Bootkits and Rootkits

A good read that covers bootkits and rootkits, as well as the different variants of such malware. It details how these malware achieves persistence by embedding themselves deep into the boot phase of the machine. Doing so, it will bypass most application level anti-viruses.

A Bootkit is a malware to modify the boot process of the machine so that it gains persistence. A Rootkit is a malware that operates at “root level” which is typically hidden, and has various functionalities. A Bootkit is a type of Rootkit that modifies the boot process.

There are a few key concepts that pertains to bootkits and rootkits:

Evasion through Analyzing the Environment

Malwares are able to detect if they are running in a sandboxed environment, and if they do, they will not execute, thus not revealing their capabilities to the forensic analyst.

Anti-VM techniques include checking the ebx register which contains the value of VMX, which is 1 when it’s in a VM, and 0 when it’s not.

The malware can also look for the presence of npf.sys (network packet filter) driver, which indicates that the network is being monitored, and there is a high chance that it’s being analyzed

Anti-Debugging techniques checks for the presence of a kernel debugger by examining KdDebuggerEnabled variable exported from the OS. It will be TRUE if a system debugger is attached to the system.

Evasion through Hooking Functions

Another way to hide itself from analysis is to prevent itself from showing up in the first place. This can be done by hooking functions that list or show processes or files, and modifies them to remove the malware from any of such entries, thus not revealing itself to any processes.

Malwares can intecept

  • System Events
  • System Calls
  • File Operations
  • Object Dispatchers

Evasion through Self-Sufficiency

Most malware can Live of the Land (LOL), but to evade security software that monitors the network, malwares can come with their own custom TCP/IP stack

Different Attack Vectors

A malware can attack various parts of the boot process to achieve persistency

  1. MBR (Master Boot Record)
  2. VBR/IPL (Volume Boot Record)/(Initial Program Loader)

The MBR (Master Boot Record) is a data structure that contains a partition table to hold information about where the OS is stored. The Malware can either change the entire MBR, or only data within the partition table.

VBR/IPL attacks modify the VBR or IPL code which performs hooking of several functions to gain persistency.

Delivery

Most of such malware involves a dropper, which is a first-stage malware that downloads the actual malware to run on the system

UEFI and Secure Boot

UEFI (Unified Extensible Firmware Interface) is an improvement over the older BIOS way of booting up a machine, and it acts as an interface between the OS and the firmware.

Secure Boot is only available on UEFI mode, and not UEFI CSM (Compatibility Support Mode), which support legacy BIOS boot process.

The flow from MBR to VBR is completely eliminated in UEFI, and it has its own boot code.

BIOS boot code -> MBR -> VBR -> Boot Manager -> OS Loader -> Load Kernels and Drivers

UEFI boot code -> UEFI Boot Loader -> OS Loader -> Load Kernels and Drivers

UEFI uses GUID Partition Table (GPT), while BIOS uses MBR-styled partition tables

UEFI runs almost all of its code in protected mode, while BIOS is protected only at the OS Loader phase, which leaves the BIOS boot code, MBR and VBR vulnerable. This make UEFI many times more protected against rootkits and bootkits.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: