Although bootkit technology isn’t new, it plays an important role nowadays in attack scenarios against the Microsoft Windows 64-bit platform. Currently more and more sophisticated threats rely on bootkit components to bypass OS security mechanisms and load kernel-mode driver into the system by stealth. Such notorious in-the-wild threats like Win64/Olmarik (TDL4), Win64/Olmasco (MaxSS) and Win64/Rovnix employ bootkit technology so as to be loaded before the operating system is and, thus, are able to bypass Microsoft’s Kernel-Mode Code Signing Policy.
In this presentation we are going to perform in-depth, low-level reverse engineering of the latest modification of the Win64/Rovnix bootkit. The malware is chosen in preference to others due to its noteworthy implementation details (tracing the OS bootloader and kernel, for instance) and its somewhat unusual approach to installing the bootkit component in the system – that is, patching OS bootstrap code. We will start with an overview of bootkit design principles: main modules, their interconnection with each other, ways to receive control before OS kernel and which hooks are necessary to setup in a preboot environment in order to disable security mechanisms so as to be able to load a payload module. We will also enumerate major obstacles that bootkit have to deal with to successfully stay active in the system until the payload receives control. Furthermore, we will concentrate on Win64/Rovnix bootkit implementation details, namely: infected VBR layout, tracing the OS kernel using debugging registers, surviving execution mode switching and loading a kernel-mode driver into system address space. We will look at the OS boot loader and kernel internals that are abused by the bootkit. There will be some live demos of debugging Win64/Rovnix with the disassembler IDA Pro and the Bochs emulator. In the end of the talk, some bootkit prevention techniques are considered. We will analyze implementation details of new features appearing in the Windows 8 operating system such as Secure Boot and the early anti-malware launch module, which are intended to protect the system from bootkit threats.