SlideShare una empresa de Scribd logo

Bootkit threats: in-depth reverse engineering & defense

Alex Matrosov
Alex Matrosov

Although bootkit technology isn’t new, it plays an important role nowadays in attack scenarios against the Microsoft Windows 64-bit platform. Currently more and more sophisticated threats rely on bootkit components to bypass OS security mechanisms and load kernel-mode driver into the system by stealth. Such notorious in-the-wild threats like Win64/Olmarik (TDL4), Win64/Olmasco (MaxSS) and Win64/Rovnix employ bootkit technology so as to be loaded before the operating system is and, thus, are able to bypass Microsoft’s Kernel-Mode Code Signing Policy. In this presentation we are going to perform in-depth, low-level reverse engineering of the latest modification of the Win64/Rovnix bootkit. The malware is chosen in preference to others due to its noteworthy implementation details (tracing the OS bootloader and kernel, for instance) and its somewhat unusual approach to installing the bootkit component in the system – that is, patching OS bootstrap code. We will start with an overview of bootkit design principles: main modules, their interconnection with each other, ways to receive control before OS kernel and which hooks are necessary to setup in a preboot environment in order to disable security mechanisms so as to be able to load a payload module. We will also enumerate major obstacles that bootkit have to deal with to successfully stay active in the system until the payload receives control. Furthermore, we will concentrate on Win64/Rovnix bootkit implementation details, namely: infected VBR layout, tracing the OS kernel using debugging registers, surviving execution mode switching and loading a kernel-mode driver into system address space. We will look at the OS boot loader and kernel internals that are abused by the bootkit. There will be some live demos of debugging Win64/Rovnix with the disassembler IDA Pro and the Bochs emulator. In the end of the talk, some bootkit prevention techniques are considered. We will analyze implementation details of new features appearing in the Windows 8 operating system such as Secure Boot and the early anti-malware launch module, which are intended to protect the system from bootkit threats.

Tecnología
1 de 56
Descargar para leer sin conexión
Bootkit Threats: In Depth Reverse Engineering & Defense Eugene Rodionov Aleksandr Matrosov
Outline of The Presentation  Bootkit technology  Why? How?  Bootkit design principles  Architecture  Analysis instrumentation  Rovnix bootkit in-depth analysis  Infected VBR analysis  Infection strategy  Bootkit remediation techniques
Bootkit technology
Bootkit evolution over time o Bootkit PoC evolution: o Bootkit Threats evolution:  eEye Bootroot (2005)  Win32/Mebroot (2007)  Vbootkit (2007)  Win32/Mebratix (2008)  Win32/Mebroot v2 (2009)  Vbootkit v2 (2009)  Win64/Olmarik (2010/11)  Stoned Bootkit (2009) Win64/Olmasco (2011)  Evilcore x64 (2011)  Win64/Rovnix (2011/2012)
Why? Why there is a return to bootkit technology nowadays  Microsoft kernel-mode code signing policy • loading unsigned kernel-mode driver  High level of stealth • there are no malicious files in the file system  High degree of survival • difficult to detect and remove  Ability to disable security software • the malware is launched before security software
How? Bootkits in the wild:  Infecting:  MBR (Master Boot Record)  VBR (Volume Boot Record) Proof of Concept Bootkits:  Infecting UEFI
Bootkit design principles
Boot process Description of OS boot process: protected mode without paging BIOS Kernel MBR VBR bootmgr winload.exe initialization initialization protected mode real mode with paging bootmgr interface BIOS interface
Bootkit Architecture • Locating & • Locating & loading loading loader driver code Starter Loader Driver Payload • Hooking system routines, maintaining • Performing hidden storage and injecting payload malicious activities
Injecting Payload Process1 Process2 Process3 ProcessN Injection approach Payload1 Payload2 Payload3 PayloadN  APC routines  Patching entry point of the user-mode executable kernel-mode Kernel- mode driver Bootkit hidden storage Payload1 Payload2 Payload3 PayloadN
Hidden Storage Architecture Applications Malware payload user-mode address space kernel-mode address space Malicious kernel-mode driver File system interface OS File system driver Physical storage interface OS storage device driver stack Hidden FS Hard drive area
Bootkit Analysis Instrumentation
Debugging bootkit with Bochs ./configure --enable-debugger
Debugging bootkit with Bochs IDA Pro debugger Bochs internal debugger interface Bochs Core CPU Operation memory System devices
LIVE DEMO
Rovnix Reverse Engineering
Interesting Carberp sample (October 2011)
Interesting Carberp sample (October 2011)
Rovnix Kit Hidden File Systems Comparison functionality Rovnix.A Carberp with bootkit Rovnix.B VBR modification    polymorphic VBR    Malware driver    storage Driver encryption custom custom custom algorithm (ROR + XOR) (ROR + XOR) (ROR + XOR) Hidden file system  FAT16 FAT16 modification modification File system  RC6 RC6 encryption algorithm modification modification
Rovnix Architecture Dropper Infected VBR Kernel-mode driver x86 Payload x86 Kernel-mode driver x64 Payload x64
Installation Into the System Check administrative privileges Check OS version Locate free space on the hard drive to store kernel-mode driver & hidden FS image Store the driver & hidden FS image in the located area. Overwrite bootstrap code of the active partition with malicious one
Callgraph of Bootkit Installation Routine
VBR Code Information VBR is responsible for loading OS boot components (bootmgr, BCD, etc.). VBR Bootstrap code (IPL) Partition data NTFS bootstrap code 1 sector (15 sectors) NTFS Boot Sector (Volume Boot Record) JMP OEM BIOS Extended Boot Signature ID Parameter BPB (EBPB) Code Block (BPB) [3 b] [2 b] [8 b] [25 b] [48 b] [426 b]
Rovnix Polymorphic VBR Polymorphic Polymorphic decryptor decryptor Basic block 1 Encrypted malicious Basic block 2 VBR Basic block 3 ... Compressed ... original VBR Basic block N
Rovnix Polymorphic VBR Polymorphic Polymorphic decryptor decryptor Basic block 1 Encrypted malicious Basic block 2 VBR Basic block 3 ... Compressed ... original VBR Basic block N
Decrypted VBR code Hook BIOS int 13h handler intercept hard drive I/O requests patch bootmgr system module Hook BIOS int 15h handler intercept memory map requests protect its memory location Decompress & Restore Original VBR continue normal boot process
Hooking BIOS int 15h Handler Used by operating system to System memory query system address map. Protected Abused by malicious VBR to memory Malicious VBR protect its memory region from allocation by OS Interrupt vectors Int 15h handler address Int 13h handler address
Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware:  detects execution mode switching operation in bootmgr  patches bootmgr right before switching into protected mode  copies itself over the last half of IDT (which isn’t used by OS)
Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware:  detects execution mode switching operation in bootmgr  patches bootmgr right before switching into protected mode  copies itself over the last half of IDT (which isn’t used by OS)
Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware:  detects execution mode switching operation in bootmgr  patches bootmgr right before switching into protected mode  copies itself over the last half of IDT (which isn’t used by OS)
Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware:  detects execution mode switching operation in bootmgr  patches bootmgr right before switching into protected mode  copies itself over the last half of IDT (which isn’t used by OS)
Loading Kernel-mode Driver To be able to load unsigned kernel-mode driver Rovnix: • Waits until kernel-mode memory manager is properly initialized:  Sets up hardware breakpoint • Allocates memory buffer in kernel-mode address space to store the driver:  Calls BlAllocateAlignedDescriptor system routine to allocate memory buffer • Inserts corresponding structure in BootDriverList of KeLoaderBlock.  The driver receives control during boot start drivers initialization
LIVE DEMO
Hidden Storage Layout • Rovnix bootkit employs modification of FAT16 for hidden partition • Hidden partition & kernel-mode driver are written either:  before first partition on the disk – if there is more than 2000 (1 Mb) free sectors  In the end of the hard drive otherwise MBR VBR Bootstrap Code File System Data Before Infecting Compressed After Infecting Data Malicious Malicious Bootstrap Hidden MBR VBR File System Data Unsigned Code Code Partition Driver NTFS bootstrap code (15 sectors)
Hidden Storage Layout • Rovnix bootkit employs modification of FAT16 for hidden partition • Hidden partition & kernel-mode driver are written either:  before first partition on the disk – if there is more than 2000 (1 Mb) free sectors  In the end of the hard drive otherwise MBR VBR Bootstrap Code File System Data Before Infecting Compressed After Infecting Data Malicious Malicious Bootstrap Hidden MBR VBR File System Data Unsigned Code Code Partition Driver NTFS bootstrap code (15 sectors)
Self-defense Mechanisms To be able to protect VBR & Hidden file system Rovnix bootkit hooks IRP_MJ_INTERNAL_DEVICE_CONTROL handler: DriverObject Device Storage miniport Harddisk0DR0 driver object Attached to MajorFunction ... IRP_MJ_INTERNAL_DEVICE_CONTROL Attached to Lowest device object
Self-defense Mechanisms To be able to protect VBR & Hidden file system Rovnix bootkit hooks IRP_MJ_INTERNAL_DEVICE_CONTROL handler: DriverObject Device Storage miniport Harddisk0DR0 driver object Attached to MajorFunction ... IRP_MJ_INTERNAL_DEVICE_CONTROL Attached to Lowest device object
Hidden File System Reader
Hidden File System Reader
LIVE DEMO
Bootkit countermeasures
Problem Description  Untrusted platform problem: protected mode without paging BIOS Kernel MBR VBR bootmgr winload.exe initialization initialization protected mode real mode with paging bootmgr interface BIOS interface Point of Attack Non boot-start OS kernel kernel-mode drivers Pre boot OS kernel Bootmgr OS loader firmware dependencies Boot-start drivers
Bootkits & GPT Disks There is no MBR & VBR code which is executed in GPT disks  Bootkits in-the-wild aren’t applicable to GPT disks Protective MBR Primary GUID Partition Primary GUID Table Header GUID Partition Table Entry partition Table GUID Partition entry 1 GUID Partition entry 1 Partition type GUID GUID Partition entry 1 Unique partition GUID Primary GUID First LBA GUID Partition entry 1 partitions Last LBA ... Attributes flags Backup GUID Partition name GUID Partition entry 1 partition Table
Bootkits & GPT Disks UEFI Firmware UEFI Boot Manager Windows Boot Manager (bootmgr.efi) Windows OS Loader (winload.efi) OS Kernel (ntoskrnl.exe)
Windows 8 Security Features Security enhancements introduced in Windows 8: • Secure boot technology  Employing UEFI secure boot in conjunction with TPM • Early anti-malware launch module  Allows antimalware software start before any other third- party components
Secure Boot Secure boot prevents running an unknown OS loader:  UEFI will verify OS loader  The key for verification is stored inside TPM Trust anchor TPM Non boot-start OS kernel kernel-mode drivers OS kernel UEFI Bootmgr OS loader dependencies Boot-start drivers
Early antimalware launch module Antimalware component receives control before any other third-party software at boot time. Early Windows OS Kernel Third-party antimalware loader initialization drivers module
Conclusion  Bootkit technology allows malware to load unsigned kernel-mode driver and achieve high degree of stealth in the system  The main target of bootkit infection are MBR & VBR  Rovnix is a first known bootkit infecting VBR  The most interesting features of the latest modification of Rovnix bootkit are:  Polymorphic infected VBR  Hidden Storage  There are additional security features introduced in Windows 8 OS:  Early antimalware launch module  Secure Boot
References  Rovnix Reloaded: new step of evolution http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution  TDL4 reloaded: Purple Haze all in my brain http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain  Bootkit Threat Evolution in 2011 http://blog.eset.com/2012/01/03/bootkit-threat-evolution-in-2011-2  The Evolution of TDL: Conquering x64 http://go.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf  Modern bootkit trends: bypassing kernel-mode signing policy http://www.virusbtn.com/conference/vb2011/abstracts/LastMinute1.xml  King of Spam: Festi botnet analysis http://blog.eset.com/2012/05/11/king-of-spam-festi-botnet-analysis
Moscow, Russia 19-20 November cfp@zeronights.ru
Thank you for your attention! Aleksandr Matrosov Eugene Rodionov matrosov@eset.sk rodionov@eset.sk @matrosov @vxradius

Recomendados

Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 

Recomendados

Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackAlex Matrosov
 
42054960
4205496042054960
42054960andres castillo
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyCODE BLUE
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionAlex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIAleksey Lukatskiy
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Más contenido relacionado

Destacado

Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackAlex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyCODE BLUE
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionAlex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIAleksey Lukatskiy
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 

Destacado (14)

Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 

Último

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Último (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Bootkit threats: in-depth reverse engineering & defense

  • 1. Bootkit Threats: In Depth Reverse Engineering & Defense Eugene Rodionov Aleksandr Matrosov
  • 2. Outline of The Presentation  Bootkit technology  Why? How?  Bootkit design principles  Architecture  Analysis instrumentation  Rovnix bootkit in-depth analysis  Infected VBR analysis  Infection strategy  Bootkit remediation techniques
  • 4. Bootkit evolution over time o Bootkit PoC evolution: o Bootkit Threats evolution:  eEye Bootroot (2005)  Win32/Mebroot (2007)  Vbootkit (2007)  Win32/Mebratix (2008)  Win32/Mebroot v2 (2009)  Vbootkit v2 (2009)  Win64/Olmarik (2010/11)  Stoned Bootkit (2009) Win64/Olmasco (2011)  Evilcore x64 (2011)  Win64/Rovnix (2011/2012)
  • 5. Why? Why there is a return to bootkit technology nowadays  Microsoft kernel-mode code signing policy • loading unsigned kernel-mode driver  High level of stealth • there are no malicious files in the file system  High degree of survival • difficult to detect and remove  Ability to disable security software • the malware is launched before security software
  • 6. How? Bootkits in the wild:  Infecting:  MBR (Master Boot Record)  VBR (Volume Boot Record) Proof of Concept Bootkits:  Infecting UEFI
  • 8. Boot process Description of OS boot process: protected mode without paging BIOS Kernel MBR VBR bootmgr winload.exe initialization initialization protected mode real mode with paging bootmgr interface BIOS interface
  • 9. Bootkit Architecture • Locating & • Locating & loading loading loader driver code Starter Loader Driver Payload • Hooking system routines, maintaining • Performing hidden storage and injecting payload malicious activities
  • 10. Injecting Payload Process1 Process2 Process3 ProcessN Injection approach Payload1 Payload2 Payload3 PayloadN  APC routines  Patching entry point of the user-mode executable kernel-mode Kernel- mode driver Bootkit hidden storage Payload1 Payload2 Payload3 PayloadN
  • 11. Hidden Storage Architecture Applications Malware payload user-mode address space kernel-mode address space Malicious kernel-mode driver File system interface OS File system driver Physical storage interface OS storage device driver stack Hidden FS Hard drive area
  • 13. Debugging bootkit with Bochs ./configure --enable-debugger
  • 14. Debugging bootkit with Bochs IDA Pro debugger Bochs internal debugger interface Bochs Core CPU Operation memory System devices
  • 17.
  • 18.
  • 19.
  • 20.
  • 21. Interesting Carberp sample (October 2011)
  • 22. Interesting Carberp sample (October 2011)
  • 23. Rovnix Kit Hidden File Systems Comparison functionality Rovnix.A Carberp with bootkit Rovnix.B VBR modification    polymorphic VBR    Malware driver    storage Driver encryption custom custom custom algorithm (ROR + XOR) (ROR + XOR) (ROR + XOR) Hidden file system  FAT16 FAT16 modification modification File system  RC6 RC6 encryption algorithm modification modification
  • 24. Rovnix Architecture Dropper Infected VBR Kernel-mode driver x86 Payload x86 Kernel-mode driver x64 Payload x64
  • 25. Installation Into the System Check administrative privileges Check OS version Locate free space on the hard drive to store kernel-mode driver & hidden FS image Store the driver & hidden FS image in the located area. Overwrite bootstrap code of the active partition with malicious one
  • 26. Callgraph of Bootkit Installation Routine
  • 27. VBR Code Information VBR is responsible for loading OS boot components (bootmgr, BCD, etc.). VBR Bootstrap code (IPL) Partition data NTFS bootstrap code 1 sector (15 sectors) NTFS Boot Sector (Volume Boot Record) JMP OEM BIOS Extended Boot Signature ID Parameter BPB (EBPB) Code Block (BPB) [3 b] [2 b] [8 b] [25 b] [48 b] [426 b]
  • 28. Rovnix Polymorphic VBR Polymorphic Polymorphic decryptor decryptor Basic block 1 Encrypted malicious Basic block 2 VBR Basic block 3 ... Compressed ... original VBR Basic block N
  • 29. Rovnix Polymorphic VBR Polymorphic Polymorphic decryptor decryptor Basic block 1 Encrypted malicious Basic block 2 VBR Basic block 3 ... Compressed ... original VBR Basic block N
  • 30. Decrypted VBR code Hook BIOS int 13h handler intercept hard drive I/O requests patch bootmgr system module Hook BIOS int 15h handler intercept memory map requests protect its memory location Decompress & Restore Original VBR continue normal boot process
  • 31. Hooking BIOS int 15h Handler Used by operating system to System memory query system address map. Protected Abused by malicious VBR to memory Malicious VBR protect its memory region from allocation by OS Interrupt vectors Int 15h handler address Int 13h handler address
  • 32. Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware:  detects execution mode switching operation in bootmgr  patches bootmgr right before switching into protected mode  copies itself over the last half of IDT (which isn’t used by OS)
  • 33. Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware:  detects execution mode switching operation in bootmgr  patches bootmgr right before switching into protected mode  copies itself over the last half of IDT (which isn’t used by OS)
  • 34. Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware:  detects execution mode switching operation in bootmgr  patches bootmgr right before switching into protected mode  copies itself over the last half of IDT (which isn’t used by OS)
  • 35. Surviving Execution Mode Switching To be able to survive processor execution mode switching the malware:  detects execution mode switching operation in bootmgr  patches bootmgr right before switching into protected mode  copies itself over the last half of IDT (which isn’t used by OS)
  • 36. Loading Kernel-mode Driver To be able to load unsigned kernel-mode driver Rovnix: • Waits until kernel-mode memory manager is properly initialized:  Sets up hardware breakpoint • Allocates memory buffer in kernel-mode address space to store the driver:  Calls BlAllocateAlignedDescriptor system routine to allocate memory buffer • Inserts corresponding structure in BootDriverList of KeLoaderBlock.  The driver receives control during boot start drivers initialization
  • 38. Hidden Storage Layout • Rovnix bootkit employs modification of FAT16 for hidden partition • Hidden partition & kernel-mode driver are written either:  before first partition on the disk – if there is more than 2000 (1 Mb) free sectors  In the end of the hard drive otherwise MBR VBR Bootstrap Code File System Data Before Infecting Compressed After Infecting Data Malicious Malicious Bootstrap Hidden MBR VBR File System Data Unsigned Code Code Partition Driver NTFS bootstrap code (15 sectors)
  • 39. Hidden Storage Layout • Rovnix bootkit employs modification of FAT16 for hidden partition • Hidden partition & kernel-mode driver are written either:  before first partition on the disk – if there is more than 2000 (1 Mb) free sectors  In the end of the hard drive otherwise MBR VBR Bootstrap Code File System Data Before Infecting Compressed After Infecting Data Malicious Malicious Bootstrap Hidden MBR VBR File System Data Unsigned Code Code Partition Driver NTFS bootstrap code (15 sectors)
  • 40. Self-defense Mechanisms To be able to protect VBR & Hidden file system Rovnix bootkit hooks IRP_MJ_INTERNAL_DEVICE_CONTROL handler: DriverObject Device Storage miniport Harddisk0DR0 driver object Attached to MajorFunction ... IRP_MJ_INTERNAL_DEVICE_CONTROL Attached to Lowest device object
  • 41. Self-defense Mechanisms To be able to protect VBR & Hidden file system Rovnix bootkit hooks IRP_MJ_INTERNAL_DEVICE_CONTROL handler: DriverObject Device Storage miniport Harddisk0DR0 driver object Attached to MajorFunction ... IRP_MJ_INTERNAL_DEVICE_CONTROL Attached to Lowest device object
  • 46. Problem Description  Untrusted platform problem: protected mode without paging BIOS Kernel MBR VBR bootmgr winload.exe initialization initialization protected mode real mode with paging bootmgr interface BIOS interface Point of Attack Non boot-start OS kernel kernel-mode drivers Pre boot OS kernel Bootmgr OS loader firmware dependencies Boot-start drivers
  • 47. Bootkits & GPT Disks There is no MBR & VBR code which is executed in GPT disks  Bootkits in-the-wild aren’t applicable to GPT disks Protective MBR Primary GUID Partition Primary GUID Table Header GUID Partition Table Entry partition Table GUID Partition entry 1 GUID Partition entry 1 Partition type GUID GUID Partition entry 1 Unique partition GUID Primary GUID First LBA GUID Partition entry 1 partitions Last LBA ... Attributes flags Backup GUID Partition name GUID Partition entry 1 partition Table
  • 48. Bootkits & GPT Disks UEFI Firmware UEFI Boot Manager Windows Boot Manager (bootmgr.efi) Windows OS Loader (winload.efi) OS Kernel (ntoskrnl.exe)
  • 49. Windows 8 Security Features Security enhancements introduced in Windows 8: • Secure boot technology  Employing UEFI secure boot in conjunction with TPM • Early anti-malware launch module  Allows antimalware software start before any other third- party components
  • 50. Secure Boot Secure boot prevents running an unknown OS loader:  UEFI will verify OS loader  The key for verification is stored inside TPM Trust anchor TPM Non boot-start OS kernel kernel-mode drivers OS kernel UEFI Bootmgr OS loader dependencies Boot-start drivers
  • 51. Early antimalware launch module Antimalware component receives control before any other third-party software at boot time. Early Windows OS Kernel Third-party antimalware loader initialization drivers module
  • 52. Conclusion  Bootkit technology allows malware to load unsigned kernel-mode driver and achieve high degree of stealth in the system  The main target of bootkit infection are MBR & VBR  Rovnix is a first known bootkit infecting VBR  The most interesting features of the latest modification of Rovnix bootkit are:  Polymorphic infected VBR  Hidden Storage  There are additional security features introduced in Windows 8 OS:  Early antimalware launch module  Secure Boot
  • 53. References  Rovnix Reloaded: new step of evolution http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution  TDL4 reloaded: Purple Haze all in my brain http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain  Bootkit Threat Evolution in 2011 http://blog.eset.com/2012/01/03/bootkit-threat-evolution-in-2011-2  The Evolution of TDL: Conquering x64 http://go.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf  Modern bootkit trends: bypassing kernel-mode signing policy http://www.virusbtn.com/conference/vb2011/abstracts/LastMinute1.xml  King of Spam: Festi botnet analysis http://blog.eset.com/2012/05/11/king-of-spam-festi-botnet-analysis
  • 55.
  • 56. Thank you for your attention! Aleksandr Matrosov Eugene Rodionov matrosov@eset.sk rodionov@eset.sk @matrosov @vxradius