LAST-MINUTE PAPER: Modern bootkit trends: bypassing kernel-mode signing policy

Eugene Rodionov ESET
Aleksandr Matrosov ESET

The Microsoft Windows x64 platform is considered to be more secure than the x86 one. Indeed, there are several security enhancements that were introduced in 64-bit Windows OSs such as kernel-mode code signing policy and kernel-mode patch protection. The first mechanism prevents the loading of unauthenticated code into kernel-mode address space since each kernel-mode module is required to be digitally signed. The second enhancement makes it harder to modify kernel-mode structures such as SSDT (System Service Dispatch Table), MSR (Machine State Register) and so on, which are targeted by rootkits. All these steps should reduce the number of complex threats which use advanced techniques to stay hidden in the system for a long time and perform malicious activities.

Nevertheless, in recent times a new population of threats has appeared which is capable of bypassing the aforementioned security measures. The malware is able to load its malicious unsigned driver and therefore penetrate kernel-mode address space even though kernel-mode code signing policy and patch protection are enforced. This is achieved by loading before the operating system gains control at system startup. The malware uses well-known techniques dating back to boot viruses from the MS-DOS era, since such techniques offer the only possible ways of getting executed before the OS kernel starts.

In this presentation we focus on the techniques the malware employs to bypass the kernel-mode code signing policy. We discuss the different methods in use, drawing on examples of contemporary bootkits in the wild:

  • Win64/Olmarik (TDL4)
  • Win64/PSW.Papras
  • Win64/TrojanDownloader.Necurs (rootkit dropper)
  • NSIS/TrojanClicker.Agent.BJ (rootkit dropper)

While discussing such methods as abusing WinPE mode, using test signing certificates and directly patching OS modules, we will also pay close attention to the design principles of the boot loader components which make it possible to bypass the security measures. Since the most difficult thing the malicious boot code deals with is retaining control after the transition into protected mode, we elaborate on this from the point of view of OS security.
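As an added defender-side check (example code written for this page, not from the paper or ESET), the following Python parses `bcdedit /enum` output and flags any boot entry in which the `testsigning` or `winpe` options named above are enabled; the sample output is constructed, and the live mode assumes an elevated Windows shell.

```python
import re, subprocess

# Constructed sample of `bcdedit /enum` output (not captured from a real host).
SAMPLE_BCD = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
path                    \\Windows\\system32\\winload.exe
description             Windows 7
testsigning             Yes
winpe                   Yes
"""
# BCD elements the abstract names as abused; each switches off the signing check.
RISKY = {
    "testsigning": "test-signed (untrusted root) drivers are accepted",
    "winpe": "WinPE boot mode, in which driver signing is not enforced",
}

def parse_bcd(text):
    """Return one dict per boot entry: element name -> value, plus '_type'."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # blank line or underline row
        m = re.match(r"^(\S+)\s{2,}(\S.*)$", line)
        if m and current is not None:     # "element   value" row
            current[m.group(1).lower()] = m.group(2)
        else:                             # section heading starts a new entry
            current = {"_type": line}
            entries.append(current)
    return entries

def risky_entries(entries):
    """List (identifier, element, reason) for each enabled risky element."""
    return [(e.get("identifier", "?"), flag, why)
            for e in entries for flag, why in RISKY.items()
            if e.get(flag, "").lower() == "yes"]

def audit(text=None):
    """Audit the given text, or the live BCD store (Windows, elevated) if None."""
    if text is None:
        text = subprocess.run(["bcdedit", "/enum"], capture_output=True,
                              text=True, check=True).stdout
    return risky_entries(parse_bcd(text))
```

A finding on a production host does not prove infection, but either option means the kernel will accept drivers that the signing policy would otherwise reject, so it warrants investigation of how the setting got there.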
