Bootkits step by-step-slides-final-v1-release

IBM Security Systems | © 2014 IBM Corporation
BOOTKITS STEP-BY-STEP
AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS
Eric Koeppen
IBM X-Force Advanced Research
erkoeppe[at]us[dot]ibm[dot]com
@PorkChop
(v1)

AGENDA
 Introduction
 Snapshot of Boot Process for various OSes
 A Look at Low-Level Technologies
– Case studies as examples of exploitation
– Advice for detection and prevention
 Conclusion

INTRODUCTION
BOOTKITS STEP-BY-STEP:

DEFINITION
 For the purposes of this presentation, we will define
Bootkit as any malware (rootkit) that is persistent
and exists below the level of the operating system
kernel environment (ring 0).

INTRODUCTION
 Purpose: To look at how Bootkits achieve persistence
and to give advice in regards to detection &
prevention.
 Scope is limited to x86 and x64 compatible
architectures.
 Scope does not include Virtualization technology.
 More details can be found in the forthcoming
companion white paper

THE BOOT PROCESS

BOOT PROCESSES > WINDOWS XP > BIOS
BIOS Boot Process for Windows XP
POST BIOS MBR/VBR NTLDR
(using ntdetect.com)
NT Kernel

BOOT PROCESSES > WIN VISTA & LATER > BIOS
BIOS Boot Process for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows
8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2
POST BIOS MBR/VBR
Windows
Boot Mgr
Boot Conf
Data (BCD)
Win Loader
(winload.exe)
OS

BOOT PROCESSES > WINDOWS VISTA SP 1 & LATER > UEFI
UEFI Boot Process for Windows Vista SP1, Windows Server 2008, Windows 7, Windows Server 2008 R2,
Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2
POST UEFI
MBR/VBR
or GPT
Windows
Boot Mgr
Boot Conf
Data (BCD)
Win Loader
(winload.exe)
OS

BOOT PROCESSES > WINDOWS 8 & LATER > SECURE BOOT
Secure Boot Process for Windows 8, Windows 8.1, Windows Server 2012, Windows Server
2012 R2, and Windows RT.
POST UEFI MBR/VBR
or GPT
Verified
Boot Mgr
Verified OS
Loader
OS

BOOT PROCESSES > MAC > EFI BOOT
EFI Boot Process for Mac.
BootROM
POST Hw Init
Boot Loader
(boot.efi)
EFI
OS Select

BOOT PROCESSES > LINUX > BIOS
BIOS Boot Process for Linux
POST BIOS MBR/VBR
or GPT
Boot Loader
(LILO or Grub)
Linux Kernel

BOOT PROCESSES > LINUX > UEFI
UEFI Boot Process for Linux
POST UEFI MBR/VBR
or GPT
Boot
Loader
Linux
Kernel
Boot MGR
Data

BOOT PROCESSES > LINUX > SECURE BOOT
Secure Boot Process for Linux
POST UEFI MBR/VBR
or GPT
Signed
Boot
Loader
Linux
Kernel
Signed
Boot
MGR

A LOOK AT LOW-LEVEL TECHNOLOGIES

 Basic Input/Output System (BIOS)
– Firmware interface used to boot older machines.
– Stored on nonvolatile ROM chip on mobo
– Made of modules compressed with LZH
• Each Module has 8 bit checksum for verification
– Some modules uncompressed:
• Bootblock that handles POST & emergency boot
• Decompression routine
– Modifying module without updating checksum
makes system unbootable
LOW-LEVEL TECHNOLOGIES > BIOS

Persistent BIOS Infection by Core @ Cansec West 09
– Used 2 techniques for flashing the BIOS:
1. BIOS Building tool such as Pinczakko’s method
2. Patch & update checksums
– Three steps for flashing BIOS
1. Dump BIOS with flashrom
2. Patch & update checksums
3. Re-flash
LOW-LEVEL TECHNOLOGIES > BIOS > EXPLOITATION

 Four ways to avoid this attack:
1.Stop initial access with common methods (AV,
firewalls, etc) to avoid BIOS modification
2.Enable flash write protection on motherboard
3.Use digitally signed BIOS firmware
4.Don’t download BIOS updates from untrusted
sources
LOW-LEVEL TECHNOLOGIES > BIOS > EXPLOITATION

 Unified Extensible Firmware Interface (UEFI)
– Designed as a BIOS replacement
– Larger, more powerful, and more modular
– Basically bare-bones Operating System
– Allows pre-OS networking
– Some versions provide pre-OS AV
– Provides 2 types of Services:
1. Boot services: only available at boot time
2. Runtime services: available while OS is running
LOW-LEVEL TECHNOLOGIES > UEFI

Dreamboot - Presented by Sebastian Kaczmarek @
Hack in the Box, Amsterdam 2013
– Finds boot loader on hardware & patches it
– Hijacks kernel entry point call in loader to redirect
control flow
– Deactivates kernel protections (once it gets around
PatchGuard)
– Hides payload in ntoskrnl relocation table
LOW-LEVEL TECHNOLOGIES > UEFI > EXPLOITATION

 Countermeasures:
– Prevent initial infection through normal means
(AV, IPS, HIPS, secure use policies)
– Secure Boot means that the boot loader signature
will have to match the stored key.
– Intel TXT’s “Late Launch” can help prevent loading
modified software.
– Bitlocker in TPM mode will provide encryption to
make patching the boot loader more difficult, it
stores software measurements and won’t even
boot if they don’t match up.
LOW-LEVEL TECHNOLOGIES > UEFI > EXPLOITATION

 Secure Boot (UEFI)
– UEFI option where all applications and services
must have a valid digital signature
– Secure Boot Keys stored in UEFI firmware
– Offers protection that makes compromise more
difficult
LOW-LEVEL TECHNOLOGIES > SECURE BOOT

Setup For Failure: Defeating Secure Boot Presented by
Corey Kallenberg and Mitre research team at Hack In
the Box, Amsterdam 2014
– Found that Secure Boot doesn’t always run the
signature check on all target EFI executables,
especially Option ROMs (such as for graphics cards)
– Found a way to manually modify the Setup variable
that determines how lax the signature checking policy
is; making it so that all target EFI executables can be
run without signature check.
LOW-LEVEL TECHNOLOGIES > SECURE BOOT > EXPLOITATION

– Make sure the UEFI version follows the spec in regards
to variable protection, the UEFI spec does not allow
this exploit
– BIOS_CNTL & SMM BIOS Write Enable protection
– Intel Protected Range SPI Flash Protections
• Flash Configuration Lockdown (HSFS.FLOCKDN) Bit
– Setting SMM BIOS Write Protection (SMM_BWP) Bit
– Common Security measures to prevent initial infection
LOW-LEVEL TECHNOLOGIES > SECURE BOOT > EXPLOITATION

 Mac EFI
– Does basic hardware initialization
– Selects Operating System to load
– Modular: comprised of core components, apps,
drivers, bootloader
– Lots of jump tables with function pointers
– Core components reside on Mac BootROM
– Used on all Intel Macs
LOW-LEVEL TECHNOLOGIES > MAC EFI

DE MYSTERIIS DOM JOBSIVS: MAC EFI ROOTKITS
presented by Snare at Black Hat 2012
– Lists 3 valid options for persistence:
1. Patch or replace the bootloader
/System/Library/CoreServices/boot.eﬁ
2. Write to PCI device expansion ROM - writeable
from OS via device firmware updates and/or
flashrom application
3. Flash the firmware - also flashrom, but Firmware
Volume signature gets checked by BootROM &
new macs write protect flash
LOW-LEVEL TECHNOLOGIES > MAC EFI > EXPLOITATION

– EFI password can prevent changing boot target,
but can be bypassed
– UEFI Secure Boot would be nice but unsupported
– Use normal measures to prevent initial infection.
– Restrict physical access and consider blocking ports
to avoid “Evil Maid” scenario
LOW-LEVEL TECHNOLOGIES > MAC EFI > EXPLOITATION

 System Management Mode (SMM)
– Most privileged execution mode on x86/x64
architectures
– Has access to all of system memory
• Not subject to standard OS memory protections
such as page tables
– Stored in system firmware (BIOS or UEFI)
– Can be accessed via System Management
Interrupts (SMI) handlers
LOW-LEVEL TECHNOLOGIES > SMM

A Real SMM Rootkit: Reversing and Hooking BIOS
SMI Handlers Phrack article by Filip Wecherowski
– Modified System Management Interrupt (SMI)
handler to create I/O Trap based keylogger
– Only applies to Asus motherboards AMIBIOS
LOW-LEVEL TECHNOLOGIES > SMM > EXPLOITATION

– Common methods (AV, IPS, HIPS, good security
policies, educated users, etc) to prevent initial
infection.
– Author wrote simple C program to detect keylogger.
Reads the Root Complex Base Address Register
(RCBA). Tests keyboard controller port to see if I/O
Trap is enabled.
– SMM Transfer Monitor (STM) to sandbox the existing
SMM handler by virtualizing it using VT-x and VT-d
technologies. Unfortunately it’s not available yet.
LOW-LEVEL TECHNOLOGIES > SMM > EXPLOITATION

 Intel Active Management Technology (AMT)
– Allows for remote system administration
• Doesn’t require Powered-On state or Installed OS
– Stores various data in firmware memory
• System parameters (OEM-defined, setup, etc)
• Configuration details (including startup hdw)
• Credentials (passwords, certificates)
• Network configuration
• Security configuration (ACLs, Defense policies)
– Provides Direct Memory Access (DMA)
• Independent of CPU
LOW-LEVEL TECHNOLOGIES > INTEL AMT

Evaluating “Ring -3” Rootkits presented by
Patrick Stewin of Berlin Institute of Technology
– AMT disabled by default
– Some AMT code runs even if AMT is disabled
– Leverages exploit from Tereshkin BH 09 based on calculating
the re-mapped memory address and hooking function that runs
periodically regardless of whether AMT is enabled or not.
– Only works on old Q35 chipset, not Q45.
– May require a BIOS downgrade, doesn’t require consent
– Resides completely in ARC4 execution environment
– Keylogger with covert communications channel
– Working versions for Linux and Windows
LOW-LEVEL TECHNOLOGIES > INTEL AMT > EXPLOITATION

 Countermeasures
– Replacing BIOS with UEFI Secure Boot
– Intel Trusted Execution Technology (TXT)
– Upgrading chipset to Q45 or later
– Common security practices
LOW-LEVEL TECHNOLOGIES > INTEL AMT > EXPLOITATION

 Trusted Platform Module (TPM)
– Standard for a secure, dedicated microprocessor
designed to secure hardware by integrating
cryptographic keys into devices.
– Developed by the Trusted Computing Group (TCG)
for the purposes of:
• Key Generation
• System Hashing
• Binding – encryption with factory burned key
• Sealing – machine-state-dependent decryption
LOW-LEVEL TECHNOLOGIES > TPM

Thoughts about Trusted Computing presented by
Joanna Rutkowska of Invisible Things Labs
– Evil Maid Scenario – physical access allowing
malicious user to grab keys
LOW-LEVEL TECHNOLOGIES > TPM > EXPLOITATION

– Restrict physical access and consider blocking ports
to avoid “Evil Maid” scenario
LOW-LEVEL TECHNOLOGIES > TPM > EXPLOITATION

 Intel Trusted Execution Technology (TXT)
– Relies heavily on TPM for basic services
• Secure Storage
– Provides trusted mechanism for securely loading &
executing system software
• Stores software metrics
• Called “Late Launch”
– AMD’s version implemented with SKINT instruction
LOW-LEVEL TECHNOLOGIES > INTEL TXT

Invisible Things Labs 2011 whitepaper
– Exploiting flaw in SINIT Authenticated Code
Module (ACM), when executed by SENTER
instruction to cause an overwrite when adding a
maliciously crafted ACPI DMAR table
• Requires execution prior to SENTER instruction
• Requires some TXT heap manipulation
• Causes TXT, LCP bypass & hijacks SMM
• Advisories issued to customers to install updates
LOW-LEVEL TECHNOLOGIES > INTEL TXT > EXPLOITATION

 Countermeasures
– Intel update fixes SINIT overflow
– Intel processor microcode update to prevent
rollback and running buggy modules
– Coordinating with OEM vendors to ensure that
above fixes get disseminated
– Launch Control Policy (LCP) code moved to
beginning of SINIT code to offer blacklisting
without the need for BIOS and microcode updates
LOW-LEVEL TECHNOLOGIES > INTEL TXT > EXPLOITATION

 Master Boot Record (MBR)
– Boot sector at the beginning of storage devices
– Stores partition information
– Stores code for loading OS
– Maximum addressable storage space = 2 TB
– Typically 512 bytes in size
LOW-LEVEL TECHNOLOGIES > MBR

Stoned Bootkit presented by Peter Kleissner at Black
Hat 2009 (and many more)
– Replaces MBR with its own
– Patches ntoskrnl.exe
LOW-LEVEL TECHNOLOGIES > MBR > EXPLOITATION

– Common practices will completely mitigate this
particular malware and go a long way towards any
future MBR attacks
– Full disk encryption using BitLocker in TPM mode
– UEFI Secure Boot
LOW-LEVEL TECHNOLOGIES > MBR > EXPLOITATION

 Volume Boot Record (VBR)
– First sector of an individual partition on a
partitioned storage device
– Loaded the same way as MBR
LOW-LEVEL TECHNOLOGIES > VBR

Reconstructing Gapz: Position-Independent Code
Analysis Problem presented by Aleksandr Matrosov
and Eugene Rodionov at RECon 2013
– Relies on Windows VBR format
– Hooks Int 13h
– Patches 4 bytes in VBR to modify number of
“Hidden Sectors”
– Also patches Bootmgr and Winload.exe
LOW-LEVEL TECHNOLOGIES > VBR > EXPLOITATION

– UEFI Secure Boot
– Switching to GPT
– BitLocker in TPM mode
– Common security practices to prevent initial
infection
LOW-LEVEL TECHNOLOGIES > VBR > EXPLOITATION

 GUID Partition Table (GPT)
– Replacement for MBR
– Allows storages devices larger than 2 TB
– Not being targeted yet
LOW-LEVEL TECHNOLOGIES > GPT

 NT Loader (NTLDR)
– Boot loader for all legacy releases of NT-based
versions of Windows, including Windows XP
– Works with ntldr file stored on bootable media
– Loads boot.ini for specific boot options
– Runs ntdetect.com to gather information about
the computer’s hardware
– Passes that info to ntoskrnl.exe in order to load the
NT Kernel
LOW-LEVEL TECHNOLOGIES > NTLDR

 Windows Boot Manager (Bootmgr.exe)
– Replaces NTLDR
– bootmgr is a hidden system file stored in the
System Reserved Volume
– Locates the active partition
– Reads Boot Configuration Database (BCD) file
• For boot-time configuration data
– Passes data from BCD to Windows Loader
(winload.exe)
LOW-LEVEL TECHNOLOGIES > BOOTMGR

Vboot Kit (1 & 2) from Nitin & Vipin Kumar of NVLABs
– Not really persistent, runs from CD
– Used cdrom to hook INT 13 (Win Vista)
– When bootmgr.exe loaded, hook runs payload
– Patches bootmgr.exe in 3 places in memory
– Bypassed checksums, digital signatures, & DEP
– Gains control when winload.exe runs
LOW-LEVEL TECHNOLOGIES > BOOTMGR > EXPLOITATION

 Countermeasures
– Don’t allow physical access to machine
– Turn off cdrom boot in BIOS if not using
– Find a better way to prevent in-memory
modification between loading executable into
memory and execution
– Bitocker Drive Encryption (BDE) in TPM Mode:
Measurements will be off in TPM, so it declines
unsealing Volume Master Key (VMK), thus
preventing boot
LOW-LEVEL TECHNOLOGIES > BOOTMGR > EXPLOITATION

CONCLUSION
 Everything has potential for vulnerabilities
 New technologies such as UEFI Secure Boot, TPM,
TXT offer a lot of mitigation
 Intel should do everyone a favor and release STM
 Common security practices such as Antivirus,
Intrusion Detection, Intrusion Prevention, Host-
Based Intrusion Prevention, timely patches, and solid
secure use policies can all help with detection and
prevention.

REFERENCES
 Complete Bibliography will be included in the
forthcoming whitepaper
 Presentations referenced are all available on the web
sites for the conferences mentioned

Thank You!
Eric Koeppen
IBM X-Force Advanced Research
erkoeppe[at]us[dot]ibm[dot]com
@PorkChop

Bootkits step by-step-slides-final-v1-release

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Bootkits step by-step-slides-final-v1-release

Similar to Bootkits step by-step-slides-final-v1-release (20)

Recently uploaded

Recently uploaded (20)

Bootkits step by-step-slides-final-v1-release