Documentos de Académico
Documentos de Profesional
Documentos de Cultura
06 April, 2011
F-Secure Confidential
Brain
Brain is the first known PC virus Discovered in 1986 Boot sector virus First versions only infected 360k floppies Stealth features Hides infected boot sector by hooking sector read interrupt Marks sectors in FAT bad but after all hiding efforts, some variants change floppy label to Brain
06 April, 2011
F-Secure
06 April, 2011
F-Secure
06 April, 2011
F-Secure
Demo: Brain
PUBLIC
06 April, 2011
F-Secure Confidential
06 April, 2011
F-Secure Confidential
06 April, 2011
F-Secure Confidential
Definition
Kernel malware is malicious software that runs fully or partially at the most privileged execution level, ring 0, having full access to memory, all CPU instructions, and all hardware. Can be divided into two subcategories Full-Kernel malware Semi-Kernel malware
History
Kernel malware is not new it has just been rare WinNT/Infis Discovered in November 1999 Full-Kernel malware Payload PE EXE file infector Virus.Win32.Chatter Discovered in January 2003 Semi-Kernel malware Payload PE SYS file infector Mostly proof of concepts
15500
Key Techniques
Majority of existing kernel malware is semi-kernel malware where their function is to hide and protect the main payload that executes in user mode Implementing a full-kernel malware can vary from hard to impossible depending on its features Basic downloader does following tasks when it executes: Allocates memory for storing temporary data Accesses internet to download the new payload Stores the file on the file system Modifies the registry to add a launch point Executes the new payload
2. Ionescu, Alex. (2006). Subverting Windows 2003 SP1 Kernel Integrity Protection
Copyright F-Secure 2010. All rights reserved.
PUBLIC
PUBLIC
KeUnstackDetachProcess(&ApcState); // Initialize APC KeInitializeEvent(pEvent, NotificationEvent, FALSE); KeInitializeApc(pApc, pTargetThread, OriginalApcEnvironment, &MyKernelRoutine, NULL, MappedAddress, UserMode, (PVOID)NULL); // Schedule APC KeInsertQueueApc(pApc, pEvent, NULL, 0)
Copyright F-Secure 2010. All rights reserved.
PUBLIC
Evolution Haxdoor
Backdoor with rootkit and spying capabilities August 2003: First variant found 2005 2006: Active distribution through spam Has three components EXE (installer), DLL (payload), SYS (rootkit) Uses the driver to make its detection and removal more difficult Hides its process and files Protects its own threads and processes against termination Protects its own files against any access Injects the main payload into newly created processes First widely utilized kernel-mode malware Sold as a package including Trojan generator & management console, prices ranging from $250 to $2500
Demo: Haxdoor
PUBLIC
Evolution Rustock
Spambot and backdoor with rootkit capabilities Rustock.A was found in 27th May 2006 Rustock.B was found in 3rd July 2006 Rustock.C becomes publicly known 6th May 2008 Consists of a single kernel-mode driver EXE file loads the driver and deletes itself SYS file carries the main payload inside an encrypted user-mode DLL The driver loads the main payload and acts as a rootkit to complicate its detection/removal and to bypass personal firewalls The most powerful and stealthiest rootkit seen by that time
Rustock Details
Rustock introduced new techniques to the stealth malware scene Consists of a single driver which starts early during the boot process Obvious traces of the loaded driver are removed from the memory Driver is stored in a hidden and protected NTFS Alternate Data Stream Driver uses obfuscation and a polymorphic packer Hooks INT 0x2E and SYSENTER handler functions to control system calls System Service Table hooks are present only when needed Has an advanced rootkit anti-detection engine Bypasses filter drivers by communicating directly to the lowest level device Bypasses NDIS hooks by getting original pointers from ndis.sys file Uses APC mechanism to execute the DLL in user mode Tunnels network traffic from the DLL directly to the NDIS layer
Copyright F-Secure 2010. All rights reserved.
PUBLIC
NtOpenKey()
NtOpenKeyHook()
Demo: Rustock
PUBLIC
Mebroot
The first complex MBR rootkit with malicious payload First variant found in November 2007 MBR technique based on BootRoot project (BlackHat USA 2005)
Consists of a custom MBR (loader) and a custom kernel-mode driver EXE file replaces the MBR and writes the driver to raw disk sectors located in unpartitioned slack space at the end of the disk
The most advanced and stealthiest malware seen so far! Uses MBR as its launch point All non-volatile data is stored in physical sectors outside of the file system Driver uses polymorphic packer and advanced code obfuscation Uses NDIS hooks and private TCP/IP stack to send/receive packets Utilizes code pullout technique to bypass memory hooks Active Anti-Removal protection Totally generic and open malware platform (MAOS)
32
06 April, 2011
F-Secure
Mebroot Architecture
Mebroot MBR Bootkit Mebroot C&C Password Stealer Torpig/Sinowal/Anserin
TCP/IP Stack
Update Module
Banking Trojan
System Fingerprinting
34
06 April, 2011
F-Secure
35
06 April, 2011
F-Secure
Infected MBR loads and runs ldr16 which hooks INT13. Original MBR is then called.
16-bit 16-bit
MBR
MBR Boot sector
Boot sector
INT13 Ntldr
INT13 hook patches the real mode Ntldr to disable its code integrity checks and to hook its protected mode part.
Ntldr
Ntldr ldr32
32-bit 32-bit
Ntoskrnl.exe ldrdrv
Ntldr
Ntoskrnl.exe
ldrdrv loads Mebroot driver from raw sectors and executes it.
Mebroot Driver
36
06 April, 2011
F-Secure
Demo: Mebroot
PUBLIC
TDL (Alureon)
TDL is the latest advanced rootkit seen in the wild TDL3 started spreading late 2009 TDL4 was found during summer 2010 Kernel-mode backdoor User-mode payload hijacks search engine results Interesting features in TDL4 Hidden, private file system in disk slack space MBR infection 64-bit support
38
06 April, 2011
F-Secure
39
06 April, 2011
F-Secure Confidential
40
06 April, 2011
F-Secure
41
06 April, 2011
F-Secure
Encryption is done in 0x200 blocks with RC4, key is the sector as a DWORD.
42
06 April, 2011
F-Secure
16-bit
Infected MBR decrypts and runs ldr16 which hooks INT13. Original MBR is then called. INT13 hook tricks boot into Windows PE mode by modifying BCD (BcdLibraryBoolean_EmsEnabled BcdOSLoaderBoolean_WinPEMode) and patching winload.exe (/MININT IN/MINT)
64-bit
43
06 April, 2011
F-Secure
Conclusions
Kernel malware is a threat that has to be taken seriously Wide distribution Srizbi and Pandex spam runs, Mebroot drive-bydownloads from high volume web sites in Italy and other parts of Europe Todays kernel-mode malware is robust and effective Biggest spam botnets are kernel-mode malware Rustock, Mebroot and TDL are written by professional developers Detection and removal is becoming very challenging How do you fight against someone who does not follow common software development practices and rules? Enforcing digital signatures for drivers helps but how about stolen private keys (think about Stuxnet)
Additional Information
Kasslin, K. (2006). Kernel malware: The attack from within.
http://www.f-secure.com/weblog/archives/kasslin_AVAR2006_KernelMalware_paper.pdf
Florio, E.; Pathak P. (2006). Raising the bar: Rustock and advances in rootkits
http://www.virusbtn.com/virusbulletin/archive/2006/09/vb200609-rustock
Kasslin, K.; Florio E. (2008). Your computer is now stoned (again!). The rise of MBR rootkits.
http://www.f-secure.com/weblog/archives/Kasslin-Florio-VB2008.pdf