Defeating x64: Modern Trends of Kernel-Mode Rootkits

10,460 views

Published on

Versions of Microsoft Windows 64 bits were considered resistant against kernel mode rootkits because integrity checks performed by the system code. However, today there are examples of malware that use methods to bypass the security mechanisms Implemented. This presentation focuses on issues x64 acquitectura security, specifically in the signature policies kernel mode code and the techniques used by modern malware to sauté. We analyze the techniques of penetration of the address space of kernel mode rootkits used by modern in-the-wild: - Win64/Olmarik (TDL4) - Win64/TrojanDownloader.Necurs (rootkit dropper) - NSIS / TrojanClicker.Agent.BJ (rootkit dropper) special attention is given to bootkit Win64/Olmarik (TDL4) for being the most prominent example of a kernel mode rootkit aimed at 64-bit Windows systems. Detail the remarkable features of TDL4 over its predecessor (TDL3/TDL3 +): the development of user mode components and kernel mode rootkit techniques used to bypass the HIPS, hidden and system files as bootkit functionality. Finally, we describe possible approaches to the removal of an infected computer and presents a free forensics tool for the dump file system hidden TDL.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
10,460
On SlideShare
0
From Embeds
0
Number of Embeds
1,511
Actions
Shares
0
Downloads
287
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Defeating x64: Modern Trends of Kernel-Mode Rootkits

  1. 1. Defeating x64: Modern Trends of Kernel-Mode Rootkits <br />AleksandrMatrosov<br />Eugene Rodionov<br />
  2. 2. Who we are?<br /><ul><li> Malware researchers at ESET</li></ul> - rootkits analysis<br /> - development of cleaning tools<br /> - tracking new rootkit techniques<br /> - investigation of cybercrime groups <br />http://www.joineset.com/<br />
  3. 3. Agenda<br /><ul><li> Evolution of payloads and rootkits
  4. 4. Bypassing code integrity checks
  5. 5. Attacking Windows Bootloader
  6. 6. Modern Bootkitdetails:
  7. 7. Win64/Olmarik
  8. 8. Win64/Rovnix
  9. 9. How to debug bootkit with Bochs emulator
  10. 10. HiddenFsReader as a forensic tool</li></li></ul><li> Evolution of Rootkits<br />
  11. 11. Evolution of Rootkit Installation<br />exploit<br />payload<br />dropper<br />rootkit<br />
  12. 12. Evolution of Rootkit Installation<br />Malicious <br />Web-site<br />Exploit<br />Vulnerability<br />Bypass<br />ASLR/DEP<br />Escape<br />Sandbox<br />Execute<br />Payload<br />Download<br />Rootkit<br />Escalate<br />Local Privilege<br />Install Rootkit<br />Kernel-Mode<br />Exploit<br />
  13. 13. Evolution of Rootkit Features<br />x86<br />x64<br />Dropper<br />Rootkit<br />Rootkit<br />Rootkit<br />bypassing HIPS/AV <br />self-defense<br />self-defense<br />privilege escalation <br />surviving reboot<br />surviving reboot<br />bypassing signature check <br />installing rootkit driver <br />injecting payload<br />bypassing <br />MS PatchGuard<br />injecting payload<br />Kernel mode<br />User mode<br />
  14. 14. Obstacles for 64-bit Rootkits<br /><ul><li> Kernel-Mode Code Signing Policy:
  15. 15. It is “difficult” to load unsigned kernel-mode driver
  16. 16. Kernel-Mode Patch Protection (Patch Guard):
  17. 17. SSDT (System Service Dispatch Table)
  18. 18. IDT (Interrupt Descriptor Table)
  19. 19. GDT ( Global Descriptor Table)
  20. 20. MSRs (Model Specific Registers)</li></li></ul><li>Bypassing Code Integrity Checks<br />
  21. 21. Types of Integrity Checks<br /><ul><li>PnP Device Installation Signing Requirements
  22. 22. Kernel-Mode Code Signing Policy
  23. 23. Enforced on 64-bit version of Windows Vista and later versions</li></li></ul><li>Subverting KMCSP<br /><ul><li> Abusing vulnerable signed legitimate kernel-mode driver
  24. 24. Switching off kernel-mode code signing checks by altering BCD data:
  25. 25. abusing WinPe Mode
  26. 26. disabling signing check
  27. 27. enabling test signing
  28. 28. Patching Bootmgr and OS loader</li></li></ul><li>Bypassing Integrity Checks<br />
  29. 29. Attacking Windows Bootloader<br />
  30. 30. Boot Process<br />CPU in Real Mode<br />CPU in Protected Mode<br />Full Kernel<br />Initialization<br />MBR<br />First <br />User-Mode Process<br />BIOS<br />Initialization<br />Boot<br />Loader<br />Early Kernel<br />Initialization<br />Kernel Services<br />BIOS Services<br />Hardware<br />
  31. 31. Boot Process of Windows OS<br />
  32. 32. Boot Process with BootkitInfection<br />load malicious MBR/VBR<br />NT kernel modifications<br />load rootkit driver <br />
  33. 33. Code Integrity Check<br />
  34. 34. Evolution of Bootkits<br />?<br />2010<br />2011<br />2007<br />1987<br /><ul><li>BootkitPoC evolution:
  35. 35. eEyeBootroot (2005)
  36. 36. Vbootkit (2007)
  37. 37. Vbootkit v2 (2009)
  38. 38. Stoned Bootkit (2009)
  39. 39. Evilcore x64 (2011)
  40. 40. Bootkit Threats evolution:
  41. 41. Win32/Mebroot (2007)
  42. 42. Win32/Mebratix(2008)
  43. 43. Win32/Mebrootv2 (2009)
  44. 44. Win64/Olmarik (2010/11)
  45. 45. Win64/Rovnix (2011)</li></li></ul><li>Win64/Olmarik<br />
  46. 46.
  47. 47. Installation on x86 vs. x64<br />
  48. 48. TDL4 Installation on x86<br />
  49. 49. TDL4 Installation on x64<br />
  50. 50. Boot Configuration Data (BCD)<br />
  51. 51. BCD Elements determining KMCSP <br />(before KB2506014)<br />
  52. 52. Abusing Win PE mode: TDL4 modules<br />int 13h – service provided by BIOS to communicate with IDE HDD controller<br />
  53. 53. Abusing Win PE mode: Workflow<br />
  54. 54. MS Patch (KB2506014)<br /><ul><li>BcdOsLoaderBoolean_WinPEModeoption no longer influences kernel-mode code signing policy
  55. 55. Size of the export directory of kdcom.dll has been changed</li></li></ul><li>Bypassing KMCSP: Another Attempt<br />Patch Bootmgrand OS loader (winload.exe) to disable KMCSP:<br />
  56. 56. Bypassing KMCSP: Result<br />Bootmgr fails to verify OS loader’s integrity<br />MS10-015<br />kills TDL3 <br />
  57. 57. TDL4 Hidden File Systems<br />
  58. 58. TDL’s Hidden Storage<br /><ul><li> Reserve space in the end of the hard drive (not visible at file system level analysis)
  59. 59. Encrypted contents (stream cipher: RC4, XOR-ing)
  60. 60. Implemented as a hidden volume in the system
  61. 61. Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)</li></li></ul><li>TDL4 File System Layout<br />
  62. 62. Debugging Bootkitwith WinDbg<br />
  63. 63. WinDbg and kdcom.dll<br />WinDbg<br />KDCOM.DLL<br />NTOSKRNL<br />KdDebuggerInitialize<br />RETURN_STATUS<br />Data packet<br />KdSendPacket<br />RETURN_CONTROL<br />Data Packet<br />KdReceivePacket<br />KD_RECV_CODE_OK<br />
  64. 64. TDL4 and kdcom.dll<br />original routine<br />modified routine<br />
  65. 65. TDL4 and kdcom.dll<br />original export table<br />modified export table<br />
  66. 66. How to Debug TDL4 with WinDbg<br /><ul><li>Patch ldr16 to disable kdcom.dll substitution
  67. 67. Reboot the system and attach to it with WinDbg
  68. 68. Manually load drv32/drv64</li></ul>“TDL4 Analysis Paper: a brief introduction and How to Debug It”, Andrea Allievi<br />http://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf<br />
  69. 69. Debugging Bootkitswith Bochs<br />
  70. 70. DEMO<br />
  71. 71. Win64/Rovnix<br />
  72. 72. Win64/Rovnix: Installation<br />
  73. 73. Win64/Rovnix: Bootkit Overview<br />
  74. 74. NTFS Bootstrap Code<br /> NTFS Boot Sector (Volume Boot Record)<br />JMP<br />[3 b]<br />Extended BPB (EBPB)<br />[48 b]<br />Signature<br />[2 b]<br />Boot Code<br />[426 b]<br />OEM ID<br />[8 b]<br />BIOS Parameter Block (BPB)<br />[25 b]<br />
  75. 75. NTFS Bootstrap Code<br />
  76. 76. Win64/Rovnix:Infected Partition Layout<br /><ul><li>Win64/Rovnix overwrites bootstrap code of the active partition
  77. 77. The malicious driver is written either:
  78. 78. before active partition, in case there is enough space
  79. 79. in the end of the hard drive, otherwise</li></li></ul><li>Win64/Rovnix: BootkitDetails<br />
  80. 80. Win64/Rovnix: Loading Unsigned Driver<br /><ul><li>Insert malicious driver in BootDriverList of KeLoaderBlock structure
  81. 81. When kernel receives control it calls entry point of each module in the BootDriverList</li></li></ul><li>Win64/Rovnix: Abusing Debugging Facilities<br />Win64/Rovnix:<br /><ul><li>hooks Int 1h
  82. 82. tracing
  83. 83. handles hardware breakpoints (DR0-DR7)
  84. 84. overwrites the last half of IDT (Interrupt Descriptor Table)
  85. 85. is not used by OS</li></ul>As a result the malware is able to:<br /><ul><li>set up hooks without patching bootloadercomponents
  86. 86. retain control after switching into protected mode</li></li></ul><li>DEMO<br />
  87. 87. Olmarik vsRovnix<br />
  88. 88. What Facilitates the Attack Vector?<br /><ul><li> Untrusted platform problem
  89. 89. BIOS controls boot process, but who controls it?
  90. 90. The trust anchor is below point of attack</li></li></ul><li>HiddenFsReader as a Forensic Tool<br />
  91. 91. HiddenFsReader as a Forensic Tool<br />Retrieves content of the malware hidden file system. <br />Supported malware: TDL3/TDL3+,TDL4; <br />ZeroAccess (will be added soon)<br />http://eset.ru/tools/TdlFsReader.exe<br />http://www.youtube.com/watch?v=iRpp6vn2DAE<br />
  92. 92. HiddenFsReader (HFR) Architecture<br />HiddenFileReader<br />HiddenFsRecognizer<br />HiddenFsDecryptor<br />User mode<br />Kernel mode<br />SelfDefenceDisabler<br />LowLevelHddReader<br />
  93. 93. Conclusion<br /><ul><li>The bootkit technique allows malware to bypass KMCSP
  94. 94. Return to old-school techniques of infecting MBR
  95. 95. Win64/Olmarik(TDL4) is the first widely spread rootkit targeting Win x64
  96. 96. Win64/Rovnix relies on debugging facilities of the platform to subvert KMCSP
  97. 97. The only possible way of debugging bootkits is to use emulators (Bochs, QEMU)
  98. 98. The untrusted platform facilitates bootkit techniques
  99. 99. HiddenFsReaderis shared amongst malware researchers </li></li></ul><li>References<br /><ul><li> “The Evolution of TDL: Conquering x64”</li></ul>http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf<br /><ul><li> “Defeating x64: The Evolution of the TDL Rootkit”</li></ul>http://www.eset.com/us/resources/white-papers/TDL4-CONFidence-2011.pdf<br /><ul><li> “Hasta La Vista, Bootkit: ExploitingtheVBR”</li></ul>http://blog.eset.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr<br /><ul><li> Follow ESET Threat Blog</li></ul>http://blog.eset.com<br />
  100. 100. Questions<br />
  101. 101. Thank you for your attention ;)<br />AleksandrMatrosov<br />matrosov@eset.sk<br />@matrosov<br />Eugene Rodionov<br />rodionov@eset.sk<br />@vxradius<br />

×