SlideShare a Scribd company logo
1 of 38
Download to read offline
Modern Bootkit Trends:
     Bypassing Kernel-Mode Signing Policy

Aleksandr Matrosov
Eugene Rodionov
Agenda

 Evolution of payloads and rootkits
 Bypassing code integrity checks
 Attacking Windows Bootloader
 Modern Bootkit details:
   Win64/Olmarik
   Win64/Rovnix


 What Facilitates Bootkit Attack Vector
Evolution of Rootkits
Evolution of Rootkit Installation

 Malicious           Exploit            Bypass              Escape
 Web-site          Vulnerability       ASLR/DEP            Sandbox




             Execute          Download         Escalate
             Payload           Rootkit       Local Privilege




                              Kernel-Mode
                                Exploit
                                                         Install Rootkit
Evolution of Rootkit Features

                              x86


        Dropper                                         Rootkit
    bypassing HIPS/AV                                  self-defense
    privilege escalation                             surviving reboot
     installing rootkit
           driver                      Kernel mode   injecting payload
                           User mode
Evolution of Rootkit Features

                              x86
                              x64


        Dropper                                           Rootkit
                                                          Rootkit
    bypassing HIPS/AV                                   self-defense
                                                        self-defense
    privilege escalation                               surviving reboot
                                                       surviving reboot
     installing rootkit                              bypassing signature
           driver                                     injecting payload
                                                            check
                                                           Rootkit
                                                          bypassing
                                                       MS PatchGuard
                                       Kernel mode
                           User mode




                                                      injecting payload
Obstacles for 64-bit Rootkits

o Kernel-Mode Code Signing Policy:
     It is “difficult” to load unsigned kernel-mode driver



o Kernel-Mode Patch Protection (Patch Guard):
     SSDT (System Service Dispatch Table)
     IDT (Interrupt Descriptor Table)
     GDT (Global Descriptor Table)
     MSRs (Model Specific Registers)
Bypassing Code Integrity Checks
Subverting KMCSP
o Abusing vulnerable, signed, legitimate kernel-mode
 driver
o Switching off kernel-mode code signing checks by
 altering BCD data:
    abusing WinPE Mode
    disabling signing check
    enabling test signing
o Patching Bootmgr and OS loader
Bypassing Integrity Checks

                Bypassing Integrity Check Techniques



         USER-MODE                           KERNEL-MODE


         TESTSIGNING ON                    System Boot Modification

                                                        MBR
     DISABLE INTEGRITY CHECKS
                                                (Master Boot Record)

                                                        VBR
                                                (Volume Boot Record)
Attacking Windows Bootloader
Boot Process


                                                                          First
      BIOS                         Boot            Full Kernel
                  MBR                                                   User-Mode
 Initialization                   Loader          Initialization
                                                                         Process


                                 Early Kernel
                                 Initialization




                        BIOS Services                              Kernel Services

                                   Hardware
Boot Process with Bootkit Infection

              load malicious
                MBR/VBR




                            NT kernel
                           modifications



                                           load rootkit
                                              driver
Code Integrity Check



                                        Non boot-start
                        OS kernel
                                      kernel-mode drivers

                         OS kernel
 Bootmgr   OS loader
                       dependencies

                        Boot-start
                         drivers
Evolution of Bootkits




o Bootkit PoC evolution:       o Bootkit Threats evolution:
      eEye Bootroot (2005)          Win32/Mebroot (2007)
      Vbootkit (2007)               Win32/Mebratix (2008)
      Vbootkit v2 (2009)            Win32/Mebroot v2 (2009)
      Stoned Bootkit (2009)         Win64/Olmarik (2010/11)
      Evilcore x64 (2011)           Win64/Rovnix (2011)
Win64/Olmarik
TDL4 Installation on x64
                                                        Prepare hidden FS
                                                             image




                                                          Write FS image,
                              fail                     patch MBR and Adjust   success
                                                     SE_SHUTDOWN_PRIVILEGE


                     Exploitation
          success
                      MS10-092
                                       fail                                          Call
                                                                              ZwRaiseHardError
                                                                               to create BSOD

                                 Copy itself into
                                %TMP% directory
     Restart
     Dropper
                                     Create
                               manifest requesting
                                admin privilege




                         Call
           success
                     ShellExecute
                                                             Report to C&C

                                              fail
BCD Elements determining KMCSP
(before KB2506014)


BCD option                                             Description
BcdLibraryBoolean_DisableIntegrityCheck       disables kernel-mode code integrity
(0x16000020)                                  checks

BcdOSLoaderBoolean_WinPEMode                  instructs kernel to be loaded in
(0x26000022)                                  preinstallation mode, disabling
                                              kernel-mode code integrity checks
                                              as a byproduct
BcdLibraryBoolean_AllowPrereleaseSignatures   enables test signing
(0x16000049)
Abusing Win PE mode: TDL4 modules


Module name                                  Description
mbr (infected)            infected MBR loads ldr16 module and restores original
                          MBR in memory
ldr16                     hooks 13h interrupt to disable KMCSP and substitute
                          kdcom.dll with ldr32 or ldr64
ldr32                     reads TDL4’s kernel-mode driver from hidden file
                          system and maps it into kernel-mode address space
ldr64                     implementation of ldr32 module functionality for 64-bit
                          OS




  int 13h – service provided by BIOS to communicate with IDE HDD controller
Abusing Win PE mode: Workflow
  Load infected MBR                                                          Continue kernel
                          Infected mbr is
                                                                              initialization
                              loaded
                           and executed

                                                                                                     Load ”drv32”
                                                                              Call                    or “drv64"
     Load “ldr16” from
                                                                     KdDebuggerInitialize1
     hidden file system
                                “ldr16” is                           from loaded kdcom.dll
                                  loaded
                              and executed
                                                                                           substitute
        Hook BIOS int 13h                                                                   kdcom.dll
                                                                  Load ntoskrnl.exe,       with”ldr32”
           handler and                                            hal.dll,kdcom.dll,b       or “ldr64"
         restore original        Original mbr is
                                                                   ootvid.dll ant etc
              MBR                    loaded
                                 and executed

                                                                                           distrort
                                                                                        /MININT option

                Load VBR                                        Load winload.exe
                                      VBR is loaded
                                      and executed

                                                                                        Substitute
                                                                                      EmsEnabled
                                                                                   option with WinPe
                 Load bootmgr                                   read bcd
                                            Bootmgr is loaded
                                              and executed
MS Patch (KB2506014)

o BcdOsLoaderBoolean_WinPEMode option no longer
 influences kernel-mode code signing policy

o Size of the export directory of kdcom.dll has been
 changed
Win64/Rovnix
Win64/Rovnix: Installation
                                                           Check if
                                      success               already
                                                           infected



                                 Check OS
       Windows XP                                          Windows 2000
                                  Version


                                Vista/Win7

                                                                                             fail
                    success     Check Admin
                                                 fail
                                 Privileges

         Determine OS
         Digit Capacity


                                                Call ShellExecuteEx
      Install Corresponding
                                                 API with “runas”
       Kernel-mode Driver



      Overwrite Bootstrap
     Code of Active Partition
                                                                      Self Delete and Exit


     Initiate System Reboot
Win64/Rovnix: Bootkit Overview
                       real mode
         Load MBR



                                   real mode
                    Load VBR

                                                    real mode/
                                 Load             protected mode
                               bootstrap
                                 code
                                                                 real mode/
                                                               protected mode
                                                Load
                                               bootmgr
       Target of
     Win64Rovnix
                                                                                  real mode/
                                                              Load              protected mode
                                                         winload.exe or
                                                         winresume.exe


                                                                          Load kernel
                                                                            and boot
                                                                          start drivers
Win64/Rovnix: Infected Partition Layout

o Win64/Rovnix overwrites bootstrap code of the
 active partition
o The malicious driver is written either:
   before active partition, in case there is enough space
   to the end of the hard drive, otherwise

    MBR   VBR      Bootstrap Code               File System Data

                                                                   Before Infecting

                             Compressed                            After Infecting
                                Data

                                                                      Malicious
                Malicious   Bootstrap
    MBR VBR                               File System Data            Unsigned
                 Code         Code
                                                                       Driver
                  NTFS bootstrap code
                      (15 sectors)
Win64/Rovnix: Bootkit Details
    Load MBR                                                                                  Continue kernel
                         MBR is                                                                initialization
                         loaded
                      and executed


                                                                                                                  Map malicious driver into
                                                                                      Load ntoskrnl.exe,         kernel-mode address space
        Load VBR                                                                      hal.dll,kdcom.dll,b
                            VBR is loaded                                              ootvid.dll ant etc
                            and executed



                                                                                                                      Hook
                                                                                                            BlImgAllocateImageBuffer
           Load malicious
           bootstrap code                                                     Load winload.exe
                                   Malicious bootstrap
                                          code is
                                   loaded and executed

                                                                                               Bootloader parameters
               Hook BIOS int 13h                                                                 are read from BCD
                  handler and
                                                                           Read BCD
                restore original       Original bootstrap
                bootstrap code          code is restored


                                                                                           Restore bootmgr,
                                                                                         hook int1 handler and
                                                                                          copy itself over IDT
                       Load bootmgr                                Patch bootmgr
                                             Bootmgr is loaded
                                            and receives control
Win64/Rovnix: Loading Unsigned Driver

o Insert malicious driver in BootDriverList of
 KeLoaderBlock structure
o When kernel receives control it calls entry point of
 each module in the BootDriverList

                         KeLoaderBlock




             Malicious
                                         Ntoskrnl.exe
              Driver
Win64/Rovnix: Abusing Debugging Facilities

Win64/Rovnix:
o hooks Int 1h
   tracing
   handles hardware breakpoints (DR0-DR7)
o overwrites the last half of IDT (Interrupt Descriptor Table)
   is not used by OS

  As a result the malware is able to:
    set up hooks without patching bootloader components
    retain control after switching into protected mode
Win64/Rovnix: Abusing Debugging Facilities

Win64/Rovnix:
o hooks Int 1h
   tracing
   handles hardware breakpoints (DR0-DR7)
o overwrites the last half of IDT (Interrupt Descriptor Table)
   is not used by OS

  As a result the malware is able to:
    set up hooks without patching bootloader components
    retain control after switching into protected mode
Olmarik vs Rovnix

Characteristics         Win64/Olmarik              Win64/Rovnix
Privilege escalation         MS10-092                        
Reboot technique         ZwRaiseHardError API        ExitWindowsEx API
MBR/VBR infection               MBR                VBR (bootstrap code)
                                                Inserting into boot driver list
Loading driver           ZwCreateDriver API
                                                of KeLoaderBlock structure
                           KeInitializeApc/          KeInitializeApc/
Payload injection
                       KeInstertQueueApc APIs    KeInstertQueueApc APIs
                         Kernel-mode hooks,
Self-defense
                          MBR monitoring                     
Number of modules                10                           2
Stability of code                                    
Threat complexity                                    
Bootkit Attack Vector
Modern Bootkits’ Approaches

o Hooking BIOS 13h     Interrupt Handler
    Win64/Olmarik


o Tracing Bootloader     Components
    Win64/Rovnix
    “Deep Boot” (PoC)


o Stealing   a Processor’s Core
   “EvilCore” (PoC)
Tracing Bootloader Components
o Microsoft Windows Bootloader Components:
  Component Name              Processor Execution Mode
  Bootstrap code                        real mode
  Bootmgr                        real mode/protected mode
  Winload.exe/Winresume.exe          protected mode


o Surviving processor’s execution mode switching
    Malware has to retain control after execution mode
    switching
    IDT and GDT are most frequently abused data
    structures
What Facilitates the Attack Vector?

o Untrusted platform problem
    BIOS controls boot process, but who controls it?
    The trust of trust is below point of attack
              Point of
               Attack
                                                                Non boot-start
                                                OS kernel
                                                              kernel-mode drivers

   Pre boot                                      OS kernel
                         Bootmgr   OS loader
   firmware                                    dependencies

                                                Boot-start
                                                 drivers


                     The Root
                      of Trust
How to Defend Against the Attack?


oTo resist bootkit attacks we need the root of trust
 be above point of attack:
     TPM
     UEFI Secure Boot
                Point of
                 Attack
                                                                      Non boot-start
                                                      OS kernel
                                                                    kernel-mode drivers

     Pre boot                                          OS kernel
                            Bootmgr      OS loader
     firmware                                        dependencies

                                                      Boot-start
                           The Root of                 drivers
                              Trust
Conclusion

 Bootkits  ability to bypass KMCSP

 Return of old-school techniques  MBR infections

 Win64/Olmarik (TDL4)  1st widely spread Win64
 rootkit

 Win64/Rovnix  debugging facilities to subvert
 KMCSP

 Untrusted platform facilitates bootkit techniques
References

 “The Evolution of TDL: Conquering x64”
http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf

 “Defeating x64: The Evolution of the TDL Rootkit”
http://www.eset.com/us/resources/white-papers/TDL4-CONFidence-2011.pdf

 “Hasta La Vista, Bootkit: Exploiting the VBR”
http://blog.eset.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr




 Follow ESET Threat Blog
http://blog.eset.com
Thank you for your attention ;)


Aleksandr Matrosov
matrosov@eset.sk
@matrosov



Eugene Rodionov
rodionov@eset.sk
@vxradius

More Related Content

What's hot

Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debugging
Utkarsh Mankad
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
Kan-Ru Chen
 
Medooze MCU Video Multiconference Server Installation and configuration guide...
Medooze MCU Video Multiconference Server Installation and configuration guide...Medooze MCU Video Multiconference Server Installation and configuration guide...
Medooze MCU Video Multiconference Server Installation and configuration guide...
sreeharsha43
 
Red hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-usRed hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-us
Duong Hieu
 

What's hot (20)

Android Custom Kernel/ROM design
Android Custom Kernel/ROM designAndroid Custom Kernel/ROM design
Android Custom Kernel/ROM design
 
Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debugging
 
101 1.2 boot the system
101 1.2 boot the system101 1.2 boot the system
101 1.2 boot the system
 
Upgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with SecurebootUpgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with Secureboot
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debugging
 
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesQi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
 
Init of Android
Init of AndroidInit of Android
Init of Android
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
 
Windows 8 Client Part 1 "The OS internals for IT-Pro's"
Windows 8 Client Part 1 "The OS internals for IT-Pro's"Windows 8 Client Part 1 "The OS internals for IT-Pro's"
Windows 8 Client Part 1 "The OS internals for IT-Pro's"
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
 
Medooze MCU Video Multiconference Server Installation and configuration guide...
Medooze MCU Video Multiconference Server Installation and configuration guide...Medooze MCU Video Multiconference Server Installation and configuration guide...
Medooze MCU Video Multiconference Server Installation and configuration guide...
 
Genode Architecture
Genode ArchitectureGenode Architecture
Genode Architecture
 
Genode Components
Genode ComponentsGenode Components
Genode Components
 
LCA13: Android Kernel Upstreaming: Overview & Status
LCA13: Android Kernel Upstreaming: Overview & StatusLCA13: Android Kernel Upstreaming: Overview & Status
LCA13: Android Kernel Upstreaming: Overview & Status
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
 
LCA14: LCA14-105: UEFI secure boot
LCA14: LCA14-105: UEFI secure bootLCA14: LCA14-105: UEFI secure boot
LCA14: LCA14-105: UEFI secure boot
 
Getting started with LinuxBoot Firmware on AArch64 Server
Getting started with LinuxBoot Firmware on AArch64 Server Getting started with LinuxBoot Firmware on AArch64 Server
Getting started with LinuxBoot Firmware on AArch64 Server
 
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
 
Red hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-usRed hat enterprise_linux-5.5-release_notes-en-us
Red hat enterprise_linux-5.5-release_notes-en-us
 

Viewers also liked

Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CanSecWest
 

Viewers also liked (16)

HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine  by Igor SkochinskySecret of Intel Management Engine  by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
 

Similar to Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy

Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Positive Hack Days
 
Delivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiDelivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefi
Scientia Groups
 
Delivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiDelivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefi
Norman Mayes
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
Priyanka Aash
 
Hypervisor and VDI security
Hypervisor and VDI securityHypervisor and VDI security
Hypervisor and VDI security
Denis Gundarev
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska   Subverting Vista KernelJoanna Rutkowska   Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
guestf1a032
 
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
Implements BIOS emulation support for BHyVe: A BSD HypervisorImplements BIOS emulation support for BHyVe: A BSD Hypervisor
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
Takuya ASADA
 
Implements BIOS emulation support for BHyVe
Implements BIOS emulation support for BHyVeImplements BIOS emulation support for BHyVe
Implements BIOS emulation support for BHyVe
Takuya ASADA
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
Antiy Labs
 
CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2
vivekbhat
 
Security Best Practices For Hyper V And Server Virtualization
Security Best Practices For Hyper V And Server VirtualizationSecurity Best Practices For Hyper V And Server Virtualization
Security Best Practices For Hyper V And Server Virtualization
rsnarayanan
 

Similar to Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy (20)

Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
 
Delivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiDelivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefi
 
Delivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiDelivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefi
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
 
Android Booting Scenarios
Android Booting ScenariosAndroid Booting Scenarios
Android Booting Scenarios
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
 
Hypervisor and VDI security
Hypervisor and VDI securityHypervisor and VDI security
Hypervisor and VDI security
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska   Subverting Vista KernelJoanna Rutkowska   Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
 
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
Implements BIOS emulation support for BHyVe: A BSD HypervisorImplements BIOS emulation support for BHyVe: A BSD Hypervisor
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
 
Implements BIOS emulation support for BHyVe
Implements BIOS emulation support for BHyVeImplements BIOS emulation support for BHyVe
Implements BIOS emulation support for BHyVe
 
Boot process
Boot processBoot process
Boot process
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
 
CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2
 
Rovnix
RovnixRovnix
Rovnix
 
Hyper V R2 Deep Dive
Hyper V R2 Deep DiveHyper V R2 Deep Dive
Hyper V R2 Deep Dive
 
Security Best Practices For Hyper V And Server Virtualization
Security Best Practices For Hyper V And Server VirtualizationSecurity Best Practices For Hyper V And Server Virtualization
Security Best Practices For Hyper V And Server Virtualization
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 

Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy

  • 1. Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy Aleksandr Matrosov Eugene Rodionov
  • 2. Agenda  Evolution of payloads and rootkits  Bypassing code integrity checks  Attacking Windows Bootloader  Modern Bootkit details:  Win64/Olmarik  Win64/Rovnix  What Facilitates Bootkit Attack Vector
  • 4. Evolution of Rootkit Installation Malicious Exploit Bypass Escape Web-site Vulnerability ASLR/DEP Sandbox Execute Download Escalate Payload Rootkit Local Privilege Kernel-Mode Exploit Install Rootkit
  • 5. Evolution of Rootkit Features x86 Dropper Rootkit bypassing HIPS/AV self-defense privilege escalation surviving reboot installing rootkit driver Kernel mode injecting payload User mode
  • 6. Evolution of Rootkit Features x86 x64 Dropper Rootkit Rootkit bypassing HIPS/AV self-defense self-defense privilege escalation surviving reboot surviving reboot installing rootkit bypassing signature driver injecting payload check Rootkit bypassing MS PatchGuard Kernel mode User mode injecting payload
  • 7. Obstacles for 64-bit Rootkits o Kernel-Mode Code Signing Policy:  It is “difficult” to load unsigned kernel-mode driver o Kernel-Mode Patch Protection (Patch Guard):  SSDT (System Service Dispatch Table)  IDT (Interrupt Descriptor Table)  GDT (Global Descriptor Table)  MSRs (Model Specific Registers)
  • 9. Subverting KMCSP o Abusing vulnerable, signed, legitimate kernel-mode driver o Switching off kernel-mode code signing checks by altering BCD data: abusing WinPE Mode disabling signing check enabling test signing o Patching Bootmgr and OS loader
  • 10. Bypassing Integrity Checks Bypassing Integrity Check Techniques USER-MODE KERNEL-MODE TESTSIGNING ON System Boot Modification MBR DISABLE INTEGRITY CHECKS (Master Boot Record) VBR (Volume Boot Record)
  • 12. Boot Process First BIOS Boot Full Kernel MBR User-Mode Initialization Loader Initialization Process Early Kernel Initialization BIOS Services Kernel Services Hardware
  • 13. Boot Process with Bootkit Infection load malicious MBR/VBR NT kernel modifications load rootkit driver
  • 14. Code Integrity Check Non boot-start OS kernel kernel-mode drivers OS kernel Bootmgr OS loader dependencies Boot-start drivers
  • 15. Evolution of Bootkits o Bootkit PoC evolution: o Bootkit Threats evolution:  eEye Bootroot (2005)  Win32/Mebroot (2007)  Vbootkit (2007)  Win32/Mebratix (2008)  Vbootkit v2 (2009)  Win32/Mebroot v2 (2009)  Stoned Bootkit (2009)  Win64/Olmarik (2010/11)  Evilcore x64 (2011)  Win64/Rovnix (2011)
  • 17. TDL4 Installation on x64 Prepare hidden FS image Write FS image, fail patch MBR and Adjust success SE_SHUTDOWN_PRIVILEGE Exploitation success MS10-092 fail Call ZwRaiseHardError to create BSOD Copy itself into %TMP% directory Restart Dropper Create manifest requesting admin privilege Call success ShellExecute Report to C&C fail
  • 18. BCD Elements determining KMCSP (before KB2506014) BCD option Description BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity (0x16000020) checks BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in (0x26000022) preinstallation mode, disabling kernel-mode code integrity checks as a byproduct BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing (0x16000049)
  • 19. Abusing Win PE mode: TDL4 modules Module name Description mbr (infected) infected MBR loads ldr16 module and restores original MBR in memory ldr16 hooks 13h interrupt to disable KMCSP and substitute kdcom.dll with ldr32 or ldr64 ldr32 reads TDL4’s kernel-mode driver from hidden file system and maps it into kernel-mode address space ldr64 implementation of ldr32 module functionality for 64-bit OS int 13h – service provided by BIOS to communicate with IDE HDD controller
  • 20. Abusing Win PE mode: Workflow Load infected MBR Continue kernel Infected mbr is initialization loaded and executed Load ”drv32” Call or “drv64" Load “ldr16” from KdDebuggerInitialize1 hidden file system “ldr16” is from loaded kdcom.dll loaded and executed substitute Hook BIOS int 13h kdcom.dll Load ntoskrnl.exe, with”ldr32” handler and hal.dll,kdcom.dll,b or “ldr64" restore original Original mbr is ootvid.dll ant etc MBR loaded and executed distrort /MININT option Load VBR Load winload.exe VBR is loaded and executed Substitute EmsEnabled option with WinPe Load bootmgr read bcd Bootmgr is loaded and executed
  • 21. MS Patch (KB2506014) o BcdOsLoaderBoolean_WinPEMode option no longer influences kernel-mode code signing policy o Size of the export directory of kdcom.dll has been changed
  • 23. Win64/Rovnix: Installation Check if success already infected Check OS Windows XP Windows 2000 Version Vista/Win7 fail success Check Admin fail Privileges Determine OS Digit Capacity Call ShellExecuteEx Install Corresponding API with “runas” Kernel-mode Driver Overwrite Bootstrap Code of Active Partition Self Delete and Exit Initiate System Reboot
  • 24. Win64/Rovnix: Bootkit Overview real mode Load MBR real mode Load VBR real mode/ Load protected mode bootstrap code real mode/ protected mode Load bootmgr Target of Win64Rovnix real mode/ Load protected mode winload.exe or winresume.exe Load kernel and boot start drivers
  • 25. Win64/Rovnix: Infected Partition Layout o Win64/Rovnix overwrites bootstrap code of the active partition o The malicious driver is written either:  before active partition, in case there is enough space  to the end of the hard drive, otherwise MBR VBR Bootstrap Code File System Data Before Infecting Compressed After Infecting Data Malicious Malicious Bootstrap MBR VBR File System Data Unsigned Code Code Driver NTFS bootstrap code (15 sectors)
  • 26. Win64/Rovnix: Bootkit Details Load MBR Continue kernel MBR is initialization loaded and executed Map malicious driver into Load ntoskrnl.exe, kernel-mode address space Load VBR hal.dll,kdcom.dll,b VBR is loaded ootvid.dll ant etc and executed Hook BlImgAllocateImageBuffer Load malicious bootstrap code Load winload.exe Malicious bootstrap code is loaded and executed Bootloader parameters Hook BIOS int 13h are read from BCD handler and Read BCD restore original Original bootstrap bootstrap code code is restored Restore bootmgr, hook int1 handler and copy itself over IDT Load bootmgr Patch bootmgr Bootmgr is loaded and receives control
  • 27. Win64/Rovnix: Loading Unsigned Driver o Insert malicious driver in BootDriverList of KeLoaderBlock structure o When kernel receives control it calls entry point of each module in the BootDriverList KeLoaderBlock Malicious Ntoskrnl.exe Driver
  • 28. Win64/Rovnix: Abusing Debugging Facilities Win64/Rovnix: o hooks Int 1h  tracing  handles hardware breakpoints (DR0-DR7) o overwrites the last half of IDT (Interrupt Descriptor Table)  is not used by OS As a result the malware is able to:  set up hooks without patching bootloader components  retain control after switching into protected mode
  • 29. Win64/Rovnix: Abusing Debugging Facilities Win64/Rovnix: o hooks Int 1h  tracing  handles hardware breakpoints (DR0-DR7) o overwrites the last half of IDT (Interrupt Descriptor Table)  is not used by OS As a result the malware is able to:  set up hooks without patching bootloader components  retain control after switching into protected mode
  • 30. Olmarik vs Rovnix Characteristics Win64/Olmarik Win64/Rovnix Privilege escalation MS10-092  Reboot technique ZwRaiseHardError API ExitWindowsEx API MBR/VBR infection MBR VBR (bootstrap code) Inserting into boot driver list Loading driver ZwCreateDriver API of KeLoaderBlock structure KeInitializeApc/ KeInitializeApc/ Payload injection KeInstertQueueApc APIs KeInstertQueueApc APIs Kernel-mode hooks, Self-defense MBR monitoring  Number of modules 10 2 Stability of code   Threat complexity  
  • 32. Modern Bootkits’ Approaches o Hooking BIOS 13h Interrupt Handler  Win64/Olmarik o Tracing Bootloader Components  Win64/Rovnix  “Deep Boot” (PoC) o Stealing a Processor’s Core  “EvilCore” (PoC)
  • 33. Tracing Bootloader Components o Microsoft Windows Bootloader Components: Component Name Processor Execution Mode Bootstrap code real mode Bootmgr real mode/protected mode Winload.exe/Winresume.exe protected mode o Surviving processor’s execution mode switching  Malware has to retain control after execution mode switching  IDT and GDT are most frequently abused data structures
  • 34. What Facilitates the Attack Vector? o Untrusted platform problem  BIOS controls boot process, but who controls it?  The trust of trust is below point of attack Point of Attack Non boot-start OS kernel kernel-mode drivers Pre boot OS kernel Bootmgr OS loader firmware dependencies Boot-start drivers The Root of Trust
  • 35. How to Defend Against the Attack? oTo resist bootkit attacks we need the root of trust be above point of attack:  TPM  UEFI Secure Boot Point of Attack Non boot-start OS kernel kernel-mode drivers Pre boot OS kernel Bootmgr OS loader firmware dependencies Boot-start The Root of drivers Trust
  • 36. Conclusion  Bootkits  ability to bypass KMCSP  Return of old-school techniques  MBR infections  Win64/Olmarik (TDL4)  1st widely spread Win64 rootkit  Win64/Rovnix  debugging facilities to subvert KMCSP  Untrusted platform facilitates bootkit techniques
  • 37. References  “The Evolution of TDL: Conquering x64” http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf  “Defeating x64: The Evolution of the TDL Rootkit” http://www.eset.com/us/resources/white-papers/TDL4-CONFidence-2011.pdf  “Hasta La Vista, Bootkit: Exploiting the VBR” http://blog.eset.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr  Follow ESET Threat Blog http://blog.eset.com
  • 38. Thank you for your attention ;) Aleksandr Matrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius