Bootkits Step-by-Step (slides, final v1 release)
DESCRIPTION
These are the slides from my presentation on Bootkits at HOPE X Conference in New York City, July 20, 2014.
TRANSCRIPT
IBM Security Systems | © 2014 IBM Corporation
BOOTKITS STEP-BY-STEP AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS
Eric Koeppen
IBM X-Force Advanced Research
erkoeppe[at]us[dot]ibm[dot]com
@PorkChop
(v1)
AGENDA
Introduction
Snapshot of Boot Process for various OSes
A Look at Low-Level Technologies
– Case studies as examples of exploitation
– Advice for detection and prevention
Conclusion
INTRODUCTION
DEFINITION
For the purposes of this presentation, we define a bootkit as any malware (rootkit) that is persistent and executes below the level of the operating system kernel environment (ring 0), i.e. in boot sectors, boot loaders or platform firmware.
INTRODUCTION
Purpose: To look at how bootkits achieve persistence and to give advice regarding detection & prevention.
Scope is limited to x86 and x64 compatible architectures.
Scope does not include Virtualization technology.
More details can be found in the forthcoming companion white paper
THE BOOT PROCESS
BOOT PROCESSES > WINDOWS XP > BIOS
BIOS Boot Process for Windows XP:
POST → BIOS → MBR/VBR → NTLDR (using ntdetect.com) → NT Kernel
BOOT PROCESSES > WIN VISTA & LATER > BIOS
BIOS Boot Process for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2:
POST → BIOS → MBR/VBR → Windows Boot Manager (bootmgr), which reads the Boot Configuration Data (BCD) → Windows Loader (winload.exe) → OS
BOOT PROCESSES > WINDOWS VISTA SP1 & LATER > UEFI
UEFI Boot Process for Windows Vista SP1, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2:
POST → UEFI → MBR/VBR or GPT → Windows Boot Manager (bootmgfw.efi), which reads the Boot Configuration Data (BCD) → Windows Loader (winload.efi, the UEFI counterpart of winload.exe) → OS
BOOT PROCESSES > WINDOWS 8 & LATER > SECURE BOOT
Secure Boot Process for Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows RT:
POST → UEFI → MBR/VBR or GPT → Verified Boot Manager (signature checked by the firmware against its Secure Boot database) → Verified OS Loader (signature checked by the Boot Manager) → OS
BOOT PROCESSES > MAC > EFI BOOT
EFI Boot Process for Mac:
POST → BootROM (hardware init) → EFI (OS select) → Boot Loader (boot.efi) → OS
BOOT PROCESSES > LINUX > BIOS
BIOS Boot Process for Linux:
POST → BIOS → MBR/VBR or GPT → Boot Loader (LILO or GRUB) → Linux Kernel
BOOT PROCESSES > LINUX > UEFI
UEFI Boot Process for Linux:
POST → UEFI (its boot manager data in NVRAM selects the loader) → MBR/VBR or GPT → Boot Loader → Linux Kernel
BOOT PROCESSES > LINUX > SECURE BOOT
Secure Boot Process for Linux:
POST → UEFI → MBR/VBR or GPT → Signed Boot Manager (e.g. shim) → Signed Boot Loader (e.g. GRUB) → Linux Kernel
A LOOK AT LOW-LEVEL TECHNOLOGIES
LOW-LEVEL TECHNOLOGIES > BIOS
Basic Input/Output System (BIOS)
– Firmware interface used to boot older machines
– Stored in a non-volatile (flash) ROM chip on the motherboard
– The image is made of modules compressed with LZH (Award-style images)
  • Each module has an 8-bit checksum for verification
– Some modules are stored uncompressed:
  • The bootblock that handles POST & emergency boot
  • The decompression routine
– Modifying a module without updating its checksum makes the system unbootable
LOW-LEVEL TECHNOLOGIES > BIOS > EXPLOITATION
Persistent BIOS Infection, presented by Core Security (Anibal Sacco & Alfredo Ortega) at CanSecWest 2009
– Used 2 techniques for producing a modified BIOS image:
  1. Rebuild the image with a BIOS building tool, e.g. Pinczakko's method
  2. Patch the existing image & update its checksums
– Three steps for flashing the BIOS:
  1. Dump the BIOS with flashrom
  2. Patch & update checksums
  3. Re-flash
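The check behind the "patch & update checksums" step, as an added example that is not Core Security's tool and not code from the talk: a walker over a constructed module container in which each module is [u16 length][payload][u8 checksum] and verifies when all of its bytes sum to 0 modulo 256. The container layout is an assumption made for the demo (real vendor images differ in header details), but the verify and fix-up logic is what the attacker has to automate after patching, and what a board's own check trips over when they don't.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed (constructed) module layout, standing in for a real BIOS image:
 *   [u16 length, little-endian, covers header+payload+checksum] [payload ...] [u8 checksum]
 * A module verifies when all of its bytes, checksum included, sum to 0 mod 256. */

/* Additive 8-bit checksum: sum of bytes modulo 256. */
uint8_t sum8(const uint8_t *buf, size_t len)
{
    uint8_t s = 0;
    for (size_t i = 0; i < len; i++)
        s = (uint8_t)(s + buf[i]);
    return s;
}

/* Length field of the module starting at p. */
static size_t module_len(const uint8_t *p)
{
    return (size_t)p[0] | ((size_t)p[1] << 8);
}

/* 1 if the module at p verifies. */
int module_ok(const uint8_t *p)
{
    size_t len = module_len(p);
    return len >= 3 && sum8(p, len) == 0;
}

/* Recompute the trailing checksum byte so the module sums to 0 again.
 * This is the "update checksums" step an attacker performs after patching. */
void module_fix_checksum(uint8_t *p)
{
    size_t len = module_len(p);
    p[len - 1] = (uint8_t)(0u - sum8(p, len - 1));
}

/* Walk every module in an image; return how many fail verification
 * (a corrupt or truncated header counts as a failure and stops the walk). */
int count_bad_modules(const uint8_t *img, size_t img_len)
{
    int bad = 0;
    size_t off = 0;
    while (off + 3 <= img_len) {
        size_t len = module_len(img + off);
        if (len < 3 || off + len > img_len)
            return bad + 1;
        if (!module_ok(img + off))
            bad++;
        off += len;
    }
    return bad;
}

/* Patch one payload byte of module `idx`, with or without fixing its checksum.
 * Returns 1 if the patch was applied. Header and checksum bytes are off limits. */
int patch_module_byte(uint8_t *img, size_t img_len, int idx, size_t rel_off,
                      uint8_t value, int fix_checksum)
{
    size_t off = 0;
    for (int i = 0; off + 3 <= img_len; i++) {
        size_t len = module_len(img + off);
        if (len < 3 || off + len > img_len)
            return 0;
        if (i == idx) {
            if (rel_off < 2 || rel_off >= len - 1)
                return 0;
            img[off + rel_off] = value;
            if (fix_checksum)
                module_fix_checksum(img + off);
            return 1;
        }
        off += len;
    }
    return 0;
}

/* Build a constructed two-module image into img (needs >= 16 bytes); returns its length. */
size_t build_sample_image(uint8_t *img)
{
    static const uint8_t payload0[] = {0xFA, 0xB8, 0x00, 0x00}; /* constructed "bootblock" bytes */
    static const uint8_t payload1[] = {0xE9, 0x10, 0x00};       /* constructed "decompressor" bytes */
    const uint8_t *pl[2] = {payload0, payload1};
    size_t pl_len[2] = {sizeof payload0, sizeof payload1};
    size_t off = 0;
    for (int i = 0; i < 2; i++) {
        size_t len = 2 + pl_len[i] + 1;
        img[off] = (uint8_t)len;
        img[off + 1] = (uint8_t)(len >> 8);
        memcpy(img + off + 2, pl[i], pl_len[i]);
        module_fix_checksum(img + off);
        off += len;
    }
    return off;
}

int main(void)
{
    uint8_t img[32];
    size_t n = build_sample_image(img);
    printf("fresh image:          %d bad modules\n", count_bad_modules(img, n));
    patch_module_byte(img, n, 0, 2, 0x90, 0);   /* patch without fix-up: the "bricked" case */
    printf("patched, no fix-up:   %d bad modules\n", count_bad_modules(img, n));
    patch_module_byte(img, n, 0, 2, 0x90, 1);   /* the attacker's way: patch and fix */
    printf("patched with fix-up:  %d bad modules\n", count_bad_modules(img, n));
    return 0;
}
```

The same walker, pointed at a real dump, is the verification a defender can run on the image flashrom reads back: a module that fails is either corruption or a patch whose author forgot step 2.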
LOW-LEVEL TECHNOLOGIES > BIOS > EXPLOITATION
Four ways to avoid this attack:
1. Stop initial access with common methods (AV, firewalls, etc.) so the attacker never gets to modify the BIOS
2. Enable flash write protection on the motherboard
3. Use digitally signed BIOS firmware, with the signature enforced by the update mechanism
4. Don't download BIOS updates from untrusted sources
LOW-LEVEL TECHNOLOGIES > UEFI
Unified Extensible Firmware Interface (UEFI)
– Designed as a BIOS replacement
– Larger, more powerful, and more modular
– Basically a bare-bones operating system
– Allows pre-OS networking
– Some versions provide pre-OS AV
– Provides 2 types of services:
  1. Boot services: only available at boot time (until the loader calls ExitBootServices)
  2. Runtime services: available while the OS is running
LOW-LEVEL TECHNOLOGIES > UEFI > EXPLOITATION
Dreamboot, presented by Sébastien Kaczmarek (Quarkslab) at Hack in the Box Amsterdam 2013
– A UEFI application that locates the Windows boot loader on the boot device & patches it in memory
– Hijacks the kernel entry point call in the loader to redirect control flow
– Deactivates kernel protections (once it gets around PatchGuard)
– Hides its payload in the ntoskrnl relocation table
LOW-LEVEL TECHNOLOGIES > UEFI > EXPLOITATION
Countermeasures:
– Prevent initial infection through normal means (AV, IPS, HIPS, secure use policies)
– Secure Boot: the boot loader's signature has to chain to a key stored in the firmware's signature database, so an unsigned or tampered loader is refused
– Intel TXT's "Late Launch" can help prevent loading modified software
– BitLocker in TPM mode makes patching the boot loader harder: the TPM records measurements of the boot components and will not unseal the volume master key if they don't match the values it was sealed against, so the system won't boot normally
LOW-LEVEL TECHNOLOGIES > SECURE BOOT
Secure Boot (UEFI)
– UEFI option where all applications and drivers loaded by the firmware must have a valid digital signature
– Secure Boot keys (PK, KEK, db/dbx) are stored in UEFI firmware variables
– Offers protection that makes compromise more difficult
LOW-LEVEL TECHNOLOGIES > SECURE BOOT > EXPLOITATION
Setup For Failure: Defeating Secure Boot, presented by Corey Kallenberg and the MITRE research team at Hack In The Box Amsterdam 2014
– Found that Secure Boot doesn't always run the signature check on all target EFI executables, especially Option ROMs (such as those on graphics cards)
– Found a way to modify the "Setup" UEFI variable that determines how lax the signature checking policy is, so that all target EFI executables run without a signature check
LOW-LEVEL TECHNOLOGIES > SECURE BOOT > EXPLOITATION
Countermeasures:
– Make sure the UEFI implementation follows the spec with regard to variable protection; the UEFI spec does not allow this exploit (the signature policy must not live in a variable the OS can rewrite)
– BIOS_CNTL register: BIOS Lock Enable (BLE) together with the SMM BIOS Write Protection (SMM_BWP) bit, so the BIOS region can only be written from SMM
– Intel Protected Range (PR0-PR4) SPI flash protections
  • Flash Configuration Lockdown (HSFS.FLOCKDN) bit, so the ranges can't be cleared again until reset
– Common security measures to prevent initial infection
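The BIOS_CNTL and Protected Range checks above, as an added example that is not the talk's code and not chipsec: given register values, decide whether the BIOS region of the SPI flash can be written from the OS. Bit positions are assumptions taken from the Intel ICH9 and 5-9 series PCH datasheets (BIOS_CNTL: BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5; HSFS: FLOCKDN bit 15; PRx: WPE bit 31, limit in bits 28:16, base in bits 12:0, both in 4 KB units), the flash geometry is constructed, and no hardware is read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed register layouts (Intel ICH9 / 5-9 series PCH era):
 *   BIOS_CNTL (LPC bridge PCI config 0xDC): bit0 BIOSWE, bit1 BLE, bit5 SMM_BWP
 *   HSFS (SPIBAR+0x04): bit15 FLOCKDN
 *   PR0..PR4 (SPIBAR+0x74..0x84): bit31 WPE, bits28:16 limit[24:12], bits12:0 base[24:12]
 * Reading the live registers needs a privileged PCI/MMIO reader; the values
 * fed in below are constructed for the demo. */

#define BIOS_CNTL_BIOSWE   (1u << 0)
#define BIOS_CNTL_BLE      (1u << 1)
#define BIOS_CNTL_SMM_BWP  (1u << 5)
#define HSFS_FLOCKDN       (1u << 15)

#define PR_WPE(pr)    (((pr) >> 31) & 1u)
#define PR_BASE(pr)   (((pr) & 0x1FFFu) << 12)
#define PR_LIMIT(pr)  (((((pr) >> 16) & 0x1FFFu) << 12) | 0xFFFu)

enum bios_wp {
    BIOS_WP_NONE,      /* BIOSWE set, or BLE clear: the OS can write the BIOS region */
    BIOS_WP_BLE_ONLY,  /* BLE without SMM_BWP: lock enforced only by an SMI handler, race-able */
    BIOS_WP_SMM        /* BLE + SMM_BWP: writes only from SMM */
};

/* Classify the BIOS_CNTL value. */
enum bios_wp classify_bios_cntl(uint8_t bios_cntl)
{
    if (bios_cntl & BIOS_CNTL_BIOSWE)
        return BIOS_WP_NONE;
    if (!(bios_cntl & BIOS_CNTL_BLE))
        return BIOS_WP_NONE;          /* BIOSWE can simply be set by software */
    if (bios_cntl & BIOS_CNTL_SMM_BWP)
        return BIOS_WP_SMM;
    return BIOS_WP_BLE_ONLY;
}

/* 1 if write-protected PR ranges cover [bios_base, bios_limit] and the
 * configuration is locked (FLOCKDN). Ranges may overlap or be out of order. */
int pr_covers_bios(const uint32_t pr[5], uint16_t hsfs,
                   uint32_t bios_base, uint32_t bios_limit)
{
    if (!(hsfs & HSFS_FLOCKDN))
        return 0;                      /* PRs could be cleared again, so they prove nothing */
    uint32_t cur = bios_base;
    for (;;) {
        int advanced = 0;
        for (int i = 0; i < 5; i++) {
            if (!PR_WPE(pr[i]))
                continue;
            uint32_t b = PR_BASE(pr[i]), l = PR_LIMIT(pr[i]);
            if (cur >= b && cur <= l) {
                if (l >= bios_limit)
                    return 1;          /* the rest of the region is inside this range */
                cur = l + 1;           /* continue from the first byte past it */
                advanced = 1;
                break;
            }
        }
        if (!advanced)
            return 0;                  /* a gap at cur: writable from the OS */
    }
}

/* Overall verdict: 1 if the BIOS region cannot be written from the OS by either mechanism. */
int bios_region_write_protected(uint8_t bios_cntl, uint16_t hsfs, const uint32_t pr[5],
                                uint32_t bios_base, uint32_t bios_limit)
{
    return classify_bios_cntl(bios_cntl) == BIOS_WP_SMM ||
           pr_covers_bios(pr, hsfs, bios_base, bios_limit);
}

int main(void)
{
    /* Constructed: 8 MB flash with the BIOS region at 0x600000-0x7FFFFF. */
    const uint32_t bios_base = 0x600000, bios_limit = 0x7FFFFF;
    const uint32_t pr_none[5] = {0, 0, 0, 0, 0};
    const uint32_t pr_bios[5] = {0x87FF0600u, 0, 0, 0, 0}; /* WPE, base 0x600000, limit 0x7FFFFF */
    struct { const char *name; uint8_t cntl; uint16_t hsfs; const uint32_t *pr; } cases[] = {
        {"BIOSWE=1",                  0x01, 0x0000, pr_none},
        {"BLE only",                  0x02, 0x0000, pr_none},
        {"BLE+SMM_BWP",               0x22, 0x0000, pr_none},
        {"PR covers BIOS, FLOCKDN",   0x02, 0x8000, pr_bios},
        {"PR covers BIOS, unlocked",  0x02, 0x0000, pr_bios},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-26s protected=%d\n", cases[i].name,
               bios_region_write_protected(cases[i].cntl, cases[i].hsfs, cases[i].pr,
                                           bios_base, bios_limit));
    return 0;
}
```

The BLE-only state is worth flagging separately rather than folding into "protected": the lock is only as good as the SMI handler that re-clears BIOSWE, and that handler is exactly what the SMM-era attacks on this page go after.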
LOW-LEVEL TECHNOLOGIES > MAC EFI
Mac EFI
– Does basic hardware initialization
– Selects the operating system to load
– Modular: comprised of core components, apps, drivers, bootloader
– Lots of jump tables with function pointers
– Core components reside in the Mac BootROM
– Used on all Intel Macs
LOW-LEVEL TECHNOLOGIES > MAC EFI > EXPLOITATION
De Mysteriis Dom Jobsivs: Mac EFI Rootkits, presented by Snare at Black Hat 2012
– Lists 3 valid options for persistence:
  1. Patch or replace the bootloader /System/Library/CoreServices/boot.efi
  2. Write to a PCI device expansion ROM, writeable from the OS via device firmware updates and/or the flashrom application
  3. Flash the firmware, also with flashrom, but the Firmware Volume signature gets checked by the BootROM & newer Macs write-protect the flash
LOW-LEVEL TECHNOLOGIES > MAC EFI > EXPLOITATION
Countermeasures:
– An EFI firmware password can prevent changing the boot target, but it can be bypassed
– UEFI Secure Boot would be nice but was unsupported on Macs at the time of this talk
– Use normal measures to prevent initial infection
– Restrict physical access and consider blocking ports to avoid the "Evil Maid" scenario
LOW-LEVEL TECHNOLOGIES > SMM
System Management Mode (SMM)
– Most privileged execution mode on x86/x64 architectures (often called "ring -2")
– Has access to all of system memory
  • Not subject to standard OS memory protections such as page tables
– Its code is installed in SMRAM by the system firmware (BIOS or UEFI) at boot
– Entered via System Management Interrupts (SMIs), which are dispatched to SMI handlers
LOW-LEVEL TECHNOLOGIES > SMM > EXPLOITATION
A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers, Phrack article by Filip Wecherowski
– Modified a System Management Interrupt (SMI) handler to create an I/O-trap-based keylogger
– Only applies to Asus motherboards with AMIBIOS
LOW-LEVEL TECHNOLOGIES > SMM > EXPLOITATION
Countermeasures:
– Common methods (AV, IPS, HIPS, good security policies, educated users, etc.) to prevent initial infection
– The author wrote a simple C program to detect the keylogger: it reads the Root Complex Base Address Register (RCBA) to find the chipset configuration space, then checks the I/O trap registers to see whether trapping is enabled on the keyboard controller ports
– SMM Transfer Monitor (STM) to sandbox the existing SMM handler by virtualizing it using VT-x and VT-d. Unfortunately it was not available at the time of this talk (2014)
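The detection idea from the author's C program, as an added example in C that is not the Phrack author's code: decode the RCBA register to find the chipset configuration space (RCRB), then decode the IOTR0-IOTR3 trap registers to see whether the keyboard controller ports 0x60/0x64 are being trapped into SMM. The register layouts are assumptions taken from the Intel ICH9 datasheet and the values are constructed; reading them on real hardware means mapping the RCRB (e.g. via /dev/mem as root), which is deliberately not done here.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed register layouts (Intel ICH9 datasheet; later PCHs are similar):
 *   RCBA (LPC bridge PCI config 0xF0): bit0 enable, bits31:14 base of the RCRB;
 *        the usual value is 0xFED1C001
 *   IOTR0..IOTR3 (RCRB+0x1E80, +0x1E88, +0x1E90, +0x1E98), 64-bit each:
 *        bit0 TRSE (trap & SMI enable), bits15:2 I/O address[15:2],
 *        bits23:16 address mask for bits 9:2, bits35:32 byte enables,
 *        bits39:36 byte-enable mask */

#define IOTR_TRSE   (1ull << 0)
#define KBC_DATA    0x60   /* 8042 keyboard controller data port */
#define KBC_STATUS  0x64   /* 8042 status/command port */

/* RCRB base from the RCBA register, or 0 when the window is disabled. */
uint32_t rcba_base(uint32_t rcba_reg)
{
    return (rcba_reg & 1u) ? (rcba_reg & 0xFFFFC000u) : 0;
}

/* 1 if this IOTRn value would trap accesses to `port` into SMM. */
int iotr_traps_port(uint64_t iotr, uint16_t port)
{
    if (!(iotr & IOTR_TRSE))
        return 0;
    uint32_t addr = (uint32_t)(iotr & 0xFFFCu);                   /* bits 15:2, dword aligned */
    uint32_t mask = (uint32_t)(((iotr >> 16) & 0xFFu) << 2);     /* don't-care address bits */
    if (((port & 0xFFFCu) & ~mask) != (addr & ~mask))
        return 0;
    /* byte enables select which byte(s) of the dword are trapped; the mask bits widen them */
    uint32_t byte_en = (uint32_t)((iotr >> 32) & 0xFu) | (uint32_t)((iotr >> 36) & 0xFu);
    return (int)((byte_en >> (port & 3)) & 1u);
}

/* Scan all four trap registers for the keyboard controller ports.
 * Returns a bitmask: bit0 = 0x60 trapped, bit1 = 0x64 trapped. */
unsigned keyboard_trap_active(const uint64_t iotr[4])
{
    unsigned hits = 0;
    for (int i = 0; i < 4; i++) {
        if (iotr_traps_port(iotr[i], KBC_DATA))
            hits |= 1u;
        if (iotr_traps_port(iotr[i], KBC_STATUS))
            hits |= 2u;
    }
    return hits;
}

int main(void)
{
    /* Constructed: a clean system versus a keylogger-style trap on port 0x60. */
    const uint64_t clean[4]   = {0, 0, 0, 0};
    const uint64_t trapped[4] = {0, 0x0000000F00000061ull, 0, 0}; /* TRSE, addr 0x60, all bytes */
    printf("RCRB at 0x%08x\n", rcba_base(0xFED1C001u));
    printf("clean:   keyboard trap mask = %u\n", keyboard_trap_active(clean));
    printf("trapped: keyboard trap mask = %u\n", keyboard_trap_active(trapped));
    return 0;
}
```

A non-zero mask is not proof of a rootkit on its own: some firmware legitimately traps the keyboard controller for USB legacy emulation, so the finding needs to be compared against a known-good dump of the same board.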
LOW-LEVEL TECHNOLOGIES > INTEL AMT
Intel Active Management Technology (AMT)
– Allows for remote system administration
  • Doesn't require a powered-on state or an installed OS
– Stores various data in firmware memory:
  • System parameters (OEM-defined, setup, etc.)
  • Configuration details (including startup hardware)
  • Credentials (passwords, certificates)
  • Network configuration
  • Security configuration (ACLs, defense policies)
– Has Direct Memory Access (DMA) to host memory
  • Independent of the CPU
LOW-LEVEL TECHNOLOGIES > INTEL AMT > EXPLOITATION
Evaluating "Ring -3" Rootkits, presented by Patrick Stewin of Berlin Institute of Technology (TU Berlin)
– AMT is disabled by default
– Some AMT (Management Engine) code runs even when AMT is disabled
– Leverages the exploit from Tereshkin & Wojtczuk (Black Hat 2009), based on calculating the re-mapped memory address and hooking a function that runs periodically regardless of whether AMT is enabled
– Only works on the old Q35 chipset, not Q45
– May require a BIOS downgrade; doesn't require user consent
– Resides completely in the ME's ARC4 execution environment (the ARC CPU core inside the chipset, not the RC4 cipher)
– Keylogger with a covert communications channel
– Working versions for Linux and Windows
LOW-LEVEL TECHNOLOGIES > INTEL AMT > EXPLOITATION
Countermeasures
– Replacing BIOS with UEFI Secure Boot
– Intel Trusted Execution Technology (TXT)
– Upgrading the chipset to Q45 or later
– Common security practices
LOW-LEVEL TECHNOLOGIES > TPM
Trusted Platform Module (TPM)
– Standard for a secure, dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices
– Developed by the Trusted Computing Group (TCG) for the purposes of:
  • Key generation
  • System hashing: measurements of boot components, recorded in Platform Configuration Registers (PCRs)
  • Binding: encryption with a key held inside the TPM (anchored in the factory-burned Endorsement Key)
  • Sealing: decryption that only succeeds when the machine state (PCR values) matches the state at sealing time
LOW-LEVEL TECHNOLOGIES > TPM > EXPLOITATION
Thoughts about Trusted Computing, presented by Joanna Rutkowska of Invisible Things Labs
– Evil Maid scenario: brief physical access lets a malicious user tamper with unverified boot code so that the disk-encryption passphrase or keys can be grabbed on the next boot
LOW-LEVEL TECHNOLOGIES > TPM > EXPLOITATION
Countermeasures:
– Restrict physical access and consider blocking ports to avoid the "Evil Maid" scenario
LOW-LEVEL TECHNOLOGIES > INTEL TXT
Intel Trusted Execution Technology (TXT)
– Relies heavily on the TPM for basic services
  • Secure storage
– Provides a trusted mechanism for securely loading & executing system software
  • Stores software measurements (in the TPM's PCRs)
  • Called "Late Launch": a dynamic root of trust established after the platform has already booted
– AMD's version is implemented with the SKINIT instruction
LOW-LEVEL TECHNOLOGIES > INTEL TXT > EXPLOITATION
Invisible Things Labs 2011 whitepaper (Attacking Intel TXT via SINIT code execution hijacking)
– Exploits a flaw in the SINIT Authenticated Code Module (ACM), which the SENTER instruction executes: a maliciously crafted ACPI DMAR table causes a memory overwrite while SINIT processes it
  • Requires code execution prior to the SENTER instruction
  • Requires some TXT heap manipulation
  • Results in a TXT and Launch Control Policy (LCP) bypass & hijacks SMM
  • Advisories were issued to customers to install updates
LOW-LEVEL TECHNOLOGIES > INTEL TXT > EXPLOITATION
Countermeasures
– Intel update fixes the SINIT overflow
– Intel processor microcode update to prevent rollback and running buggy modules
– Coordination with OEM vendors to ensure that the above fixes get disseminated
– Launch Control Policy (LCP) code moved to the beginning of the SINIT code to offer blacklisting without the need for BIOS and microcode updates
LOW-LEVEL TECHNOLOGIES > MBR
Master Boot Record (MBR)
– Boot sector at the beginning of a storage device
– Stores partition information (four 16-byte primary entries)
– Stores the code that locates the active partition and loads its boot sector
– Maximum addressable storage space = 2 TB (32-bit LBA × 512-byte sectors)
– Typically 512 bytes in size
LOW-LEVEL TECHNOLOGIES > MBR > EXPLOITATION
Stoned Bootkit, presented by Peter Kleissner at Black Hat 2009 (and at many more venues)
– Replaces the MBR with its own
– Patches ntoskrnl.exe
LOW-LEVEL TECHNOLOGIES > MBR > EXPLOITATION
Countermeasures:
– Common practices will completely mitigate this particular malware and go a long way against future MBR attacks
– Full disk encryption using BitLocker in TPM mode
– UEFI Secure Boot
LOW-LEVEL TECHNOLOGIES > VBR
Volume Boot Record (VBR)
– First sector of an individual partition on a partitioned storage device
– Loaded by the MBR code the same way the BIOS loads the MBR: read to 0x7C00 and executed in real mode
LOW-LEVEL TECHNOLOGIES > VBR > EXPLOITATION
Reconstructing Gapz: Position-Independent Code Analysis Problem, presented by Aleksandr Matrosov and Eugene Rodionov at RECon 2013
– Relies on the Windows (NTFS) VBR format
– Hooks INT 13h
– Patches 4 bytes in the VBR: the "Hidden Sectors" field of the BIOS Parameter Block, so that the otherwise unmodified VBR code reads the bootkit's code from unpartitioned space instead of the legitimate loader
– Also patches bootmgr and winload.exe
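The 4-byte HiddenSectors patch Gapz makes, and the consistency check a scanner can run against it, as an added example that is not the talk's or ESET's code (it also covers the MBR slide above): parse the MBR partition table, take the active partition's start LBA, and compare it with the HiddenSectors field in the NTFS VBR's BIOS Parameter Block. Both sectors are constructed in code, not taken from a real disk; the MBR and NTFS offsets used are the standard ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard layouts: MBR partition table at 0x1BE (four 16-byte entries, start
 * LBA at entry offset 8, sector count at 12) and 0x55AA at 0x1FE; NTFS VBR with
 * "NTFS    " at offset 3 and the BPB HiddenSectors field at offset 0x1C. */

#define SECTOR_SIZE      512
#define PT_OFFSET        0x1BE
#define BOOT_SIG_OFFSET  0x1FE
#define BPB_HIDDEN_SECT  0x1C

struct partition {
    uint8_t  status;     /* 0x80 = active/bootable */
    uint8_t  type;       /* 0x07 = NTFS/exFAT */
    uint32_t lba_start;
    uint32_t sectors;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

int has_boot_signature(const uint8_t *sector)
{
    return sector[BOOT_SIG_OFFSET] == 0x55 && sector[BOOT_SIG_OFFSET + 1] == 0xAA;
}

/* Parse the four primary entries; returns the index of the first active
 * partition, or -1 if the MBR is unsigned or nothing is marked active. */
int parse_mbr(const uint8_t *mbr, struct partition out[4])
{
    if (!has_boot_signature(mbr))
        return -1;
    int active = -1;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PT_OFFSET + 16 * i;
        out[i].status    = e[0];
        out[i].type      = e[4];
        out[i].lba_start = le32(e + 8);
        out[i].sectors   = le32(e + 12);
        if (e[0] == 0x80 && active < 0)
            active = i;
    }
    return active;
}

/* The NTFS VBR code reads the rest of the loader relative to HiddenSectors, so
 * the field must equal the partition's start LBA from the MBR. Gapz changes
 * only this field, so the unmodified VBR code fetches the bootkit instead. */
int vbr_hidden_sectors_consistent(const uint8_t *vbr, uint32_t partition_lba)
{
    if (!has_boot_signature(vbr))
        return 0;
    if (memcmp(vbr + 3, "NTFS    ", 8) != 0)
        return 0;                                /* only the NTFS layout is handled here */
    return le32(vbr + BPB_HIDDEN_SECT) == partition_lba;
}

/* Verdict for one disk: 1 = consistent, 0 = VBR tampered or unknown, -1 = bad MBR. */
int check_disk(const uint8_t *mbr, const uint8_t *vbr)
{
    struct partition p[4];
    int a = parse_mbr(mbr, p);
    if (a < 0)
        return -1;
    return vbr_hidden_sectors_consistent(vbr, p[a].lba_start) ? 1 : 0;
}

/* Constructed sample: one active NTFS partition starting at `lba`. */
void build_sample(uint8_t mbr[SECTOR_SIZE], uint8_t vbr[SECTOR_SIZE], uint32_t lba, uint32_t sectors)
{
    memset(mbr, 0, SECTOR_SIZE);
    memset(vbr, 0, SECTOR_SIZE);
    uint8_t *e = mbr + PT_OFFSET;
    e[0] = 0x80; e[4] = 0x07;
    put_le32(e + 8, lba);
    put_le32(e + 12, sectors);
    mbr[BOOT_SIG_OFFSET] = 0x55; mbr[BOOT_SIG_OFFSET + 1] = 0xAA;

    vbr[0] = 0xEB; vbr[1] = 0x52; vbr[2] = 0x90;    /* jmp short over the BPB */
    memcpy(vbr + 3, "NTFS    ", 8);
    vbr[0x0B] = 0x00; vbr[0x0C] = 0x02;              /* 512 bytes per sector */
    put_le32(vbr + BPB_HIDDEN_SECT, lba);
    vbr[BOOT_SIG_OFFSET] = 0x55; vbr[BOOT_SIG_OFFSET + 1] = 0xAA;
}

/* Gapz-style tampering: only these four bytes of the VBR change. */
void gapz_patch_hidden_sectors(uint8_t *vbr, uint32_t new_value)
{
    put_le32(vbr + BPB_HIDDEN_SECT, new_value);
}

int main(void)
{
    uint8_t mbr[SECTOR_SIZE], vbr[SECTOR_SIZE];
    build_sample(mbr, vbr, 2048, 204800);
    printf("clean disk:  %d\n", check_disk(mbr, vbr));
    gapz_patch_hidden_sectors(vbr, 2048 + 204800);   /* point past the end of the partition */
    printf("patched VBR: %d\n", check_disk(mbr, vbr));
    return 0;
}
```

On a live system the two sectors come from reading LBA 0 and the active partition's first sector of the raw disk device; a hash of the VBR alone would not catch this, because the VBR code bytes are untouched and only the BPB field moved.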
LOW-LEVEL TECHNOLOGIES > VBR > EXPLOITATION
Countermeasures:
– UEFI Secure Boot
– Switching to GPT
– BitLocker in TPM mode
– Common security practices to prevent initial infection
LOW-LEVEL TECHNOLOGIES > GPT
GUID Partition Table (GPT)
– Replacement for the MBR
– Allows storage devices larger than 2 TB
– Not being targeted yet (as of this talk, 2014)
LOW-LEVEL TECHNOLOGIES > NTLDR
NT Loader (NTLDR)
– Boot loader for all legacy NT-based versions of Windows, including Windows XP
– Works from the ntldr file stored on the bootable media
– Loads boot.ini for specific boot options
– Runs ntdetect.com to gather information about the computer's hardware
– Passes that info to ntoskrnl.exe in order to load the NT kernel
LOW-LEVEL TECHNOLOGIES > BOOTMGR
Windows Boot Manager (bootmgr; bootmgfw.efi on UEFI systems)
– Replaces NTLDR
– bootmgr is a hidden system file stored in the System Reserved volume
– Locates the active partition
– Reads the Boot Configuration Data (BCD) store for boot-time configuration data
– Passes data from the BCD to the Windows Loader (winload.exe)
LOW-LEVEL TECHNOLOGIES > BOOTMGR > EXPLOITATION
Vbootkit (1 & 2) from Nitin & Vipin Kumar of NVlabs
– Not really persistent: runs from CD
– Uses the boot CD to hook INT 13h (Windows Vista)
– When bootmgr is loaded, the hook runs the payload
– Patches bootmgr in 3 places in memory
– Bypasses checksums, digital signatures & DEP
– Gains control when winload.exe runs
LOW-LEVEL TECHNOLOGIES > BOOTMGR > EXPLOITATION
Countermeasures
– Don't allow physical access to the machine
– Turn off CD-ROM boot in the BIOS if it's not used
– Find a better way to prevent in-memory modification between loading an executable into memory and executing it
– BitLocker Drive Encryption (BDE) in TPM mode: the measurements in the TPM will be off, so it declines to unseal the Volume Master Key (VMK), thus preventing boot
CONCLUSION
Everything has potential for vulnerabilities
New technologies such as UEFI Secure Boot, TPM, TXT offer a lot of mitigation
Intel should do everyone a favor and release STM
Common security practices such as Antivirus, Intrusion Detection, Intrusion Prevention, Host-Based Intrusion Prevention, timely patches, and solid secure use policies can all help with detection and prevention.
REFERENCES
Complete Bibliography will be included in the forthcoming whitepaper
Presentations referenced are all available on the web sites for the conferences mentioned
Thank You!
Eric Koeppen
IBM X-Force Advanced Research
erkoeppe[at]us[dot]ibm[dot]com
@PorkChop