defeating antiforensics in contemporary complex threats
DESCRIPTION
Forensic analysis plays a crucial role in cybercrime group investigation, as it allows investigators to obtain such information as bot configuration data, C&C URLs, payload, stolen data and so on. Some of the modern malware falling into the class of complex threats employs various tricks to resist forensics and conceal its presence on the infected system. This paper will present technical and in-depth analysis of the most widely used anti-forensic technique, the implementation of hidden encrypted storage, as used by complex threats currently in the wild: Win64/Olmarik (TDL4) Win64/Olmasco (MaxSS) Win64/Rovnix/Carberp Win64/Sirefef (ZeroAccess) Win32/Hodprot These complex threats use hidden encrypted storage areas to conceal their data and avoid relying on the file system maintained by the operating system. In the presentation the authors will focus on the details of hidden storage implementation as well as the ways in which it is maintained within the system by various kinds of malware. The analysis begins with the initialization procedure and the mechanisms behind it. It is shown which system mechanisms are used to store and retrieve data from the hidden container and the degree to which the malware depends on them. Close attention is paid to the self-defence mechanisms employed by the malware in order to conceal the content kept in its hidden storage areas and protect those contents against modification by the system or by security software. Also a detailed description of the hidden file system is presented for each threat considered, as well as a comparison of its features to the other threats analysed here. To conclude, an approach is presented on the retrieval of data from hidden storage. We will discuss the steps that should be taken to defeat self-defence mechanisms, locate hidden storage on the hard drive and read plain data.TRANSCRIPT
•
•
•
•
Win32/Hodprot
ErrorControl CoreSettings HashSeed
Loader Code Main Module C&C URLs
One of the most frequently used droppers in 2011 for delivering banking trojans in Russia: Carberp, Sheldor, RDPdoor.
Relies on system registry to keep its modules and payload HKLM\SOFTWARE\Settings
Win32/Hodprot
ErrorControl CoreSettings HashSeed
Loader Code Main Module C&C URLs
One of the most frequently used droppers in 2011 for delivering banking trojans in Russia: Carberp, Sheldor, RDPdoor.
Relies on system registry to keep its modules and payload HKLM\SOFTWARE\Settings
Browser Address Space
sfc.sys
Setupapi.dll
Payload
System Registry
User-mode
Kernel-mode
Winlogon Address Space
sfcfiles.dll
UpdatePayload
Inject Payload
Assemble Payload
Inject PayloadAssemble PayloadInstall & Load
Driver
Configuration data are stored in a resource of the Flame main module
Configuration data are encrypted with custom algorithm and compressed with DEFLATE algorithm
Block BYTE
Data Length Data
1 Byte 4 Byte Data Length Bytes
Block BYTE
Data Length
1 Byte 4 Byte Data Length Bytes
Offset of the block with item data
Offset of the next item
block
Unicode string (name of the item)
Configuration data are stored in a resource of the Flame main module
Configuration data are encrypted with custom algorithm and compressed with DEFLATE algorithm
Block BYTE
Data Length Data
1 Byte 4 Byte Data Length Bytes
Block BYTE
Data Length
1 Byte 4 Byte Data Length Bytes
Offset of the block with item data
Offset of the next item
block
Unicode string (name of the item)
Malicious kernel-mode driver
Malware payload
File system interface
Physical storage interface
Hard drive
OS file system driver
OS storage device driver stack
Hidden FS area
Applications
kernel-mode address space
user-mode address space
Bootkit hidden storage
Kernel-mode driver
Process1 Process2 Process3 ProcessN
Payload1 Payload2 Payload3 PayloadN
Payload1 Payload2 Payload3 PayloadN
kernel-mode
user-mode
First widely spread bootkit targeting Microsoft Windows x64 platform
Infects MBR of the bootable hard drive to receive control before OS
Abuses Windows PE (Preinstallation Environment) boot mode to disable kernel-mode code signing policy
Keeps payload in the hidden file system
Hijacks pointer to the driver object of the lowest device object in storage device stack
typedef struct _TDL4_FS_ROOT_DIRECTORY
{
// Signature of the block
WORD Signature;
// Set to zero
DWORD Reserved;
// Array of entries corresponding to files in FS
TDL4_FS_FILE_ENTRY FileTable[15];
}TDL4_FS_ROOT_DIRECTORY, *PTDL4_FS_ROOT_DIRECTORY;
TDL4 Hidden FS
Growth direction
Disk partitions
One sector
One sector
Variable length Not more than 8 Mb
Infe
cte
d M
BR
typedef struct _TDL4_FS_FILE_ENTRY { // File name - null terminated string char FileName[16]; // Offset from beginning of the file system to file DWORD FileBlockOffset; // Reserved DWORD dwFileSize; // Time and Date of file creation FILETIME CreateTime; }TDL4_FS_FILE_ENTRY, *PTDL4_FS_FILE_ENTRY;
TDL4 Volume device object
DriverObject
...Vpb
...
TDL4 Physical device object
DriverObject
...
\Driver\PnpManagerDriver object
TDL4Driver object
Volume parameter block
DeviceObject
RealDevice
\Device\XXXXXXXX Unnamed
XXXXXXXX – random 32-bit hexadecimal integer
Visible to payload Maintained by rootkit
Bootmgr Partition
OS Partition
MBR Code
Partition Table Entry #1
MBR Data
Partition Table Entry #2
Partition Table Entry #3
Partition Table Entry #4
Unpartitioned Space
Bootmgr Partition
OS Partition
MBR Code
Partition Table Entry #1
MBR Data
Partition Table Entry #2
Partition Table Entry #3
Partition Table Entry #4
Olmasco Partition
Empty Partition Entry Active Partition Entry
Before Infecting After Infecting
Existing Partition Entry
Modifies partition table of the bootable hard drive to create malicious partition and mark it active
Employs the same approach for disabling kernel-mode signing policy as TDL4 bootkit
Bootmgr Partition
OS Partition
MBR Code
Partition Table Entry #1
MBR Data
Partition Table Entry #2
Partition Table Entry #3
Partition Table Entry #4
Unpartitioned Space
Bootmgr Partition
OS Partition
MBR Code
Partition Table Entry #1
MBR Data
Partition Table Entry #2
Partition Table Entry #3
Partition Table Entry #4
Olmasco Partition
Empty Partition Entry Active Partition Entry
Before Infecting After Infecting
Existing Partition Entry
Modifies partition table of the bootable hard drive to create malicious partition and mark it active
Employs the same approach for disabling kernel-mode signing policy as TDL4 bootkit
typedef struct _OLMASCO_FS_ROOT_DIRECTORY { // Signature of the block // DC - root directory DWORD Signature; // Set to zero DWORD Reserved1; // Set to zero DWORD Reserved2; // Set to zero DWORD Reserved3; // Size of the file system cluster DWORD ClusterSize; // Size of file table in clusters DWORD SizeOfSysTableInClusters; // Size of file table in bytes DWORD SizeOfSysTableInBytes; // Checksum of file table DWORD SysTableCRC32; // Array of entries corresponding to files in FS OLMASCO_FS_FILE_ENTRY FileTable[]; }OLMASCO_FS_ROOT_DIRECTORY, *POLMASCO_FS_ROOT_DIRECTORY;
typedef struct _OLMASCO_FS_FILE_ENTRY
{ // File name - null terminated string char FileName[16]; // Offset from beginning of the file system to file DWORD OffsetInClusters; // Size of the file in clusters DWORD SizeInClusters; // Size of the file in bytes DWORD SizeInBytes; // Checksum DWORD Crc32;
}OLMASCO_FS_FILE_ENTRY, *POLMASCO_FS_FILE_ENTRY;
Mounts a file containing payload & configuration data as NTFS volume with transparent encryption
Keeps payload & configuration data encrypted in “C:\windows\$NtUninstallKB35373$” directory
VS.
ZeroAccess Volume Device
DriverObject
...
ZeroAccessDriver Object
Hidden Volume Name
File ObjectFile with data
Related Device Object
DriverObject
...
NTFSDriver Object
First known bootkit which infects VBR (Volume Boot Record) with polymorphic malicious bootstrap code
It utilizes debugging facilities of the hardware (debugging registers) to persists among processor execution mode switching and set up hooks
Rovnix bootkit employs modification of FAT16 for hidden partition
Rovnix bootkit was used in Carberp banking trojan
•
MBR VBR Bootstrap Code File System Data
VBRMalicious
CodeFile System Data
Bootstrap Code
MBR
NTFS bootstrap code(15 sectors)
Before Infecting
After InfectingCompressedData
Hidden Partition
Malicious Unsigned
Driver
Employs advanced bootkit techniques to load unsigned malicious kernel-mode driver on 64-bit version of Windows OS
Combines bootkit techniques present in Olmarik (TDL4) & Rovnix
Bypasses PatchGuard by means of modifying kernel before integrity enforcement service is started
Goblin hidden implements hidden file system in a similar way to Olmarik (TDL4)
functionality Olmarik (TDL4)
Sirefef (ZeroAccess)
Rovnix (Cidox)
Goblin (XPAJ)
Olmasco (MaxSS)
MBR modification
VBR modification
Hidden file system type
Custom NTFS FAT16
modification Custom
(TDL4 based) Custom
encryption algorithm
XOR/RC4 RC4 Custom
(XOR+ROL)
RC6 modification
compression algorithm
aPlib aPlib
eset.com/download/utilities/detail/family/173/
Aleksandr Matrosov [email protected] @matrosov
Eugene Rodionov [email protected] @vxradius