SlideShare a Scribd company logo
Bootkits: Past, Present
& Future
Alexander Matrosov
@matrosov
Eugene Rodionov
@vxradius
David Harley
@DavidHarleyBlog
Agenda
 Modern Bootkits History
 Legacy BIOS vs. UEFI Boot Environment & Proof of Concept vs. In the Wild
 Legacy BIOS Bootkit Classification
 UEFI Bootkits
 Bootkit Implementation Strategies
 Attacks against Secure Boot
 Forensic Software
 HiddenFsReader
 CHIPSEC
Modern Bootkit History
20072007 20082008 20092009 20102010 20112011 20122012 2013201320052005 20142014
eEye BootRoot
Mebroot
Vbootkit
Mebratix
Mebrootv2
Olmarik(TDL4)
Olmasco(TDL4-based)
Vbootkit x64
Vbootkit x64
Rovnix
Evil Core
Stoned
Bootkit
Mebromi
DeepBoot
Stoned
Bootkit x64
Gapz
VGA
Bootkit
Dream
Boot
OldBoot(AndroidBootkit)
Microsoft x64 platform gains popularity
Secure Boot implemented in
Windows 8
In the Wild
Proof of Concept
Legacy BIOS vs. UEFI
 No more MBR and VBR/IPL code
 Different hard drive partitioning
scheme: GPT (GUID Partition Table)
 Secure Boot technology is
implemented in Windows 8
BIOS
BIOS boot code
bootmgr
Load kernel and boot start drivers
winload.efi
MBR (Master Boot Record)
VBR/IPL
(Volume Boot Record/ Initial Program Loader)
Load kernel and boot start drivers
winload.efi
UEFI boot loader (bootmgfw.efi)
UEFI boot code
UEFI
The Target of Modern Bootkits (MBR/VBR)
Classification of MBR/VBR Bootkits
Bootkits
MBR VBR/IPL
MBR Code
modification
Partition Table
modification
IPL Code
modification
BIOS Parameter
Block modification
TDL4 Olmasco Rovnix Gapz
IPL Code Modification: Rovnix
 Win64/Rovnix overwrites bootstrap code of the active partition
MBR VBR Bootstrap Code File System Data
VBR
Malicious
Code
File System Data
Bootstrap
Code
MBR
NTFS bootstrap code
(15 sectors)
Before Infecting
After Infecting
Malicious
Unsigned
Driver
Compressed
Data
“Hasta La Vista, Bootkit: Exploiting the VBR”
http://www.welivesecurity.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr/
Gapz VBR Bootkit
Main features:
 Relies on Microsoft Windows VBR layout
 The infections result in modifying only 4 bytes of VBR
 The patched bytes might differ on various installations
jmp
BIOS
Parameter
Block (BPB)
VBR code Text Strings
0x55
0xAA
0x000 0x003 0x054 0x19C 0x1FE 0x200
transfer control
“Mind the Gapz: The most complex bootkit ever analyzed?”
http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf
Gapz BPB Layout
struct BIOS_PARAMETER_BLOCK
{
WORD BytesPerSector;
BYTE SecPerCluster;
WORD ReservedSectors;
BYTE Reserved[5];
BYTE MediaDescriptorID;
WORD Reserved2;
WORD SectorsPerTrack;
WORD NumberOfHeads;
DWORD HiddenSectors;
DWORD Reserved3[2];
LONGLONG TotalSectors;
LONGLONG StartingCluster;
LONGLONG MFTMirrStartingCluster;
DWORD ClustersPerMFTRecord;
DWORD ClustersPerIndexBuffer;
LONGLONG VolumeSerialNumber;
DWORD Reserved4;
};
Gapz
MBR NTFS File SystemIPLVBR
NTFS Volume
0x200 0x1E00
Number of
“Hidden Sectors”
MBR NTFS File SystemIPL
Infected
VBR
NTFS Volume
0x200 0x1E00
Hard Drive
Modified value of number of “Hidden Sectors”
Bootkit
before infection
after infection
Modern Bootkits ComparisonFunctionality Gapz
Olmarik
(TDL4)
Rovnix
(Cidox)
Goblin
(XPAJ)
Olmasco
(MaxSS)
MBR modification     
VBR modification     
Hidden file system
type
FAT32 custom
FAT16
modification
custom
(TDL4 based)
custom
Crypto
implementation
AES-256,
RC4, MD5,
SHA1, ECC
XOR/RC4
Custom
(XOR+ROL)

RC6
modification
Compression
algorithm
  aPlib aPlib 
Custom TCP/IP
network stack
implementation
    
HiddenFsReader as a Forensic Tool (MBR/VBR)
HiddenFsReader as a Forensic Tool (MBR/VBR)
Bootkits: Past, Present & Future - Virus Bulletin
In The Beginning…
In 1998-99 CIH (Chernobyl) virus
written by a student of Taipei Tatung
Institute of Technology in Taiwan
infected ~60 million PCs
CIH (Chernobyl) erased BIOS ‘ROM’ boot
block and boot sectors on a hard drive
causing ~1B US dollars in damage
• Mebromi malware includes BIOS
infector & MBR bootkit components
• Patches BIOS ROM binary injecting
malicious ISA Option ROM with
legitimate BIOS image mod utility
• Triggers SW SMI 0x29/0x2F to erase
SPI flash then write patched BIOS binary
Signed BIOS Updates Are Rare
• No concept of Secure or Verified Boot
• Wonder why TDL4 and likes flourished?
No Signature Checks of OS
boot loaders (MBR/VBR)
UEFI BIOS Firmware
SEC
Pre-EFI Init
(PEI)
Driver Exec Env
(DXE)
Boot Dev Select
(BDS)
Runtime / OS
S-CRTM; Init caches/MTRRs; Cache-as-RAM (NEM); Recovery; TPM Init
S-CRTM: Measure DXE/BDS
Early CPU/PCH Init
Memory (DIMMs, DRAM) Init, SMM Init
Continue initialization of platform & devices
Enum FV, dispatch drivers (network, I/O, service..)
Produce Boot and Runtime Services
Boot Manager (Select Boot Device)
EFI Shell/Apps; OS Boot Loader(s)
ExitBootServices. Minimal UEFI services (Variable)
ACPI, UEFI SystemTable, SMBIOS table
CPU Reset
UEFI Bootkits
Hardware
I/O Memory Network Graphics
UEFI DXE Core / Dispatcher
UEFI OS Loaders
System Firmware (SEC/PEI)
DXE
Driver
UEFI
Boot Loader
Bootx64.efi
Bootmgfw.efi
DXE
Driver
UEFI
OROM
UEFI
OROM
OS Kernel / Drivers
HDD
Malware
Hardware
I/O Memory Network Graphics
UEFI DXE Core / Dispatcher
UEFI OS Loaders
System Firmware (SEC/PEI)
UEFI
Boot Loader
Bootx64.efi
Bootmgfw.efi
OS Kernel / Drivers
Malware
DXE
Driver
DXE
Driver
UEFI
OROM
UEFI
OROM
HDD
UEFI Bootkits
Replacing Windows Boot Manager
EFI System Partition (ESP) on Fixed Drive
ESPEFIMicrosoftBootbootmgfw.efi
UEFI technology: say hello to the Windows 8 bootkit! by ITSEC
Replacing Fallback Boot Loader
ESPEFIBootbootx64.efi
UEFI and Dreamboot by Sébastien Kaczmarek, QUARKSLAB
Adding New Boot Loader (bootkit.efi)
Modified BootOrder / Boot#### EFI variables
UEFI Bootkits
Hardware
I/O Memory Network Graphics
UEFI DXE Core / Dispatcher
UEFI OS Loaders
System Firmware (SEC/PEI)
UEFI
Boot Loader
Bootx64.efi
Bootmgfw.efi
OS Kernel / Drivers
Malware
DXE
Driver
DXE
Driver
UEFI
OROM
UEFI
OROM
HDD
UEFI Bootkits
Adding/Replacing DXE Driver
Stored on Fixed Drive
Not embedded in Firmware Volume (FV) in ROM
Modified DriverOrder + Driver#### EFI variables
UEFI Bootkits
Hardware
I/O Memory Network Graphics
UEFI DXE Core / Dispatcher
UEFI OS Loaders
System Firmware (SEC/PEI)
UEFI
Boot Loader
Bootx64.efi
Bootmgfw.efi
OS Kernel / Drivers
Malware
DXE
Driver
DXE
Driver
UEFI
OROM
UEFI
OROM
HDD
UEFI Bootkits
Patching UEFI “Option ROM”
UEFI DXE Driver in Add-On Card (Network, Storage..)
Non-Embedded in FV in ROM
Mac EFI Rootkits by @snare, Black Hat USA 2012
UEFI Bootkits
Replacing OS Loaders (winload.efi, winresume.efi)
Patching GUID Partition Table (GPT)
UEFI Bootkits
Hardware
I/O Memory Network Graphics
UEFI DXE Core / Dispatcher
UEFI OS Loaders
System Firmware (SEC/PEI)
UEFI
Boot Loader
Bootx64.efi
Bootmgfw.efi
OS Kernel / Drivers
Malware
DXE
Driver
DXE
Driver
UEFI
OROM
UEFI
OROM
HDD
UEFI Bootkits
What about Secure Boot?
Hardware
I/O Memory Network Graphics
UEFI DXE Core / Dispatcher
UEFI OS Loaders (winload.efi, winresume.efi)
System Firmware (SEC/PEI)
UEFI
OROM
UEFI
Boot Loader
Bootx64.efi
Bootmgfw.efi
Signed
BIOS
Update
UEFI
OROM
UEFI
App
UEFI
App
DXE
Driver
DXE
Driver
OS Kernel / Early Launch Anti-Malware (ELAM)
UEFI
Secure
Boot
OS Driver OS Driver
Windows 8.1
Secure
Boot
Secure Boot on MS Windows 8.1
Hardware
I/O Memory Network Graphics
UEFI DXE Core / Dispatcher
UEFI OS Loaders
System Firmware (SEC/PEI)
DXE
Driver
UEFI
Boot Loader
Bootx64.efi
Bootmgfw.efi
Signed
BIOS
Update
DXE
Driver
OS Kernel
OS Driver OS Exploit
Modify Secure
Boot FW or
config in ROM
Secure Boot bypass possible?
First Public Windows 8 Secure Boot Bypass (Aug 2013)
A Tale Of One Software Bypass Of Windows 8 Secure Boot
Bootkits: Past, Present & Future - Virus Bulletin
BIOS Attack Surface
System
FW/BIOS
SPI Flash
Protection
BIOS
Update
SMRAM
Protection
Hardware
Config.
SMI
Handlers
Secure
Boot
BIOS
Settings
(NVRAM,
Variables)
…
Summary of Attacks Against BIOS and Secure Boot
Bootkits: Past, Present & Future - Virus Bulletin
From Analytics, and Scalability, and UEFI Exploitation by Teddy Reed
Patch attempts to enable BIOS write protection (sets
BIOS_CONTROL[BLE]). Picked up by Subzero
CHIPSEC
Platform Security
Assessment Framework
https://github.com/chipsec/chipsec
@CHIPSEC
CHIPSEC: Platform Security Assessment Framework
CHIPSEC: Platform Security Assessment Framework
chipsec_main.py runs modules (see modules dir below)
chipsec_util.py runs manual utilities (see utilcmd dir below)
/chipsec
/cfg platform specific configuration
/hal all the HW stuff you can interact with
/helper support for OS/environments
/modules modules (tests/tools/PoCs) go here
/utilcmd utility commands for chipsec_util
Known Threats and CHIPSEC modules
Issue CHIPSEC Module References
SMRAM Locking common.smm CanSecWest 2006
BIOS Keyboard Buffer Sanitization common.bios_kbrd_buffer DEFCON 16 2008
SMRR Configuration common.smrr ITL 2009
CanSecWest 2009
BIOS Protection common.bios_wp BlackHat USA 2009
CanSecWest 2013
Black Hat 2013
NoSuchCon 2013
Flashrom
SPI Controller Locking common.spi_lock Flashrom
Copernicus
BIOS Interface Locking common.bios_ts PoC 2007
Access Control for Secure Boot Keys common.secureboot.keys UEFI 2.4 Spec
Access Control for Secure Boot Variables common.secureboot.variables UEFI 2.4 Spec
BIOS/Firmware Forensics
Live system firmware analysis
chipsec_util spi info
chipsec_util spi dump rom.bin
chipsec_util spi read 0x700000 0x100000 bios.bin
chipsec_util uefi var-list
chipsec_util uefi var-read db
D719B2CB-3D3A-4596-A3BC-DAD00E67656F db.bin
Offline system firmware analysis
chipsec_util uefi keys PK.bin
chipsec_util uefi nvram vss bios.bin
chipsec_util uefi decode rom.bin
chipsec_util decode rom.bin
How to dump BIOS firmware directly from chip?
How to dump BIOS firmware directly from chip?
DEMO TIME
Bootkits: Past, Present & Future - Virus Bulletin
Thank you for your attention!
Eugene Rodionov
@vxradius
Alexander Matrosov
@matrosov
David Harley
@DavidHarleyBlog

More Related Content

What's hot

Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Linux Administration
Linux AdministrationLinux Administration
Linux Administration
Harish1983
 
System security
System securitySystem security
System security
ReachLocal Services India
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
Mahmoud Ibra
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
slametarrokhim1
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 
Info hiding
Info hidingInfo hiding
Info hiding
Muna AlKhayat
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensics
sdavis532
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
lalithambiga kamaraj
 
Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
CTIN
 
Password Attack
Password Attack Password Attack
Password Attack
Sina Manavi
 
Security models
Security models Security models
Security models
LJ PROJECTS
 
Social Engineering.pdf
Social Engineering.pdfSocial Engineering.pdf
Social Engineering.pdf
MeshalALshammari12
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
Prince Boonlia
 
Data recovery
Data recoveryData recovery
Data recovery
Ravi Malik
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructure
vimal kumar
 
steganography
steganographysteganography
steganography
shiveverma
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Computer forensics and steganography
Computer forensics and steganographyComputer forensics and steganography
Computer forensics and steganography
Xavier Prathap
 

What's hot (20)

Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Linux Administration
Linux AdministrationLinux Administration
Linux Administration
 
System security
System securitySystem security
System security
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Info hiding
Info hidingInfo hiding
Info hiding
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensics
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
 
Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
 
Password Attack
Password Attack Password Attack
Password Attack
 
Security models
Security models Security models
Security models
 
Social Engineering.pdf
Social Engineering.pdfSocial Engineering.pdf
Social Engineering.pdf
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
 
Data recovery
Data recoveryData recovery
Data recovery
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructure
 
steganography
steganographysteganography
steganography
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Computer forensics and steganography
Computer forensics and steganographyComputer forensics and steganography
Computer forensics and steganography
 

Similar to Bootkits: Past, Present & Future - Virus Bulletin

Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
Felipe Prado
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 
Slimline Open Firmware
Slimline Open FirmwareSlimline Open Firmware
Slimline Open Firmware
Heiko Joerg Schick
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat Security Conference
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
RuggedBoardGroup
 
Boot process: BIOS vs UEFI
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFI
Alea Soluciones, S.L.
 
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Nicolas Collery
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 
Upgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with SecurebootUpgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with Secureboot
Jonathan MICHEL-VILLAZ
 
Let Me Pick Your Brain - Remote Forensics in Hardened Environments
Let Me Pick Your Brain - Remote Forensics in Hardened EnvironmentsLet Me Pick Your Brain - Remote Forensics in Hardened Environments
Let Me Pick Your Brain - Remote Forensics in Hardened Environments
Nicolas Collery
 
Linux kernel booting
Linux kernel bootingLinux kernel booting
Linux kernel booting
Ramin Farajpour Cami
 
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Piotr Król
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot)
Omkar Rane
 
U-Boot Porting on New Hardware
U-Boot Porting on New HardwareU-Boot Porting on New Hardware
U-Boot Porting on New Hardware
RuggedBoardGroup
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical
Moabi.com
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
Brent Muir
 
Grub2 Booting Process
Grub2 Booting ProcessGrub2 Booting Process
Grub2 Booting Process
Mike Wang
 

Similar to Bootkits: Past, Present & Future - Virus Bulletin (20)

Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Slimline Open Firmware
Slimline Open FirmwareSlimline Open Firmware
Slimline Open Firmware
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
 
Boot process: BIOS vs UEFI
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFI
 
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Upgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with SecurebootUpgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with Secureboot
 
Let Me Pick Your Brain - Remote Forensics in Hardened Environments
Let Me Pick Your Brain - Remote Forensics in Hardened EnvironmentsLet Me Pick Your Brain - Remote Forensics in Hardened Environments
Let Me Pick Your Brain - Remote Forensics in Hardened Environments
 
Linux kernel booting
Linux kernel bootingLinux kernel booting
Linux kernel booting
 
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot)
 
U-Boot Porting on New Hardware
U-Boot Porting on New HardwareU-Boot Porting on New Hardware
U-Boot Porting on New Hardware
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
Grub2 Booting Process
Grub2 Booting ProcessGrub2 Booting Process
Grub2 Booting Process
 

More from ESET

ESET Cybersecurity students
ESET Cybersecurity studentsESET Cybersecurity students
ESET Cybersecurity students
ESET
 
ESET Cybersecurity training
ESET Cybersecurity trainingESET Cybersecurity training
ESET Cybersecurity training
ESET
 
How to implement a robust information security management system?
How to implement a robust information security management system?How to implement a robust information security management system?
How to implement a robust information security management system?
ESET
 
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
ESET
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear Den
ESET
 
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
ESET
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection Regulation
ESET
 
Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015
ESET
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
ESET
 
Shopping Online
Shopping OnlineShopping Online
Shopping Online
ESET
 
Banking Online
Banking OnlineBanking Online
Banking Online
ESET
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?
ESET
 
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct? Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
ESET
 
Unpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasuresUnpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasures
ESET
 
ESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business ProductsESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business Products
ESET
 
ESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to EnterprisesESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to Enterprises
ESET
 
ESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large BusinessesESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large Businesses
ESET
 
#DoMore with ESET
#DoMore with ESET#DoMore with ESET
#DoMore with ESET
ESET
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat Review
ESET
 
Learn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platformsLearn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platforms
ESET
 

More from ESET (20)

ESET Cybersecurity students
ESET Cybersecurity studentsESET Cybersecurity students
ESET Cybersecurity students
 
ESET Cybersecurity training
ESET Cybersecurity trainingESET Cybersecurity training
ESET Cybersecurity training
 
How to implement a robust information security management system?
How to implement a robust information security management system?How to implement a robust information security management system?
How to implement a robust information security management system?
 
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear Den
 
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection Regulation
 
Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
Shopping Online
Shopping OnlineShopping Online
Shopping Online
 
Banking Online
Banking OnlineBanking Online
Banking Online
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?
 
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct? Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
 
Unpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasuresUnpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasures
 
ESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business ProductsESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business Products
 
ESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to EnterprisesESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to Enterprises
 
ESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large BusinessesESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large Businesses
 
#DoMore with ESET
#DoMore with ESET#DoMore with ESET
#DoMore with ESET
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat Review
 
Learn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platformsLearn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platforms
 

Recently uploaded

leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
siddu769252
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
KIRAN KV
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Zilliz
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
Debmalya Biswas
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 

Recently uploaded (20)

leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 

Bootkits: Past, Present & Future - Virus Bulletin

  • 1. Bootkits: Past, Present & Future Alexander Matrosov @matrosov Eugene Rodionov @vxradius David Harley @DavidHarleyBlog
  • 2. Agenda  Modern Bootkits History  Legacy BIOS vs. UEFI Boot Environment & Proof of Concept vs. In the Wild  Legacy BIOS Bootkit Classification  UEFI Bootkits  Bootkit Implementation Strategies  Attacks against Secure Boot  Forensic Software  HiddenFsReader  CHIPSEC
  • 3. Modern Bootkit History 20072007 20082008 20092009 20102010 20112011 20122012 2013201320052005 20142014 eEye BootRoot Mebroot Vbootkit Mebratix Mebrootv2 Olmarik(TDL4) Olmasco(TDL4-based) Vbootkit x64 Vbootkit x64 Rovnix Evil Core Stoned Bootkit Mebromi DeepBoot Stoned Bootkit x64 Gapz VGA Bootkit Dream Boot OldBoot(AndroidBootkit) Microsoft x64 platform gains popularity Secure Boot implemented in Windows 8 In the Wild Proof of Concept
  • 4. Legacy BIOS vs. UEFI  No more MBR and VBR/IPL code  Different hard drive partitioning scheme: GPT (GUID Partition Table)  Secure Boot technology is implemented in Windows 8 BIOS BIOS boot code bootmgr Load kernel and boot start drivers winload.efi MBR (Master Boot Record) VBR/IPL (Volume Boot Record/ Initial Program Loader) Load kernel and boot start drivers winload.efi UEFI boot loader (bootmgfw.efi) UEFI boot code UEFI
  • 5. The Target of Modern Bootkits (MBR/VBR)
  • 6. Classification of MBR/VBR Bootkits Bootkits MBR VBR/IPL MBR Code modification Partition Table modification IPL Code modification BIOS Parameter Block modification TDL4 Olmasco Rovnix Gapz
  • 7. IPL Code Modification: Rovnix  Win64/Rovnix overwrites bootstrap code of the active partition MBR VBR Bootstrap Code File System Data VBR Malicious Code File System Data Bootstrap Code MBR NTFS bootstrap code (15 sectors) Before Infecting After Infecting Malicious Unsigned Driver Compressed Data “Hasta La Vista, Bootkit: Exploiting the VBR” http://www.welivesecurity.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr/
  • 8. Gapz VBR Bootkit Main features:  Relies on Microsoft Windows VBR layout  The infections result in modifying only 4 bytes of VBR  The patched bytes might differ on various installations jmp BIOS Parameter Block (BPB) VBR code Text Strings 0x55 0xAA 0x000 0x003 0x054 0x19C 0x1FE 0x200 transfer control “Mind the Gapz: The most complex bootkit ever analyzed?” http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf
  • 9. Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
  • 10. Gapz MBR NTFS File SystemIPLVBR NTFS Volume 0x200 0x1E00 Number of “Hidden Sectors” MBR NTFS File SystemIPL Infected VBR NTFS Volume 0x200 0x1E00 Hard Drive Modified value of number of “Hidden Sectors” Bootkit before infection after infection
  • 11. Modern Bootkits ComparisonFunctionality Gapz Olmarik (TDL4) Rovnix (Cidox) Goblin (XPAJ) Olmasco (MaxSS) MBR modification      VBR modification      Hidden file system type FAT32 custom FAT16 modification custom (TDL4 based) custom Crypto implementation AES-256, RC4, MD5, SHA1, ECC XOR/RC4 Custom (XOR+ROL)  RC6 modification Compression algorithm   aPlib aPlib  Custom TCP/IP network stack implementation     
  • 12. HiddenFsReader as a Forensic Tool (MBR/VBR)
  • 13. HiddenFsReader as a Forensic Tool (MBR/VBR)
  • 15. In The Beginning… In 1998-99 CIH (Chernobyl) virus written by a student of Taipei Tatung Institute of Technology in Taiwan infected ~60 million PCs CIH (Chernobyl) erased BIOS ‘ROM’ boot block and boot sectors on a hard drive causing ~1B US dollars in damage
  • 16. • Mebromi malware includes BIOS infector & MBR bootkit components • Patches BIOS ROM binary injecting malicious ISA Option ROM with legitimate BIOS image mod utility • Triggers SW SMI 0x29/0x2F to erase SPI flash then write patched BIOS binary Signed BIOS Updates Are Rare • No concept of Secure or Verified Boot • Wonder why TDL4 and likes flourished? No Signature Checks of OS boot loaders (MBR/VBR)
  • 17. UEFI BIOS Firmware SEC Pre-EFI Init (PEI) Driver Exec Env (DXE) Boot Dev Select (BDS) Runtime / OS S-CRTM; Init caches/MTRRs; Cache-as-RAM (NEM); Recovery; TPM Init S-CRTM: Measure DXE/BDS Early CPU/PCH Init Memory (DIMMs, DRAM) Init, SMM Init Continue initialization of platform & devices Enum FV, dispatch drivers (network, I/O, service..) Produce Boot and Runtime Services Boot Manager (Select Boot Device) EFI Shell/Apps; OS Boot Loader(s) ExitBootServices. Minimal UEFI services (Variable) ACPI, UEFI SystemTable, SMBIOS table CPU Reset
  • 18. UEFI Bootkits Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) DXE Driver UEFI Boot Loader Bootx64.efi Bootmgfw.efi DXE Driver UEFI OROM UEFI OROM OS Kernel / Drivers HDD Malware
  • 19. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
  • 20. Replacing Windows Boot Manager EFI System Partition (ESP) on Fixed Drive ESPEFIMicrosoftBootbootmgfw.efi UEFI technology: say hello to the Windows 8 bootkit! by ITSEC Replacing Fallback Boot Loader ESPEFIBootbootx64.efi UEFI and Dreamboot by Sébastien Kaczmarek, QUARKSLAB Adding New Boot Loader (bootkit.efi) Modified BootOrder / Boot#### EFI variables UEFI Bootkits
  • 21. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
  • 22. Adding/Replacing DXE Driver Stored on Fixed Drive Not embedded in Firmware Volume (FV) in ROM Modified DriverOrder + Driver#### EFI variables UEFI Bootkits
  • 23. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
  • 24. Patching UEFI “Option ROM” UEFI DXE Driver in Add-On Card (Network, Storage..) Non-Embedded in FV in ROM Mac EFI Rootkits by @snare, Black Hat USA 2012 UEFI Bootkits
  • 25. Replacing OS Loaders (winload.efi, winresume.efi) Patching GUID Partition Table (GPT) UEFI Bootkits
  • 26. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
  • 28. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders (winload.efi, winresume.efi) System Firmware (SEC/PEI) UEFI OROM UEFI Boot Loader Bootx64.efi Bootmgfw.efi Signed BIOS Update UEFI OROM UEFI App UEFI App DXE Driver DXE Driver OS Kernel / Early Launch Anti-Malware (ELAM) UEFI Secure Boot OS Driver OS Driver Windows 8.1 Secure Boot Secure Boot on MS Windows 8.1
  • 29. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) DXE Driver UEFI Boot Loader Bootx64.efi Bootmgfw.efi Signed BIOS Update DXE Driver OS Kernel OS Driver OS Exploit Modify Secure Boot FW or config in ROM Secure Boot bypass possible?
  • 30. First Public Windows 8 Secure Boot Bypass (Aug 2013) A Tale Of One Software Bypass Of Windows 8 Secure Boot
  • 32. BIOS Attack Surface System FW/BIOS SPI Flash Protection BIOS Update SMRAM Protection Hardware Config. SMI Handlers Secure Boot BIOS Settings (NVRAM, Variables) … Summary of Attacks Against BIOS and Secure Boot
  • 34. From Analytics, and Scalability, and UEFI Exploitation by Teddy Reed Patch attempts to enable BIOS write protection (sets BIOS_CONTROL[BLE]). Picked up by Subzero
  • 36. CHIPSEC: Platform Security Assessment Framework
  • 37. CHIPSEC: Platform Security Assessment Framework chipsec_main.py runs modules (see modules dir below) chipsec_util.py runs manual utilities (see utilcmd dir below) /chipsec /cfg platform specific configuration /hal all the HW stuff you can interact with /helper support for OS/environments /modules modules (tests/tools/PoCs) go here /utilcmd utility commands for chipsec_util
  • 38. Known Threats and CHIPSEC modules Issue CHIPSEC Module References SMRAM Locking common.smm CanSecWest 2006 BIOS Keyboard Buffer Sanitization common.bios_kbrd_buffer DEFCON 16 2008 SMRR Configuration common.smrr ITL 2009 CanSecWest 2009 BIOS Protection common.bios_wp BlackHat USA 2009 CanSecWest 2013 Black Hat 2013 NoSuchCon 2013 Flashrom SPI Controller Locking common.spi_lock Flashrom Copernicus BIOS Interface Locking common.bios_ts PoC 2007 Access Control for Secure Boot Keys common.secureboot.keys UEFI 2.4 Spec Access Control for Secure Boot Variables common.secureboot.variables UEFI 2.4 Spec
  • 39. BIOS/Firmware Forensics Live system firmware analysis chipsec_util spi info chipsec_util spi dump rom.bin chipsec_util spi read 0x700000 0x100000 bios.bin chipsec_util uefi var-list chipsec_util uefi var-read db D719B2CB-3D3A-4596-A3BC-DAD00E67656F db.bin Offline system firmware analysis chipsec_util uefi keys PK.bin chipsec_util uefi nvram vss bios.bin chipsec_util uefi decode rom.bin chipsec_util decode rom.bin
  • 40. How to dump BIOS firmware directly from chip?
  • 41. How to dump BIOS firmware directly from chip?
  • 44. Thank you for your attention! Eugene Rodionov @vxradius Alexander Matrosov @matrosov David Harley @DavidHarleyBlog