![Page 1: T-110.6220 Kernel Malware...Protecting the irreplaceable | f-secure.com T-110.6220: Malware Analysis and Antivirus Technologies Windows Kernel Malware Kimmo Kasslin, 31.3.2010 Agenda](https://reader033.vdocuments.us/reader033/viewer/2022050218/5f642fb0a88b4769306b1aa5/html5/thumbnails/1.jpg)
Protecting the irreplaceable | f-secure.com
T-110.6220: Malware Analysis and Antivirus Technologies
Windows Kernel Malware
Kimmo Kasslin, 31.3.2010
Agenda
• Definition of kernel-mode malware
• History
• Trend and present situation
• Techniques
• Evolution
• The average Joe
• Haxdoor, Rustock, Srizbi, Mebroot, TDL3
• Conclusions
PUBLIC
Definition
“Kernel malware is malicious software that runs fully or partially at the most privileged execution level, ring 0, having full access to memory, all CPU instructions, and all hardware.”
• Can be divided into two subcategories
• Full-Kernel malware
• Semi-Kernel malware
History
• Kernel malware is not new – it has just been rare
• WinNT/Infis
• Discovered in November 1999
• Full-Kernel malware
• Payload – PE EXE file infector
• Virus.Win32.Chatter
• Discovered in January 2003
• Semi-Kernel malware
• Payload – PE SYS file infector
• Mostly proof of concepts
Increase of Kernel-Mode Malware
[Chart: unique malicious drivers (no. samples) per year, read in ascending order along the year axis: 2006: 2800; 2007: 15500; 2008: 32000; 2009: 37000]
Situation in 2008 and Today
• Growth of kernel malware has been steady
• More mainstream malware is utilizing kernel-mode techniques
• Storm, Srizbi, Pandex, various banking trojans and password stealers
• Over half of the biggest spam botnets are kernel malware! [1]
• Number 1 – Srizbi, 315.000 bots
• Number 3 – Rustock, 150.000 bots
• Number 4 – Pandex, 125.000 bots
• Number 5 – Storm/Peacomm, 85.000 bots
• Malware is moving into the kernel to protect itself against security products and against other malware
• 2009 – 2010: No dramatic change in numbers, malware starting to utilize more advanced techniques
1. Stewart, Joe. (2008). Top Spam Botnets Exposed. http://www.secureworks.com/research/threats/topbotnets/
Key Techniques
• The majority of existing kernel malware is semi-kernel malware, whose function is to hide and protect the main payload that executes in user mode
• Implementing a full-kernel malware can vary from hard to impossible depending on its features
• A basic downloader does the following tasks when it executes:
• Allocates memory for storing temporary data
• Accesses internet to download the new payload
• Stores the file on the file system
• Modifies the registry to add a launch point
• Executes the new payload
Executing Code in Ring 0
• The only documented way to execute third-party KM code is to load a kernel-mode driver
• They are loaded at boot time if they have an entry in HKLM\System\CurrentControlSet\Services
• Type = SERVICE_KERNEL_DRIVER (0x1) or SERVICE_FILE_SYSTEM_DRIVER (0x2)
• Start = SERVICE_BOOT_START (0x0) or SERVICE_SYSTEM_START (0x1) or SERVICE_AUTO_START (0x2)
• They can also be installed and loaded at run time
• CreateService + StartService Windows APIs
• There is also an undocumented way to do this
• ntdll!ZwSetSystemInformation
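The Services key described above is also where a defender looks first for driver launch points. The following script is an added example and is not part of the lecture material: it parses a constructed, simplified `reg export` of HKLM\System\CurrentControlSet\Services (real exports encode the REG_EXPAND_SZ ImagePath as hex(2); plain quoted strings are assumed here to keep the parser short) and lists every driver entry whose Type and Start values, per the slide, make Windows load it without user action. The service names and paths in the sample are constructed.

```python
"""Inventory of kernel-mode driver launch points from a registry export.

Added example, not part of the lecture. Parses a constructed, simplified
`reg export` of HKLM\\System\\CurrentControlSet\\Services and lists the
drivers Windows loads on its own, using the Type and Start values from
the slide."""
import re
from typing import Dict, List, Tuple

# Type values that denote drivers (slide); 0x10/0x20/0x110 are Win32 services.
SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER"}
# Start values: 0, 1 and 2 load automatically; 3 and 4 need a request or are off.
START_TYPES = {0x0: "SERVICE_BOOT_START", 0x1: "SERVICE_SYSTEM_START",
               0x2: "SERVICE_AUTO_START", 0x3: "SERVICE_DEMAND_START",
               0x4: "SERVICE_DISABLED"}
AUTOLOAD_STARTS = {0x0, 0x1, 0x2}

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed sample export (not taken from a real machine). Backslashes are
# doubled exactly as reg.exe writes them.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfs]
"Type"=dword:00000002
"Start"=dword:00000000
"ImagePath"="system32\\drivers\\ntfs.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="system32\\drivers\\null.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyzdrv]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="\\??\\C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\xyzdrv.sys"
'''

Service = Dict[str, object]


def parse_reg_export(text: str) -> Dict[str, Service]:
    """Map service name -> {value name: value} for keys directly under Services."""
    services: Dict[str, Service] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(SERVICES_PREFIX.lower()):
                name = key[len(SERVICES_PREFIX):]
                if "\\" not in name:  # skip subkeys such as ...\Beep\Enum
                    current = services.setdefault(name, {})
            continue
        m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if current is None or not m:
            continue
        vname, dword, string = m.groups()
        # dword values are hex; string values carry doubled backslashes
        current[vname] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return services


def find_autoload_drivers(services: Dict[str, Service]) -> List[Tuple[str, str, str, str]]:
    """(name, type, start, image path) for driver entries with Start 0, 1 or 2."""
    rows = []
    for name, values in services.items():
        stype, start = values.get("Type"), values.get("Start")
        if stype in SERVICE_TYPES and start in AUTOLOAD_STARTS:
            rows.append((name, SERVICE_TYPES[stype], START_TYPES[start],
                         str(values.get("ImagePath", ""))))
    return sorted(rows)


if __name__ == "__main__":
    for row in find_autoload_drivers(parse_reg_export(SAMPLE_EXPORT)):
        print("  ".join(row))
```

On the sample, the Win32 service (Type 0x110) and the demand-start driver are skipped, and the driver whose ImagePath points into a temporary directory stands out next to the two that live under system32\drivers; comparing each listed path against a signed-file inventory is the natural next step.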
Demo – Executing a Driver
Welcome to Ring 0!
Executing Code in Ring 0
• There are other undocumented ways of executing third party code in Ring 0
• Code injection into system address space
• Exploits
• Call gates
• Both ways require write access to system address space from Ring 3
• \Device\PhysicalMemory
• ntdll!ZwSystemDebugControl
• Microsoft fixed this problem in Windows Server 2003 SP1 and later operating system versions [2]
2. Ionescu, Alex. (2006). Subverting Windows 2003 SP1 Kernel Integrity Protection
Kernel-Mode Support Routines
• The Windows kernel provides an API for kernel-mode drivers to do basic tasks
• ExAllocatePoolWithTag / ExFreePoolWithTag
• ZwCreateFile / ZwWriteFile / ZwClose
• ZwCreateKey / ZwSetValueKey / ZwClose
• Only a subset of the Native API functions exported by ntdll.dll are available for drivers
• The solution – use ntdll.dll to get the correct index into nt!KiServiceTable and fetch the pointer
• Read index from ntdll.dll in user mode and pass it to the driver
• Driver loads the ntdll.dll file into kernel memory and reads index from it
Demo – Finding Unexported Functions
Some Ring 0 tricks…
Kernel-Mode Support Routines
Executing Code in Ring 3
• Sometimes it is not feasible for kernel malware to execute all code in Ring 0
• Launching of new processes
• Complex libraries
• Information stealing and encryption
• Two different approaches
• Injecting the payload into the target process context
• Queuing a user-mode Asynchronous Procedure Call
Executing Code in Ring 3
```c
/* Slide listing, set as one block: the payload pages are locked, mapped into
 * the target process and handed to a user-mode APC. pPayloadBuf, dwBufSize,
 * pTargetProcess, pTargetThread, pMdl, pApc, pEvent, ApcState, MappedAddress
 * and MyKernelRoutine are declared elsewhere in the driver. */
pMdl = IoAllocateMdl(pPayloadBuf, dwBufSize, FALSE, FALSE, NULL);

// Lock the pages in memory
__try {
    MmProbeAndLockPages(pMdl, KernelMode, IoWriteAccess);
}
__except (EXCEPTION_EXECUTE_HANDLER) {}

// Map the pages into the specified process
KeStackAttachProcess(pTargetProcess, &ApcState);
MappedAddress = MmMapLockedPagesSpecifyCache(pMdl,
    UserMode, MmCached, NULL, FALSE, NormalPagePriority);
KeUnstackDetachProcess(&ApcState);

// Initialize APC
KeInitializeEvent(pEvent, NotificationEvent, FALSE);
KeInitializeApc(pApc, pTargetThread, OriginalApcEnvironment,
    &MyKernelRoutine, NULL, MappedAddress, UserMode, (PVOID)NULL);

// Schedule APC
KeInsertQueueApc(pApc, pEvent, NULL, 0);
```
Rootkit techniques: hooking the handler table
Rootkit techniques: inline hooking
Rootkit techniques: in-memory data structure manipulation
Demo – Hiding Processes
I am invisible!
Evolution – The Average Joe
• A simple piece of code whose purpose is to perform a specific task on behalf of the main malware component
• No code obfuscation or packing
• Usually a rootkit that hides
• Files/Directories
• Registry keys/values
• Network connections
• Uses System Service Table and IRP handler hooks
• Easy to find and remove by modern AV solutions
Evolution – Haxdoor
• Backdoor with rootkit and spying capabilities
• August 2003: First variant found
• 2005 – 2006: Active distribution through spam
• Has three components – EXE (installer), DLL (payload), SYS (rootkit)
• Uses the driver to make its detection and removal more difficult
• Hides its process and files
• Protects its own threads and processes against termination
• Protects its own files against any access
• Injects the main payload into newly created processes
• First widely utilized kernel-mode malware
• Sold as a package including Trojan generator & management console, prices ranging from $250 to $2500
Haxdoor – Level of Stealth
Persistent System Changes
• Rootkit binaries as files on disk
• Registry launch points (not hidden!)
Changes to Live OS
• Hooks in System Service Table
Volatile Changes to Live OS
• Hooks in browser for network traffic
Demo – Haxdoor
Don’t mess with me!
Evolution – Rustock
• Spambot and backdoor with rootkit capabilities
• Rustock.A was found on 27 May 2006
• Rustock.B was found on 3 July 2006
• Rustock.C became publicly known on 6 May 2008
• Consists of a single kernel-mode driver
• EXE file loads the driver and deletes itself
• SYS file carries the main payload inside an encrypted user-mode DLL
• The driver loads the main payload and acts as a rootkit to complicate its detection/removal and to bypass personal firewalls
• The most powerful and stealthiest rootkit seen by that time
Rustock – Details
• Rustock introduced new techniques to the stealth malware scene
• Consists of a single driver which starts early during the boot process
• Obvious traces of the loaded driver are removed from the memory
• Driver is stored in a “hidden” and protected NTFS Alternate Data Stream
• Driver uses obfuscation and a polymorphic packer
• Hooks INT 0x2E and SYSENTER handler functions to control system calls
• System Service Table hooks are present only when needed
• Has an advanced rootkit anti-detection engine
• Bypasses filter drivers by communicating directly with the lowest-level device
• Bypasses NDIS hooks by getting original pointers from ndis.sys file
• Uses APC mechanism to execute the DLL in user mode
• Tunnels network traffic from the DLL directly to the NDIS layer
Rustock – System Call Hooking
[Diagram: the System Service Dispatcher (Int 0x2e / Sysenter) reaches the service table through the calling thread's _KTHREAD. Normal path: Service Descriptor Table → Service Table → NtOpenKey(). Hooked path: a second Service Descriptor Table → Service Table → NtOpenKeyHook() …]
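The diagram shows two things a memory-forensics check can look for: a service table entry that no longer points into a module allowed to implement system services, and a thread whose _KTHREAD service table pointer has been swapped for a private copy. The script below is an added example, not the lecture's or any product's code; module ranges, handler addresses, thread ids and the KeServiceDescriptorTable address are constructed 32-bit values, and in practice they would be read from a memory image or a kernel debugger.

```python
"""Detection logic for the two hooking styles in the diagram: a redirected
System Service Table entry, and a per-thread pointer to a private Service
Descriptor Table. Added example; all addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ModuleRange:
    """A loaded kernel module described by its image base and size."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed sample layout (32-bit style addresses chosen for illustration).
KERNEL_MODULES: List[ModuleRange] = [
    ModuleRange("ntoskrnl.exe", 0x804D7000, 0x001F8000),
    ModuleRange("win32k.sys", 0xBF800000, 0x001C0000),
    ModuleRange("unknown.sys", 0xF7B3C000, 0x00008000),  # a third-party driver
]

# Modules that legitimately implement system services.
TRUSTED_SERVICE_MODULES = {"ntoskrnl.exe", "win32k.sys"}

# Service index -> name, resolved beforehand (from symbols or ntdll stubs).
SERVICE_NAMES: Dict[int, str] = {
    0x25: "NtCreateFile",
    0x77: "NtOpenKey",
    0x7A: "NtOpenProcess",
    0xAD: "NtQuerySystemInformation",
}

# Constructed System Service Table: index -> handler address. Entry 0xAD has
# been redirected into the third-party driver.
SSDT_SAMPLE: Dict[int, int] = {
    0x25: 0x8057B6C0,
    0x77: 0x8056A1F0,
    0x7A: 0x80573A44,
    0xAD: 0xF7B3C120,
}

# Constructed address of the kernel's KeServiceDescriptorTable and the
# ServiceTable pointer read from each thread's _KTHREAD.
KE_SERVICE_DESCRIPTOR_TABLE = 0x80553FA0
THREAD_TABLES_SAMPLE: Dict[int, int] = {
    4: 0x80553FA0,     # System
    612: 0x80553FA0,   # services.exe
    1188: 0xF7B3E000,  # thread re-pointed at a private copy of the table
}


def owner_of(addr: int, modules: List[ModuleRange]) -> Optional[str]:
    """Name of the module whose image range contains addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def find_ssdt_hooks(table: Dict[int, int], modules: List[ModuleRange],
                    trusted=TRUSTED_SERVICE_MODULES, names=SERVICE_NAMES
                    ) -> List[Tuple[int, str, int, Optional[str]]]:
    """(index, service name, address, owner) for every entry whose handler
    does not live inside a trusted kernel module (owner None = no module)."""
    hooks = []
    for index in sorted(table):
        addr = table[index]
        owner = owner_of(addr, modules)
        if owner not in trusted:
            hooks.append((index, names.get(index, f"service_{index:#x}"), addr, owner))
    return hooks


def find_thread_table_swaps(thread_tables: Dict[int, int], expected: int
                            ) -> List[Tuple[int, int]]:
    """Threads whose _KTHREAD ServiceTable pointer is not the kernel's
    KeServiceDescriptorTable: the per-thread redirection in the diagram."""
    return sorted((tid, ptr) for tid, ptr in thread_tables.items() if ptr != expected)


if __name__ == "__main__":
    for index, name, addr, owner in find_ssdt_hooks(SSDT_SAMPLE, KERNEL_MODULES):
        print(f"SSDT[{index:#04x}] {name} -> {addr:#010x} in {owner or 'no module'}")
    for tid, ptr in find_thread_table_swaps(THREAD_TABLES_SAMPLE, KE_SERVICE_DESCRIPTOR_TABLE):
        print(f"thread {tid}: ServiceTable {ptr:#010x} != KeServiceDescriptorTable")
```

The second check matters precisely because of the point on the previous slide: when table hooks are only present in a private per-thread copy, a scan of the global table alone reports nothing.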
Rustock – Level of Stealth
Persistent System Changes
• Driver file in Alternate Data Stream
• Registry launch point
Changes to Live OS
• Int 0x2e / Sysenter hook
• Function pointer hook in IofCallDriver
Volatile Changes to Live OS
• Multiple System Service Table hooks
Demo – Rustock
Hide’n Seek
Evolution – Srizbi
• Spambot and backdoor with rootkit capabilities
• Emerged in April 2007
• Consists of a single kernel-mode driver
• EXE file loads the driver and deletes itself
• First complex full-kernel malware!
• Implements a full-blown spam client with an HTTP-based C&C infrastructure
• Uses low-level NDIS hooks and private TCP/IP stack to send/receive packets
• Has complex code to bypass memory hooks
• The first malware to bypass virtually every personal firewall!
• Basic rootkit – easy to detect and remove by modern AV software
Srizbi – Level of Stealth
Persistent System Changes
• Driver file on disk
• Registry launch point
Changes to Live OS
• Hooks in System Service Table
Volatile Changes to Live OS
• None
Demo – Srizbi
Spam from the kernel!
Evolution – Mebroot
• Downloader and backdoor with rootkit capabilities
• First variant found in November 2007
• Consists of a custom MBR (loader) and a custom kernel-mode driver
• EXE file replaces the MBR and writes the driver to raw disk sectors located in unpartitioned slack space at the end of the disk
• The most advanced and stealthiest malware seen so far!
• Uses MBR as its launch point
• All non-volatile data is stored in physical sectors outside of the file system
• Driver uses polymorphic packer and advanced code obfuscation
• Uses NDIS hooks and private TCP/IP stack to send/receive packets
• Utilizes “code pullout” technique to bypass memory hooks
• Active Anti-Removal protection
• Totally generic and open malware platform (MAOS)
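Two of the persistent traces listed above, the replaced MBR and the driver stored in unpartitioned slack at the end of the disk, can be checked from a raw sector dump without trusting the running kernel. The script below is an added example, not the lecture's or F-Secure's code: it parses a 512-byte MBR, compares the boot code against a known-good hash, and flags an unusually large unpartitioned tail. The boot code bytes, disk geometry and the 2048-sector slack threshold are constructed or assumed; a real baseline hash would be taken from a clean image of the same Windows version, and the threshold tuned to what that build's partitioning leaves spare.

```python
"""Checks for the launch point and storage described for Mebroot: a modified
MBR and data written to unpartitioned sectors after the last partition.
Added example; all sector data below are constructed."""
import hashlib
import struct
from typing import List, NamedTuple, Tuple

SECTOR = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510..511


class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        """First sector after the partition."""
        return self.lba_start + self.sectors


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        # status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        status, type_id, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if type_id == 0 and sectors == 0:
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def build_mbr(boot_code: bytes, parts: List[Tuple[bool, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from boot code and (bootable, type_id,
    lba_start, sectors) tuples; used here only to construct test input."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if b else 0, t, s, n)
                     for b, t, s, n in parts).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + table + MBR_SIGNATURE


def check_mbr(mbr: bytes, disk_sectors: int, known_boot_code_sha256: str,
              max_slack_sectors: int = 2048) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    if len(mbr) != SECTOR:
        return [f"MBR must be {SECTOR} bytes, got {len(mbr)}"]
    findings = []
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != known_boot_code_sha256:
        findings.append("boot code differs from the known-good baseline")
    last_used = max((p.lba_end for p in parse_partitions(mbr)), default=0)
    slack = disk_sectors - last_used
    if slack > max_slack_sectors:
        findings.append(f"{slack} unpartitioned sectors after the last partition")
    return findings


# Constructed stand-in for clean boot code; the baseline hash would normally
# come from a known-clean image of the same Windows version.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(BOOT_CODE_LEN, b"\x90")
CLEAN_BOOT_CODE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
DISK_SECTORS = 20_971_520  # a 10 GiB disk

# Clean layout: one NTFS partition (type 0x07) from LBA 63, 1000 spare sectors.
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 63, DISK_SECTORS - 63 - 1000)])
# Suspicious layout: patched boot code and 16384 sectors of slack after the partition.
INFECTED_MBR = build_mbr(b"\xEB\x1E" + CLEAN_BOOT_CODE[2:],
                         [(True, 0x07, 63, DISK_SECTORS - 63 - 16384)])

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, check_mbr(mbr, DISK_SECTORS, CLEAN_BOOT_CODE_SHA256) or ["ok"])
```

Read the first sector and the disk size from the raw device (or an image) rather than through the file system, since the slide's next point is that the driver hides exactly those sectors from the live OS.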
Mebroot – Architecture
[Diagram: the Mebroot bootkit. Launch point: MBR. Core: Malware Operating System (MAOS) with a Module API, a C&C stack and its own TCP/IP stack, plus an Update Module. Modules loaded through the Module API: Torpig/Sinowal/Anserin password stealer and banking trojan, System Fingerprinting, …]
Adapted from Andreas Greulich, MELANI/GovCERT.ch
Mebroot – Level of Stealth
Persistent System Changes
• Master Boot Record (MBR)
• Sectors from unpartitioned disk space
• Encrypted UM plugins stored in system32
Changes to Live OS
• Object header for device objects
Volatile Changes to Live OS
• A single IRP handler function for hiding sectors
• Hooks for network traffic in browser
Demo – Mebroot
Infecting the MBR!
Evolution – TDL3
• TDL3 is the latest advanced rootkit seen in the wild
• Started spreading late 2009
• Suspected to be the latest version of the TDSS family (a.k.a. Alureon)
• Kernel-mode backdoor
• User-mode payload hijacks search engine results
• Interesting features
• Active HIPS evasion
• Device object hooking
• Hidden, private file system in disk slack space
TDL3 – Private Filesystem
• Files in the private filesystem: tdlcmd.dll, config.ini, rsrc.dat, ...
• Encrypted with RC4, accessible to applications
• Early variants: CreateFile(“\\?\globalroot\device\Ide\Ideport2\seenvbnx\seenvbnx\config.ini”)
• Later variants: NtCreateFile(“\seenvbnx\config.ini”)
TDL3 – Level of Stealth
Persistent System Changes
• Infected driver
• Sectors in unpartitioned disk space
Changes to Live OS
• Hijacking device object
• Image load notify routine
Volatile Changes to Live OS
• Hooks for network traffic in browser
Demo – TDL3
Infecting boot drivers!
Conclusions
• Kernel malware is a threat that has to be taken seriously
• Wide distribution – Srizbi and Pandex spam runs, Mebroot drive-by-downloads from high volume web sites in Italy and other parts of Europe
• Today’s kernel-mode malware is robust and effective
• Biggest spam botnets are kernel-mode malware
• Rustock, Srizbi and Mebroot are written by professional developers
• Detection and removal is becoming very challenging
• How do you fight against someone who does not follow common software development practices and rules?
• Prevention is a solution but how about false positives?
• Enforcing digital signatures for drivers helps but how about stolen private keys?
Additional Information
• Kasslin, K. (2006). Kernel malware: The attack from within.
• http://www.f-secure.com/weblog/archives/kasslin_AVAR2006_KernelMalware_paper.pdf
• Florio, E.; Pathak P. (2006). Raising the bar: Rustock and advances in rootkits
• http://www.virusbtn.com/virusbulletin/archive/2006/09/vb200609-rustock
• Kasslin, K.; Florio E. (2007). Spam from the kernel.
• http://www.virusbtn.com/virusbulletin/archive/2007/11/vb200711-srizbi
• Kasslin, K.; Florio E. (2008). Your computer is now stoned (…again!).
• http://www.virusbtn.com/virusbulletin/archive/2008/04/vb200804-MBR-rootkit
• Kasslin, K.; Florio E. (2008). Your computer is now stoned (…again!). The rise of MBR rootkits.
• http://www.f-secure.com/weblog/archives/Kasslin-Florio-VB2008.pdf