n this presentation we will be discussing the evolution of the notorious rootkit TDL (classified by ESET as Win32/Olmarik and Win64/Olmarik) which in its latest incarnation is the first widespread rootkit to target 64-bit versions of Microsoft Windows operating systems. The most striking features of the rootkit are its ability to bypass Microsoft Windows Driver Signature Checking in order to load its malicious driver, and its implementation of its own hidden encrypted file system, in which to store its malicious components. Between its first appearance on the malware scene and the present its architecture has been drastically changed several times to adapt to new systems and respond to countermeasures introduced by antivirus and HIPS software. In the presentation we will cover the the following topics: the evolution of the user-mode and kernel-mode components of the rootkit; techniques it has used to bypass HIPS; modifications to the hidden file system; bootkit functionality; tne recently introduced ability to infect x64 operating systems; and, finally, approaches to removing the rootkit from an infected system. In addition, we will present our free forensic tool for dumping the hidden rootkit file system.
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Defeating x64: The Evolution of the TDL Rootkit
1. Defeating x64: The Evolution of the TDL
Rootkit
Aleksandr Matrosov
Eugene Rodionov
2. Who we are?
Malware researchers at ESET
- rootkits analysis
- developing cleaning tools
- tracking new rootkit techniques
- research cybercrime groups
http://www.joineset.com/
3. Agenda
Evolution of TDL rootkits
Installation on x86 vs. x64
TDL bootkit or how to bypass driver signature
check
How to debug bootkit with Bochs emulator
Kernel-mode hooks
TDL hidden file system layout
Payload injection
TdlFsReader as a forensic tool
5. Evolution of rootkits features
x86
Dropper Rootkit
bypassing HIPS/AV self-defense
privilege escalation surviving reboot
installing rootkit
driver Kernel mode injecting payload
User mode
6. Evolution of rootkits features
x86
x64
Dropper Rootkit
Rootkit
bypassing HIPS/AV self-defense
self-defense
privilege escalation surviving reboot
surviving reboot
installing rootkit bypassing signature
driver injecting payload
check
Rootkit
bypassing
MS PatchGuard
Kernel mode
User mode
injecting payload
7. Obstacles for 64-bit rootkits
o Kernel-Mode Code Signing Policy
It is “difficult” to load unsigned kernel-mode
driver
o Kernel-Mode Patch Protection (Patch Guard):
SSDT (System Service Dispatch Table)
IDT (Interrupt Descriptor Table)
GDT ( Global Descriptor Table)
MSRs (Model Specific Registers)
8. Evolution of TDL rootkits
TDL3/TDL3+ TDL4
Kernel-mode code Base independent piece of PE image in the hidden
representation code in hidden file system file system
Surviving after reboot Infecting disk Infecting MBR of the disk
miniport/random kernel-mode
driver
Self-defense Kernel-mode hooks, registry Kernel-mode hooks, MBR
monitoring monitoring
Injecting payload into tdlcmd.dll cmd.dll/cmd64.dll
processes in the system
x64 support
Complexity
9. Evolution of TDL rootkits
TDL3/TDL3+ TDL4
Bypassing HIPS AddPrintProcessor AddPrintProvidor,
AddPrintProvidor ZwConnectPort
Privilege Escalation
MS10-092
Installation mechanism by loading kernel-mode driver by loading kernel-mode
driver
overwriting MBR of the
disk
Number of installed 4 10
modules
14. Dropped modules
Dropped modules Description
mbr original contents of the infected hard drive boot sector
ldr16 16-bit real-mode loader code
ldr32 fake kdcom.dll for x86 systems
ldr64 fake kdcom.dll for x64 systems
drv32 the main bootkit driver for x86 systems
drv64 the main bootkit driver for x64 systems
cmd.dll payload to inject into 32-bit processes
cmd64.dll payload to inject into 64-bit processes
cfg.ini configuration information
bckfg.tmp encrypted list of C&C URLs
15. Installation on x86
Adjust
fail SeLoadDriver success
privilege
Copy itself into
Check OS
WinXP Vista/Win7 PrintProcessor
version
director
Set IMAGE_FILE_DLL
Exploitation success flag in the PE header
Fail fail
install MS10-092
Copy itself into Call
%TMP% directory AddPrintProvidorW
API
Create Call
manifest requesting DeletePrintProvidorW
admin privilege API
Call
ShellExecute
16. Installation on x64
Prepare hidden FS
image
Write FS image,
fail patch MBR and Adjust success
SE_SHUTDOWN_PRIVILEGE
Exploitation
success
MS10-092
fail Call
ZwRaiseHardError
to create BSOD
Copy itself into
%TMP% directory
Restart
Dropper
Create
manifest requesting
admin privilege
Call
success
ShellExecute
Report to C&C
fail
18. Types of integrity checks
o PnP Device Installation Signing Requirements
o Kernel-Mode Code Signing Policy
Enforced on 64-bit version of Windows Vista and later
versions
64-bit Windows Vista and 32-bit Windows Vista
later and later
Boot-start driver
Non boot-start PnP driver
Non boot-start, non-PnP
driver
(except stream protected media
drivers)
19. Subverting KMCSP
o Abusing vulnerable signed legitimate kernel-mode
driver
o Switching off kernel-mode code signing checks by
altering BCD data:
abusing WinPe Mode
disabling signing check
patching Bootmgr and OS loader
20. Boot process of Windows OS
real mode real mode
Load MBR Load MBR
real mode real mode
Load VBR Load VBR
real mode/ real mode/
protected mode protected mode
Load
Load ntldr
bootmgr
real mode/
Load kernel Load protected mode
and boot winload.exe or
start drivers winresume.exe
Load kernel
Boot Process of pre Boot Process of post and boot
Windows Vista OS Windows Vista OS start drivers
MBR – Master Boot Record
VBR – Volume Boot Record
21. Code integrity check
Non boot-start
OS kernel
kernel-mode drivers
OS kernel
Bootmgr OS loader
dependencies
Boot-start
drivers
22. Boot Configuration Data (BCD)
BCD
BCD BCD
Object1 Object2
BCD BCD BCD
Element1 Element2 Element3
Windows boot
Inheritable
manager
Windows boot
BCD Object Application
loader
Device Ntldr
23. BCD Elements determining KMCSP
(before KB2506014)
BCD option Description
BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity
(0x16000020) checks
BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in
(0x26000022) preinstallation mode, disabling
kernel-mode code integrity checks
as a byproduct
BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing
(0x16000049)
24. BCD Elements determining KMCSP
(before KB2506014)
BCD option Description
BcdLibraryBoolean_DisableIntegrityCheck disables kernel-mode code integrity
(0x16000020) checks
BcdOSLoaderBoolean_WinPEMode instructs kernel to be loaded in
(0x26000022) preinstallation mode, disabling
kernel-mode code integrity checks
as a byproduct
BcdLibraryBoolean_AllowPrereleaseSignatures enables test signing
(0x16000049)
25. Abusing Win PE mode: TDL4 modules
Module name Description
mbr (infected) infected MBR loads ldr16 module and restores original
MBR in memory
ldr16 hooks 13h interrupt to disable KMCSP and substitute
kdcom.dll with ldr32 or ldr64
ldr32 reads TDL4’s kernel-mode driver from hidden file
system and maps it into kernel-mode address space
ldr64 implementation of ldr32 module functionality for 64-bit
OS
int 13h – service provided by BIOS to communicate to IDE HDD controller
26. Abusing Win PE mode: workflow
Load infected MBR Continue kernel
Infected mbr is
initialization
loaded
and executed
Load ”drv32”
Call or “drv64"
Load “ldr16” from
KdDebuggerInitialize1
hidden file system
“ldr16” is from loaded kdcom.dll
loaded
and executed
substitute
Hook BIOS int 13h kdcom.dll
Load ntoskrnl.exe, with”ldr32”
handler and hal.dll,kdcom.dll,b or “ldr64"
restore original Original mbr is
ootvid.dll ant etc
MBR loaded
and executed
distrort
/MININT option
Load VBR Load winload.exe
VBR is loaded
and executed
Substitute
EmsEnabled
option with WinPe
Load bootmgr read bcd
Bootmgr is loaded
and executed
27. MS Patch (KB2506014)
o BcdOsLoaderBoolean_WinPEMode option no longer
influences kernel-mode code signing policy
o Size of the export directory of kdcom.dll has been
changed
28. MS Patch (KB2506014)
o BcdOsLoaderBoolean_WinPEMode option no longer
influences kernel-mode code signing policy
o Size of the export directory of kdcom.dll has been
changed
29. MS Patch (KB2506014)
o BcdOsLoaderBoolean_WinPEMode option no longer
influences kernel-mode code signing policy
o Size of the export directory of kdcom.dll has been
changed
37. Storage Device Stack
Disk PDO Disk PDO
(Partition 1) (Partition 2)
Hard drive
Disk Upper
Upper Filter
Filter
driver object
Disk class Disk FDO
driver object (Partition 0)
Hard drive
Disk Lower
Lower Filter
Filter
driver object
Hard drive
port/miniport Disk PDO
driver object
38. Stealing Miniport Driver Object
Disk PDO Disk PDO
(Partition 1) (Partition 1)
Hard drive
Disk Upper
Upper Filter
Filter
driver object
Disk class Disk FDO Before Infection
driver object (Partition 0)
After Infection
Hard drive
Disk Lower
Lower Filter
Filter
driver object
Hard drive
Fake
port/miniport
Disk PDO
driver object
TDL4 “Real”
driver object Disk PDO
Stolen Objects
41. Filtering Disk Read/Write Requests
o Filtered requests:
IOCTL_ATA_PASS_THROUGH_DIRECT
IOCTL_ATA_PASS_THROUGH;
IRP_MJ_INTERNAL_DEVICE_CONTROL
o To protect:
Infected MBR;
Hidden file system from being read or overwritten
SCSI
request
block
Bootkit driver hooks
Infected MBR or hidden file
Otherwise
system is read/written
Bootkit driver: Bootkit driver:
Counterfeit data and call corresponding
complete request miniport’s handler
43. TDL’s hidden storage
o Reserve space in the end of the hard drive (not visible
at file system level analysis)
o Encrypted contents (stream cipher: RC4, XOR-ing)
o Implemented as a hidden volume in the system
o Can be accessed by standard APIs (CreateFile,
ReadFile, WriteFile, SetFilePointer, CloseHandle)
49. Injecting workflow
Set
Exit from work item
ImageLoadNotifyRoutine
On loading kernel32.dll Go back in the context of System process
Queue special kernel-mode Detach from target process
APC
Initialize IAT and call payload’s entry point
In the context of the target process
Queue user-mode APC
Queue work item
Allocate user-mode buffer with code
In the context of System process
and path to the payload
Attach to target process
Map image of the payload
In the context of the target process
51. How to remove TDL
o Defeat self defense:
Disable WORK_ITEM checking infected MBR and
kernel-mode hooks
Remove hooks of storage miniport device object
o Restore original MBR
56. How to debug TDL4 with WinDbg
o Patch ldr16 to disable kdcom.dll
substitution
o Reboot the system and attach to it with
WinDbg
oManually load drv32/drv64
“TDL4 Analysis Paper: a brief introduction and How to Debug It”, Andrea Allievi
http://www.aall86.altervista.org/TDLRootkit/TDL4_Analysis_Paper.pdf
62. Conclusion
o Win64/Olmarik (TDL4) is the first widely spread rootkit
targeting Win x64
o Return to old-school techniques of infecting MBR
o The only possible way of debugging bootkit is to use
emulators (Bochs, QEMU)
o TDL4 is highly resistant to forensic analysis
o TdlFsReader will be shared amongst malware
researchers
63. References
“The Evolution of TDL: Conquering x64”
http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf
“Rooting about in TDSS”
http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf
“TDL3: The Rootkit of All Evil?”
http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf
Follow ESET Threat Blog
http://blog.eset.com