bootkits step by-step-slides-final-v1-release

IBM Security Systems | © 2014 IBM Corporation. BOOTKITS STEP-BY-STEP: AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS. Eric Koeppen, IBM X-Force Advanced Research, erkoeppe[at]us[dot]ibm[dot]com, @PorkChop (v1)

Upload: eric-koeppen

Post on 15-Jun-2015


DESCRIPTION

These are the slides from my presentation on Bootkits at HOPE X Conference in New York City, July 20, 2014.

TRANSCRIPT

Page 1

IBM Security Systems | © 2014 IBM Corporation

BOOTKITS STEP-BY-STEP: AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS

Eric Koeppen, IBM X-Force Advanced Research

erkoeppe[at]us[dot]ibm[dot]com, @PorkChop

(v1)

Page 2

AGENDA

Introduction

Snapshot of Boot Process for various OSes

A Look at Low-Level Technologies
– Case studies as examples of exploitation
– Advice for detection and prevention

Conclusion

Page 3

INTRODUCTION

BOOTKITS STEP-BY-STEP:

AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS

Page 4

DEFINITION

For the purposes of this presentation, we will define Bootkit as any malware (rootkit) that is persistent and exists below the level of the operating system kernel environment (ring 0).

Page 5

INTRODUCTION

Purpose: To look at how Bootkits achieve persistence and to give advice regarding detection & prevention.

Scope is limited to x86 and x64 compatible architectures.

Scope does not include Virtualization technology.

More details can be found in the forthcoming companion white paper.

Page 6

THE BOOT PROCESS

BOOTKITS STEP-BY-STEP:

AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS

Page 7

BOOT PROCESSES > WINDOWS XP > BIOS

BIOS Boot Process for Windows XP

POST → BIOS → MBR/VBR → NTLDR (using ntdetect.com) → NT Kernel

Page 8

BOOT PROCESSES > WIN VISTA & LATER > BIOS

BIOS Boot Process for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2

POST → BIOS → MBR/VBR → Windows Boot Mgr (reads Boot Conf Data (BCD)) → Win Loader (winload.exe) → OS

Page 9

BOOT PROCESSES > WINDOWS VISTA SP 1 & LATER > UEFI

UEFI Boot Process for Windows Vista SP1, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2

POST → UEFI → MBR/VBR or GPT → Windows Boot Mgr (reads Boot Conf Data (BCD)) → Win Loader (winload.exe) → OS

Page 10

BOOT PROCESSES > WINDOWS 8 & LATER > SECURE BOOT

Secure Boot Process for Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows RT.

POST → UEFI → MBR/VBR or GPT → Verified Boot Mgr → Verified OS Loader → OS

Page 11

BOOT PROCESSES > MAC > EFI BOOT

EFI Boot Process for Mac.

BootROM (POST, Hw Init) → EFI (OS Select) → Boot Loader (boot.efi)

Page 12

BOOT PROCESSES > LINUX > BIOS

BIOS Boot Process for Linux

POST → BIOS → MBR/VBR or GPT → Boot Loader (LILO or Grub) → Linux Kernel

Page 13

BOOT PROCESSES > LINUX > UEFI

UEFI Boot Process for Linux

POST → UEFI → MBR/VBR or GPT → Boot Loader (using Boot MGR Data) → Linux Kernel

Page 14

BOOT PROCESSES > LINUX > SECURE BOOT

Secure Boot Process for Linux

POST → UEFI → MBR/VBR or GPT → Signed Boot MGR → Signed Boot Loader → Linux Kernel

Page 15

A LOOK AT LOW-LEVEL TECHNOLOGIES

BOOTKITS STEP-BY-STEP:

AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS

Page 16

Basic Input/Output System (BIOS)
– Firmware interface used to boot older machines.
– Stored on nonvolatile ROM chip on mobo
– Made of modules compressed with LZH
  • Each module has an 8-bit checksum for verification
– Some modules uncompressed:
  • Bootblock that handles POST & emergency boot
  • Decompression routine
– Modifying a module without updating its checksum makes the system unbootable

LOW-LEVEL TECHNOLOGIES > BIOS

Page 17

Persistent BIOS Infection by Core @ CanSecWest 09
– Used 2 techniques for flashing the BIOS:
  1. BIOS building tool such as Pinczakko's method
  2. Patch & update checksums
– Three steps for flashing BIOS:
  1. Dump BIOS with flashrom
  2. Patch & update checksums
  3. Re-flash

LOW-LEVEL TECHNOLOGIES > BIOS > EXPLOITATION

Page 18

Four ways to avoid this attack:

1. Stop initial access with common methods (AV, firewalls, etc.) to avoid BIOS modification

2. Enable flash write protection on motherboard

3. Use digitally signed BIOS firmware

4. Don't download BIOS updates from untrusted sources

LOW-LEVEL TECHNOLOGIES > BIOS > EXPLOITATION

Page 19

Unified Extensible Firmware Interface (UEFI)
– Designed as a BIOS replacement
– Larger, more powerful, and more modular
– Basically a bare-bones operating system
– Allows pre-OS networking
– Some versions provide pre-OS AV
– Provides 2 types of services:
  1. Boot services: only available at boot time
  2. Runtime services: available while OS is running

LOW-LEVEL TECHNOLOGIES > UEFI

Page 20

Dreamboot - Presented by Sebastian Kaczmarek @ Hack in the Box, Amsterdam 2013
– Finds boot loader on hardware & patches it
– Hijacks kernel entry point call in loader to redirect control flow
– Deactivates kernel protections (once it gets around PatchGuard)
– Hides payload in ntoskrnl relocation table

LOW-LEVEL TECHNOLOGIES > UEFI > EXPLOITATION

Page 21

Countermeasures:
– Prevent initial infection through normal means (AV, IPS, HIPS, secure use policies)
– Secure Boot means that the boot loader signature will have to match the stored key.
– Intel TXT's "Late Launch" can help prevent loading modified software.
– BitLocker in TPM mode provides encryption that makes patching the boot loader more difficult; it stores software measurements and won't even boot if they don't match up.

LOW-LEVEL TECHNOLOGIES > UEFI > EXPLOITATION

Page 22

Secure Boot (UEFI)
– UEFI option where all applications and services must have a valid digital signature
– Secure Boot keys stored in UEFI firmware
– Offers protection that makes compromise more difficult

LOW-LEVEL TECHNOLOGIES > SECURE BOOT

Page 23

Setup For Failure: Defeating Secure Boot, presented by Corey Kallenberg and the MITRE research team at Hack In The Box, Amsterdam 2014
– Found that Secure Boot doesn't always run the signature check on all target EFI executables, especially Option ROMs (such as for graphics cards)
– Found a way to manually modify the Setup variable that determines how lax the signature checking policy is, making it so that all target EFI executables can be run without a signature check.

LOW-LEVEL TECHNOLOGIES > SECURE BOOT > EXPLOITATION

Page 24

Countermeasures:
– Make sure the UEFI version follows the spec in regards to variable protection; the UEFI spec does not allow this exploit
– BIOS_CNTL & SMM BIOS Write Enable protection
– Intel Protected Range SPI Flash Protections
  • Flash Configuration Lockdown (HSFS.FLOCKDN) bit
– Setting SMM BIOS Write Protection (SMM_BWP) bit
– Common security measures to prevent initial infection

LOW-LEVEL TECHNOLOGIES > SECURE BOOT > EXPLOITATION

Page 25

Mac EFI
– Does basic hardware initialization
– Selects Operating System to load
– Modular: comprised of core components, apps, drivers, bootloader
– Lots of jump tables with function pointers
– Core components reside on Mac BootROM
– Used on all Intel Macs

LOW-LEVEL TECHNOLOGIES > MAC EFI

Page 26

DE MYSTERIIS DOM JOBSIVS: MAC EFI ROOTKITS, presented by Snare at Black Hat 2012
– Lists 3 valid options for persistence:
  1. Patch or replace the bootloader /System/Library/CoreServices/boot.efi
  2. Write to PCI device expansion ROM - writeable from OS via device firmware updates and/or flashrom application
  3. Flash the firmware - also flashrom, but Firmware Volume signature gets checked by BootROM & new Macs write-protect flash

LOW-LEVEL TECHNOLOGIES > MAC EFI > EXPLOITATION

Page 27

Countermeasures:
– EFI password can prevent changing boot target, but can be bypassed
– UEFI Secure Boot would be nice but is unsupported
– Use normal measures to prevent initial infection.
– Restrict physical access and consider blocking ports to avoid "Evil Maid" scenario

LOW-LEVEL TECHNOLOGIES > MAC EFI > EXPLOITATION

Page 28

System Management Mode (SMM)
– Most privileged execution mode on x86/x64 architectures
– Has access to all of system memory
  • Not subject to standard OS memory protections such as page tables
– Stored in system firmware (BIOS or UEFI)
– Can be accessed via System Management Interrupt (SMI) handlers

LOW-LEVEL TECHNOLOGIES > SMM

Page 29

A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers, Phrack article by Filip Wecherowski
– Modified System Management Interrupt (SMI) handler to create I/O Trap based keylogger
– Only applies to Asus motherboards with AMIBIOS

LOW-LEVEL TECHNOLOGIES > SMM > EXPLOITATION

Page 30

Countermeasures:
– Common methods (AV, IPS, HIPS, good security policies, educated users, etc.) to prevent initial infection.
– Author wrote simple C program to detect keylogger. Reads the Root Complex Base Address Register (RCBA). Tests keyboard controller port to see if I/O Trap is enabled.
– SMM Transfer Monitor (STM) to sandbox the existing SMM handler by virtualizing it using VT-x and VT-d technologies. Unfortunately it's not available yet.

LOW-LEVEL TECHNOLOGIES > SMM > EXPLOITATION

Page 31

Intel Active Management Technology (AMT)
– Allows for remote system administration
  • Doesn't require powered-on state or installed OS
– Stores various data in firmware memory
  • System parameters (OEM-defined, setup, etc.)
  • Configuration details (including startup hdw)
  • Credentials (passwords, certificates)
  • Network configuration
  • Security configuration (ACLs, defense policies)
– Provides Direct Memory Access (DMA)
  • Independent of CPU

LOW-LEVEL TECHNOLOGIES > INTEL AMT

Page 32

Evaluating "Ring -3" Rootkits, presented by Patrick Stewin of Berlin Institute of Technology
– AMT disabled by default
– Some AMT code runs even if AMT is disabled
– Leverages exploit from Tereshkin BH 09 based on calculating the re-mapped memory address and hooking a function that runs periodically regardless of whether AMT is enabled or not.
– Only works on old Q35 chipset, not Q45.
– May require a BIOS downgrade, doesn't require consent
– Resides completely in ARC4 execution environment
– Keylogger with covert communications channel
– Working versions for Linux and Windows

LOW-LEVEL TECHNOLOGIES > INTEL AMT > EXPLOITATION

Page 33

Countermeasures
– Replacing BIOS with UEFI Secure Boot
– Intel Trusted Execution Technology (TXT)
– Upgrading chipset to Q45 or later
– Common security practices

LOW-LEVEL TECHNOLOGIES > INTEL AMT > EXPLOITATION

Page 34

Trusted Platform Module (TPM)
– Standard for a secure, dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.
– Developed by the Trusted Computing Group (TCG) for the purposes of:
  • Key generation
  • System hashing
  • Binding – encryption with factory-burned key
  • Sealing – machine-state-dependent decryption

LOW-LEVEL TECHNOLOGIES > TPM

Page 35

Thoughts about Trusted Computing, presented by Joanna Rutkowska of Invisible Things Labs
– Evil Maid scenario – physical access allowing malicious user to grab keys

LOW-LEVEL TECHNOLOGIES > TPM > EXPLOITATION

Page 36

Countermeasures:
– Restrict physical access and consider blocking ports to avoid "Evil Maid" scenario

LOW-LEVEL TECHNOLOGIES > TPM > EXPLOITATION

Page 37

Intel Trusted Execution Technology (TXT)
– Relies heavily on TPM for basic services
  • Secure storage
– Provides trusted mechanism for securely loading & executing system software
  • Stores software metrics
  • Called "Late Launch"
– AMD's version implemented with SKINIT instruction

LOW-LEVEL TECHNOLOGIES > INTEL TXT

Page 38

Invisible Things Labs 2011 whitepaper
– Exploiting flaw in SINIT Authenticated Code Module (ACM), when executed by SENTER instruction, to cause an overwrite when adding a maliciously crafted ACPI DMAR table
  • Requires execution prior to SENTER instruction
  • Requires some TXT heap manipulation
  • Causes TXT, LCP bypass & hijacks SMM
  • Advisories issued to customers to install updates

LOW-LEVEL TECHNOLOGIES > INTEL TXT > EXPLOITATION

Page 39

Countermeasures
– Intel update fixes SINIT overflow
– Intel processor microcode update to prevent rollback and running buggy modules
– Coordinating with OEM vendors to ensure that above fixes get disseminated
– Launch Control Policy (LCP) code moved to beginning of SINIT code to offer blacklisting without the need for BIOS and microcode updates

LOW-LEVEL TECHNOLOGIES > INTEL TXT > EXPLOITATION

Page 40

Master Boot Record (MBR)
– Boot sector at the beginning of storage devices
– Stores partition information
– Stores code for loading OS
– Maximum addressable storage space = 2 TB
– Typically 512 bytes in size

LOW-LEVEL TECHNOLOGIES > MBR

Page 41

Stoned Bootkit, presented by Peter Kleissner at Black Hat 2009 (and many more)
– Replaces MBR with its own
– Patches ntoskrnl.exe

LOW-LEVEL TECHNOLOGIES > MBR > EXPLOITATION

Page 42

Countermeasures:
– Common practices will completely mitigate this particular malware and go a long way towards any future MBR attacks
– Full disk encryption using BitLocker in TPM mode
– UEFI Secure Boot

LOW-LEVEL TECHNOLOGIES > MBR > EXPLOITATION

Page 43

Volume Boot Record (VBR)
– First sector of an individual partition on a partitioned storage device
– Loaded the same way as MBR

LOW-LEVEL TECHNOLOGIES > VBR

Page 44

Reconstructing Gapz: Position-Independent Code Analysis Problem, presented by Aleksandr Matrosov and Eugene Rodionov at REcon 2013
– Relies on Windows VBR format
– Hooks Int 13h
– Patches 4 bytes in VBR to modify number of "Hidden Sectors"
– Also patches Bootmgr and Winload.exe

LOW-LEVEL TECHNOLOGIES > VBR > EXPLOITATION
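As an added example (not code from the slides, nor from the Gapz or Stoned research), the following Python parses a constructed MBR and NTFS VBR and applies two defender-side checks that the MBR and VBR slides imply: fingerprinting the 446-byte MBR boot code against a known-good baseline, and checking that the VBR's 4-byte Hidden Sectors field still equals the partition's start LBA recorded in the MBR partition table. The offsets used (partition table at 446, Hidden Sectors at 0x1C, 0x55AA signature at 510) are the standard on-disk layout; the sample images and their contents are constructed inside the block.

```python
import hashlib
import struct

SECTOR = 512
# MBR partition entries use 32-bit LBA fields: 2^32 sectors * 512 bytes = 2 TiB,
# the "2 TB" addressing ceiling the MBR slide mentions (GPT lifts it).
MAX_MBR_BYTES = (2 ** 32) * SECTOR

def parse_mbr(mbr: bytes):
    """Split a 512-byte MBR into (boot code, list of used partition entries)."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:  # partition type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return mbr[:446], parts

def parse_ntfs_vbr(vbr: bytes):
    """Read the BPB fields of an NTFS volume boot record used by the check below."""
    if len(vbr) != SECTOR or vbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid VBR: bad length or missing 0x55AA signature")
    (bytes_per_sector,) = struct.unpack_from("<H", vbr, 0x0B)
    (hidden_sectors,) = struct.unpack_from("<I", vbr, 0x1C)  # the 4 bytes Gapz patches
    return {"oem": vbr[3:11], "bytes_per_sector": bytes_per_sector, "hidden_sectors": hidden_sectors}

def boot_code_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the 446-byte boot code, to compare against a known-good baseline."""
    boot_code, _ = parse_mbr(mbr)
    return hashlib.sha256(boot_code).hexdigest()

def hidden_sectors_consistent(mbr: bytes, vbr: bytes, part_index: int) -> bool:
    """An untouched NTFS VBR records its partition's start LBA as Hidden Sectors;
    a mismatch with the MBR partition table is what a Gapz-style VBR patch produces."""
    _, parts = parse_mbr(mbr)
    entry = next(p for p in parts if p["index"] == part_index)
    return parse_ntfs_vbr(vbr)["hidden_sectors"] == entry["lba_start"]

# --- constructed sample images (not dumps from a real disk) ---
def build_sample_mbr(boot_code: bytes, lba_start: int, sectors: int) -> bytes:
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0x07, lba_start, sectors)  # one bootable NTFS entry
    img[510:512] = b"\x55\xAA"
    return bytes(img)

def build_sample_ntfs_vbr(hidden_sectors: int) -> bytes:
    img = bytearray(SECTOR)
    img[0:3] = b"\xEB\x52\x90"  # jump over the BPB, as a real NTFS VBR begins
    img[3:11] = b"NTFS    "
    struct.pack_into("<H", img, 0x0B, SECTOR)
    struct.pack_into("<I", img, 0x1C, hidden_sectors)
    img[510:512] = b"\x55\xAA"
    return bytes(img)

if __name__ == "__main__":
    mbr = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0", 2048, 409600)
    print("boot code baseline:", boot_code_fingerprint(mbr))
    print("clean VBR consistent:", hidden_sectors_consistent(mbr, build_sample_ntfs_vbr(2048), 0))
    print("patched VBR consistent:", hidden_sectors_consistent(mbr, build_sample_ntfs_vbr(2064), 0))
```

On a live system the same checks run over the first sector of the disk and the first sector of each NTFS partition, with the baseline fingerprint recorded when the machine is known clean.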

Page 45

Countermeasures:
– UEFI Secure Boot
– Switching to GPT
– BitLocker in TPM mode
– Common security practices to prevent initial infection

LOW-LEVEL TECHNOLOGIES > VBR > EXPLOITATION

Page 46

GUID Partition Table (GPT)
– Replacement for MBR
– Allows storage devices larger than 2 TB
– Not being targeted yet

LOW-LEVEL TECHNOLOGIES > GPT

Page 47

NT Loader (NTLDR)
– Boot loader for all legacy releases of NT-based versions of Windows, including Windows XP
– Works with ntldr file stored on bootable media
– Loads boot.ini for specific boot options
– Runs ntdetect.com to gather information about the computer's hardware
– Passes that info to ntoskrnl.exe in order to load the NT Kernel

LOW-LEVEL TECHNOLOGIES > NTLDR

Page 48

Windows Boot Manager (Bootmgr.exe)
– Replaces NTLDR
– bootmgr is a hidden system file stored in the System Reserved Volume
– Locates the active partition
– Reads Boot Configuration Database (BCD) file
  • For boot-time configuration data
– Passes data from BCD to Windows Loader (winload.exe)

LOW-LEVEL TECHNOLOGIES > BOOTMGR

Page 49

Vboot Kit (1 & 2) from Nitin & Vipin Kumar of NVLABs
– Not really persistent, runs from CD
– Used cdrom to hook INT 13 (Win Vista)
– When bootmgr.exe loaded, hook runs payload
– Patches bootmgr.exe in 3 places in memory
– Bypassed checksums, digital signatures, & DEP
– Gains control when winload.exe runs

LOW-LEVEL TECHNOLOGIES > BOOTMGR > EXPLOITATION

Page 50

Countermeasures
– Don't allow physical access to machine
– Turn off cdrom boot in BIOS if not using
– Find a better way to prevent in-memory modification between loading executable into memory and execution
– BitLocker Drive Encryption (BDE) in TPM mode: measurements will be off in TPM, so it declines unsealing Volume Master Key (VMK), thus preventing boot

LOW-LEVEL TECHNOLOGIES > BOOTMGR > EXPLOITATION
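To show why a patched bootmgr stops BitLocker TPM mode from unsealing the VMK (this slide, the "Sealing" bullet on the TPM slide, and the BitLocker item in the UEFI countermeasures), here is an added Python model of measured boot and sealing; it is not code from the slides or from Microsoft or the TCG. Each boot stage is extended into a PCR in order, the VMK is sealed to the clean PCR value, and unsealing is refused when the measured chain differs. The HMAC-based key wrap, the SRK constant and the stand-in boot components are assumptions of the model; a real TPM keeps the root key inside the chip and enforces the PCR policy itself.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank; every PCR reads as all zeros after reset

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || H(component)). Order matters and
    nothing can be 'un-extended', so the final value commits to the whole chain."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot_chain(components) -> bytes:
    """Measure each stage (MBR code, bootmgr, winload, ...) into one PCR in boot order."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

def _wrap_key(srk: bytes, pcr: bytes) -> bytes:
    # Key-encryption key bound to the PCR value; srk stands in for the TPM-resident root key.
    return hmac.new(srk, b"seal-to-pcr|" + pcr, hashlib.sha256).digest()

def seal_vmk(vmk: bytes, expected_pcr: bytes, srk: bytes) -> bytes:
    """Seal a 32-byte Volume Master Key to the expected PCR value (software model of a TPM seal)."""
    kek = _wrap_key(srk, expected_pcr)
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(vmk, pad))
    tag = hmac.new(kek, blob, hashlib.sha256).digest()  # authenticates blob under the PCR-bound key
    return blob + tag

def unseal_vmk(sealed: bytes, current_pcr: bytes, srk: bytes):
    """Return the VMK only if current measurements equal those at seal time, else None."""
    blob, tag = sealed[:32], sealed[32:]
    kek = _wrap_key(srk, current_pcr)
    if not hmac.compare_digest(hmac.new(kek, blob, hashlib.sha256).digest(), tag):
        return None  # PCR differs: the TPM declines to unseal, so the volume cannot be unlocked
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob, pad))

# Constructed stand-ins for the real boot components (not real binaries).
CLEAN_CHAIN = [b"mbr-boot-code", b"bootmgr", b"winload.exe"]
PATCHED_CHAIN = [b"mbr-boot-code", b"bootmgr-patched-in-3-places", b"winload.exe"]
SRK = bytes(range(32))  # constructed TPM root key
VMK = hashlib.sha256(b"constructed volume master key").digest()

def boot_unlocks(chain) -> bool:
    """Simulate a BitLocker TPM-mode unlock attempt for the given measured boot chain."""
    sealed = seal_vmk(VMK, measure_boot_chain(CLEAN_CHAIN), SRK)  # sealed once, on a clean system
    return unseal_vmk(sealed, measure_boot_chain(chain), SRK) == VMK

if __name__ == "__main__":
    print("clean boot unlocks:", boot_unlocks(CLEAN_CHAIN))        # True
    print("patched bootmgr unlocks:", boot_unlocks(PATCHED_CHAIN))  # False
```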

Page 51

CONCLUSION

Everything has potential for vulnerabilities

New technologies such as UEFI Secure Boot, TPM, TXT offer a lot of mitigation

Intel should do everyone a favor and release STM

Common security practices such as Antivirus, Intrusion Detection, Intrusion Prevention, Host-Based Intrusion Prevention, timely patches, and solid secure use policies can all help with detection and prevention.

Page 52

REFERENCES

Complete bibliography will be included in the forthcoming whitepaper.

Presentations referenced are all available on the web sites for the conferences mentioned.

Page 53

BOOTKITS STEP-BY-STEP: AN IN-DEPTH LOOK AT PERSISTENCE MECHANISMS USED BY BOOTKITS

Thank You!

Eric Koeppen, IBM X-Force Advanced Research

erkoeppe[at]us[dot]ibm[dot]com, @PorkChop