BlueHat v18 || Return of the kernel rootkit malware (on windows 10)

July 12, 2019

Host: I am pleased to welcome onstage Matt Oh, who is going to be talking about the return of the kernel rootkit malware on Windows. He is in our WD ATP team here at Microsoft, focusing on exploit and malware analysis. Thank you.

Matt Oh: Thank you. [Applause] So let's talk about some Windows rootkit malware. Sorry, the slides take some time to come up. I can briefly talk about myself so you understand how we research these kinds of threats. I work for the Microsoft WD ATP team. WD ATP is an EDR system made by Microsoft, so we are more of a blue team, and I have a very special interest in new exploit and malware techniques. I'm more of a reverse engineer, so I mostly tear down existing exploits or malware, learn from their techniques, and use that for better defense. Previously I was a one-day researcher, and I authored DarunGrim, which is an open source binary diffing tool.

Rootkits. You probably remember this book; it is the legendary legacy book about Windows rootkits and the reference for Windows rootkits. Many of the techniques described in this book were actually used by real-world malware. For example, DKOM was really popular with multiple malware families, and SSDT hooks; all these things were very common from around 2000 until the mid 2000s. All of this changed when Windows introduced the driver signing requirement in Windows Vista. The other thing is that Windows by default had PatchGuard, whose official name is Kernel Patch Protection; it goes through these memory locations looking for any modifications and will panic if something abnormal is detected. So now malware authors are facing new challenges: they need a valid certificate to sign their drivers. For almost the last ten years we only saw very advanced threats using this kind of driver and rootkit technique, for example Equation and Duqu 2, and in most cases they stole a valid certificate from some other company.

In June 2018 a very interesting report came out from BitDefender with a weird name, Zacinlo (I don't know how to pronounce it), about an ad fraud operation. The report looked normal until it mentioned digitally signed rootkits, which is very interesting. This is an ad fraud operation, meaning it runs a browser in the background and clicks adware or ad links, and in that way they make a small amount of money from the machine. It is a very awkward situation when they use such a high-end technique for an ad fraud operation. Anyway, Microsoft's detection name is Detrahere, so I'm going to use that name here. The BitDefender report focused on the adware or ad fraud aspect, but this presentation is more focused on the rootkit aspect of this malware toolkit.

One thing we can notice is that Detrahere was really under the radar for a long time. If you look at the VirusTotal intelligence record, the first file was submitted in September 2017, and at that time only one vendor detected it. It was Malwarebytes, and somehow it correctly identified it as a rootkit agent. But for almost the next nine or ten months there were only six detections out of 67 vendors, and those detections were not even specific; they were suspicious about this file, but not really specific. Just after BitDefender released this report, the detection rate went up. What does that mean? It means this threat was really sneaky for a long time.

If you want two words to describe this threat, they are stealthiness and persistence. This whole presentation will talk about how they are stealthy and how they are persistent. There are three aspects that make it stealthy and persistent. First, it infects other binaries to deliver itself. It is never delivered as a single binary; it always carries other binaries, and whenever the user opens the file, it looks like other third-party programs or the original programs. The other thing is that it installs a kernel driver that hides the other components, so the exposure to the user is really minimal and there is no chance that security products get access to the actual file contents. I will talk about them more later. It also registers itself as a shutdown handler; this one is described well in the BitDefender report. Whenever the system shuts down, if the service is no longer registered, it will register it again, and in that way it regains persistence. It is very tricky to remove this threat from your machine.

There are multiple components in this threat; I named them based on their functionality and some strings found in the binaries. DriverProtect is the main module doing the routine operations: it does the shutdown handler registration, it has the hidden file system that hides the other components from the file system, and it does a lot of anti-analysis and anti-debugging operations. It detects all these industry security products and makes them fail to load or be non-functional. The other component is the user mode process, and this module does the USB file infection, so whenever a new USB drive is inserted, the files on that drive will be infected too. Its other functionality is network traffic injection, which is the main functionality for the ad fraud operation: whenever it gets traffic from some interesting programs, it injects its own JavaScript. This is really well documented in the BitDefender report, so I will not really focus on it. The other one is the C&C operation; it connects to some C&C servers. The other module is netfilter2; this is the core driver that performs the network traffic injection. It is more of a driver based on a commercial product out there. The last component is the U disk manager; that is the name they use internally, and it is more of an anti-remediation component. If some tool tries to remove this threat, this module gets involved and interferes with the removal process.

Let's first talk about the infection and propagation phase. As I said, this threat is very interesting because it spreads through USB drives. I found this just by plugging in my own USB drive and looking at some logs: it was writing back the existing files, and I was really suspicious because the file sizes increased, all these things. Also WD ATP, our product, had really good visibility. If you look at this process tree, this is a process with a random name; this user mode component always has random names so it can work around any detection based on file names. If you look at this process, memtest, this is a file from the USB drive, one of the files; they actually overwrote this file. BitDefender described the initial infection vector as a fake VPN client, but we suspect this USB infection may be one of the reasons that fake VPN client was infected in the first place. This is more speculation. When the file infection happens, the file properties are changed. If it tries to infect notepad, for example, if you look at the signature it was originally signed but it becomes unsigned, because they can't replicate the certificate information, apparently. Also the machine type was originally 64-bit, but they change it to 32-bit because it looks like they only have a 32-bit installer, so they just use 32-bit as a carrier for this threat. All the other descriptions, like "notepad", all this information is fake, and the original 64-bit binary will be dropped and run from the system. If you look at the file structure itself when it is infected, the original file data is embedded inside the BINDATA resource section; they don't even try to hide it. From the original infector, the original payload is searched for using GetModuleHandle; they go through this memory space, find the payload, save it as a temporary file on the system, and run that file. It's a very simple operation. When they run this threat they want administrator privilege, so they will prompt you with the UAC prompt. If the user clicks yes, then, if you look at this process tree under svchost, for example I ran setup.exe, this file will be run as admin. From the process tree it's not really obvious what is happening. So this is how the threat spreads; it is not using really complicated techniques, just a simple tactic of infecting USB drives. Worldwide we are seeing that the prevalence of this malware is really low, and we suspect that's because their propagation tactic or strategy is really weak.

But the interesting part starts with this kernel module. This is some very interesting information. If you look at the certificate that was used for these rootkit drivers, this signer, Hainan City Digital District, this certificate was actually stolen and revoked already. So we might say that's it, because this certificate was stolen but it was revoked, so it can't be used, right? The other very interesting fact is that there is no countersignature. Countersignatures can be described very easily: if someone writes a document, they can fill in any information there, but if you want it to be more official you get it notarized, right? It's the same thing with this certificate. Whenever someone signs some files they can write any information they want, but they get it notarized if they want to make sure this information is really true. There is no countersignature, which means you can't trust the information saved in this signature. The other thing is that this certificate is expired. If you look at the valid from field here: valid from June 27th, 2013 to June 28th, 2014. Now it is 2018; this malware came out in 2017 or so, so this certificate was expired already. This is a very interesting aspect of Windows: when it tries to load kernel drivers, there are a lot of different hardware vendors shipping hardware with really old legacy drivers, so Windows allows some old legacy drivers that were signed before a certain time frame. Everything is documented; I have the link somewhere in this presentation. For these compatibility reasons, if the driver is signed within this past time frame, Windows just allows you to load the driver. This is being discussed a lot in the community right now, and internally. There are some mitigations. If you really want to protect against this kind of threat, the first option is using Windows 10 S mode. In S mode the driver packages have more restrictions; drivers should be signed by Windows or WHQL, they have a restricted set of signers, but for this threat the signer was some random company located in China. The other way you can achieve mitigation is using Windows Defender Application Control policy, formerly known as Device Guard. Using a customized policy you can specify what kind of drivers you want to allow to load on your system; for example you can specify that only WHQL certified drivers are loaded on the system. Those are two mitigations you can put on your system. The next one is not really a strict mitigation but more of a generic approach to limit rootkit activity on your systems: combining Secure Boot with HVCI, now called memory integrity. This will detect any abnormal memory activity happening inside the kernel, like the activity usually used by exploits, allocating shellcode memory; all these activities will be blocked. Plus VBS, virtualization based security. This is a more generic anti-rootkit or anti-exploit approach.

From the detection point of view, this can be a really interesting topic, because with these hardware compatibility issues, just restricting all these drivers is not really practical. The next thing we can do is detect this threat as early as possible when it comes out. For WD ATP in RS5, this is still going on, but certificate telemetry will be improved to include more thorough data, and combined with machine learning we can find this kind of certificate abuse, like revoked and expired certificates, and a vendor that never signed any kernel drivers before suddenly signing some drivers; then we can detect them very quickly. The other very interesting thing is that the signing of these kernel drivers actually happens on the fly on the target system; it's not pre-shipped in the binary. So we see a lot of variants of these signed drivers, and we suspect this is one tactic they are using: just changing the content a little bit, for example changing maybe the last 30 bytes to random content; they change the hash of the file content and generate unique files every time. So it's very tricky to block this threat using hashes. This is one of the ways they evade simple mitigations.

So this is how they load the threat and the technique they're using, but now there is a more interesting fact: it's about persistence, how they maintain persistence. Usually rootkits reside in the kernel, feel very safe and hide everything, so in many cases they don't really care about how they maintain persistence. But in this case this threat is really, really determined to remain on your system. This is a very simple diagram of how the components are connected. When the installation phase happens, the infected program drops and registers the DriverProtect module, the core component of this rootkit operation, and this is the only component that is persistent on the system. This is just a common driver registered on the system; it's very tricky to find that this thing is actually malware, because it has self protection: if the system is live and you try to access this file you get access denied. I will talk about that more later. The other components, and there can be multiple components, I just described three here, and they can download more components, every component will be saved into this hidden, protected file system, so these components are totally hidden from any security program. The way they achieve the ultimate persistence is registering the shutdown handler. A shutdown handler is just a notification hook: whenever the system shuts down, the kernel wants each driver to have a chance to save its state or some information, so each driver can register its own handler, and that way whenever the system shuts down they can save some data. This rootkit registers its own shutdown handler, and whenever the system shuts down it checks whether it is still registered as a driver service, and if it is not, it registers again. The shutdown handler is the last operation that the system performs, so even though your system is disinfected, when you reboot you are instantly reinfected. This is the code that performs this shutdown handler registration, and this is a diagram showing how it works: the DriverProtect module calls this API from the Windows kernel, and the shutdown handler registration happens. Whenever a shutdown event happens the notification is delivered to DriverProtect's registered routine. Even before the shutdown, maybe some security product tried to uninstall this threat by removing this registry key, but when the shutdown happens this shutdown handler kicks in again and registers the registry key again. That is one way they achieve it; this threat sits at the end of the system cycle, so whenever the system shuts down it restores itself. The other way they maintain persistence is changing the group load order list: they make themselves a very early stage of this driver loading order, so they minimize any chance that other security-product related drivers kick in first. They just change this registry key and put themselves as a driver that is loaded right after some built-in drivers.

The good news is that there are multiple other products out there, but if you are using Windows 10, Windows Defender has Windows Defender Offline mode. If you choose advanced scans from the settings menu there is a third option, the Windows Defender Offline scan. If you start this scan it will go through the file system, and if it finds this specific threat it will guide you through the remediation process, through the reboot process, and on the next reboot it will not reboot into your normal Windows operating system but into the Windows recovery partition, load the WDO component there, and remove any threats found on the system. After the system reboot your system will be clean. This is the only reliable way you can remove this threat.

We talked about persistence, how they load these drivers and how they stay there. The other aspect is anti-analysis, anti-debugging and anti-detection. They do a lot of things to prevent you from analyzing this malware. At first when I got this malware sample, even I had a really hard time just making it work and seeing what it was actually doing, because there are too many techniques. I came up with this diagram, and even this diagram looks really complicated; they are really determined to deter any detection or analysis attempt. I can go through each one briefly. On the top there are process creation, module loading and driver loading: system operations. Whenever a security-product related process or some unknown tool, for example WinDbg or Fiddler, comes up, they hook into the process or image load hook and prevent that process from coming up. You will be suspicious of what is happening on this system, but everything is kind of silent; maybe you can try to fix it, but that is how it works. Any file access to this protected storage: they have their own file directory where they save their own drivers or files, and that directory is protected; you can't access those files from user mode. Any process trying to open the user mode process gets access denied, so if you try to debug the target process, even that will not work. The next thing is really critical, because if you want to attach a kernel debugger to the target system using a virtual machine, or even a physical connection, it will detect that connection too and just bugcheck the system. And any callback routines or filter driver routines registered on the system by security products will be nullified.

We can go through them one by one. Anti-analysis tools, process creation callbacks: this is a very simple technique they are using. Whenever they find these patterns in the process names, they suspend the process and kill it. Also, using the image load callback, whenever they find these process names they put NOP code into the entry point; the modules will be loaded but will not perform anything, because the entry point is nullified already. Also any kernel driver loaded on the system, for example they have this list, a lot of them are from security products, Panda or Kaspersky drivers, will be nullified just by putting NOP code into the entry point. Even though they look normal because they are loaded on the system, the entry point is nullified already, so they are non-functional on the system. That is how they were under the radar for a long time: they were disabling all these security products without their knowledge, because it's a really silent operation. There is no telemetry for the vendors to verify what is happening on the system.

The other aspect is anti-detection. This is a very interesting operation they are doing: they are competing with the security products, and they are mimicking security products; that is the point of what they are doing. They learned a lot from what the security products are doing. If you go back to this diagram again, all these system operations here and the DriverProtect operations, the process create notify callback, image load callback, filter driver, process open callbacks, the kernel debugger check, and enumerating some system components: that's what the security products are actually doing. They are just adopting these techniques or tactics from the security products and using them in reverse, attacking security products the same way security products operate. Most of the techniques here are well documented; they are not even using undocumented features of Windows. That's why it's very hard to find these threats: they don't show the anomalies that a shady rootkit would have been showing ten years ago, when they were doing DKOM or SSDT hooking, which was really obvious at the time. This one is very special: whenever these drivers register a filter driver or a process callback, this rootkit neutralizes those callbacks by just putting NOP code at the start of the callback code. It means that even though those security product drivers think everything is intact, their callbacks are registered and they got STATUS_SUCCESS or something, they are actually not working in the kernel. They don't even know that their drivers are not working, because there is no way for them to verify it from a meta perspective. They just don't know what is happening. This is one way they go under the radar for a long time. They have an extensive list of security products, process names, a very long list, and company names, and this sort of key related to the company names, and they're doing the same thing security products do when scanning files: they read the actual files and scan the content with these signatures, strings; it's like a naive signature system. They just go through the file header, and if these things are found, they think the file must belong to this security product, so they don't even need to specify every single file from these vendors.

The other aspect they're using for anti-debugging is detecting the kernel debugger. This is really annoying, because you want to do dynamic analysis of these rootkit modules, but if you attach a debugger your system crashes; then what can you do? It's really challenging to get the first entry point into reverse engineering this threat. The other hurdle is with some of the rootkit kernel drivers. There are multiple kernel drivers, and some versions are packed with the VMProtect product, which is really hard to break; it's an obfuscation technique. Anyway, if you just run it on the system it will unpack the code itself, but the mitigations don't work because it doesn't allocate new memory; it just overwrites its own image on the fly, so you do not trigger any security mitigation in the kernel.

Another very interesting fact: I talked about three kernel modules. The first one is DriverProtect, the main anti-analysis module. The next one is netfilter2, which does the network packet injection. The third one is a very weird one, the U disk manager. I was really curious what it was doing; it's a really small module, but it is just targeting one security product. It interferes with any file write operation on this file, fixlist.txt. If you look at this driver code there is fixlist.txt; this module is all about this file. Whenever this file is found during the file system filtering operation it goes through some logic, and if it is a write operation it fills the buffer with NULLs. So if you try to write some file content into this specific file name, it will always be filled with NULLs. It turned out this file is actually used by the Malwarebytes Farbar Recovery Scan Tool, FRST. Looking back to the previous slide, I said Malwarebytes was one of the first vendors who detected this threat. The only way to recover this system is using this Windows recovery mode or the new boot system. I'm not really familiar with this tool, but it looks like this is one of the tools that can perform this recovery, and I think the fixlist might contain the files that should be removed or recovered, but because this file itself is prevented from being written on the system, this whole process is interfered with. So it looks like this specific driver is just targeting one vendor.

So we talked about the anti-analysis, anti-security product and anti-debugging features. The next one is the hidden file system. I'll go through this quickly because it's really obvious. Every file is hidden from user processes through the filter driver, and even if you acquire these files through forensic analysis, the files are intentionally broken, just by modifying two bytes in the PE header; when they are loaded, they fix up the PE header. The other very interesting fact is that when they load a user process, it is not loaded from the usual process; they inject the process from the kernel, and they go through the whole process of resolving internal symbols and allocating process memory and thread memory themselves. It's really something the core techniques are using. I suspect this is how they want to avoid any suspicious detections from security products; that is just speculation. In this hidden file system they have this category of protected files; whenever some files are under this category they return access denied, so from the user mode perspective you can't access these modules, and if you look at these two drivers they registered, they are regarded as non-existent files. The good thing is that some security products like WD ATP, because they operate in kernel space, have clear visibility into driver loading and all these operations, and for the user mode operations WD ATP has good visibility too.

The last part is network traffic injection; this is the core functionality of this rootkit. The thing I suspected is that they ported the netfilter2 module. There is a company, netfiltersdk.com, that sells this filter. If you look at this property information: NetFilter SDK WFP driver, and there is a version number. Based on their web page information, the filtering is fully transparent and you can change TCP and UDP packets on the fly without redirecting the traffic, so I think this is more of a transparent proxy. The thing is that you can't put all this logic into the driver, it's too much, so the user mode process reads the data from the netfilter2 driver using IOCTLs and everything is done inside userland. They detect specific patterns in the data, inject data on the fly into the stream, write back the data, and netfilter2 passes the data on. That is how the injection is done. We believe the malware writers have access to the netfilter2 driver source code, because the source code is slightly modified and doesn't match any other driver files we found in the wild. The other thing is that they really want to hijack HTTPS traffic too, so they installed their own root certificate; from WD ATP you can see that it modified the root certificate store.

Our conclusion: this threat, Detrahere or Zacinlo, is a threat that intercepts network traffic on a machine to inject ads; that is the core effect. But it has multiple self protection mechanisms like the hidden file system, anti-analysis, anti-debugging, anti-security product and anti-recovery. There are multiple very customized anti-security product or anti-analyst features. The other thing is that it abuses features in the Windows driver verification process, and they can also use stolen and revoked certificates; before, only stolen certificates could be used, but now even though they are revoked they can still be used, so there is a difference. WD ATP has really good visibility into these activities. Your security products should run inside the kernel, not in userland, because userland can always be deceived by this rootkit threat, and we are seeing more and more rootkits appearing using similar techniques. WDO can be used to fully remediate this kind of threat. That's it. There are C&C servers and IOCs, and I think these slides will be shared later. Any questions? Thank you.

Host: We have mic runners on both sides of the room. Number three.

Question: Thanks for the presentation. One question about memory forensics: following your presentation, you didn't mention anything that would lead to defense techniques regarding memory forensics. Is that true?

Answer: Yes. Basically everything is extracted and unfolded in memory, so if you dig into the memory you have a really clear view of what it is. Using Volatility or Rekall should work in terms of detecting it. The thing is that it's not really using any traditional rootkit technique; they are using public APIs, all these techniques, so it is not really easy to determine whether this one is malicious or not. That is the only problem.

Question: Okay, thanks.

Host: Mic four.

Question: Thank you for the incredible presentation. On the HTTPS interception, what is the name of the certificate, and can you use the Sysinternals utility to dump all the certificates and check against Microsoft's to find this malicious one?

Answer: Yes. It was also mentioned in the original BitDefender report; it was "secure network" or... I don't remember the actual name, "secure" something. I can put it in the slides.

Question: Thank you.

Question: Thanks for a great presentation. On the analysis picture, the feature that you can load drivers signed with a revoked certificate: why? Maybe I missed that part. I do understand the argument that we allow some old signed drivers for backward compatibility, but is the normal certificate validation process not working in the kernel, so that someone can load a driver with a revoked certificate?

Answer: I'm not the best person to answer that; I'm more of a security researcher. This is one of the features in Windows 10 for backward compatibility reasons, and there are a lot of different vendors; some vendors do this, other vendors do that; it's really hard to control what they are doing in many cases, and my basic understanding is that this is the root cause of the issue.

Host: Thanks. Mic four.

Question: Thank you for the great presentation. I actually have two questions. The first one: this is a very complex piece of rootkit, so it's very unusual for it to be associated with simple malware like ad malware. Have you noticed from telemetry that it is distributing much more complex malware? That's the first question.

Answer: More complex than the ad malware? Yeah, a lot of effort. It's a really weird aspect of this malware, because it's using a really high-end technique but what they are doing is just injecting ads. What I focused on is the techniques they are using to protect against all these security products, so I didn't have much time to investigate whether there are other activities it is doing. I trust what BitDefender found, but the point is that this technique can be used for other operations too, possibly APT or something more serious.

Question: Okay, so I think it is a kind of wake-up call for security vendors: they can be nullified and they totally don't know about it for years.

Answer: Yeah, that is possible, because this one is just putting two bytes in the callbacks; how can you know that you are actually tampered with? That's one way they can defeat a lot of security products.

Question: Okay, so that leads to the second question: was Windows Defender ATP in the list of security products whose driver the malware would try to kill, and if it's in this list, how would it protect itself from having its driver entry overwritten?

Answer: I don't believe it was on the list, but we have an anti-tampering team in our group, he's here, so we have a lot of ideas how we can detect these rootkit activities. Thank you.

Host: I think we have time for one more question. Are there any questions online? Okay, mic three.

Question: It's pretty great that WD ATP was able to catch some of this stuff from a kernel view. I'm just curious: at the beginning of the talk you said "the rise" or "the return" of kernel-mode rootkits. Other than this one instance in the telemetry of WD ATP, are you seeing an increase in kernel mode activity and attack techniques across all of our tenants, across the fleet that WD ATP is deployed on?

Answer: We see very interesting things happening from our clients, but obviously we can't talk about it, right? But there are a lot of interesting things that happen
actually so yeah that's what I can tell well let's thank our speaker again and thank you