Ring 0/-2 Rootkits: Compromising Defenses

Video in TIB AV-Portal: Ring 0/-2 Rootkits: Compromising Defenses

Formal Metadata

Ring 0/-2 Rootkits: Compromising Defenses
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Advanced malware such as TDL4, Rovnix, Gapz, Omasco, Mebromi and others have exposed in recent years various techniques used to circumvent the usual defenses, and have shown how unprepared companies are to deal with these sophisticated threats. Although the industry has implemented new protections such as Virtualization Based Security, Windows SMM Security Mitigation Table (WSMT), Kernel Code Signing, HVCI, ELAM, Secure Boot, Boot Guard, BIOS Guard and many others, professionals still do not know the architecture of these protections, which components are attacked by contemporary malware in the context of BIOS/UEFI, and which tricks that malware uses. Precisely because of this lack of adequate understanding, most machines (BIOS/UEFI + operating system) remain as vulnerable as they were a few years ago. In addition, a growing number of malware families use kernel drivers to circumvent limitations and protections in order to gain full access to the operating system and its data. For exactly these reasons, it is necessary to understand how malware acts as a device driver and which mechanisms these threats use to infect an operating system. The purpose of this presentation is to show clearly, without the excess of detail that often hinders understanding, how these threats act, which components are attacked, which techniques these advanced malware families use to subvert the system, and how the existing protections work.
[Host] Next up we are gonna have some fun with some low-level rootkit kind of stuff. Now, Alexandre Borges, I'm doing my best here, is in all the way from Brazil, and he is a first-time speaker, so we want to give him a special recognition. So let's give him a round of applause. Have a wonderful time.

Hello everybody, good afternoon. My name is Alexandre Borges, I'm a malware and security researcher at Blackstorm Security, and let's talk about rootkits. First of all, two things: English is not my native language, so if you don't understand something, please send me an e-mail. And to the professionals mentioned here: sincerely thank you, and a deep respect for their research on the same topics.

Let's start. Honestly, I was expecting only 10 or 12 people here. This is our table of contents: I will talk about two topics, ring 0 and advanced rootkits in ring -2. First, rootkits in ring 0.

Malicious drivers have been using the same tricks every single day to infect systems, but no doubt callback methods, or kernel callback functions, is a good one, because it is a kind of modern route used by driver programmers for monitoring and alerting the kernel mode about a specific event occurrence, and kernel callback methods are a good trick to evade defenses. Kernel callback methods provide notification when a process, a library or a kernel module is mapped into memory, when a file system becomes available, when the system is going down, before a system crash, when a thread starts or finishes, when a process starts or finishes, when some registry entries are modified or removed. For example, I have seen some malwares using this specific callback method, CmRegisterCallback, for checking if their persistence entries are kept, and if an analyst, a software or a programmer removes it, the malware is able to add it back. It is a nice trick to keep the persistence.

To find the number of callback methods is so easy using WinDbg. Running a couple of commands, we have a very nice way to list the callback methods, for example PspCreateProcessNotifyRoutine, that is a kind of list of callback routines to be called when a process is created or deleted. So in this case it is so easy to find the number of installed callbacks, with the first command in WinDbg, and a variant of the command in the middle to list all the callback methods that are installed. In the last few weeks I have seen several malwares using the specific callback method PsSetLegoNotifyRoutine. This callback method should register a malicious routine that is called during the thread termination. In this case, the malware changes the KTHREAD.LegoData to provide a malicious address, then the routine redirects the execution flow to the malicious code. It is a very nice and efficient trick. Here we have the output from the last slide about the callback methods associated to create process, and here we have the structure of KTHREAD and the LegoData field that is changed by the malware.

Windows offers different types of drivers, such as legacy drivers, filter drivers and minifilter drivers. All of them are developed by using the WDM or WDF frameworks. Basically a driver is composed by one or more device objects, and each object is associated to a driver object. So most ring 0 malwares install filter drivers to monitor and intercept the behavior of existing drivers, to filter the flow of operations, and to add new malicious features, for example keyloggers. The trick is almost the same: we have a driver stack; the malware first creates a named device object by using this first function, IoCreateDevice, and secondly the malware adds the unnamed device object on the top of the stack by using this function, IoAttachDevice. The communication in the driver stack is done by using IRP packets, and each IRP packet is processed by a dispatch routine that is retrieved from the MajorFunction table. The IRP parameters are retrieved from the IO_STACK_LOCATION by using this function, IoGetCurrentIrpStackLocation. Additionally, it is possible to pass down the IRP parameters to the next layer by using IoSkipCurrentIrpStackLocation, or to copy them by using IoCopyCurrentIrpStackLocationToNext. Alternatively, IRP packets can be passed down to the lower driver by using this specific call, IoCallDriver. Here we have a very nice trick: some malwares try to pass the IRP packet to the lowest driver, bypassing the middle drivers, and so avoiding the packet to be followed by monitoring tools and hooking tools. So it is a very nice and smart trick to evade defenses.

Here I show you a complete picture about it. At left we have the driver stack, at right we have the associated device objects to each driver. Pay attention that the IoCallDriver function is called to pass down the IRP packet to the next layer. At bottom we have completion routines that are called in the reverse order, so the CompletionRoutine is the function that does the job; all of them are managed by the IoCompleteRequest function. Here we have the IRP structure, composed by a static part and a dynamic part. The dynamic part is composed by the IO_STACK_LOCATIONs. So each IRP is created by calling the IoAllocateIrp function, and as I mentioned before, this function and the other three in red are interesting functions that should be analyzed when you reverse the malware. At the right bottom we have the IO_STACK_LOCATION structure, composed by the MajorFunction (the MajorFunction holds the pointers to dispatch routines), the Parameters field and the CompletionRoutine field. The Parameters field depends on the major and minor functions, so in this slide we have the structure of the Parameters field, and in the next slide we have a complete list of IRP types. So easy. Here we have the complete relationship between the IO_STACK_LOCATION structure, the DEVICE_OBJECT structure and the DRIVER_OBJECT structure. It is a good slide to read tomorrow night.

Here I show you a step-by-step investigation about a potential malicious driver, with some commands in WinDbg. Pay attention, this specific malware uses some dispatch routines such as create, read, close, write and device control. It is so usual to see things like that when you are analyzing malicious drivers. Here is a more complete overview showing you the relationship between the reversed code, the driver object and the dispatch routines. In this slide I started an investigation about a potential malicious filter driver by using some commands in WinDbg. Naturally, the closer to the bottom of the device stack the infection is, the more effective it is. I mean, most monitoring tools and hooking tools try to check the middle of the stack, so if the infection happens at the bottom you are skipping all these tools and evading the defenses. Some malwares try to intercept requests such as read and write operations by manipulating the MajorFunction array, for example the IRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL callback methods, the dispatch routines. Rootkits try to protect themselves from being removed by modifying functions such as IRP_MJ_DEVICE_CONTROL and hooking requests going to the disk; it is another kind of trick. Some malwares try to hook the DriverUnload routine to prevent the rootkit from being removed, another trick. However, most malicious drivers try to avoid touching areas protected by PatchGuard, because PatchGuard is hard to be circumvented. Here we have a list of protections by PatchGuard, thanks to a lecture on the subject.

Most of the time, malwares have been storing their payloads and configurations in an encrypted hidden file system. Additionally, they have created a new device object name, during the boot, to associate to this special file system. Some malwares composed by executables and drivers have been using APCs, asynchronous procedure calls, to perform the communication between the user code and the driver code instead of using I/O control commands. Another smart trick: some malwares don't choose any specific driver for the infection, but randomly pick up a driver by parsing the list structured by KLDR_DATA_TABLE_ENTRY. Certainly hooking the file system access is so easy; here I show you a complete list of APIs, it is so easy to do that. Few malwares have been hooking this specific API, ZwOpenFile, to intercept all open requests sent to devices. It is a well-known trick, because old viruses used the same trick. Some malwares, after infecting a system by dropping kernel drivers, try to force a reboot by calling the ZwRaiseHardError function. It is a very special and nice trick. Other malwares try to use the last routine here in red, IoRegisterShutdownNotification, for restoring the malicious driver in the next boot, so if you try to remove it, it comes back. Fortunately, most malwares have been using the ExAllocatePoolWithTag function to allocate memory pool, but it is so easy to find it, because we have Volatility. Here we can find it by using Volatility, and as you already know, there is a similar command in WinDbg. Finally, most malicious drivers have been using APC injection to inject some malicious code instead of using remote thread creation, so my recommendation is to pay attention to these three last functions in red.

Now let me talk about advanced malwares, basically bootkits, malwares in ring -2. When we talk about ring -2, the context is so different. Most malwares change the lowest level: they attack the MBR, the VBR, UEFI. For example, some malwares alter the BPB, the BIOS parameter block, to change the execution flow to another place. In this case, this kind of malware alters the HiddenSectors field to change to another address and execute the malicious code instead of the IPL. Here we have real cases about malwares such as TDL4 or Petya, which encrypt and infect the MBR. So in this case the trick is to try to load a good MBR and a bad one in IDA Pro and emulate them using the Bochs emulator, so I try to compare to make my analysis easier. I mean, MBR modifications and VBR modifications are effective ways to bypass KMCS, the Kernel Mode Code Signing policy. KMCS is responsible for validating the driver's signature. So there are some ways to bypass KMCS: disabling it, putting Windows in test signing mode, but in this case Secure Boot must be disabled; changing the kernel memory, it is so easy; or even trying to find a flaw in the firmware, and in this case again Secure Boot could be bypassed. Here we have a real case about a Trojan banker where the malware has put Windows in test mode; in this case the goal is to force, in a near future, the loading of the unsigned malicious driver.

Here I show you a more complete overview. Here we have the boot process composed by BIOS, MBR, VBR, bootmgr, and look at the left, down there we have winload. Mainly bootkits try to attack before the kernel is loaded, and ELAM is not loaded yet; it is a smart trick to bypass defenses. Malwares have been infecting bootmgr in memory; bootmgr is responsible to switch the processor execution from real mode to protected mode. So malwares have been using some interrupts to access the disk, to patch modules and to load malicious drivers. At bottom I show you some tasks associated to winload: it enables the protected mode, checks the module integrity, loads the Windows kernel, loads several DLLs and the ELAM protection, and finally loads drivers and system registry data. Therefore, the integrity checking of winload is critical, and if it is subverted, virtually everything falls, because the integrity control doesn't exist anymore. So pay attention here: all modern protections are based on digital certificates and digital signatures, so it is critical. Most advanced bootkits, as I mentioned previously, store their payload and configuration in an encrypted hidden file system by using some special opcodes. As you know, SMM is a kind of magical mode, a god mode; that is a perfect place to hide the malware.

Here I show you a first approach composed by SPI flash, SMM, UEFI services, MBR, VBR, the OS loader and the OS. Pay attention here: malwares can attack any block here, so you are not safe. Here, a quick reminder about the UEFI phases. So here I show you a more complete overview about the boot process, composed by hardware, the UEFI phases and things like that. Again, malwares can attack everywhere here, but we have good protections such as Boot Guard, UEFI Secure Boot, or Secure Boot as someone remembers.

Remember, the SPI flash is composed by the descriptor, Gigabit Ethernet, Management Engine, ACPI and BIOS regions. So for example Boot Guard, controlled by the Management Engine, is responsible for validating the boot process by flashing a public key into the Intel Management Engine. Obviously, for a perfect working of Boot Guard, the SPI flash region must be locked and the Boot Guard configuration must be set to protect against SMM rootkits. Here I show you a quick picture about the Boot Guard blocks. Basically each block verifies the next one; it is a kind of trust chain. Another very interesting protection is BIOS Guard, which runs within the SMM and protects the platform against unauthorized SPI flash BIOS updates, boot infection and corruption. Basically, BIOS Guard will only allow trusted modules to modify the SPI flash memory. Secure Boot is responsible for protecting the entire path against bootkit infection. It protects the components during the boot: kernel mode key drivers, important system files and so on. Secure Boot prevents any loading of strange code without a valid digital signature. Two essential items in Secure Boot are the Platform Key and the Key Exchange Key. The Platform Key establishes a relationship between the platform owner and the platform firmware, and it is responsible for verifying the Key Exchange Key. At bottom, the Key Exchange Key establishes a trust relationship between the platform firmware and the OS. Actually, the Key Exchange Key verifies the authorized database, which contains the trusted signing certificates and digital signatures, and the forbidden database, which contains the forbidden certificates and digital signatures. Absolutely, if the Platform Key is corrupted, everything falls, because Secure Boot can be disabled. Unfortunately, some vendors store important Secure Boot status into UEFI variables; however, if some rootkit exploits these variables, Secure Boot can be disabled. UEFI BIOS supports the TianoCore platform; however, the TianoCore platform doesn't support signatures, and remember what I told you: all the modern protections are based on digital signatures and digital certificates. So in case a bootkit is able to replace the typical UEFI loader by TianoCore, Secure Boot can be disabled.

Fortunately, new releases of Windows 10 introduced a very interesting feature about SMM protections, known as Windows SMM Security Mitigation Table. In WSMT, the firmware indicates that the SMM must be authorized, and it is trusted by VBS, so it is an additional protection. The SMM protection flags in Windows can be consulted by you, and here I show you some flags.

Finally, I am showing here a real case about a customer in Brazil. In this case, the system is not protected against BIOS writing: you see the second one, BIOS write permission, so it is terrible. In the same system, BIOS Write Enable is set to true, because any malware can write malicious code there. The BIOS Lock Enable is set to true, but this is only a kind of notification bit. The SMM BIOS write protection is disabled, horrible. Again, at bottom right, the protection range registers are disabled, true. So in this case we have a completely exposed machine, a completely exposed system. Here I am using CHIPSEC to perform my analysis, my checking. Here we have the Flash Configuration Lock-Down enabled, that is okay; however, it doesn't matter, because this setting protects the protection range registers, which are disabled, so it doesn't matter. Here the BIOS top swap mode is disabled, that is okay, because in this case it is impossible to redirect the reset vector to a malicious boot block, so it is impossible to execute malicious code. Finally, the SMM range register is enabled, it is good news, so it is impossible to access the SMRAM from non-SMM mode.

My conclusions are: most security professionals are not ready to analyze malicious drivers, because the theory is huge and hard. I know that real customers, the real world, are not aware about ring -2 threats, and they don't know how to update the firmware; most customers don't know how to do that. And finally, remember: all modern protections are based on integrity, for example digital certificates and signatures. However, I leave you a question here: what would happen if these algorithms were broken, for example using quantum computation? This talk is dedicated to my wife, and to you who reserved some time to be here. Thank you for attending my talk. [Applause]
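The BIOS write-protection reading the speaker does on the customer's machine (BIOSWE, BLE, SMM_BWP, Flash Configuration Lock-Down and the SPI protected ranges) can be reproduced offline from raw register values. The following is an added example, not code from the talk or from CHIPSEC: the bit positions follow the Intel PCH BIOS_CNTL, HSFS and PRx register layouts, while the BIOS region bounds and every register value are constructed for illustration.

```python
"""Evaluate BIOS/SPI flash write protection from raw register values.

Added example (not the talk's or CHIPSEC's code). Bit layouts follow the
Intel PCH BIOS_CNTL / HSFS / PRx formats; region bounds and register
values below are constructed, not captured from a real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# BIOS_CNTL bit fields
BIOSWE  = 1 << 0   # BIOS Write Enable (software may write the BIOS region)
BLE     = 1 << 1   # BIOS Lock Enable (setting BIOSWE only raises an SMI)
TSS     = 1 << 4   # Top Swap Status (reset vector redirected to a swap block)
SMM_BWP = 1 << 5   # SMM BIOS Write Protect (writes allowed only inside SMM)

# HSFS bit field
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down (PRx become read-only)

PAGE = 0x1000      # PRx base/limit granularity is 4 KiB


@dataclass(frozen=True)
class ProtectedRange:
    """One SPI PRx register: WPE bit 31, PRL bits 28:16, PRB bits 12:0."""
    raw: int

    @property
    def write_protected(self) -> bool:
        return bool((self.raw >> 31) & 1)

    @property
    def span(self) -> Tuple[int, int]:
        base = (self.raw & 0x1FFF) * PAGE
        limit = ((self.raw >> 16) & 0x1FFF) * PAGE + (PAGE - 1)
        return base, limit


def uncovered_bytes(region: Tuple[int, int], ranges: List[ProtectedRange]) -> int:
    """Bytes of `region` (inclusive bounds) not inside any write-protected PRx."""
    start, end = region
    spans = sorted(r.span for r in ranges if r.write_protected)
    covered, cursor = 0, start
    for b, l in spans:
        b, l = max(b, cursor), min(l, end)
        if l >= b:
            covered += l - b + 1
            cursor = l + 1
    return (end - start + 1) - covered


def evaluate(bios_cntl: int, hsfs: int, prs: List[ProtectedRange],
             bios_region: Tuple[int, int]) -> Dict[str, object]:
    """Classify the platform the way the talk reads the CHIPSEC output."""
    bioswe, ble, smm_bwp = (bool(bios_cntl & BIOSWE), bool(bios_cntl & BLE),
                            bool(bios_cntl & SMM_BWP))
    flockdn = bool(hsfs & FLOCKDN)
    # BLE alone is a notification bit; real protection needs SMM_BWP with BIOSWE clear.
    smm_only_writes = smm_bwp and ble and not bioswe
    gap = uncovered_bytes(bios_region, prs)
    # PRx only count if they cover the whole BIOS region and FLOCKDN keeps them fixed.
    pr_protected = flockdn and gap == 0
    return {
        "bioswe": bioswe, "ble": ble, "smm_bwp": smm_bwp, "flockdn": flockdn,
        "top_swap": bool(bios_cntl & TSS),
        "pr_uncovered_bytes": gap,
        "verdict": "PROTECTED" if (smm_only_writes or pr_protected) else "EXPOSED",
    }


def pr(base: int, limit: int, wpe: bool = True) -> ProtectedRange:
    """Build a PRx register value covering [base, limit] (constructed helper)."""
    return ProtectedRange(((limit // PAGE) << 16) | (base // PAGE) | (int(wpe) << 31))


# Constructed BIOS region: top 8 MiB of a 16 MiB flash.
BIOS_REGION = (0x800000, 0xFFFFFF)

# Scenario like the customer's machine: BIOSWE=1, BLE=1, SMM_BWP=0, FLOCKDN=1, PRx unused.
CUSTOMER = dict(bios_cntl=BIOSWE | BLE, hsfs=FLOCKDN,
                prs=[ProtectedRange(0)] * 5, bios_region=BIOS_REGION)

# Hardened scenario: SMM_BWP and BLE set, BIOSWE clear, PR0 write-protecting the BIOS region.
HARDENED = dict(bios_cntl=BLE | SMM_BWP, hsfs=FLOCKDN,
                prs=[pr(0x800000, 0xFFFFFF)] + [ProtectedRange(0)] * 4,
                bios_region=BIOS_REGION)

if __name__ == "__main__":
    for name, regs in (("customer", CUSTOMER), ("hardened", HARDENED)):
        print(name, evaluate(**regs))
```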