boot kit

Upload: harsha-rao

Post on 04-Apr-2018


  • 7/31/2019 Boot Kit

    1/5

    BootKits

    Boot sector viruses strike back

    Jérémy BOUTARD, Loïc GUEGUEN, Camille MONCELIER, Thibault ROUAT

    January 13, 2009

    Contents

    Introduction 1
    1 What is a Rootkit? 2
    2 What is the difference between a rootkit and a bootkit? 2
    3 How does an operating system boot? 3
    3.1 What is a bootloader? 3
    3.2 How does GRUB work? 3
    3.3 What can we do at this level? 3
    4 Existing bootkits 4
    4.1 eEye BootRoot 4
    4.2 VBootkit 4
    4.3 VMBR 4
    4.4 Blue Pill 4
    Conclusion 4
    References 5

    Introduction

    Today, one of the most powerful types of malicious code is the "rootkit". Rootkits allow an attacker to keep unrestricted access to an infected computer. Many products and techniques can find and remove this kind of malware. A new subclass of rootkit can obtain stealthier access by taking its place before the OS kernel. These are called bootkits, as they are loaded during the boot.

    To understand how they work and which forensic techniques could find them, we will first write a state of the art on bootkits. We will explain what a bootkit is, how it works, which bootkits can be found in the wild and, at the end, how a rootkit infection could be prevented.


    1 What is a Rootkit?

    A rootkit is, more often than not, a malicious piece of software. Such software is designed to provide administrator rights on an operating system without the consent of the system owner. A rootkit cannot infect a system by itself: to compromise a system it needs administrator rights. This is why some rootkits come with an assortment of exploits to take over a machine and install the rootkit.

    A rootkit's aim is stealth: it can hide processes, files, network connections, etc. Rootkits can also contain programs like keyloggers, network sniffers, etc. In order to fool the entire operating system, rootkits inject themselves into the operating system by installing malicious drivers or kernel modules, or by directly modifying core system files. These rootkits are especially hard to detect because, while they are running in privileged mode, they can intercept any operation of the operating system. Software running on a compromised system, such as an antivirus or a firewall, cannot be trusted anymore.

    Because the rootkit makes changes to the operating system, it can be detected using rootkit detectors. In order to accurately find rootkits, these detectors use heuristics and/or signatures. These detectors should run from trusted media, such as a live CD: when running from a live CD, the rootkit is not executed by the operating system and cannot hide from the detection tool.

    2 What is the difference between a rootkit and a bootkit?

    Do you remember the time when boot sector viruses were in the wild? When it was dangerous to leave a floppy in the drive while booting? If you thought that these viruses were a thing of the past, you are wrong!

    Boot sector viruses are back on track. They can be a lot trickier to detect: since they are loaded during the early stages of the OS initialization, the antivirus cannot be trusted. They can be installed easily, since on some operating systems (the Windows NT family) the MBR can be modified from user mode [4] [10], and BIOS MBR protection is often disabled or unavailable.

    Bootkits, as the name suggests, are rootkits which reside in the boot sector. eEye BootRoot [11] is a proof of concept, which will be discussed later, showing a Windows backdoor in the boot sector. We can also think of a bootkit attacking GRUB [1], allowing an attacker to load a different kernel than the one specified in the GRUB configuration file. An article describing this technique can be found on the Phrack website [2]. There are even trickier techniques involving hiding a backdoor inside the ACPI subsystem [5], inside a PCI card [6], or running the operating system inside a malicious hypervisor [12].


    3 How does an operating system boot?

    3.1 What is a bootloader?

    On every personal computer there is a little program called the bootloader which, as its name says, loads an operating system from a kernel image, performing some hardware and software checks. For Windows, when it is installed alone, this boot loader is called NTLDR (NT Loader), but we will discuss Linux operating systems and their main boot loader, GRUB, standing for GRand Unified Boot Loader.

    To give a simple explanation of our topic, we have to begin from the machine's power-on. The first software that runs on the booting machine is the BIOS, embedded in a chip on the system motherboard. It checks the hardware configuration and, if the checks pass, looks for a hard drive to boot from and gives control to the MBR (Master Boot Record) of this hard drive, which corresponds to the first 512 bytes of the drive.

    3.2 How does GRUB work?

    Here comes the main role of GRUB, nowadays the default (and strongest) Linux boot loader. Since the MBR is small (512 bytes, as you know), GRUB splits its boot process into several stages. The first one, named stage1, is stored in the MBR and loads the other stages from the disk (in order to load kernel images); this is why GRUB is called an advanced boot loader. To find the stage files on the disk, GRUB embeds several modules such as disk input/output, string handling, and one that will be interesting for us: ext2/3 file system handling. So stage1 loads either stage1.5 if present, or stage2 directly if stage1.5 is missing. Then the boot menu is displayed and the user chooses an operating system from the grub.conf configuration file on the disk.
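    The chain above (BIOS hands control to the 512-byte MBR, whose bootstrap area carries GRUB stage1) is exactly what a forensic check has to inspect. The following Python is an added example, not part of the original paper: it parses a constructed MBR image and compares the boot code against a baseline hash, flagging a modified stage1; offsets follow the standard MBR layout (446 bytes of code, four 16-byte partition entries, 0x55AA signature), and all input bytes are constructed.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446    # bytes 0..445: bootstrap code, where GRUB stage1 lives
PART_TABLE_OFF = 446   # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510    # bytes 510..511 must be 0x55 0xAA

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, partition table and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack_from("<H", mbr, SIGNATURE_OFF)[0]
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": partitions,
            "signature_ok": signature == 0xAA55}

def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Compare the boot code against a known-good hash taken at install time.
    Partition entries may change legitimately; the bootstrap code should not."""
    info = parse_mbr(mbr)
    digest = hashlib.sha256(info["boot_code"]).hexdigest()
    return {"signature_ok": info["signature_ok"],
            "boot_code_sha256": digest,
            "boot_code_matches": digest == baseline_sha256}

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: padded boot code, one bootable Linux partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"

# Constructed inputs: a "clean" MBR whose boot code hash is recorded as the baseline,
# and a copy with one byte of the boot code flipped, as a bootkit install would leave.
CLEAN = build_sample_mbr(b"\xEB\x48\x90" + b"constructed stage1 stub")
BASELINE = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()
_t = bytearray(CLEAN)
_t[0x40] ^= 0xFF
TAMPERED = bytes(_t)

if __name__ == "__main__":
    # On a real system read the first 512 bytes of the disk (e.g. open("/dev/sda", "rb"))
    # from trusted media such as a live CD, so the running OS cannot lie about them.
    print(check_mbr(CLEAN, BASELINE)["boot_code_matches"])     # True
    print(check_mbr(TAMPERED, BASELINE)["boot_code_matches"])  # False
```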

    3.3 What can we do at this level?

    Previously, we have seen that GRUB displays operating systems from a configuration file. The aim here is to force it to load our code, without any configuration file modification! But we have to do that before stage2 ends, to avoid any OS verifications. We will focus on the stage loading: we know that GRUB loads an ext2/3 file system handler (e2fs_*) and is able to read the GRUB configuration file. So we could play with file inodes in order to change the physical file pointed to on the disk (as mentioned in Hacking GRUB for fun and profit [2]). Then, to limit side effects, we need to go deeper into the assembler code and be careful with jumps, so as to proceed as we want afterwards...


    4 Existing bootkits

    4.1 eEye BootRoot

    eEye BootRoot is a project presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh of the eEye Digital Security company, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads. The eEye BootRootKit is a boot sector-based NDIS backdoor that demonstrates the implementation of this technology. It is easily detected by most antivirus products. [3]

    4.2 VBootkit

    VBootkit is a proof of concept bootkit for the latest Microsoft® OS: Windows Vista. This bootkit can escalate cmd.exe to system privileges every 30 seconds. It can do everything that user software can; because it becomes part of the kernel, it can do what the core of Vista can do. [8]

    4.3 VMBR

    Another proof of concept, VMBR is a rootkit that installs itself as the host of a virtual machine in which the existing OS runs. It supports both Linux and Windows platforms. VMBRs are harder to detect than other rootkits due to their nature of running underneath an existing OS, but they are also harder for intruders to develop and install. A VMBR can communicate with the target OS, but this is not necessary. The team that actually developed a VMBR was able to manipulate LEDs on some computers via the system BIOS to fool users into thinking a system was shut down when in fact it was not! [7]

    4.4 Blue Pill

    It is a project presented at the Black Hat Briefings 2006 in Las Vegas on August 3rd and stopped a few months later. But in April 2007 another team of researchers decided to redesign and write from scratch the New Blue Pill rootkit, so that it would be possible to use it for further research and for educational purposes. The new code was based on a different architecture, with a virtualization approach such as Xen 3. [9]

    Conclusion and goal for our project

    There are a lot of methods to hide a bootkit (ACPI, PCI, hypervisor) and techniques to install them. Now we have found out how a bootkit works and how to hide/find it in the system. The next step for a good understanding of this concept will be to write our own bootkit.

    As most existing bootkits target Windows, our goal will be to find a way to hack GRUB in order to dynamically patch the GNU/Linux kernel as it loads. This will allow us to inject custom code into the kernel and survive kernel updates.


    If we have enough time, we will also try to find a solution to allow our bootkit to survive GRUB updates.

    References

    [1] GRUB: GRand Unified Bootloader. URL http://www.gnu.org/software/grub/.

    [2] CoolQ. Hacking GRUB for fun and profit. Phrack, 2005. URL http://www.phrack.com/issues.html?issue=63&id=10&mode=txt.

    [3] eEye Digital Security. URL http://research.eeye.com/html/tools/RT20060801-7.html.

    [4] Elia Florio. From BootRoot to Trojan.Mebroot: A rootkit in your MBR! 2008. URL https://forums.symantec.com/syment/blog/article?message.uid=305374.

    [5] John Heasman. Implementing and detecting an ACPI BIOS rootkit, 2006. URL http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf.

    [6] John Heasman. Implementing and detecting a PCI rootkit, 2006. URL http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf.

    [7] Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, and Jacob R. Lorch. SubVirt: Implementing malware with virtual machines, 2006. URL http://www.eecs.umich.edu/Rio/papers/king06.pdf.

    [8] Nitin Kumar and Vipin Kumar. VBootkit: Compromising Windows Vista security. Black Hat Europe, 2007. URL http://www.nvlabs.in/uploads/projects/vbootkit/vbootkit_nitin_vipin_whitepaper.pdf.

    [9] Invisible Things Lab. Blue Pill project, 2007-2008. URL http://bluepillproject.org/.

    [10] Paul Laudanski. Stealth MBR rootkit, 2008. URL http://www2.gmer.net/mbr/.

    [11] Derek Soeder and Ryan Permeh. eEye BootRoot: A basis for bootstrap-based Windows kernel code. Black Hat Europe, 2006. URL http://research.eeye.com/html/Tools/download/eeyebootroot.zip.

    [12] Dino Dai Zovi. Hardware virtualization based rootkits. Black Hat USA, 2006. URL http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Zovi.pdf.
