdcom.dll KdDebuggerInitialize1 RETURN_STATUS Data packet KdSendPacket RETURN_CONTROL Data Packet KdReceivePacket KD_RECV_CODE_OK
  • 52. TDL4 and kdcom.dll
  • 53. TDL4 and kdcom.dll
  • 54. How to debug TDL4 with WinDbgo Patch ldr16 to disable kdcom.dll substitutiono Reboot the system and attach to it with WinDbgoManually load drv32/drv64“TDL4 Analysis Paper: a brief introduction and How to Debug It”, Andrea Allievihttp://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf
  • 55. TdlFsReader as a forensic tool
  • 56. TdlFsReader as a forensic tool
  • 57. TdlFsReader architecture TdlFileReader TdlFsRecognizer TdlFsDecryptor User mode Kernel mode TdlSelfDefenceDisabler LowLevelHddReader
  • 58. TdlFsReader architecture TdlFsRecognizer TdlFsDecryptor FsCheckVersion TdlCheckVersion FsStructureParser TdlDecryptor TdlSelfDefenceDisabler TdlUnHooker HddBlockReader
  • 59. •DEMO
  • 60. Conclusiono Win64/Olmarik (TDL4) is the first widely spread rootkit targeting Win x64o Return to old-school techniques of infecting MBRo The only possible way of debugging bootkit is to use emulators (Bochs, QEMU)o TDL4 is highly resistant to forensic analysiso TdlFsReader will be shared amongst malware researchers
  • 61. References “The Evolution of TDL: Conquering x64”http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf “Rooting about in TDSS”http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf “TDL3: The Rootkit of All Evil?”http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf Follow ESET Threat Bloghttp://blog.eset.com
  • 62. Questions
  • 63. Thank you for your attention ;)Aleksandr Matrosovmatrosov@eset.sk@matrosovEugene Rodionovrodionov@eset.sk@vxradius