Bootkit Threats: In Depth Reverse Engineering & Defense. Eugene Rodionov Aleksandr Matrosov

Similar documents
BOOTKITS: PAST, PRESENT & FUTURE Eugene Rodionov ESET, Canada Alexander Matrosov Intel, USA David Harley ESET North America, UK

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Hi and welcome to the Microsoft Virtual Academy and

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Session ID: Session Classification:

ERNW Newsletter 42 / December 2013

The PC Boot Process - Windows XP.

McAfee Deep Safe. Security beyond the OS. Kai-Ping Seidenschnur Senior Security Engineer. October 16, 2012

Hotpatching and the Rise of Third-Party Patches

Security Policy for FIPS Validation

UEFI Implications for Windows Server

VBootKit Attacking Windows 7 via Boot Sectors

Trustworthy Computing

Windows Server 2008 R2 Boot Manager Security Policy For FIPS Validation

Frontiers in Cyber Security: Beyond the OS

MBR and EFI Disk Partition Systems

Code Injection From the Hypervisor: Removing the need for in-guest agents. Matt Conover & Tzi-cker Chiueh Core Research Group, Symantec Research Labs

Introducing Ring -3 Rootkits

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Hardware Backdooring is practical. Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian)

Patterns for Secure Boot and Secure Storage in Computer Systems

Hardware Enabled Zero Day Protection

Storm Worm & Botnet Analysis

Proactive Rootkit Protection Comparison Test

Windows Kernel Internals for Security Researchers

Implementation and Implications of a Stealth Hard-Drive Backdoor

Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com

How To Stop A Malicious Process From Running On A Hypervisor

Hypervisor-Based, Hardware-Assisted System Monitoring

Process Description and Control william stallings, maurizio pizzonia - sistemi operativi

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation

Virtual Machine Security

UEFI on Dell BizClient Platforms

Guardian: Hypervisor as Security Foothold for Personal Computers

ZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference. May 2016

Mount & Boot Center. Contents

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

Inside Windows Rootkits

Computer Security DD2395

PC Boot Considerations for Devices >8GB

A+ Practical Applications Solution Key

HP Z220, Z420, Z620, and Z820 Workstations Microsoft Windows XP Installation Reference Guide

Chapter 5: Fundamental Operating Systems

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

Example of Standard API

Optimizing Windows Security Features to Block Malware and Hack Tools on USB Storage Devices

Application research and analysis based on Bitlocker-Data protection & Secure Start-up of Windows 7

ZeroAccess. James Wyke. SophosLabs UK

Self Protection Techniques in Malware

GPT hard Disk Drives. For HP Desktops. Abstract. Why GPT? April Table of Contents:

University of Rochester Sophos SafeGuard Encryption for Windows Support Guide

USB Bare Metal Restore: Getting Started

An Implementation Of Multiprocessor Linux

UNCLASSIFIED Version 1.0 May 2012

Introduction to BitLocker FVE

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

Dual-boot Windows 10 alongside Windows 8

HP Compaq dc7800p Business PC with Intel vpro Processor Technology and Virtual Appliances

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Lecture Overview. INF3510 Information Security Spring Lecture 4 Computer Security. Meaningless transport defences when endpoints are insecure

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

File Disinfection Framework (FDF) Striking back at polymorphic viruses

Attacking Hypervisors via Firmware and Hardware

Windows8 Internals, Sixth Edition, Part 1


Windows Server Virtualization & The Windows Hypervisor

OS Security. Malware (Part 2) & Intrusion Detection and Prevention. Radboud University Nijmegen, The Netherlands. Winter 2015/2016

How to Secure Infrastructure Clouds with Trusted Computing Technologies

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Fastboot Techniques for x86 Architectures. Marcus Bortel Field Application Engineer QNX Software Systems

Spyware Analysis. Security Event - April 28, 2004 Page 1

Creating a More Secure Device with Windows Embedded Compact 7. Douglas Boling Boling Consulting Inc.

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 16 Fixing Windows Problems

Chapter 5 Cloud Resource Virtualization

Supply Chain (In-) Security

Storage Class Memory Support in the Windows Operating System Neal Christiansen Principal Development Lead Microsoft

Introduction. Current personal firewalls are focused on combating usermode malware. Overview. What about protection against rootkits?

Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server 2003, Windows XR and Windows 2000

Ovation Security Center Data Sheet

Network Incident Report

LSN 10 Linux Overview

Penetration Testing Windows Vista TM BitLocker TM

Windows Internals, Fifth Edition

BM482E Introduction to Computer Security

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

Windows 8: Redmond s Safest Operating System Ever?

[CEH]: Ethical Hacking and Countermeasures

Sandbox Roulette: Are you ready for the gamble?

Installing and Upgrading to Windows XP

Technical Brief Distributed Trusted Computing

CPS221 Lecture: Operating System Structure; Virtual Machines

Windows Phone 8 Security Overview

DELL. Unified Server Configurator: IT and Systems Management Overview. A Dell Technical White Paper

Full Disk Encryption Agent Reference

Fine-grained covert debugging using hypervisors and analysis via visualization

CORPORATE AV / EPP COMPARATIVE ANALYSIS

A Tale of One Software Bypass of Windows 8 Secure Boot. Yuriy Bulygin Andrew Furtak Oleksandr Bazhaniuk

Transcription:

Bootkit Threats: In Depth Reverse Engineering & Defense Eugene Rodionov Aleksandr Matrosov

Outline of The Presentation Bootkit technology Why? How? Bootkit design principles Architecture Analysis instrumentation Rovnix bootkit in-depth analysis Infected VBR analysis Infection strategy Bootkit remediation techniques

Bootkit technology

Bootkit evolution over time o Bootkit PoC evolution: eeye Bootroot (2005) Vbootkit (2007) Vbootkit v2 (2009) Stoned Bootkit (2009) Evilcore x64 (2011) o Bootkit Threats evolution: Win32/Mebroot (2007) Win32/Mebratix (2008) Win32/Mebroot v2 (2009) Win64/Olmarik (2010/11) Win64/Olmasco (2011) Win64/Rovnix (2011/2012)

Why? Why there is a return to bootkit technology nowadays Microsoft kernel-mode code signing policy loading unsigned kernel-mode driver High level of stealth there are no malicious files in the file system High degree of survival difficult to detect and remove Ability to disable security software the malware is launched before security software

How? Bootkits in the wild: Infecting: MBR (Master Boot Record) VBR (Volume Boot Record) Proof of Concept Bootkits: Infecting UEFI

Bootkit design principles

Boot process Description of OS boot process: protected mode without paging BIOS initialization MBR VBR bootmgr winload.exe Kernel initialization real mode bootmgr interface protected mode with paging BIOS interface

Bootkit Architecture Locating & loading loader code Starter Loader Locating & loading driver Hooking system routines, maintaining hidden storage and injecting payload Driver Payload Performing malicious activities

Injecting Payload Process1 Process2 Process3 ProcessN Injection approach APC routines Patching entry point of the executable user-mode kernel-mode Payload1 Payload2 Payload3 PayloadN Kernelmode driver Bootkit hidden storage Payload1 Payload2 Payload3 PayloadN

Hidden Storage Architecture Applications Malware payload user-mode address space kernel-mode address space OS File system driver Malicious kernel-mode driver File system interface Physical storage interface OS storage device driver stack Hard drive Hidden FS area

Bootkit Analysis Instrumentation

Debugging bootkit with Bochs./configure --enable-debugger

Debugging bootkit with Bochs IDA Pro debugger Bochs internal debugger interface Bochs Core CPU memory devices Operation System

LIVE DEMO

Rovnix Reverse Engineering

Interesting Carberp sample (October 2011)

Interesting Carberp sample (October 2011)

Rovnix Kit Hidden File Systems Comparison functionality Rovnix.A Carberp with bootkit Rovnix.B VBR modification polymorphic VBR Malware driver storage Driver encryption algorithm custom (ROR + XOR) custom (ROR + XOR) custom (ROR + XOR) Hidden file system FAT16 modification File system encryption algorithm RC6 modification FAT16 modification RC6 modification

Rovnix Architecture Dropper Infected VBR Kernel-mode driver x86 Payload x86 Kernel-mode driver x64 Payload x64

Installation Into the System Check administrative privileges Check OS version Locate free space on the hard drive to store kernel-mode driver & hidden FS image Store the driver & hidden FS image in the located area. Overwrite bootstrap code of the active partition with malicious one

Callgraph of Bootkit Installation Routine

VBR Code Information VBR is responsible for loading OS boot components (bootmgr, BCD, etc.). VBR Bootstrap code (IPL) Partition data 1 sector NTFS bootstrap code (15 sectors) NTFS Boot Sector (Volume Boot Record) JMP OEM ID BIOS Parameter Block (BPB) Extended BPB (EBPB) Boot Code Signature [3 b] [8 b] [25 b] [48 b] [426 b] [2 b]

Rovnix Polymorphic VBR Polymorphic decryptor Encrypted malicious VBR Polymorphic decryptor Basic block 1 Basic block 2 Basic block 3 Compressed original VBR... Basic block N...

Rovnix Polymorphic VBR Polymorphic decryptor Encrypted malicious VBR Polymorphic decryptor Basic block 1 Basic block 2 Basic block 3 Compressed original VBR... Basic block N...

Decrypted VBR code Hook BIOS int 13h handler intercept hard drive I/O requests patch bootmgr system module Hook BIOS int 15h handler intercept memory map requests protect its memory location Decompress & Restore Original VBR continue normal boot process

Hooking BIOS int 15h Handler Used by operating system to query system address map. System memory Abused by malicious VBR to protect its memory region from allocation by OS Protected memory Malicious VBR Interrupt vectors Int 15h handler address Int 13h handler address

Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware: detects execution mode switching operation in bootmgr patches bootmgr right before switching into protected mode copies itself over the last half of IDT (which isn t used by OS)

Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware: detects execution mode switching operation in bootmgr patches bootmgr right before switching into protected mode copies itself over the last half of IDT (which isn t used by OS)

Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware: detects execution mode switching operation in bootmgr patches bootmgr right before switching into protected mode copies itself over the last half of IDT (which isn t used by OS)

Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware: detects execution mode switching operation in bootmgr patches bootmgr right before switching into protected mode copies itself over the last half of IDT (which isn t used by OS)

Loading Kernel-mode Driver To be able to load unsigned kernel-mode driver Rovnix: Waits until kernel-mode memory manager is properly initialized: Sets up hardware breakpoint Allocates memory buffer in kernel-mode address space to store the driver: Calls BlAllocateAlignedDescriptor system routine to allocate memory buffer Inserts corresponding structure in BootDriverList of KeLoaderBlock. The driver receives control during boot start drivers initialization

LIVE DEMO

Hidden Storage Layout Rovnix bootkit employs modification of FAT16 for hidden partition Hidden partition & kernel-mode driver are written either: before first partition on the disk if there is more than 2000 (1 Mb) free sectors In the end of the hard drive otherwise MBR VBR Bootstrap Code File System Data Before Infecting Compressed Data After Infecting MBR VBR Malicious Code Bootstrap Code File System Data Hidden Partition Malicious Unsigned Driver NTFS bootstrap code (15 sectors)

Hidden Storage Layout Rovnix bootkit employs modification of FAT16 for hidden partition Hidden partition & kernel-mode driver are written either: before first partition on the disk if there is more than 2000 (1 Mb) free sectors In the end of the hard drive otherwise MBR VBR Bootstrap Code File System Data Before Infecting Compressed Data After Infecting MBR VBR Malicious Code Bootstrap Code File System Data Hidden Partition Malicious Unsigned Driver NTFS bootstrap code (15 sectors)

Self-defense Mechanisms To be able to protect VBR & Hidden file system Rovnix bootkit hooks IRP_MJ_INTERNAL_DEVICE_CONTROL handler: \Device\ Harddisk0\DR0 DriverObject Storage miniport driver object Attached to... Attached to MajorFunction IRP_MJ_INTERNAL_DEVICE_CONTROL Lowest device object

Self-defense Mechanisms To be able to protect VBR & Hidden file system Rovnix bootkit hooks IRP_MJ_INTERNAL_DEVICE_CONTROL handler: \Device\ Harddisk0\DR0 DriverObject Storage miniport driver object Attached to... Attached to MajorFunction IRP_MJ_INTERNAL_DEVICE_CONTROL Lowest device object

Hidden File System Reader

Hidden File System Reader

LIVE DEMO

Bootkit countermeasures

Problem Description Untrusted platform problem: protected mode without paging BIOS initialization MBR VBR bootmgr winload.exe Kernel initialization real mode bootmgr interface protected mode with paging BIOS interface Point of Attack OS kernel Non boot-start kernel-mode drivers Pre boot firmware Bootmgr OS loader OS kernel dependencies Boot-start drivers

Bootkits & GPT Disks There is no MBR & VBR code which is executed in GPT disks Bootkits in-the-wild aren t applicable to GPT disks Protective MBR Primary GUID partition Table Primary GUID partitions Backup GUID partition Table Primary GUID Partition Table Header GUID Partition entry 1 GUID Partition entry 1 GUID Partition entry 1 GUID Partition entry 1... GUID Partition entry 1 GUID Partition Table Entry Partition type GUID Unique partition GUID First LBA Last LBA Attributes flags Partition name

Bootkits & GPT Disks UEFI Firmware UEFI Boot Manager Windows Boot Manager (bootmgr.efi) Windows OS Loader (winload.efi) OS Kernel (ntoskrnl.exe)

Windows 8 Security Features Security enhancements introduced in Windows 8: Secure boot technology Employing UEFI secure boot in conjunction with TPM Early anti-malware launch module Allows antimalware software start before any other thirdparty components

Secure Boot Secure boot prevents running an unknown OS loader: UEFI will verify OS loader The key for verification is stored inside TPM Trust anchor TPM OS kernel Non boot-start kernel-mode drivers UEFI Bootmgr OS loader OS kernel dependencies Boot-start drivers

Early antimalware launch module Antimalware component receives control before any other third-party software at boot time. Windows OS loader Kernel initialization Early antimalware module Third-party drivers

Conclusion Bootkit technology allows malware to load unsigned kernel-mode driver and achieve high degree of stealth in the system The main target of bootkit infection are MBR & VBR Rovnix is a first known bootkit infecting VBR The most interesting features of the latest modification of Rovnix bootkit are: Polymorphic infected VBR Hidden Storage There are additional security features introduced in Windows 8 OS: Early antimalware launch module Secure Boot

References Rovnix Reloaded: new step of evolution http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution TDL4 reloaded: Purple Haze all in my brain http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain Bootkit Threat Evolution in 2011 http://blog.eset.com/2012/01/03/bootkit-threat-evolution-in-2011-2 The Evolution of TDL: Conquering x64 http://go.eset.com/us/resources/white-papers/the_evolution_of_tdl.pdf Modern bootkit trends: bypassing kernel-mode signing policy http://www.virusbtn.com/conference/vb2011/abstracts/lastminute1.xml King of Spam: Festi botnet analysis http://blog.eset.com/2012/05/11/king-of-spam-festi-botnet-analysis

Moscow, Russia 19-20 November cfp@zeronights.ru

Thank you for your attention! Aleksandr Matrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information