Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
In recent time we see a large spike of complex threats with elaborate object-oriented architecture among which the most notorious examples are: Stuxnet, Flamer, Duqu.
The approaches to analysis of such malware are rather distinct compared to the malware developed using procedural programming languages.
This presentation will take an in-depth look at challenges related to reversing object-oriented code with respect to modern malware and demonstrate approaches and tools employed for reversing object-oriented code.
Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)?
The aim of this presentation is to show how bootkit threats have evolved over time and what we should expect in the near future. Firstly, we will summarize what we've learned about the bootkits seen in the wild targeting the Microsoft Windows platform: from TDL4 and Rovnix (which was used by the Carberp banking trojan) up to Gapz (which employs one of the stealthiest bootkit infection techniques seen so far). We will review their infection approaches and the methods they have employed to evade detection and removal from the system.
Secondly, we will look at the security of the increasingly popular UEFI platform from the point of view of the bootkit author, as UEFI is becoming a target of choice for researchers in offensive security, and proof-of-concept bootkits targeting Windows 8 OS using UEFI have already been released. We will focus on various attack vectors against UEFI and discuss available tools and what measures should be taken to mitigate against them.
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
In recent time we see a large spike of complex threats with elaborate object-oriented architecture among which the most notorious examples are: Stuxnet, Flamer, Duqu.
The approaches to analysis of such malware are rather distinct compared to the malware developed using procedural programming languages.
This presentation will take an in-depth look at challenges related to reversing object-oriented code with respect to modern malware and demonstrate approaches and tools employed for reversing object-oriented code.
Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)?
The aim of this presentation is to show how bootkit threats have evolved over time and what we should expect in the near future. Firstly, we will summarize what we've learned about the bootkits seen in the wild targeting the Microsoft Windows platform: from TDL4 and Rovnix (which was used by the Carberp banking trojan) up to Gapz (which employs one of the stealthiest bootkit infection techniques seen so far). We will review their infection approaches and the methods they have employed to evade detection and removal from the system.
Secondly, we will look at the security of the increasingly popular UEFI platform from the point of view of the bootkit author, as UEFI is becoming a target of choice for researchers in offensive security, and proof-of-concept bootkits targeting Windows 8 OS using UEFI have already been released. We will focus on various attack vectors against UEFI and discuss available tools and what measures should be taken to mitigate against them.
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
The DRM and KMS APIs have won in the Linux graphics ecosystem. Long gone are the days when KMS meant only a handful of desktop graphics drivers. As a side effect, new problems have been uncovered, and API extensions are being designed to address advanced use cases. Atomic updates is the latest significant of such extensions.
While the userspace API extension is simple, a lot of work went under the hood and the in-kernel KMS helpers went through major changes that are not trivial to implement in drivers. This talk will present KMS atomic updates and explain how to update KMS drivers to take advantage of the new API, using the Renesas rcar-du-drm driver as an example.
Laurent Pinchart, Ideas on Board
The lecture by Norman Feske for Summer Systems School'12.
Genode Compositions
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
The lecture by Norman Feske for Summer Systems School'12.
Genode Components
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
The lecture by Norman Feske for Summer Systems School'12.
Genode Architecture
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
Hardware backdooring is practical : slidesMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
[Defcon] Hardware backdooring is practicalMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
[Defcon24] Introduction to the Witchcraft Compiler CollectionMoabi.com
With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the later technique over the former being that it does work. Once achieved universal code ‘reuse’ by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self awareness. Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it.
The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Wichcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses) exclusively at DEF CON 24.
Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft Bitlocker, McAffee Endpoint and a fair number of BIOS Firmwares. During his second presentation at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, the MIT Technology review labeled "incurable and undetectable".
This year will be his third DEF CON ... Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating to the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade. Including the first remote Windows 10 exploit and several hardcore reverse engineering tools and whitepapers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce.
Twitter: @endrazine
Facebook: toucansystem
https://moabi.com
Recently our team researched various ntos subsystem attack vectors, and one of the outputs we will present in our talk. DeathNote as our internal code name to this component, which resides in Microsoft Windows kernel, hiding behind different interfaces and exposed to user differently.
What can goes bad with it?
Basically two kinds of problems, one is syscall handling via direct user interaction. We will describe how to obtain basic understanding of what's going on, how it interacts with other components and what is its purpose. With those knowledge we will dig deeper how to make more complex fuzzing logic to cause enough chaos that will end up in unexpected behaviors in Windows kernel, and demonstrate some of them.
And as for second, as it hints from title, this module does bit of data parsing, so we will dive deep into internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanism. We will show how some tricks can outcome with various results, and how structured approach can expose more problems than is expected.
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
The exploding popularity of Embedded/IoT computing facilitate this security problems using low or non-existent security policies and exploits countermeasures. So why not explore some security measures that are widely available in the Linux world? We will focus on memory corruption techniques.
The Linux kernel was always focused on security features and giving bad times to the exploiters. This talk will introduce some common exploits and techniques, showing the mitigations employed by the kernel. By focusing on the major threats that affects modern Linux boxes, we will see which are the main features that can give problems to the system administator and how a preliminary penetration test can be done, ensuring that the system is in a sane state. The talk will also focus on problematics of embedded/IoT Unix systems, showing how some recent attacks gained control over a big network of devices and how a simple embedded system can be analyzed, hunting for bugs. Talk outline: Penetration testing, Linux, netfilter/bpf, memory corruption, ASLR, Spectre/Meltdown.
All about the Linux boot process. Presented at linux.conf.au on January 25, 2018. Video at https://archive.org/details/lca2018-Linux_the_first_second . Associated blog posting at https://opensource.com/article/18/1/analyzing-linux-boot-process
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
n this presentation we will be discussing the evolution of the notorious rootkit TDL (classified by ESET as Win32/Olmarik and Win64/Olmarik) which in its latest incarnation is the first widespread rootkit to target 64-bit versions of Microsoft Windows operating systems. The most striking features of the rootkit are its ability to bypass Microsoft Windows Driver Signature Checking in order to load its malicious driver, and its implementation of its own hidden encrypted file system, in which to store its malicious components. Between its first appearance on the malware scene and the present its architecture has been drastically changed several times to adapt to new systems and respond to countermeasures introduced by antivirus and HIPS software. In the presentation we will cover the the following topics: the evolution of the user-mode and kernel-mode components of the rootkit; techniques it has used to bypass HIPS; modifications to the hidden file system; bootkit functionality; tne recently introduced ability to infect x64 operating systems; and, finally, approaches to removing the rootkit from an infected system. In addition, we will present our free forensic tool for dumping the hidden rootkit file system.
Festi botnet analysis and investigationAlex Matrosov
The botnet Festi has been in business since the autumn of 2009 and is currently one of the most powerful and active botnets for sending spam and performing DDoS attacks. Festi is an interesting and untypical malware family implementing rootkit functionality with strong protection against reverse engineering and forensic analysis. It is capable of bypassing sandboxes and automated trackers using some advanced techniques such as inserting timestamps in its communication protocol, detecting virtual machines, and subverting personal firewalls and HIPS systems.
The bot consists of two parts: the dropper, and the main module, the kernel‐mode driver, which is detected by ESET as Win32/Rootkit.Festi. The malware's kernel-mode driver implements backdoor functionality and is capable of:
- Updating configuration data from the C&C (command and control server);
- Downloading additional dedicated plugins.
In our presentation we will concentrate on the latest Festi botnet update from June 2012 and offer comprehensive information gleaned from our investigations, furnishing details on developers of the botnet and reverse engineering of the bot’s main components – the kernel-mode driver and the plugins (DDoS, Spam). The presentation starts with a description of our investigation and an account of how the Festi botnet evolved over time. We will present a binary analysis kernel-mode driver and downloaded plugins – volatile kernel-mode modules which aren’t saved on any storage device in the system, but in memory, making forensic analysis of the malware significantly more difficult. The presentation also covers such aspects of Festi as its ability to bypass personal firewalls and HIPS systems that may be installed on the infected machine. We will give details of the Festi network communication protocol architecture, based on using the TCP/IP stack implementation in the Microsoft Windows Operating System to communicate with C&C servers, send spam and perform DDoS attacks. And finally, we will describe several self-protective features and techniques of the botnet communication protocol used to bypass sandboxes and trackers.
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
The DRM and KMS APIs have won in the Linux graphics ecosystem. Long gone are the days when KMS meant only a handful of desktop graphics drivers. As a side effect, new problems have been uncovered, and API extensions are being designed to address advanced use cases. Atomic updates is the latest significant of such extensions.
While the userspace API extension is simple, a lot of work went under the hood and the in-kernel KMS helpers went through major changes that are not trivial to implement in drivers. This talk will present KMS atomic updates and explain how to update KMS drivers to take advantage of the new API, using the Renesas rcar-du-drm driver as an example.
Laurent Pinchart, Ideas on Board
The lecture by Norman Feske for Summer Systems School'12.
Genode Compositions
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
The lecture by Norman Feske for Summer Systems School'12.
Genode Components
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
The lecture by Norman Feske for Summer Systems School'12.
Genode Architecture
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
Hardware backdooring is practical : slidesMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
[Defcon] Hardware backdooring is practicalMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
[Defcon24] Introduction to the Witchcraft Compiler CollectionMoabi.com
With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the later technique over the former being that it does work. Once achieved universal code ‘reuse’ by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self awareness. Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it.
The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Wichcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses) exclusively at DEF CON 24.
Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft Bitlocker, McAffee Endpoint and a fair number of BIOS Firmwares. During his second presentation at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, the MIT Technology review labeled "incurable and undetectable".
This year will be his third DEF CON ... Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating to the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade. Including the first remote Windows 10 exploit and several hardcore reverse engineering tools and whitepapers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce.
Twitter: @endrazine
Facebook: toucansystem
https://moabi.com
Recently our team researched various ntos subsystem attack vectors, and one of the outputs we will present in our talk. DeathNote as our internal code name to this component, which resides in Microsoft Windows kernel, hiding behind different interfaces and exposed to user differently.
What can goes bad with it?
Basically two kinds of problems, one is syscall handling via direct user interaction. We will describe how to obtain basic understanding of what's going on, how it interacts with other components and what is its purpose. With those knowledge we will dig deeper how to make more complex fuzzing logic to cause enough chaos that will end up in unexpected behaviors in Windows kernel, and demonstrate some of them.
And as for second, as it hints from title, this module does bit of data parsing, so we will dive deep into internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanism. We will show how some tricks can outcome with various results, and how structured approach can expose more problems than is expected.
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
The exploding popularity of Embedded/IoT computing facilitate this security problems using low or non-existent security policies and exploits countermeasures. So why not explore some security measures that are widely available in the Linux world? We will focus on memory corruption techniques.
The Linux kernel was always focused on security features and giving bad times to the exploiters. This talk will introduce some common exploits and techniques, showing the mitigations employed by the kernel. By focusing on the major threats that affects modern Linux boxes, we will see which are the main features that can give problems to the system administator and how a preliminary penetration test can be done, ensuring that the system is in a sane state. The talk will also focus on problematics of embedded/IoT Unix systems, showing how some recent attacks gained control over a big network of devices and how a simple embedded system can be analyzed, hunting for bugs. Talk outline: Penetration testing, Linux, netfilter/bpf, memory corruption, ASLR, Spectre/Meltdown.
All about the Linux boot process. Presented at linux.conf.au on January 25, 2018. Video at https://archive.org/details/lca2018-Linux_the_first_second . Associated blog posting at https://opensource.com/article/18/1/analyzing-linux-boot-process
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
n this presentation we will be discussing the evolution of the notorious rootkit TDL (classified by ESET as Win32/Olmarik and Win64/Olmarik) which in its latest incarnation is the first widespread rootkit to target 64-bit versions of Microsoft Windows operating systems. The most striking features of the rootkit are its ability to bypass Microsoft Windows Driver Signature Checking in order to load its malicious driver, and its implementation of its own hidden encrypted file system, in which to store its malicious components. Between its first appearance on the malware scene and the present its architecture has been drastically changed several times to adapt to new systems and respond to countermeasures introduced by antivirus and HIPS software. In the presentation we will cover the the following topics: the evolution of the user-mode and kernel-mode components of the rootkit; techniques it has used to bypass HIPS; modifications to the hidden file system; bootkit functionality; tne recently introduced ability to infect x64 operating systems; and, finally, approaches to removing the rootkit from an infected system. In addition, we will present our free forensic tool for dumping the hidden rootkit file system.
Festi botnet analysis and investigationAlex Matrosov
The botnet Festi has been in business since the autumn of 2009 and is currently one of the most powerful and active botnets for sending spam and performing DDoS attacks. Festi is an interesting and untypical malware family implementing rootkit functionality with strong protection against reverse engineering and forensic analysis. It is capable of bypassing sandboxes and automated trackers using some advanced techniques such as inserting timestamps in its communication protocol, detecting virtual machines, and subverting personal firewalls and HIPS systems.
The bot consists of two parts: the dropper, and the main module, the kernel‐mode driver, which is detected by ESET as Win32/Rootkit.Festi. The malware's kernel-mode driver implements backdoor functionality and is capable of:
- Updating configuration data from the C&C (command and control server);
- Downloading additional dedicated plugins.
In our presentation we will concentrate on the latest Festi botnet update from June 2012 and offer comprehensive information gleaned from our investigations, furnishing details on developers of the botnet and reverse engineering of the bot’s main components – the kernel-mode driver and the plugins (DDoS, Spam). The presentation starts with a description of our investigation and an account of how the Festi botnet evolved over time. We will present a binary analysis kernel-mode driver and downloaded plugins – volatile kernel-mode modules which aren’t saved on any storage device in the system, but in memory, making forensic analysis of the malware significantly more difficult. The presentation also covers such aspects of Festi as its ability to bypass personal firewalls and HIPS systems that may be installed on the infected machine. We will give details of the Festi network communication protocol architecture, based on using the TCP/IP stack implementation in the Microsoft Windows Operating System to communicate with C&C servers, send spam and perform DDoS attacks. And finally, we will describe several self-protective features and techniques of the botnet communication protocol used to bypass sandboxes and trackers.
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
HexRaysCodeXplorer - Hex-Rays Decompiler plugin for easier code navigation. Here are the main features of the plugin:
- Automatic type REconstruction for C++ objects.
- C-tree graph visualization – a special tree-like structure representing a decompiled routine in c_itemt terms. Useful feature for understanding how the decompiler works.
- Navigation through virtual function calls in HexRays Pseudocode window.
- Object Explorer – useful interface for navigation through virtual tables (VTBL) structures.
In this presentation authors of HexRaysCodeXplorer will be discussing main functionality of the plugin and its application for reverse engineering. The authors will be presenting the algorithm for C++ type REconstruction. Also a special version of HexRaysCodeXplorer (ZeroNigths edition) will be released with new features developed specially for ZeroNights conference. New features will be committed GitHub from the stage
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
Most nefarious activities carried out by malware—such as running code in Internet Explorer in an attempt to steal passwords, hijack sessions, or conduct Man-in-the-Browser fraud, require code injection.
This session exposes additional new user- and kernel-mode injection techniques. One of these techniques we’ve coined as “code-less code injection” since, as opposed to other known injection techniques, does not require adding code to the injected process.
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
In this presentation we will be discussing the evolution of the remote banking system attacks (RBS) in Russia. The year 2011 could be described as a year of tremendous growth of attacks on Russian bank clients. In this year alone the quantity of incidents relating to RBS has doubled. The profits available to the malefactor’s are almost beyond imagining; one controller of bank botnet could bring millions in profit to its herder. We will concentrate on these issues with specific reference to examples of incidents associated with the largest cybercriminal group in Russia, employing one of the most dangerous malware families to date: Win32/Carberp: our statistics indicate, among other things, that In November Carberp detections increased up to four times in the Russian region. We will also look at the ways in which this group is cooperating with the developers of the Hodprot, RDPdoor and Sheldor trojans. The presentation starts with a description of the propagation techniques used to deliver Carberp to its victim’s machines from a large number of legitimate web sites, using the BlackHole exploit kit. Different types of attacks used to target the clients of major Russian banks are also considered. Then we will move on to deep in-depth analysis of Сarberp’s features and its evolution in time (webinjects, targeted attacks on RBS, bypassing detections with bootkit technology). Particular attention will be devoted to the bootkit component and the related capabilities which have appeared in the most recent modification of the malware. Finally, we will show the way that the server-side C&C code works and how the client’s money is stolen with a set of dedicated plugins.
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
The past few years have seen a rapid growth of threats targeting the Russian system of RBS (Shiz, Carberp, Hodprot, RDPdoor, Sheldor). Attackers can steal huge amounts of money, estimated at tens of millions monthly. The speaker will describe the study of the most common banking malware, as well as the discovery of interesting vulnerabilities by using two-factor authentication and smart cards. The report also discusses techniques and tricks that are used by hackers to conduct anti-forensics.
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
Versions of Microsoft Windows 64 bits were considered resistant against kernel mode rootkits because integrity checks performed by the system code. However, today there are examples of malware that use methods to bypass the security mechanisms Implemented. This presentation focuses on issues x64 acquitectura security, specifically in the signature policies kernel mode code and the techniques used by modern malware to sauté. We analyze the techniques of penetration of the address space of kernel mode rootkits used by modern in-the-wild: - Win64/Olmarik (TDL4) - Win64/TrojanDownloader.Necurs (rootkit dropper) - NSIS / TrojanClicker.Agent.BJ (rootkit dropper) special attention is given to bootkit Win64/Olmarik (TDL4) for being the most prominent example of a kernel mode rootkit aimed at 64-bit Windows systems. Detail the remarkable features of TDL4 over its predecessor (TDL3/TDL3 +): the development of user mode components and kernel mode rootkit techniques used to bypass the HIPS, hidden and system files as bootkit functionality. Finally, we describe possible approaches to the removal of an infected computer and presents a free forensics tool for the dump file system hidden TDL.
Win32/Flamer: Reverse Engineering and Framework ReconstructionAlex Matrosov
In this talk one wouldn’t see any speculations on state-sponsored cyber-espionage and сonspirology theories on cyber weapon development. In the presentation authors will concentrate on different approaches to analysis of the malware based on object oriented architecture with respect to one of the most complex threat ever known while AV industry exists: Win32/Flamer. The authors will present methods of analysis of the malware developed in the course of research of such threats as Stuxnet, Duqu and Festi. The talk will shed light on the problems the researchers face during investigation of complex threats and the ways to deal with them using tools by Hex-Rays. The authors will also present the result of research on reconstructing framework which was used to construct Win32/Flamer and will show its similarity with Stuxnet/Duqu/Gauss with respect to code and architecture.
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
HexRaysCodeXplorer - Hex-Rays Decompiler plugin for easier code navigation. Here are the main features of the plugin:
- Automatic type REconstruction for C++ objects.
- C-tree graph visualization - a special tree-like structure representing a decompiled routine in c_itemt terms. Useful feature for understanding how the decompiler works.
- Navigation through virtual function calls in HexRays Pseudocode window.
- Object Explorer - useful interface for navigation through virtual tables (VTBL) structures.
In this presentation, the authors of HexRaysCodeXplorer will be discussing main functionality of the plugin and its application for reverse engineering. The authors will be presenting the algorithm for C++ type REconstruction. Also a special version of HexRaysCodeXplorer (H2HC edition) will be released with new features developed specially for H2Cconference. New features will be committed to GitHub from the stage.
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.
Igor Skochinsky
Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
Have a quick overview of most of the embedded linux components and their details. How ti build Embedded Linux Hardware & Software, and developing Embedded Products
LAS16-403: GDB Linux Kernel Awareness
Speakers: Peter Griffin
Date: September 29, 2016
★ Session Description ★
The presentation will look at the ways in which GDB can be enhanced when debugging the Linux kernel to give it better knowledge of the underlying operating system to enable a better debugging experience. It will also provide a status of the current work being undertaken in this area by the ST landing team, a demo and potential future work.
★ Resources ★
Etherpad: pad.linaro.org/p/las16-403
Presentations & Videos: http://connect.linaro.org/resource/las16/las16-403/
★ Event Details ★
Linaro Connect Las Vegas 2016 – #LAS16
September 26-30, 2016
http://www.linaro.org
http://connect.linaro.org
Securing Applications and Pipelines on a Container PlatformAll Things Open
Presented at: Open Source 101 at Home
Presented by: Veer Muchandi, Red Hat Inc
Abstract: While everyone wants to do Containers and Kubernetes, they don’t know what they are getting into from Security perspective. This session intends to take you from “I don’t know what I don’t know” to “I know what I don’t know”. This helps you to make informed choices on Application Security.
Kubernetes as a Container Platform is becoming a de facto for every enterprise. In my interactions with enterprises adopting container platform, I come across common questions:
- How does application security work on this platform? What all do I need to secure?
- How do I implement security in pipelines?
- What about vulnerabilities discovered at a later point in time?
- What are newer technologies like Istio Service Mesh bring to table?
In this session, I will be addressing these commonly asked questions that every enterprise trying to adopt an Enterprise Kubernetes Platform needs to know so that they can make informed decisions.
DPDK Summit 2015 in San Francisco.
Intel's presentation by Keith Wiles.
For additional details and the video recording please visit www.dpdksummit.com.
About the author: Priya Autee is software engineer at Intel working on various leading edge IA features and Intel(R) RDT expert. She is focused on prototyping and researching open source APIs like DPDK, Intel(R) RDT etc. to support NFV/compute sensitive requirements on Intel Architecture. She holds Masters in Computer Science from Arizona State University, Arizona.
Similar to Advanced Evasion Techniques by Win32/Gapz (20)
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
6. Gapz Known Droppers
Detection Name Compilation Date LPE Exploits Bootkit
Technique
Win32/Gapz.A
11/09/2012
30/10/2012
CVE-2011-3402
CVE-2010-4398
COM Elevation
VBR
Win32/Gapz.B
06/11/2012
CVE-2011-3402
COM Elevation
no bootkit
Win32/Gapz.C 19/04/2012
CVE-2010-4398
CVE-2011-2005
COM Elevation
MBR
9. PowerLoader Based Droppers
Price for Power Loader is about $500 for one builder kit with C&C panel
PowerLoader
(Agent.UAW)
Gapz
Redyms
Agent.UMT
PowerLoader
code inject
Carberp
10. Gapz Dropper Execution Stages
Injecting into
explorer.exe
(entry point)
Local Privilege
Escalation
(icmnf)
Infecting the
system
(isyspf)
stage 1 stage 2
11. Bypassing HIPS with explorer.exe Code Injection
opens shared sections from
BaseNamedObjects mapped
into explorer.exe and writes
shellcode
12. Bypassing HIPS with explorer.exe Code Injection
The dropper searches for the
window “Shell_TrayWnd”
13. Bypassing HIPS with explorer.exe Code Injection
The dropper calls GetWindowLong() so as to get the address of
the routine related to the “Shell_TrayWnd” window handler
The dropper calls SetWindowLong() to modify “Shell_TrayWnd”
window-related data
14. Bypass HIPS with explorer.exe Code Injection
calls SendNotifyMessage() to trigger shellcode execution in
explorer.exe address space
arbitrary code execution in WndProc() of “Shell_TrayWnd”:
23. Gapz Bootkit Workflow
Hook
Archx86TransferTo32BitApplicationAsm
in bootmgr
Hook
OslArchTransferToKernel
in winload.exe
Hook
IoInitSystem
in kernel image
Int 13h handler
is hooked
Bootmgr loads
winload.exe
Winload.exe loads
kernel image
Bootkit loads malicious
kernel-mode code and runs
it in a new system thread
24. Gapz VBR Bootkit
Gapz VBR bootkit features:
Relies on Microsoft Windows VBR layout
The infections results in modifying only 4 bytes of VBR
The patched bytes might differ on various installations
jmp
BIOS
Parameter
Block (BPB)
VBR code Text Strings
0x55
0xAA
0x000 0x003 0x054 0x19C 0x1FE 0x200
transfer control
25. Gapz BPB Layout
struct BIOS_PARAMETER_BLOCK
{
WORD BytesPerSector;
BYTE SecPerCluster;
WORD ReservedSectors;
BYTE Reserved[5];
BYTE MediaDescriptorID;
WORD Reserved2;
WORD SectorsPerTrack;
WORD NumberOfHeads;
DWORD HiddenSectors;
DWORD Reserved3[2];
LONGLONG TotalSectors;
LONGLONG StartingCluster;
LONGLONG MFTMirrStartingCluster;
DWORD ClustersPerMFTRecord;
DWORD ClustersPerIndexBuffer;
LONGLONG VolumeSerialNumber;
DWORD Reserved4;
};
26. Gapz BPB Layout
struct BIOS_PARAMETER_BLOCK
{
WORD BytesPerSector;
BYTE SecPerCluster;
WORD ReservedSectors;
BYTE Reserved[5];
BYTE MediaDescriptorID;
WORD Reserved2;
WORD SectorsPerTrack;
WORD NumberOfHeads;
DWORD HiddenSectors;
DWORD Reserved3[2];
LONGLONG TotalSectors;
LONGLONG StartingCluster;
LONGLONG MFTMirrStartingCluster;
DWORD ClustersPerMFTRecord;
DWORD ClustersPerIndexBuffer;
LONGLONG VolumeSerialNumber;
DWORD Reserved4;
};
27. Gapz BPB Modification
MBR NTFS File SystemIPLVBR
NTFS Volume
0x200 0x1E00
Number of
“Hidden Sectors”
MBR NTFS File SystemIPL
Infected
VBR
NTFS Volume
0x200 0x1E00
Hard Drive
Modified value of number of “Hidden Sectors”
Bootkit
before infection
after infection
29. Gapz Rootkit Overview
Gapz rootkit functionality is implemented as
position independent kernel-mode code for
both x86 and x64 platforms
Gapz rootkit capabilities:
Hidden storage implementation
User-mode payload injection
Covert network communication channel
C&C server authentication mechanism
30. Gapz Rootkit Overview
Gapz rootkit functionality is implemented as
position independent kernel-mode code for
both x86 and x64 platforms
Gapz rootkit capabilities:
Hidden storage implementation
User-mode payload injection
Covert network communication channel
C&C server authentication mechanism
31. Gapz Kernel-mode Code Organization
struct GAPZ_BASIC_BLOCK_HEADER
{
// A constant which is used to obtain addresses
// of the routines implemented in the block
unsigned int ProcBase;
unsigned int Reserved[2];
// Offset to the next block
unsigned int NextBlockOffset;
// Offset of the routine performing block initialization
unsigned int BlockInitialization;
// Offset to configuration information
// from the end of the kernel-mode module
// valid only for the first block
unsigned int CfgOffset;
// Set to zeroes
unsigned int Reserved1[2];
};
32. Gapz Kernel-mode Code Blocks
Block # Implemented Functionality
1 General API, gathering information on the hard drives, CRT string routines and etc.
2 Cryptographic library: RC4, MD5, SHA1, AES, BASE64 and etc.
3 Hooking engine, disassembler engine.
4 Hidden Storage implementation.
5 Hard disk driver hooks, self-defense.
6 Payload manager.
7 Payload injector into processes’ user-mode address space.
8 Network communication: Data link layer.
9 Network communication: Transport layer.
10 Network communication: Protocol layer.
11 Payload communication interface.
12 Main routine.
33. Gapz Hidden Storage Implementation
Gapz implements modified FAT32 hidden volume
based on FullFat project
Length of file name in FAT directory entry is 32 bytes
The hidden volume is stored in the file with name:
“??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”
The contents of the volume is encrypted with
AES-256 in CBC mode:
The sector LBA is used as IV
34. Gapz Hidden Storage Implementation
Gapz implements modified FAT32 hidden volume
based on FullFat project
Length of file name in FAT directory entry is 32 bytes
The hidden volume is stored in the file with name:
“??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”
The contents of the volume is encrypted with
AES-256 in CBC mode:
The sector LBA is used as IV
35. Gapz Hidden Storage Implementation
Gapz implements modified FAT32 hidden volume
based on FullFat project
Length of file name in FAT directory entry is 32 bytes
The hidden volume is stored in the file with name:
“??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”
The contents of the volume is encrypted with
AES-256 in CBC mode:
The sector LBA is used as IV
37. Gapz Self-Defence Mechanisms
Gapz hooks IRP_MJ_INTERNAL_DEVICE_CONTROL and
IRP_MJ_DEVICE_CONTROL handlers to monitor:
IOCTL_SCSI_PASS_THROUGH
IOCTL_SCSI_PASS_THROUGH_DIRECT
IOCTL_ATA_PASS_THROUGH
IOCTL_ATA_PASS_THROUGH_DIRECT
Gapz protects:
MBR/VBR from being read/overwritten
its image on the hard drive from being overwritten
38. Gapz Hooking Engine Implementation
Gapz hooking engine is based on the ”Hacker
Disassembler Engine”
Tries to avoid patching the very first bytes of the routine
being hooked (nop; mov edi, edi; etc.):
39. Gapz Hooking Engine Implementation
Gapz hooking engine is based on the ”Hacker
Disassembler Engine”
Tries to avoid patching the very first bytes of the routine
being hooked (nop; mov edi, edi; etc.):
40. Gapz Code Injection Functionality
Allocate
memory buffer
in target process
address space
Write payload
and loader code
into allocated
buffer
Create remote
thread in the
target process
Loader code
DLL loader
(load/unload DLL modules)
Command executer
(call specific handler in DLL payload
and pass necessary parameters)
EXE loader 1
(run EXE modules)
EXE loader 2
(run EXE modules)
41. Gapz Payload Loader Code: DLL Loader & Command Executer
Map image into address
space
Fix relocations and
initialize IAT
Load or unload?
Execute export #1
Execute export #2
Release image memory
unload load
42. Gapz Payload Loader Code: EXE Loaders
Drop payload image into
%TEMP% directory
Execute CreateProcessW
API
EXE Loader 1
Create legitimate suspended
process
(via CreateProcessAsUser)
Overwrite process image with the
malicious one
Set process thread context
according to malicious image
Resume process thread
EXE Loader 2
43. Gapz Network Protocol Implementation
svchost.exe
overlord32(64).dll
Win32/Gapz
kernel-mode module
TCP/IP protocol stack
implementation
Message to be sent to
C&C Server
user mode
kernel mode
C&C Server
Send using Win32
socket implementation
Send directly using
NDIS miniport driver
44. Gapz Network Protocol Architecture
Gapz implementation OSI Model
HTTP protocol
(block #10)
TCP/IP protocol
(block #9)
NDIS miniport wrapper
(block #8)
Application/Presentation
Layer
Network/Transport
Layer
Data Link Layer
45. Gapz Network Protocol Implementation: NDIS
Gapz network protocol stack relies on miniport adapter driver:
Miniport adapter driver
Intermediate driver
Protocol driver
(tcpip.sys)
Filter driver
.........
At the level of
protocol or intermediate
drivers Win32/Gapz’s network
packet is “invisible”
Win32/Gapz communicates
directly to miniport adapter
Win32/Gapz
Network
packet
46. Gapz C&C Communication Protocol
Gapz communicates to C&C servers over HTTP protocol
Capabilities of the protocol:
00 - download payload
01 - send bot information to C&C
02 - request payload download information
03 - report on running payload
04 - update payload download URL
The requests corresponding to commands 0x01, 0x02 and 0x03 are
performed by the POST method of the HTTP protocol.
47. Gapz C&C Communication Protocol: HTTP Request
Message HeaderHTTP Header Request specific data
HTTP header HTTP body
struct MESSAGE_HEADER
{
// Output of PRNG
unsigned char random[128];
// a DWORD from configuration file
unsigned int reserved;
// A binary string which is used to
authenticate C&C servers
unsigned char auth_str[64];
};
48. Gapz C&C Communication Protocol: HTTP Request
Message HeaderHTTP Header Request specific data
HTTP header HTTP body
struct MESSAGE_HEADER
{
// Output of PRNG
unsigned char random[128];
// a DWORD from configuration file
unsigned int reserved;
// A binary string which is used to
authenticate C&C servers
unsigned char auth_str[64];
};
49. Gapz C&C Communication Protocol: C&C Reply
Encrypted rc4
key K1
HTTP Header
Reply specific
data
HTTP message header HTTP message body
Authentication
string
rc4 encrypted data with key k1
Decrypt key K1
Decrypt authentication string and reply-specific
data using key K1
Check authentication string
Process reply-specific
data
Reject reply-specific
data
matchdoesn’t match
52. Gapz User-mode Payload Functionality
The module
overlord32(64).dll
is essential part of
the Gapz bootkit
Overlord32(64).dll
is injected into
svchost.exe
process
Overlord32(64).dll
dispatches the
requests from
kernel-mode
Cmd # Command Description
0
gather information about all the network adapters installed in the system and their
properties and send it to kernel-mode module
1 gather information on the presence of particular software in the system
2 check internet connection by trying to reach update.microsoft.com
3 send & receive data from a remote host using Windows sockets
4 get the system time from time.windows.com
5 get the host IP address given its domain name (via Win32 API gethostbyname)
6
get Windows shell (by means of querying “Shell” value of
“SoftwareMicrosoftWindows NTCurrentVersionWinlogon” registry key)
53. Gapz User-mode Payload Interface
Gapz impersonates the handler of the payload requests in the null.sys
driver to communicate with the injected payload:
Win32/Gapz module
DriverNull
DRIVER_OBJECT
DriverNull
Driver Image
IRP_MJ_DEVICE_CONTROL
DriverUnload = NULL
DriverUnload rotuine
IRP_MJ_DEVICE_CONTROL
handler
DriverNull
DRIVER_OBJECT
DriverNull
Driver Image
IRP_MJ_DEVICE_CONTROL
DriverUnload DriverUnload rotuine
IRP_MJ_DEVICE_CONTROL
handler
Gapz’s hook
jmp gapz_hook
Payload
interface
before patching after patching
54. Gapz User-mode Payload Interface
Gapz impersonates the handler of the payload requests in the null.sys
driver to communicate with the injected payload:
Win32/Gapz module
DriverNull
DRIVER_OBJECT
DriverNull
Driver Image
IRP_MJ_DEVICE_CONTROL
DriverUnload = NULL
DriverUnload rotuine
IRP_MJ_DEVICE_CONTROL
handler
DriverNull
DRIVER_OBJECT
DriverNull
Driver Image
IRP_MJ_DEVICE_CONTROL
DriverUnload DriverUnload rotuine
IRP_MJ_DEVICE_CONTROL
handler
Gapz’s hook
jmp gapz_hook
Payload
interface
before patching after patching
62. Conclusion
The most complex != The stealthiest (detection)
Gapz employs a new VBR-based bootkit technique
Gapz implements:
network communication protocol stack
crypto library
hidden FAT volume
HiddenFsReader is capable of dumping contents of the
hidden volume
63. References
Gapz and Redyms droppers based on Power Loader code
http://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/
Mind the Gapz: The most complex bootkit ever analyzed?
http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
http://go.eset.com/us/resources/white-papers/Rodionov-Matrosov.pdf
Defeating Anti-Forensics in Contemporary Complex Threats
http://go.eset.com/us/resources/white-papers/Matrosov_Rodionov_VB2012.pdf
Bootkit Threats: In-Depth Reverse Engineering & Defense
http://www.welivesecurity.com/wp-content/media_files/REcon2012.pdf
64.
65. Thank you for your attention!
Aleksandr Matrosov
matrosov@eset.sk
@matrosov
Eugene Rodionov
rodionov@eset.sk
@vxradius
