INDEX

Numbers and Symbols

$IDADIR\loaders directory, 108

258SMM. See System Management Mode (SMM)

A

Absolute Software, 280

accept_file routine, 109–110

ACM (Authenticated Code Module), 288, 299, 300, 340–342, 343, 344

ACRAM (Authenticated Code RAM), 288

Advanced Configuration and Power Interface (ACPI), 307

Advanced Encryption Standard (AES), 190, 197, 210, 211, 218

Advanced RISC Machine (ARM) architecture, 116

BMC implementation, 314

boot loaders, 347–348

Cortex-A, 347

Cortex-M, 347

implementations, 347

processors, 348

root of trust key, 350

Trusted Boot Board (TBB), 346, 347

Trust Zone, 346–347

Advanced Technology Attachment (ATA), 262

Aeroflot, 14

afd.sys, 179

AIDS (computer virus), 208

Airbus, 314

Alureon family of malware, 4. See also TDL3

antirootkits, 36, 41, 43

antivirus industry

challenges, 53, 180, 231

evolution, 175

first-wave bootkits, reaction to, 133

Gapz (see Gapz)

hooks, antivirus (see hooking)

origins, 50

software, 4, 43, 70, 180

vendors, 4, 297

aPlib, 151, 152, 164

Apple, 286, 289, 308, 312, 365

operating system, 50–51

PRx protections, 295–296

Apple II, 50–51

Aptiocalypsis (INTEL-SA-00057), 263

ARM (Advanced RISC Machine) architecture. See Advanced RISC Machine (ARM) architecture

array of flash data (FDATAX) register, 372, 373, 374

ASCII, 218

Assist, 14

ATA (Advanced Technology Attachment), 262

Authenticated Code Module (ACM), 288, 299, 300, 340–342, 343, 344

Authenticated Code RAM (ACRAM), 288

Avatar, 10

B

base58 decoding algorithm, 218

BASE64, 190

Baseboard Management Controller (BMC), 288, 289, 313, 314–315

BaseNamedObjects, 182

Basic Input/Output System (BIOS). See also BIOS Guard

accessibility, 101

Authenticated Code Module (ACM), 288, 299, 300, 340–342, 343, 344

boot code, 152, 215

boot process, role in, 256

bootkit target, as, 58

bootkit, evolution of, 258

bootup, 50

bypassing, 365

Compatibility Support Mode, 215

complexity, 256

default behavior, early PCs, 50

DISK_ADDRESS_PACKET, 104

disk service, 101

entry point, 101

evolution, 52

EXTENDED_GET_PARAMS, 102, 103

extended read operations, 103

firmware implant, 291

firmware managed by, 286187

infection methods, 265

installation, 289

interrupt handler, 87

interrupts, 50, 51, 52

legacy, 233, 234, 235

boot process flow, 236

MBR code in, 238

UEFI, vs., 236, 237, 243

malicious boot loader sectors, 103, 104

malware, history of, 256

BIOSkit, 257

Chernobyl, 256–257

evolution, 258, 261

Mebromi, 257

WinCIH, 256–257

MBR, and, 96, 97, 257

nonpersistent implant, 291

outdated, 292

parameter block, 64, 106

persistent implant, 291

protection bits, 310

set-up, legacy processes, 59

set-up, Windows, 60

setup menu, 280

system initialization, 229

System Management Interrupt (SMI) handler (see System Management Interrupt (SMI) handler)

UEFI infections, 265–267, 286

DXE driver, modifying, 269

Option ROM, modifying, 267–269

vulnerabilities, 289–290

Update App, 305

Update Driver, 305

updates, 286, 296, 297

vulnerabilities, during updates, 296

vulnerabilities, post-exploitation, 290, 291

BCD (Boot Configuration Data). See Boot Configuration Data (BCD)

BDS (Boot Device Selection), 244

BIOS Guard, 253, 293, 297, 298

BIOSkit, 257

BIOS Lock Bit, 298

BIOS Lock Enabled (BLE), 263, 310

BIOS Parameter Block (BPB), 186–187, 188, 222

BIOSWE, 263

BIOS Write Enable, 263

BIOS Write Protection, 310

Bitcoin, used by ransomware, 209

Black Hat conference, 53, 267

Black Hat Asia, 272

Black Hat Vegas, 307, 311

BLE (BIOS Lock Enabled), 263

Blue Screen of Death (BSoD), 86–87

BMC (Baseboard Management Controller), 288, 289, 313, 314–315

Bochs emulator

bochsrc.bxrc, 117

bochsdbg.exe, 120

booting, 118

code interpretation, 116

configuration file, 121

debugger, 120–121, 123–124

disk image, infecting, 119–121

dynamic analysis, in context of, 120

environment, creating, 117–119

IDA Pro, combining with, 116, 118, 123–124

installing, 117

origins, 116

Boot Configuration Data (BCD)

boot variables, 66, 67, 75

execution flow, role in, 68

layout, 66

parameters, 64

reading, 88

store, 249

UEFI, use by, 247, 249

Boot Device Selection (BDS), 244

Boot Guard, 205, 253

Authenticated Code Module (ACM), 288, 299, 300, 340–342, 343, 344

BIOS protection, 297, 298

boot code, early, 288

boot flow, 339

boot policy manifest (BPM), 343–344

chain of trust, 344

configuring, 343–345

FIT entries, 342342

integrity checking, 299

Measured Boot, 339, 342

OEM root public key, 350

process root, 293

root of trust, 312

technology overview, 299–300

Verified Boot, 339, 342, 350

vulnerabilities, 300–301

bootkits, 49

boot sector infectors (BSIs), 50, 51–52, 59

Brain virus, 51

components, 96

development, 255–256

digital signature checks, bypassing, 52–53

ELAM, bypassing (see Early Launch Anti-Malware (ELAM) module)

Elk Cloner, 50

evolution of, 51–53

functionality, 255–256

Gapz (see Gapz)

goal of, 55

Load Runner, 51

Master Boot Record (MBR) (see Master Boot Record (MBR))

modern, 53–54

processor execution mode switch, handling of, 66

proofs of concept (PoCs), 53, 54

resurgence of, 233

Secure Boot (see Secure Boot)

technology, 12

Volume Boot Record (VBR) (see Volume Boot Record (VBR))

bootloaders, 335

fallback, 266

operating system, 237, 242

Petya, in (see Petya)

Satana, in (see Satana)

Unified Extensible Firmware Interface (UEFI), in (see Unified Extensible Firmware Interface (UEFI))

bootmgr module, 62, 64

Gapz bootkit, use by, 189

hooking, 161, 189

loading, 108, 160

protected mode, 65, 66

real mode, 65

TDL4 infection, 87

Bootmgr partition, 62

boot process, Microsoft Windows, 57–58

BIOS, role of, 60

bootmgr, 64

BCD (Boot Configuration Data) boot variables, 66, 67

real mode vs. protected mode, 65

winload.exe, loading, 67

components, 60

configuration data, 64

flow of, 58–59

Initial Program Loader (IPL), 62–64

legacy-based machines, 58

Master Boot Record (MBR), 60–61

code modification infections, 84–85 (see also TDL4)

Microsoft Windows drive layout, 62

partition table, 61–62

preboot environment, 60

Volume Boot Record (VBR), 61–64

bootvid.dll, 67

BotDos.sys, 31, 32

botnet, Festi. See Festi rootkits

bot plug-in manager, 19

BotSock.sys, 31, 33–34

BotSpam.sys, 31

bot trackers, 137

BPB (BIOS Parameter Block), 186–187, 188, 222

Brain virus, 51, 59

Bring Your Own Linker, 78

BSoD (Blue Screen of Death), 86–87

Bulygin, Yuriy, 338

C

C&C (command and control) server. See command and control (C&C) server

C++ compiler, 237

Cache-as-RAM (CAR), 288

call conventions, modern OS, 101

Capsule Update, 242, 246, 274–275

Carberp trojan malware, 171

CDFS, 38

debugging strings, 172–173

development, 171–173

dropper enhancements, 173–174

hooking, 173

CBC (cipher block chaining) mode, 194, 211

.cdata, 16

CDO (control device object), 38, 39

certificate authority (CA), 75–76

Certificate Table Data Directory, 322

chain of trust, 298, 344

Chernobyl virus, 256–257

Chipsec, 264, 303, 324, 367, 386–388, 390

ci.dll, 67, 74

callbacks, 77

information regarding, 78

initialization, 77

routines, 76–77

cipher block chaining (CBC) mode, 194, 211

clfs.dll, 67

click fraud, 207

CloseHandle, 11

CmRegisterCallbackEx, 36

Code Integrity, 248

code-patching, 195

command and control (C&C) server, 15

communication protocol, 22, 204

domain names, 26, 30

Festi botnets, role in, 15–16, 21, 26–27

IP address, 26

Olmasco, relationship between, 137

parser, 17

plug-ins, malicious, 31

ransomware, communication with, 211

TCP protocol, relationship between, 26

Command Prompt, 324

Compatibility Support Module (CSM), 234

Component Object Model (COM), 138

compute_checksum, 230

Computrace, 275, 280281, 283

configuration information manager, 19

control device object (CDO), 38–39

Core Wars, 44

CreateFile, 11, 226

CreateFileX, 142

CreateModule, 20

CryptoLocker, 209

CTB-Locker, 209

Cubi2, 264

Cylinder Head Sector (CHS)-based addressing, 101

Czarny, Joffrey, 315

D

DDoS (distributed denial of service) botnets. See distributed denial of service (DDoS) botnets

debuggers

32-bit code, 126

64-bit code, 126

Bochs emulator, in (see Bochs emulator)

detection of, 5

GNU debugger (see GNU Debugger (GDB))

kernel, 44–45, 67, 250

protocol, kernel debugger, 67

remote, 45

Rovnix, interface in, 161

serial, 88

stability, 124

strings, in Rovnix, 172–173

Windows, in, 41

DebugMonitor, 227

Dediprog SF100 ISP Programmers, 375

DeleteModule, 20

Device Guard, 8081, 250, 255

DeviceIoControl, 204, 226

DEVICE_OBJECT, 9, 24

DGA (domain name generation algorithm), 30

Diffie-Hellman key agreement algorithm, 218

digital rights management (DRM), 43

Direct Kernel Object Manipulation (DKOM), 36

direct memory access (DMA) attacks, 292

DiskNumber parameter, 213

disk service, 60

distributed denial of service (DDoS) botnets, 13–14

Assist, against, 14

Festi botnet (see Festi rootkits)

plug-ins, jobs of, 15

DLLs (dynamic-link libraries), 6, 87

DNS flooding, 32

DogmaMillions, 4

domain name generation algorithm (DGA), 30

downloader infectors, 15, 134

dr0, 22

dr3, 22

DRAM (dynamic random access memory), 295

Driver Execution Environment (DXE), 244, 264, 265–266, 269

BIOS phase, 278

boot phase, 293, 297, 299–300

Computrace, in, 281, 283

drivers, 300, 305–306, 320, 321

firmware implants, target of, 291

nonprivileged, 289

rkloader driver, 277

UEFI, in, 299

DRIVER_OBJECT, 5, 9

DriverObject field, 9

DRIVER_OBJECT modification, 357–359

DriverSection, 5

DRM (digital rights management), 43

Dropbox, 209

droppers, 134

debug information in, 226

defining, 15

description, 15

downloader, vs., 134

enhancements, in Carberp, 173–174

Gapz installation, use in, 177, 178–179, 180–181

manifest, 151

resources, 134–135

Satana, in (see Satana)

DualBIOS technology, 366

DXE (Driver Execution Environment). See Driver Execution Environment (DXE)

dynamic analysis, 115–116

dynamic-link libraries (DLLs), 6, 87

dynamic random access memory (DRAM), 295

E

Eagle, Chris, 112

Early Launch Anti-Malware (ELAM) module, 69

boot-start drivers, classifying, 71

bypassing, by bootkits, 72

callback routines, 70

known bad driver, 71

known good driver, 71

policy, 71–72

ecc_cc_public key, 217

EDK2 kit, 267, 304, 332, 336

eEye, 53

EFI images, 298

EFI partition tables, 238

EFI system partition (ESP), 266

Electronic Code Book (ECB) mode, 168

Elk Cloner, 50

Elliptic Curve Cryptography (ECC), 209, 211

Embedded Controller (EC), 287, 298

Embedi, 313

emulators, 116

Bochs emulator (see Bochs emulator)

malware detection, 153

QEMU, 116

Endpoint Detection and Response (EDR) approach, 45

Equation Group, 262

event notification callbacks, 36–37

evil maid attacks, 291

EX_CALLBACK_FUNCTION, 70

explorer.exe, 164, 181, 183

EXTENDED_GET_PARAMS, 102–103

F

FADDR (flash address) register, 370, 373

fallback bootloader, 266

FastIO, 40

FAT32, 38, 193

FEK (file encryption key), 210

Festi rootkits

antidebugging techniques, 22

anti-virtual machine techniques, 20–21

architecture, 13

C&C protocol parser, 17

communications protocol, 19

initialization phase, 26

work phase, 26–27

concealment methods, 22–24

DDoS attacks, 31, 32

domain name generation algorithm (DGA), implementation of, 30

driver, 17

encrypted strings, 16

forensics software, bypassing, 27–28

hooking, 22, 23

memory manager, 17

Microsoft Windows x86 platform target, 15

network sockets, 17

object-oriented framework of, 17

origins, 14

plug-in manager, 17, 19–20

popularity, 14

proxy plug-in, 33–34

proxy services, 31

registry key, 25

rootkit distribution, 15

security, bypassing, 27–28

spam modules, 31–32

FFS (firmware filesystem), 384, 385–386

field-programmable fuse (FPF), 293, 300

file encryption key (FEK), 210

FILE_OBJECT, 23

filesystems, hidden, 351–352

HiddenFsReader, 360–362

images, parsing, 360

miniport storage driver, 354–355

DEVICE_OBJECT modification, 359

direct patching of, 356–357

storage device stack layout, 355–356

usage, 362

finite state machine, 298

firewalls, Windows, 34

firmware, 261–262

anomalies, detecting, 205

filesystem, 384, 385–386

graphics card, 262

hard drive (HDD/SSD), 262

peripheral devices, for, 262

platform-specific nature of, 364

Power Management Unit (PMU), 287

rootkits, 320 (see also specific rootkits)

protecting against, 205

security issues, 205

system-to-system variations, 262

types, 262

UEFI, in (see Unified Extensible Firmware Interface (UEFI))

firmware filesystem (FFS), 384, 385–386

firmware implants, 256

Firmware Interface Table (FIT), 340, 342

firmware Trusted Platform Module (fTPM), 288

flash address (FADDR) register, 370, 373

Flashrom, 375, 379

forensics, firmware

analysis, BIOS firmware image, 365–366

emergence of, 364

importance, 364–365

limitations of, 364

FPF (field-programmable fuse), 293, 300

fsbg.efi module, 279

FT2232H Mini Module, 377, 379

FT2232 SPI programmer, 375

G

GangstaBucks, 4

Gapz, 10, 83, 92–93, 106

antimalware software, self-defense against, 194–196

C&C servers, communication with, 204, 206

command executor code, 200

complexity, 177

detection name, 179

DLL loader code, 199–200

dropper, 177, 178–179

algorithm, 180

analysis, 180–181

HIPS, bypassing, 181–183, 184

modifying Shell_TrayWnd procedure, 184–185

EXE loader code, 200–201

filesystem, hidden, 190, 197

functionality, 177–178, 186, 191–193, 199

hacker disassembler engine (HDE), 196

hooking, 190, 194–195, 202, 253

infection technique

BIOS parameter block, reviewing, 186–187

kernel-mode driver, malicious, loading, 189–190

VBR, infecting, 187, 188–189, 190

installation, 177, 178–179

kernel-mode code, 178

kernel-mode driver, 189, 190

kernel-mode module, 190, 195

memory allocation, 198–199

name, origin of, 178

network architecture, 206

payload communication interface, 201–202, 204

payload injection, 196–199

pre-Vista operating systems, use on, 199

purpose, 189

security software checks, bypassing, 195

shellcode, 182, 184–186

Shell_TrayWnd, 182, 184

storage, hidden, 193–194

VBR target, 145, 235

Win32/Gapz.A, 179

Win32/Gapz.B, 179

Win32/Gapz.C, 177, 178

Gazet, Alexandre, 315

GDB. See GNU Debugger (GDB)

Gigabyte, 272

Gigabyte Brix platform, 272

GitHub, 304, 310

Global Descriptor Table, 10, 162

global unique identifier (GUID), 235, 386. See also GUID Partition Table (GPT)

GNU Debugger (GDB), 116

IDA, combining with, 126–130

protocol, 126

VMware, use with, 124–126

Google, 365

GpCode trojan, 208

graphics processing unit (GPU), 288

GUID Partition Table (GPT), 213

boot flow, 239

drive, parsing with SweetScape, 241

fields, 241

headers, 240–241

infecting, with Petya, 214–215

partitioning scheme, 215, 236

partitions, number of, 235–236

partitions, sizes, 236

specifics, 238–241

support, checking for on Windows, 240

UEFI support for, 235–236

H

hacker disassembler engine (HDE), 196

Hacking Team, 244, 275, 363

hal.dll, 67, 246

hardware abstraction layer (HAL)

abstractions, 250

interfaces, 388

library, 246

module, 246

wrappers, 245

hardware sequencing flash control (HSFC) register, 370–371, 373

hardware sequencing flash status (HSFS) register, 370–371

Hardware Validated Boot (HVB), 350

HBA (host-based architecture), 9

Heasman, John, 267

HECI (Host-Embedded Controller Interface), 312

Hex-Rays, 136, 249. See also IDA Pro

HiddenFsReader, 360–362

HiddenSectors, 187–188

hooking

benign, 43

bootmgr module, 161, 189

Carberp trojan malware, 173

defining, 7

detecting, 196

Festi, in, 22–23

Gapz, in (see Gapz)

manipulating object data, 41

placement, hook, 8

recovery of hooks by rootkits, 43

TDL3 technique (see TDL3)

ZwEnumerateKey, 25

host-based architecture (HBA), 9

Host-Embedded Controller Interface (HECI), 312

Host Intrusion Prevention Systems (HIPS), 34, 36, 177

bypassing, 180, 181–183, 184

Endpoint Detection and Response (EDR) approach, 45

HSFC (hardware sequencing flash control) register, 370–371, 373

HSFS (hardware sequencing flash status) register, 370–371

HTTP flooding, 32

HTTP protocol, 204

HTTP proxy, 207

HVB (Hardware Validated Boot), 350

Hypervisor-Enforced Code Integrity (HVCI), 81

Hyper-V virtual machine manager, 130, 250

I

IAT (Import Address Table), 20, 197, 200

IDAPathFinder, 249

IDA Pro, 95

BIOS disk service, analyzing

accessibility, 101

DISK_ADDRESS_PACKET, 104

entry point, 101

EXTENDED_GET_PARAMS, 102–103

extended read operations, 103

malicious boot loader sectors, reading, 103–104

MBR drive parameters, 102

MBR partition table analysis, 104–106

Bochs emulator, combining with, 116, 118, 123–124

database, 98

decryption, 153

defaults, 97

disassembly, 98, 249

Gapz, use with, 180

GDB debugger, combining with, 126–130

MBR, analyzing

decrypting, 96, 99

drive parameters, 102

entry point analysis, 98–99

loading, 96, 97–98

MBR drive parameters, 102

MBR partition table analysis, 104–106

memory management, 99–100

MBR loader, writing a custom, 108–109

accept_file, 109–110

loader.hpp, 109

load_file routine, 110–111

partition table, importing, 111

memory allocation, 127

scripting engine, 99

VBR analysis techniques

kernel-mode drivers, analyzing, 108

malicious boot loaders, analyzing, 107–108

VM, attachment to, 127

IDT (Interrupt Descriptor Table), 10, 162

Import Address Table (IAT), 20, 197, 200

Initialize, 18

Initial Program Loader (IPL), 62

decryption, 152–153, 156, 159, 160

Rovnix, creation of code modification, 151–152, 159, 235

TDL4 infection, 91–92

Input/Output Control (IOCTL) code, 10

input/output request packet (IRP). See I/O request packet (IRP)

instruction set architecture (ISA), 288

INT 13h. See interrupt 13th handler (INT 13h)

integrated graphics processing unit (iGPU), 288

Integrated Sensor Hub (ISH), 287

Intel, 80, 253, 267

200 Series, 367

Active Management Technology (AMT), 288, 313–314

Advanced Threat Research (ATR) group, 275

Baseboard Management Controller (BMC), 288, 289, 313, 314–315

Boot Guard (see Boot Guard)

Embedded Controller (EC), 287, 298

GBE, 380

gigabit network, 287

Integrated Sensor Hub (ISH), 287

Intel Management Engine (ME), 263, 286–289, 311

code attacks, 312

firmware, 380

SPI flash, relationship between, 369

vulnerabilities, 311–312

Intel Product Assurance and Security (IPAS), 264

Intel PSIRT, 289

Intel Security Center of Excellence, 264

Internet of Things, 263

interrupt 13th handler (INT 13h)

accessing, 101

bootmgr, use by, 66

disk operations, interface for, 87

disk service, 60, 68

entry point, 101

executing, 104

extended read operation parameter, 103

hooking, 87, 90, 91, 160, 163, 189

Satana, use by, 229

tampering with, 60

Interrupt Descriptor Table (IDT), 10, 162

Invisible Things Lab, 311

IoAttachDeviceToDeviceStack, 24

IOCTL (Input/Output Control) code, 10

I/O driver, 24

IoGetRelatedDeviceObject, 24

IoInitSystem, 190

IoRegisterShutdownNotification, 25

I/O request packet (IRP), 8, 24, 25, 40

Bochs emulator, use in, 120

Festi, role in, 28

malware, bypassing defensive tools, role in, 85

processing, 28

IPAS (Intel Product Assurance), 264

IPL (Initial Program Loader). See Initial Program Loader (IPL)

IP network protocols, 170

IRP_MJ_CREATE, 27–28

IRP_MJ_DIRECTORY_CONTROL, 25

IRP_MJ_INTERNAL_CONTROL, 10

ISA (instruction set architecture), 288

ISH (Integrated Sensor Hub), 287

J

jmp instructions, 153, 156–158

K

Kallenberg, Corey, 264, 307, 338

Kaspersky Lab, 262, 275

kdcom.dll, 67, 87–88

KdDebuggerEnabled, 22

KEK (key exchange key), 329, 337

kernel integrity, Microsoft Windows, 3

kernel rootkits, stealth mission of, 7

Kernel-Mode Code Signing Policy, 7, 12

bootkits, effectiveness against, 51, 52–53, 64, 73

bypassing, 133

ci.dll module (see ci.dll)

disabling, 52, 67

driver signatures, 73–74

effectiveness, 270

integrity checks, 73

introduction of, 73, 233

legacy code integrity weakness, 74–76

rootkit development, impact on, 255, 319

kernel-mode drivers

configuration information, 16

DriverUnload, 203

duties of, 15

kernel-mode modules, 190, 195, 196

kernel-mode programming, 13–14

kernel, system. See system kernel

key exchange key (KEK), 329, 337

key manifest (KM), 344

KLDR_DATA_TABLE_ENTRY, 5

known bad driver, 71

known good driver, 71

L

Lambert, John, 36

language-theoretic security, 105

LBA (logical block address), 11, 101–102, 240, 241

legacy-based machines, boot process, 58

legacy code, integrity weakness, 74–76

LegbaCore researchers, 314

Lenovo Thinkpad T540p, 324, 330, 375–376

Linker, Bring Your Own, 78

linking, 78. See also hooking

Linux, 17, 95, 118

loader.hpp, 109

Load Runner, 51

local privilege escalation (LPE), 178–179, 224

logical block address (LBA), 11, 101–102, 240, 241

LoJack. See Computrace

LOJAX, 297

lwIP library, 170–171

M

Macronix MX25L6473E, 379

MajorFunction array, 357–358

Management Engine (ME). See Intel Management Engine (ME)

Master Boot Record (MBR), 58

bootloaders, 212

decrypting, 99

entry point, analyzing, 98–99

infection techniques, 83, 84

input parameters, 99–100

loaders, 108–109

loading, into IDA Pro, 96–97

memory allocation, 99, 100

modification by infecting bootkit, 98–99

overwriting, with Shamoon, 210

partition tables, 90–91, 104–105, 109, 111, 138–139, 151, 235, 239

Protective, 239

unmodified, 152

master file table (MFT), 209, 212, 216

Matrosov, Alex, 272, 275, 289, 300, 306

mbedtls library, 216

mbr.mbr, 120

MD5, 190

ME (Management Engine). See Intel Management Engine (ME)

Mebromi, 257

Mebroot, 53

memory protection bits, 263, 264

Microsoft. See also Windows, Microsoft

digital signature checks, 52

event notification methods, 36

kernel debugger, 45

Miller, Charlie, 262

miniport storage driver, 354, 355, 359

ModR/M, 196

MS-DOS, 50, 208

MSI Cubi2, 264

N

Necurs rootkit, 76

.NET metadata directory, 7

Network Address Translation (NAT), 33

Network Driver Interface Specification (NDIS), 53, 170–171, 204

NIST 800-147, 293

NIST 800-147B, 293

Nmap, 22

nonvolatile random access memory (NVRAM) variable, 236, 239, 242, 244, 246, 281, 323, 388, 390

npf.sys, 21

NTFS, 38, 92, 187, 209, 221, 223

NTFS parser, 277

ntldr bootloader, 64

ntop, 22

NULL device, 204

NuMega SoftIce, 44

O

Ob* functions, 41

OBJECT_HEADER struct, 41

OBJECT_TYPE struct, 41

ObReferenceObjectByHandle, 23

ObReferenceObjectByName, 30

Oleksiuk, Dmytro, 310

Olmarik family of malware, 4. See also TDL3

Olmasco, 90, 133–134

bootkit infection, 138–141

bot trackers, countermeasures, 137

filesystem, 142, 144–145

hard drive access, monitoring, 353

integrity verification, 143

interception methods, 40

MBR partition table modification, 235

partition table infection, 133

PPI distribution, 134

rootkit functionality

filesystem, maintaining, 141–142

hooking hard drive, 141

payload injection, 141

sandbox analysis, bypassing, 137

OpenProcedure, 42

OpenSSL, 326

Open Systems Interconnection (OSI), 206

Option ROM, 267, 332, 339

original equipment manufacturers (OEMs), 323–324

overlord32.dll, 198, 204

overlord64.dll, 198, 204

P

partition tables

MBR, as part of (see Master Boot Record (MBR))

Olmasco, infection by, 139, 140

Windows, 138

PatchGuard, 10, 25, 34, 255

Pay-Per-Install (PPI), 4

PCH (Platform Controller Hub), 288, 365

PCI bus driver, 38, 368

PCI configuration space, 367

PCIe devices, 288

PE (Portable Executable). See Portable Executable (PE)

Perigaud, Fabien, 314

Permeh, Ryan, 53

Petya, 209

administrator privileges, acquiring, 212

bootloader components, 210, 212, 214, 215–216, 219–220, 223

complexity, 225

cryptographic functionality, 216

encrypting, 215–216

functionality, 225

GPT partition tables, parsing, 221–222

hard drive, infecting

GPT hard drive, 214–215

MBR hard drive, 213–214

infection methods, 212

master file table, encrypting

decrypting, 224

disks, finding, 220

EncryptionStatus, 220

locating, 222, 223

metadata, 225

parsing, 223–224

MBR infection, 230

ransom key, 217–218

ransom message, displaying, 224

ransom URLs, generating, 219

Satana, compared to, 230

system, crashing, 219, 220

ZIP archives, 209

Platform Controller Hub (PCH), 288, 365

platform key (PK), 330, 337

plug and play (PnP), 38, 74

PLUGIN_INTERFACE, 17, 20

plug-ins

distributed denial of service (DDoS) botnets, role in, 15–16

downloads from C&C servers, 17–19

Festi manager, 17

functions, 15

polymorphism, 156

Portable Executable (PE)

headers, 67, 137

images, 322

position-independent code, 190

POSIX, 95

Power Loader, 186

Power Management Unit (PMU), 287

Power-On Self-Test (POST), 59

PPI (Pay-Per-Install), 4

proof of concept (PoC), 53–54, 272, 307

_ProtoHandler routine, 22

PRx protections, 264, 294–296

pshed.dll, 67

PsSetLoadImageNotifyRoutine, 37

public key certificates, 323

Python, 27

Bochs emulator, use with, 120

decrypting MBR, 99

IPL, writing onto disk image, 120

MBR code, script to decrypt, 99

MBR code, writing onto disk image, 120

MBR loaders, 109

VBR code, writing onto disk image, 120

Q

QEMU emulator, 116

R

ransomware, 207–208

bootkit functionality, 208, 209

C&C servers, communicating with, 211

history of, 208–209

operations, common, 210–211

Petya (see Petya)

ransom key, 217–218

ransom message, displaying, 224, 229

Satana (see Satana)

types of, 208

UEFI (see Unified Extensible Firmware Interface (UEFI))

victims, 230, 231

RC4 cipher, 136, 190, 210

RC5 cipher, 210

RC6 cipher, 168

RDPdoor, 171

ReadFile, 11

ReadFileX, 142

ReadFromTcpStream, 18–19

read protections (RP), 295

Reaper, 50

Release, 18

reset, 229

return-oriented programming (ROP), 184

Reveton, 208

Rivest ciphers, 136, 168, 190, 210

Rivest, Ron, 168

rkloader, 276, 279

Robshaw, Matt, 168

Root Complex Base Address (RCBA), 368

Root Complex Register Block (RCRB), 368

rootkits. See also TDL3; TDL4

Aeroflot crime case, 14

detecting, 43

detection avoidance, 35, 42

evolving nature of, 35

Festi rootkit (see Festi rootkits)

history of, 44–45

injection, 269–271

BIOS update process, exploiting, 272–274

Capsule Update, use of, 274–275

SMM privilege escalation, using, 271–272

interception methods

object dispatcher, intercepting, 41–43

system calls, intercepting, 37–38

system events, intercepting, 36–37

kernel-mode attacks, 269

LOJAX, 297

neutralizing, 43

object data, altering/manipulating, 41

pointers, 42

purpose, 35

Sony, 43

trends, 12

root of trust, 79, 293, 297–299, 311–312, 331

ROP (return-oriented programming), 184

Rovnix bootkit, 10, 83, 91–92, 106, 115

architecture, 148, 149–150

basic blocks, 153

boot process, interference with, 160

Carberp trojan malware (see Carberp trojan malware)

communication channels, hidden, 169–171

complexity, 175

create-process handler, 165

encryption, 168

evolution, 148–149

filesystem, 149, 168–169

hard drive access, monitoring, 353

hooking by, 160–161, 163, 167

infection algorithm, 150–151

interception methods, 40

Interrupt Descriptor Table, abuse of, 161–162

IPL infection, 154, 159, 162, 174–175, 235

kernel-mode driver, 163–164, 169, 174

memory allocation, 162

origins, 147

payload module, injecting, 164–166

self-defense mechanisms, stealth, 166–167

symbolic link, 168

system registry key, 152

VBR target, 145

Virtual File Allocation Table (VFAT) filesystem, 168

RSA encryption, 211

S

S3 Boot Script, 205, 298, 306–307

dispatch code, 309

script vulnerability, 311

sleep state, 307

suspend-resume cycle, 307

weaknesses, exploiting, 307–310

sandbox environment, 21, 173

Satana

bootloader components, 210

dropper, 225–226

debug information, 227–228

interrupt 13th handler (INT 13h), use of, 229

MBR decryptor code, 227

MBR infection, 226–230

Petya, compared to, 230

ransom message display, 229

recovery from, 231

TEMP folder, executing copy of, 226

sciport.sys, 195

SCSI disk devices, 38

SEC (security) phase, UEFI, 243

Second Level Address Translation (SLAT), 80

SecSmiFlash, 306

Secure Boot, 51, 53, 59, 130, 261

attacking

overview, 335

patching PI firmware, 335–338

bootkit threats, as defense against, 319–320

bypassing, 79, 290, 293, 299, 337

chain of trust, 298

Compatibility Support Module (CSM), incompatibility, 234

creation, 234

disabling, 299

enabled, 66

finite state machine, 298

firmware rootkit implants, bypassing by, 270

initialization, 248

integrity checks, 75

origins, 293

OS Secure Boot, 320

Platform Secure Boot, 320

protections, 80, 334–335

Measured Boot, 338–339

Verified Boot, 338–339

signature verification algorithm, 327

SMM-based attacks, 293

Unified Extensible Firmware Interface (UEFI), 320

boot keys, secure, 328–329

boot sequence, 321

code integrity checks, 326

db database, 323–326, 347

dbr database, 328

dbt database, 328

dbx database, 326–328, 337

executable authentication with digital signatures, 322–323

implementation, 320–321

key exchange key (KEK), 329, 337

platform key (PK), 330, 337

policies, 332–334

relationship between, 78–79, 234, 253

root of trust, 331

time-based authentication, 328

variables, 302

verification, 79

vulnerabilities, 298, 320

security (SEC) phase, UEFI, 243

SELinux, 75

Serial Peripheral Interface (SPI) bus, 365

SetFilePointer, 226

SHA1, 191, 197

Shamoon, 210

Sheldor, 171

shellcode, 182, 184–186, 309

Shell_TrayWnd, 182, 184

Shlej, Nikolaj, 274

SIB, 196

Sidney, Ray, 168

signature certificates, 322

Skrenta, Rick, 50

Skylake CPU, 253

SLAT (Second Level Address Translation), 80

SMBus, 287

SMC (System Management Controller), 289

SMI (System Management Interrupt). See System Management Interrupt (SMI)

SmiFlash, 273, 306

SMM. See System Management Mode (SMM)

SMM BIOS Write Protection, 263

SMM BIOS Write Protection Bit, 297

SMM_BWP, 263

SMRAM, 301, 304

SMTP servers, 31, 32

Snort, 22

Socket Secure (SOCKS), 34

Soeder, Derek, 53

SoftIce, 44

Software Publisher Certificate (SPC), 73

SOIC-8 clip, 378

Sony rootkit, 43

South Bridge, 365

SPI (Serial Peripheral Interface) bus, 365

SPI Base Address Register (SPIBAR), 368–369

SPI flash, 242, 244–245, 263, 265, 269, 271, 312

chipsets, stored on, 366

data, reading, 372–373

firmware image stored on, 366

firmware located on, 369

forensic analysis of, 365

FT2232 Mini Module, use with, 375

image, parsing, 389–390

layout, 381

memory chip, 376–377

modifying contents, 335

protecting, 294–295, 296

read/write access, 287

regions, 381–382

registers (see SPI registers)

SPI programmer, 374–375

SPI registers, 369

array of flash data (FDATAX) register, 372–374

flash address (FADDR) register, 370, 373

FREGI register, 370, 372

hardware sequencing flash control (HSFC) register, 370–371, 373

hardware sequencing flash status (HSFS) register, 370–371

spoolsvc.exe, 182

SSDT (System Service Descriptor Table), 10, 25, 43

static analysis

conventional approaches, 108

IDA Pro use (see IDA Pro)

MBR, relationship between, 99

signatures, static, 89

Volume Boot Record (VBR) (see Volume Boot Record (VBR))

Stoned, 53–54

Structure window, 382

Stuxnet, 85

supply chain attacks, compromised, 291

firmware attacks, relationship between, 364–365

problems, potential, 292

risk mitigation, 293–294

SweetScape, 241

symbolic link, 168

system kernel

integrity, 43

restoring, 43–44

System Management Controller (SMC), 289

System Management Interrupt (SMI) handler, 257, 258, 271, 296

exploiting, 301, 303

parameters, 303

validation of addresses/pointers, 305

vulnerabilities, 304

System Management Mode (SMM), 258

BIOS Write Protection Bit, 297

data, receiving, 303

design feature, 301

functionality, 294

initializing, 244

introduction, 244

privilege escalation, 290

rootkits targeting, 270, 286

SPI Flash, relationship between, 294

SPI Protected Ranges, relationship between, 264

threats to, 270–272, 287

vulnerability, 263–264

SystemRoot, 23

System Service Descriptor Table (SSDT), 10, 25, 43

T

tag-value-term scheme, 27

TBB (Trusted Boot Board), 346–347

TCP flooding, 32

TCP/IP network stack, 190

TCP/IP protocol stack, 204

tcpip.sys driver, 30

TCP network protocols, 170

TCP stream, 18

TDL4, hooking, 87

TDL3

bootkit technology, 12

boot process infection, 84

detection, avoidance of, 45

distribution, 4

driver objects, malicious, 9

evolution of, 55

filesystem, hidden, 10–11

file table, 11

hard drive access, monitoring, 353

hooking, 34

hooks, kernel-mode, 89

infection mechanism, 3

infection process, 57

I/O requests, maintaining and handling, 11–12

origins, 4

piggybacking on Windows interfaces, 12

read/write intercepts, 8

reliability, 11

.rsrc section, 5

TDL4, compared to, 4

TDL4

boot code modifications, 235

bypassing security during boot, 86–88

code integrity checks, disabling, 88–89

evolution of, 55, 133

interception methods, 40

introduction of, 7

MBR code modification, 84, 188

MBR partition table modification, 90

origins, 4

system infection, 84–86

system reboot, forced, 85–86

TDL3, compared to, 4

TDSS family of malware, 4. See also TDL3

Tereshkin, Alexander, 311

Terse Executable (TE) images, 322

ThinkPwn (LEN-8324), 263

Thunderbolt Ethernet adapter, 267–268

Time Stamping Authority (TSA) service, 327

Titan, 365

TOCTOU (time of check to time of use), 74

TOR protocol, 209, 219

TorrentLocker, 211

Transport Driver Interface, 170

trojans, 173

bootkit persistence methods, 207

Carberp trojan malware (see Carberp trojan malware)

GpCode trojan, 208

outbreak of, 231

Petya (see Petya)

Satana (see Satana)

Shamoon, 210

Trojan.Win32.EquationDrug.c, 262

Trusted Boot Board (TBB), 346–347

Trusted Platform Module Platform Configuration Registers (TPM PCRs), 338, 339, 344

TSA (Time Stamping Authority) service, 327

U

UDP flooding, 32

UEFITool, 380–386

Unified Extensible Firmware Interface (UEFI), 58

BMC, use of, 288

BmMain, 247–248

boot configuration data, 247–248

Boot Device Selection (BDS), 244

bootkit development, impact on, 255–256

bootloaders, 236, 266

boot manager, 242, 245

boot process, 235–236, 265–266, 335

Boot Services, 250

complexity, 235

defining, 234

development, 234

digital signatures, 322

disk partitioning, 235–236

Driver Execution Environment (DXE), 244

DXE drivers, 265–266

execution environment, establishing, 245–246

Exit Boot Services, 250

firmware, 237, 242–243, 245, 265–266, 269, 276

forensics (see forensics, firmware)

GPT, support for, 235–236

implementations, 322

legacy BIOS, vs., 236, 237, 243

memory protection bits, 263, 264

modern vs. legacy, 233–234

NVRAM variable, 242, 244

open source, 234

Option ROM (see Option ROM)

OS bootloader, 242

OS loader, 242, 245

partitioning scheme, 242

platform initialization, 242

Pre-EFI Initialization (PEI) phase, 243

protected mode, 237, 249

protocol initializations, 279

ransomware, 273

rootkits, 244

Computrace/LoJack (see Computrace)

Vector-EDK (see Vector-EDK)

runtime services, 249

Secure Boot (see Secure Boot)

security (SEC) phase, 243

specification, 243–244

SPI flash (see SPI flash)

standards, 233–234

System Management Mode, 244

UEFITool (see UEFITool)

vulnerabilities, 234–235, 263–265, 269, 308

Windows Boot Manager, accessing, 245

unique identifiers (UIDs), 4, 134

Update App, 305

Update Driver, 305

Uroburos family of malware, 75

User Account Control (UAC), 151, 179

V

Vbootkit, 53

VBR (Volume Boot Record). See Volume Boot Record (VBR)

VDO (volume device object), 39

Vector-EDK, 275, 277–280

Vilaca, Pedro, 307

VirtualBox driver, 75

Virtual File Allocation Table (VFAT) filesystem, 168

Virtual File System (VFS), 8

virtualization-based security (VBS), 289

virtual machine manager (VMM), 130

virtual machines, 5, 116, 310

Virtual Secure Mode (VSM), 80–81, 250, 252, 255

VirusTotal, 5

VMware, 20

debugging case example

decryption, 157, 158

IPL polymorphic decryptor, dissecting the, 156–159

MBR code, observing, 154–155

memory allocation, 156

VBR code, observing, 154–155

decryption, 153

GDB debugger, use with, 124–126

Player version, 125

Professional version, 125

VMware Workstation, 116

configuring, 125–126

GDB, combining with IDA, 126–130

malicious bootstrap, debugging, 130

Volume Boot Record (VBR), 61, 62–64

Bochs emulator, use with, 120

bootkits, role in, 96

HiddenSectors, use of, 187

infection techniques, 83, 105–106

Parameter Block, 106

TDL4 infection, 87, 91, 92–93

unmodified, 152

volume device object (VDO), 39

Vrublesky, Pavel, 14

W

War Games, 44

Win32, 142, 149

Win32/Gapz.A, 179. See also Gapz

Win32/Gapz.B, 179. See also Gapz

Win32/Gapz.C, 178. See also Gapz

Win32/Redmys, 186

WinCIH virus, 256–257

WinDbg, 45

Windows Boot Loader, 242, 245, 248–249, 250, 252

Windows Boot Manager, 242, 245, 247–249, 266

Windows Driver Kit (WDK), 9

Windows Management Instrumentation (WMI), 137–138

Windows Object Manager, 182

Windows packet capture library, 21, 22

Windows Task Scheduler, 85

Windows, Microsoft

boot process (see boot process, Microsoft Windows)

bximage, use with, 118

debuggers, 41

file subsystem, 38–39

GPT support, checking for, 240

kernel integrity, 3

kernel patch protection (see PatchGuard)

Kernel-Mode Code Signing Policy (see Kernel-Mode Code Signing Policy)

kernel-mode drivers, 37

operating systems

32-bit editions, 25, 73, 126

64-bit editions, 10, 12, 25, 34, 84, 126

boot process (see boot process, Microsoft Windows)

debugging with, 126

rootkits piggybacking on, 12

system registry, 37

version 10, 272

Device Guard, 80, 81

Second Level Address Translation (SLAT), 80

virtualization-based security, 79–81

Virtual Secure Mode, 80–81

version 7, 41, 77, 78

version 8, defensive changes, 77–78

version 95, 256

version 98, 256

Vista, 52–53, 64, 75, 78

x86 platform, as target for Festi botnets, 15

winload.exe, 64, 79, 87, 163, 189

boot start drivers, 67

OS boot, control of, 67

WinPcap, 21, 22

WinPE mode, 75

winresume.exe, 64, 87

Wireshark, 22

WMI (Windows Management Instrumentation), 137–138

Wojtczuk, Rafal, 263, 307

writedr, 22

WriteFile, 11, 226

WriteIntoTcpStream, 18

write protections (WP), 295

X

X.509 certificate, 76, 347

x86 processors, 302

Y

Yin, Yiqun Lisa, 168

Z

Z5WE1X64.fd, 275, 277

ZeroAccess, 10, 361

Zhou, Zhitao, 257

ZwCreateFile, 28

ZwEnumerateKey, 25
