Init of Android
Your SlideShare is downloading.
×
Check these out next
Recommended
More Related Content
Slideshows for you (20)
Viewers also liked (20)
Similar to Defeating x64: Modern Trends of Kernel-Mode Rootkits (20)
Recently uploaded (20)
Defeating x64: Modern Trends of Kernel-Mode Rootkits
- 1. Defeating x64: Modern Trends of Kernel-Mode Rootkits <br />AleksandrMatrosov<br />Eugene Rodionov<br />
- 2. Who we are?<br /><ul><li> Malware researchers at ESET</li></ul> - rootkits analysis<br /> - development of cleaning tools<br /> - tracking new rootkit techniques<br /> - investigation of cybercrime groups <br />http://www.joineset.com/<br />
- 3. Agenda<br /><ul><li> Evolution of payloads and rootkits
- 4. Bypassing code integrity checks
- 5. Attacking Windows Bootloader
- 6. Modern Bootkitdetails:
- 7. Win64/Olmarik
- 8. Win64/Rovnix
- 9. How to debug bootkit with Bochs emulator
- 10. HiddenFsReader as a forensic tool</li></li></ul><li> Evolution of Rootkits<br />
- 11. Evolution of Rootkit Installation<br />exploit<br />payload<br />dropper<br />rootkit<br />
- 12. Evolution of Rootkit Installation<br />Malicious <br />Web-site<br />Exploit<br />Vulnerability<br />Bypass<br />ASLR/DEP<br />Escape<br />Sandbox<br />Execute<br />Payload<br />Download<br />Rootkit<br />Escalate<br />Local Privilege<br />Install Rootkit<br />Kernel-Mode<br />Exploit<br />
- 13. Evolution of Rootkit Features<br />x86<br />x64<br />Dropper<br />Rootkit<br />Rootkit<br />Rootkit<br />bypassing HIPS/AV <br />self-defense<br />self-defense<br />privilege escalation <br />surviving reboot<br />surviving reboot<br />bypassing signature check <br />installing rootkit driver <br />injecting payload<br />bypassing <br />MS PatchGuard<br />injecting payload<br />Kernel mode<br />User mode<br />
- 14. Obstacles for 64-bit Rootkits<br /><ul><li> Kernel-Mode Code Signing Policy:
- 15. It is “difficult” to load unsigned kernel-mode driver
- 16. Kernel-Mode Patch Protection (Patch Guard):
- 17. SSDT (System Service Dispatch Table)
- 18. IDT (Interrupt Descriptor Table)
- 19. GDT ( Global Descriptor Table)
- 20. MSRs (Model Specific Registers)</li></li></ul><li>Bypassing Code Integrity Checks<br />
- 21. Types of Integrity Checks<br /><ul><li>PnP Device Installation Signing Requirements
- 22. Kernel-Mode Code Signing Policy
- 23. Enforced on 64-bit version of Windows Vista and later versions</li></li></ul><li>Subverting KMCSP<br /><ul><li> Abusing vulnerable signed legitimate kernel-mode driver
- 24. Switching off kernel-mode code signing checks by altering BCD data:
- 25. abusing WinPe Mode
- 26. disabling signing check
- 27. enabling test signing
- 28. Patching Bootmgr and OS loader</li></li></ul><li>Bypassing Integrity Checks<br />
- 29. Attacking Windows Bootloader<br />
- 30. Boot Process<br />CPU in Real Mode<br />CPU in Protected Mode<br />Full Kernel<br />Initialization<br />MBR<br />First <br />User-Mode Process<br />BIOS<br />Initialization<br />Boot<br />Loader<br />Early Kernel<br />Initialization<br />Kernel Services<br />BIOS Services<br />Hardware<br />
- 31. Boot Process of Windows OS<br />
- 32. Boot Process with BootkitInfection<br />load malicious MBR/VBR<br />NT kernel modifications<br />load rootkit driver <br />
- 33. Code Integrity Check<br />
- 34. Evolution of Bootkits<br />?<br />2010<br />2011<br />2007<br />1987<br /><ul><li>BootkitPoC evolution:
- 35. eEyeBootroot (2005)
- 36. Vbootkit (2007)
- 37. Vbootkit v2 (2009)
- 38. Stoned Bootkit (2009)
- 39. Evilcore x64 (2011)
- 40. Bootkit Threats evolution:
- 41. Win32/Mebroot (2007)
- 42. Win32/Mebratix(2008)
- 43. Win32/Mebrootv2 (2009)
- 44. Win64/Olmarik (2010/11)
- 45. Win64/Rovnix (2011)</li></li></ul><li>Win64/Olmarik<br />
- 46.
- 47. Installation on x86 vs. x64<br />
- 48. TDL4 Installation on x86<br />
- 49. TDL4 Installation on x64<br />
- 50. Boot Configuration Data (BCD)<br />
- 51. BCD Elements determining KMCSP <br />(before KB2506014)<br />
- 52. Abusing Win PE mode: TDL4 modules<br />int 13h – service provided by BIOS to communicate with IDE HDD controller<br />
- 53. Abusing Win PE mode: Workflow<br />
- 54. MS Patch (KB2506014)<br /><ul><li>BcdOsLoaderBoolean_WinPEModeoption no longer influences kernel-mode code signing policy
- 55. Size of the export directory of kdcom.dll has been changed</li></li></ul><li>Bypassing KMCSP: Another Attempt<br />Patch Bootmgrand OS loader (winload.exe) to disable KMCSP:<br />
- 56. Bypassing KMCSP: Result<br />Bootmgr fails to verify OS loader’s integrity<br />MS10-015<br />kills TDL3 <br />
- 57. TDL4 Hidden File Systems<br />
- 58. TDL’s Hidden Storage<br /><ul><li> Reserve space in the end of the hard drive (not visible at file system level analysis)
- 59. Encrypted contents (stream cipher: RC4, XOR-ing)
- 60. Implemented as a hidden volume in the system
- 61. Can be accessed by standard APIs (CreateFile, ReadFile, WriteFile, SetFilePointer, CloseHandle)</li></li></ul><li>TDL4 File System Layout<br />
- 62. Debugging Bootkitwith WinDbg<br />
- 63. WinDbg and kdcom.dll<br />WinDbg<br />KDCOM.DLL<br />NTOSKRNL<br />KdDebuggerInitialize<br />RETURN_STATUS<br />Data packet<br />KdSendPacket<br />RETURN_CONTROL<br />Data Packet<br />KdReceivePacket<br />KD_RECV_CODE_OK<br />
- 64. TDL4 and kdcom.dll<br />original routine<br />modified routine<br />
- 65. TDL4 and kdcom.dll<br />original export table<br />modified export table<br />
- 66. How to Debug TDL4 with WinDbg<br /><ul><li>Patch ldr16 to disable kdcom.dll substitution
- 67. Reboot the system and attach to it with WinDbg
- 68. Manually load drv32/drv64</li></ul>“TDL4 Analysis Paper: a brief introduction and How to Debug It”, Andrea Allievi<br />http://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf<br />
- 69. Debugging Bootkitswith Bochs<br />
- 70. DEMO<br />
- 71. Win64/Rovnix<br />
- 72. Win64/Rovnix: Installation<br />
- 73. Win64/Rovnix: Bootkit Overview<br />
- 74. NTFS Bootstrap Code<br /> NTFS Boot Sector (Volume Boot Record)<br />JMP<br />[3 b]<br />Extended BPB (EBPB)<br />[48 b]<br />Signature<br />[2 b]<br />Boot Code<br />[426 b]<br />OEM ID<br />[8 b]<br />BIOS Parameter Block (BPB)<br />[25 b]<br />
- 75. NTFS Bootstrap Code<br />
- 76. Win64/Rovnix:Infected Partition Layout<br /><ul><li>Win64/Rovnix overwrites bootstrap code of the active partition
- 77. The malicious driver is written either:
- 78. before active partition, in case there is enough space
- 79. in the end of the hard drive, otherwise</li></li></ul><li>Win64/Rovnix: BootkitDetails<br />
- 80. Win64/Rovnix: Loading Unsigned Driver<br /><ul><li>Insert malicious driver in BootDriverList of KeLoaderBlock structure
- 81. When kernel receives control it calls entry point of each module in the BootDriverList</li></li></ul><li>Win64/Rovnix: Abusing Debugging Facilities<br />Win64/Rovnix:<br /><ul><li>hooks Int 1h
- 82. tracing
- 83. handles hardware breakpoints (DR0-DR7)
- 84. overwrites the last half of IDT (Interrupt Descriptor Table)
- 85. is not used by OS</li></ul>As a result the malware is able to:<br /><ul><li>set up hooks without patching bootloadercomponents
- 86. retain control after switching into protected mode</li></li></ul><li>DEMO<br />
- 87. Olmarik vsRovnix<br />
- 88. What Facilitates the Attack Vector?<br /><ul><li> Untrusted platform problem
- 89. BIOS controls boot process, but who controls it?
- 90. The trust anchor is below point of attack</li></li></ul><li>HiddenFsReader as a Forensic Tool<br />
- 91. HiddenFsReader as a Forensic Tool<br />Retrieves content of the malware hidden file system. <br />Supported malware: TDL3/TDL3+,TDL4; <br />ZeroAccess (will be added soon)<br />http://eset.ru/tools/TdlFsReader.exe<br />http://www.youtube.com/watch?v=iRpp6vn2DAE<br />
- 92. HiddenFsReader (HFR) Architecture<br />HiddenFileReader<br />HiddenFsRecognizer<br />HiddenFsDecryptor<br />User mode<br />Kernel mode<br />SelfDefenceDisabler<br />LowLevelHddReader<br />
- 93. Conclusion<br /><ul><li>The bootkit technique allows malware to bypass KMCSP
- 94. Return to old-school techniques of infecting MBR
- 95. Win64/Olmarik(TDL4) is the first widely spread rootkit targeting Win x64
- 96. Win64/Rovnix relies on debugging facilities of the platform to subvert KMCSP
- 97. The only possible way of debugging bootkits is to use emulators (Bochs, QEMU)
- 98. The untrusted platform facilitates bootkit techniques
- 99. HiddenFsReaderis shared amongst malware researchers </li></li></ul><li>References<br /><ul><li> “The Evolution of TDL: Conquering x64”</li></ul>http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf<br /><ul><li> “Defeating x64: The Evolution of the TDL Rootkit”</li></ul>http://www.eset.com/us/resources/white-papers/TDL4-CONFidence-2011.pdf<br /><ul><li> “Hasta La Vista, Bootkit: ExploitingtheVBR”</li></ul>http://blog.eset.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr<br /><ul><li> Follow ESET Threat Blog</li></ul>http://blog.eset.com<br />
- 100. Questions<br />
- 101. Thank you for your attention ;)<br />AleksandrMatrosov<br />matrosov@eset.sk<br />@matrosov<br />Eugene Rodionov<br />rodionov@eset.sk<br />@vxradius<br />
