LAST-MINUTE PAPER: Modern bootkit trends: bypassing kernel-mode signing policy

Eugene Rodionov ESET
Aleksandr Matrosov ESET

  download slides (PDF)

The Microsoft Windows x64 platform is considered to be more secure than the x86 one. Indeed, there are several security enhancements that were introduced in 64-bit Windows OSs such as kernel-mode code signing policy and kernel-mode patch protection. The first mechanism prevents the loading of unauthenticated code into kernel-mode address space since each kernel-mode module is required to be digitally signed. The second enhancement makes it harder to modify kernel-mode structures such as SSDT (System Service Dispatch Table), MSR (Machine State Register) and so on, which are targeted by rootkits. All these steps should reduce the number of complex threats which use advanced techniques to stay hidden in the system for a long time and perform malicious activities.

Nevertheless, in recent times a new population of threats has appeared which is capable of bypassing the aforementioned security measures. The malware is able to load its malicious unsigned driver and therefore penetrate kernel-mode address space even though kernel-mode code signing policy and patch protection are enforced. This is achieved by loading before the operating system gains control at system startup. The malware uses well-known techniques dating back to boot viruses from the MS-DOS era, since such techniques offer the only possible ways of getting executed before the OS kernel starts.

In this presentation we focus on the techniques the malware employs to bypass the kernel-mode code signing policy. We discuss different methods in use based on examples of the contemporary bootkits in the wild:

  • Win64/Olmarik (TDL4)
  • Win64/PSW.Papras
  • Win64/TrojanDownloader.Necurs (rootkit dropper)
  • NSIS/TrojanClicker.Agent.BJ (rootkit dropper)

While discussing such methods as abusing WinPE mode, using test signing certificates and directly patching OS modules, we will also pay close attention to the design principles of the boot loader components which make it possible to bypass the security measures. Since the most difficult thing the malicious boot code deals with is retaining control after transition into protected mode, we elaborate on this from the point of view of OS security.



VB Conferences
VBConnect

VB2016 (Denver)

VB2015 (Prague)

VB2014 (Seattle)

VB2013 (Berlin)

VB2012 (Dallas)

VB2011 (Barcelona)

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)


‘Very useful and enjoyable, with unparalleled networking.’


Advertisement
Jobs Career Sidebar