Versions of Microsoft Windows 64 bits were considered resistant against kernel mode rootkits because integrity checks performed by the system code. However, today there are examples of malware that use methods to bypass the security mechanisms Implemented. This presentation focuses on issues x64 acquitectura security, specifically in the signature policies kernel mode code and the techniques used by modern malware to sauté. We analyze the techniques of penetration of the address space of kernel mode rootkits used by modern in-the-wild: - Win64/Olmarik (TDL4) - Win64/TrojanDownloader.Necurs (rootkit dropper) - NSIS / TrojanClicker.Agent.BJ (rootkit dropper) special attention is given to bootkit Win64/Olmarik (TDL4) for being the most prominent example of a kernel mode rootkit aimed at 64-bit Windows systems. Detail the remarkable features of TDL4 over its predecessor (TDL3/TDL3 +): the development of user mode components and kernel mode rootkit techniques used to bypass the HIPS, hidden and system files as bootkit functionality. Finally, we describe possible approaches to the removal of an infected computer and presents a free forensics tool for the dump file system hidden TDL.

1. Defeating x64: Modern Trends of Kernel-Mode Rootkits AleksandrMatrosov Eugene Rodionov

4. Bypassing code integrity checks

5. Attacking Windows Bootloader

6. Modern Bootkitdetails:

7. Win64/Olmarik

8. Win64/Rovnix

9. How to debug bootkit with Bochs emulator

11. Evolution of Rootkit Installation exploit payload dropper rootkit

12. Evolution of Rootkit Installation Malicious Web-site Exploit Vulnerability Bypass ASLR/DEP Escape Sandbox Execute Payload Download Rootkit Escalate Local Privilege Install Rootkit Kernel-Mode Exploit

13. Evolution of Rootkit Features x86 x64 Dropper Rootkit Rootkit Rootkit bypassing HIPS/AV self-defense self-defense privilege escalation surviving reboot surviving reboot bypassing signature check installing rootkit driver injecting payload bypassing MS PatchGuard injecting payload Kernel mode User mode

15. It is “difficult” to load unsigned kernel-mode driver

16. Kernel-Mode Patch Protection (Patch Guard):

17. SSDT (System Service Dispatch Table)

18. IDT (Interrupt Descriptor Table)

19. GDT ( Global Descriptor Table)

22. Kernel-Mode Code Signing Policy

24. Switching off kernel-mode code signing checks by altering BCD data:

25. abusing WinPe Mode

26. disabling signing check

27. enabling test signing

29. Attacking Windows Bootloader

30. Boot Process CPU in Real Mode CPU in Protected Mode Full Kernel Initialization MBR First User-Mode Process BIOS Initialization Boot Loader Early Kernel Initialization Kernel Services BIOS Services Hardware

31. Boot Process of Windows OS

32. Boot Process with BootkitInfection load malicious MBR/VBR NT kernel modifications load rootkit driver

33. Code Integrity Check

35. eEyeBootroot (2005)

36. Vbootkit (2007)

37. Vbootkit v2 (2009)

38. Stoned Bootkit (2009)

39. Evilcore x64 (2011)

40. Bootkit Threats evolution:

41. Win32/Mebroot (2007)

42. Win32/Mebratix(2008)

43. Win32/Mebrootv2 (2009)

44. Win64/Olmarik (2010/11)

47. Installation on x86 vs. x64

48. TDL4 Installation on x86

49. TDL4 Installation on x64

50. Boot Configuration Data (BCD)

51. BCD Elements determining KMCSP (before KB2506014)

52. Abusing Win PE mode: TDL4 modules int 13h – service provided by BIOS to communicate with IDE HDD controller

53. Abusing Win PE mode: Workflow

56. Bypassing KMCSP: Result Bootmgr fails to verify OS loader’s integrity MS10-015 kills TDL3

57. TDL4 Hidden File Systems

59. Encrypted contents (stream cipher: RC4, XOR-ing)

60. Implemented as a hidden volume in the system

62. Debugging Bootkitwith WinDbg

63. WinDbg and kdcom.dll WinDbg KDCOM.DLL NTOSKRNL KdDebuggerInitialize RETURN_STATUS Data packet KdSendPacket RETURN_CONTROL Data Packet KdReceivePacket KD_RECV_CODE_OK

64. TDL4 and kdcom.dll original routine modified routine

65. TDL4 and kdcom.dll original export table modified export table

67. Reboot the system and attach to it with WinDbg

68. Manually load drv32/drv64“TDL4 Analysis Paper: a brief introduction and How to Debug It”, Andrea Allievi http://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf

69. Debugging Bootkitswith Bochs

70. DEMO

71. Win64/Rovnix

72. Win64/Rovnix: Installation

73. Win64/Rovnix: Bootkit Overview

74. NTFS Bootstrap Code NTFS Boot Sector (Volume Boot Record) JMP [3 b] Extended BPB (EBPB) [48 b] Signature [2 b] Boot Code [426 b] OEM ID [8 b] BIOS Parameter Block (BPB) [25 b]

75. NTFS Bootstrap Code

77. The malicious driver is written either:

78. before active partition, in case there is enough space

82. tracing

83. handles hardware breakpoints (DR0-DR7)

84. overwrites the last half of IDT (Interrupt Descriptor Table)

87. Olmarik vsRovnix

89. BIOS controls boot process, but who controls it?

91. HiddenFsReader as a Forensic Tool Retrieves content of the malware hidden file system. Supported malware: TDL3/TDL3+,TDL4; ZeroAccess (will be added soon) http://eset.ru/tools/TdlFsReader.exe http://www.youtube.com/watch?v=iRpp6vn2DAE

92. HiddenFsReader (HFR) Architecture HiddenFileReader HiddenFsRecognizer HiddenFsDecryptor User mode Kernel mode SelfDefenceDisabler LowLevelHddReader

94. Return to old-school techniques of infecting MBR

95. Win64/Olmarik(TDL4) is the first widely spread rootkit targeting Win x64

96. Win64/Rovnix relies on debugging facilities of the platform to subvert KMCSP

97. The only possible way of debugging bootkits is to use emulators (Bochs, QEMU)

98. The untrusted platform facilitates bootkit techniques

100. Questions

101. Thank you for your attention ;) AleksandrMatrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius