A good read that covers bootkits and rootkits, as well as the different variants of such malware. It details how these malware achieves persistence by embedding themselves deep into the boot phase of the machine. Doing so, it will bypass most application level anti-viruses.
A Bootkit is a malware to modify the boot process of the machine so that it gains persistence. A Rootkit is a malware that operates at “root level” which is typically hidden, and has various functionalities. A Bootkit is a type of Rootkit that modifies the boot process.
There are a few key concepts that pertains to bootkits and rootkits:
Evasion through Analyzing the Environment
Malwares are able to detect if they are running in a sandboxed environment, and if they do, they will not execute, thus not revealing their capabilities to the forensic analyst.
Anti-VM techniques include checking the ebx register which contains the value of VMX, which is 1 when it’s in a VM, and 0 when it’s not.
The malware can also look for the presence of npf.sys (network packet filter) driver, which indicates that the network is being monitored, and there is a high chance that it’s being analyzed
Anti-Debugging techniques checks for the presence of a kernel debugger by examining KdDebuggerEnabled variable exported from the OS. It will be TRUE if a system debugger is attached to the system.
Evasion through Hooking Functions
Another way to hide itself from analysis is to prevent itself from showing up in the first place. This can be done by hooking functions that list or show processes or files, and modifies them to remove the malware from any of such entries, thus not revealing itself to any processes.
Malwares can intecept
- System Events
- System Calls
- File Operations
- Object Dispatchers
Evasion through Self-Sufficiency
Most malware can Live of the Land (LOL), but to evade security software that monitors the network, malwares can come with their own custom TCP/IP stack
Different Attack Vectors
A malware can attack various parts of the boot process to achieve persistency
- MBR (Master Boot Record)
- VBR/IPL (Volume Boot Record)/(Initial Program Loader)
The MBR (Master Boot Record) is a data structure that contains a partition table to hold information about where the OS is stored. The Malware can either change the entire MBR, or only data within the partition table.
VBR/IPL attacks modify the VBR or IPL code which performs hooking of several functions to gain persistency.
Delivery
Most of such malware involves a dropper, which is a first-stage malware that downloads the actual malware to run on the system
UEFI and Secure Boot
UEFI (Unified Extensible Firmware Interface) is an improvement over the older BIOS way of booting up a machine, and it acts as an interface between the OS and the firmware.
Secure Boot is only available on UEFI mode, and not UEFI CSM (Compatibility Support Mode), which support legacy BIOS boot process.
The flow from MBR to VBR is completely eliminated in UEFI, and it has its own boot code.
BIOS boot code -> MBR -> VBR -> Boot Manager -> OS Loader -> Load Kernels and Drivers
UEFI boot code -> UEFI Boot Loader -> OS Loader -> Load Kernels and Drivers
UEFI uses GUID Partition Table (GPT), while BIOS uses MBR-styled partition tables
UEFI runs almost all of its code in protected mode, while BIOS is protected only at the OS Loader phase, which leaves the BIOS boot code, MBR and VBR vulnerable. This make UEFI many times more protected against rootkits and bootkits.