The latest, most nefarious and sophisticated rootkit out there. A little insight into the functions of this rootkit and how it bypasses Windows Driver Signing Policy.
Bootkit Technique - It makes use of this technique to infect the Master Boot Record (first sector of your hard disk). The result being, it can load even before your Operating System loads.
How do you check your MBR contents? There's a wide variety of tools. You can use HD Hacker 1.4 if you prefer to go for the GUI.
However, if you have a Linux Copy, then you can, use the following command to view the contents of your MBR:
First Run: fdisk -l and not down the name of your hard disk device.
dd if=/dev/sda count=1 | hexdump -C | more
It will display the MBR contents in hexdump.
Encrypted File System - This rootkit has it's own encrypted file system. It is encrypted using RC4 encryption algorithm. The latest variant has it's own encryption algorithm, using XOR swaps. The rootkit writes it's files to the last sectors of the hard disk.
Driver Signing Policy Bypass - This rootkit infects the x64 version of Windows OS as well. These OS have a Driver Signature Enforcement Policy turned on. This will prevent any unsigned driver to be loaded during the boot process.
Developers actually need to pay Microsoft so that they can verify their drivers and sign them before these softwares/hardwares can be used with Windows x64 Systems.
To check whether your driver is signed or not. Run the Verifier command in CLI.
How it works?
Winload.exe is the windows executable which loads the Windows Kernel along with other dependencies like hal.dll and kdcom.dll. It also reads the Boot Configuration Data to determine whether or not the digital signature of the drivers have to be verified.
This rootkit infects the kdcom.dll and replaces the original one. However, the infected kdcom.dll is not signed. To be able to load this unsigned file successfully, the rootkit swaps 2 flags in BCD. The BCDLibraryBoolean_EMSEnabled is swapped with BCDOSLoaderBoolean_WinPE.
EMS - Emergency Management Services, a feature added by Microsoft in Windows 2003 which allows remote management and remote system recovery of the server in the event of it becoming unresponsive and inaccessible using standard network connections.
WinPE - Windows Pre Installation Mode.
Windows does not verify the digital signature of the drivers in Pre Installation Mode. This fact is exploited by the rootkit.
This will allow the infected kdcom.dll file to be loaded.
When does winload.exe load kdcom.dll?
The infection must start when kdcom.dll is being loaded by winload.exe. The rootkit will try to load it's infected version instead of the original kdcom.dll file. To be able to detect this point in the loading process, it makes use of a Signature Scan.
The rootkit uses the kdcom.dll's PE export directory data size as the signature to detect when kdcom.dll is being loaded. Once detected, the infection process starts.
What Microsoft has done so far?
In order to patch the above loopholes, Microsoft released a patch in April which patches the winload.exe and kdcom.dll. Winload.exe now verifies the digital signature of the drivers irrespective of whether it is being loaded in the WinPE mode or not.
kdcom.dll's PE export directory data size is modified and now changed to a different value to evade TDL-4's signature scan. This workaround is not impressive. Since, the rootkit authors can merely update the signature scan in their code to look for the new value.
Prevent the OS to load in WinPE mode
The rootkit changes the Boot Configuration Data to load OS in WinPE mode only for the purpose of bypassing Windows Driver Signing Policy to load infected modules like kdcom.dll. However, it must prevent the OS itself from loading in WinPE mode. To do this, we need to see what exactly happens when the OS loads in WinPE mode.
Windows passes a /MININT flag to the kernel while loading in the WinPE mode. This process is intercepted by the rootkit and the flag is replaced by IN/MINT. As Windows Kernel doesn't recognize this string, Windows is loaded normally with driver signing functionality enabled again.
/MININT is the switch passed to kernel in Windows Preinstallation Mode so that Registry System Hive is loaded in volatile mode and changes made to it in memory are not saved back to the hive image.
TDL-4 Rootkit updated
To bypass the latest patch developed by Microsoft, rootkit authors have made several modifications to rootkit.
Winload.exe verifies the digital signature of the drivers irrespective of whether the OS is being loaded in the WinPE mode or not. If the driver's integrity check fails, an NTSTATUS error code is returned to the Kernel. The security routine which checks the Digital Signature is intercepted by the rootkit and it modifies this error code to a non existent error code.
The winload function patched by rootkit is: I_CheckImageHashInCatalog.
Listening now: 009 Sound System - Born To Be Wasted
Botnet Bitcoin Mining - Just Another Devious Way to use Botnets
Sunday, October 09, 2011
| Author:
Deep Flash
Botnets are an army of compromised machines over the net which can be controlled by a Hacker using a command and control server. There are many ways of utilizing the Botnets.
Hackers have been using Botnets to provide services such as an Anonymous Proxy Service for quite some time. For a reasonable fee per month, they allow you to use the Botnets to surf the internet anonymously. While the end user is not aware of what exactly is the proxy served to them, it could be a compromised machine on the network which is acting as a proxy.
Recently, the TDSS rootkit has widespread to millions of computers and is considered as one of the most sophisticated rootkit ever developed. One of the primary reasons of it's invincible persistence is the way it manifests itself on your machine.
It makes a place for itself in your Master Boot Record. By doing this, it's able to load itself from the first boot sector of your hard drive even before your Operating System loads. This is also a reason for the TDL-4 rootkit to be known as a bootkit.
Kaspersky Labs have developed a small utility which allows you to remove the TDSS rootkit. It's called the TDSS Killer. The most recent variant of the TDSS rootkit (TDL v4.2) still remains persistent though.
Speaking of the ways Botnets have been used by Hackers for commercial purposes. Besides providing Anonymous Proxy Service to naive internet users, they are also used to commit Click Fraud.
Here, huge campaigning lists are download to the victim's machine by the rootkit and it visits these advertisement sites in the background. This way, they can generate a lot of revenue within a short duration.
Apart from all the above devious ways in which Hackers have used Botnets till date. The most recent and innovative way is to use these Botnets for Bitcoin Mining.
Trojans such as Trojan.CoinBitMiner were used to mine for Bitcoins on victim's machine using their CPU Computing Power. But as we know, the performance of GPUs is better than CPUs by a factor of almost 100 for Mining, the latest Trojans use the GPU Computing Power of the victim's machine instead.
Trojan.BadMiner is one among these latest category of Trojans which detects your Hardware and looks for any Graphics Cards installed. If it finds a GPU running on the victim's machine, an appropriate miner such as Phoenix Miner is downloaded and setup for mining.
If no GPU is found on the machine, then an RPC Miner is downloaded which uses the CPU Computing Power.
By doing so, hackers are now able to utilize the distributed computing power of Botnets to mine Bitcoins at a rate unimaginable for a single machine owner.
Hackers have been using Botnets to provide services such as an Anonymous Proxy Service for quite some time. For a reasonable fee per month, they allow you to use the Botnets to surf the internet anonymously. While the end user is not aware of what exactly is the proxy served to them, it could be a compromised machine on the network which is acting as a proxy.
Recently, the TDSS rootkit has widespread to millions of computers and is considered as one of the most sophisticated rootkit ever developed. One of the primary reasons of it's invincible persistence is the way it manifests itself on your machine.
It makes a place for itself in your Master Boot Record. By doing this, it's able to load itself from the first boot sector of your hard drive even before your Operating System loads. This is also a reason for the TDL-4 rootkit to be known as a bootkit.
Kaspersky Labs have developed a small utility which allows you to remove the TDSS rootkit. It's called the TDSS Killer. The most recent variant of the TDSS rootkit (TDL v4.2) still remains persistent though.
Speaking of the ways Botnets have been used by Hackers for commercial purposes. Besides providing Anonymous Proxy Service to naive internet users, they are also used to commit Click Fraud.
Here, huge campaigning lists are download to the victim's machine by the rootkit and it visits these advertisement sites in the background. This way, they can generate a lot of revenue within a short duration.
Apart from all the above devious ways in which Hackers have used Botnets till date. The most recent and innovative way is to use these Botnets for Bitcoin Mining.
Trojans such as Trojan.CoinBitMiner were used to mine for Bitcoins on victim's machine using their CPU Computing Power. But as we know, the performance of GPUs is better than CPUs by a factor of almost 100 for Mining, the latest Trojans use the GPU Computing Power of the victim's machine instead.
Trojan.BadMiner is one among these latest category of Trojans which detects your Hardware and looks for any Graphics Cards installed. If it finds a GPU running on the victim's machine, an appropriate miner such as Phoenix Miner is downloaded and setup for mining.
If no GPU is found on the machine, then an RPC Miner is downloaded which uses the CPU Computing Power.
By doing so, hackers are now able to utilize the distributed computing power of Botnets to mine Bitcoins at a rate unimaginable for a single machine owner.
One must never lose touch with their roots.
Been so long, since I took a listen to my favorite artists. Revisiting to see if they came up with some new tunes lately.
Asphyxia - No new music in the past 6 months. One of the most talented solo Dark Electro artists I have ever come across.
http://www.myspace.com/asphyxiaa
A7ie - Sick is what they are and hell yeah, I like them! Another French Dark Electro act. Harsh as ever and I am glad they didn't change their style.
http://www.myspace.com/a7ie
Velvet Acid Christ - What more must I say, Bryan Erickson was the reason I got into Industrial Music. One of the most complex compositions out there and interesting stuff. Those rolling synth sounds, tickling the neurons, ah that feeling!
http://www.myspace.com/velvetacidchrist93
Besides these, there are a whole lot of artists I need to revisit. What's been happening in the underground scene?
Wintersoul, Winterstahl, Force.Is.Machine, Acid Trauma, Sadiztik:Injektion, Yersinia Pestis, Rabia Sorda. Going to be a busy week.
Oh god, did you eat all this Acid?
.... That's right. Music!
Listening Now: Velvet Acid Christ - Fun With Drugs
Been so long, since I took a listen to my favorite artists. Revisiting to see if they came up with some new tunes lately.
Asphyxia - No new music in the past 6 months. One of the most talented solo Dark Electro artists I have ever come across.
http://www.myspace.com/asphyxiaa
A7ie - Sick is what they are and hell yeah, I like them! Another French Dark Electro act. Harsh as ever and I am glad they didn't change their style.
http://www.myspace.com/a7ie
Velvet Acid Christ - What more must I say, Bryan Erickson was the reason I got into Industrial Music. One of the most complex compositions out there and interesting stuff. Those rolling synth sounds, tickling the neurons, ah that feeling!
http://www.myspace.com/velvetacidchrist93
Besides these, there are a whole lot of artists I need to revisit. What's been happening in the underground scene?
Wintersoul, Winterstahl, Force.Is.Machine, Acid Trauma, Sadiztik:Injektion, Yersinia Pestis, Rabia Sorda. Going to be a busy week.
Oh god, did you eat all this Acid?
.... That's right. Music!
Listening Now: Velvet Acid Christ - Fun With Drugs
Steganography is the art of concealing the existence of hidden data inside cover mediums without effecting their functionality. It's been around ever since there was a need to protect the private information.
As the way people exchanged information evolved, so did the ways of information hiding changed with time.
There's been a lot of research work done on hiding information inside cover mediums like images, audio files and videos. These are all static storage mediums and the amount of data which can be hidden remains limited depending on the cover medium.
The latest vector in the field of Steganography is Network Protocols. Instead of using the cover medium to propagate the hidden message, the communication protocols which govern the path of cover mediums on the network are used to send the hidden message.
This has 2 major advantages. One being, the capacity of information hiding depends on the duration for which the communication in the network lasts. Also, unlike cover mediums like images and audio files, where a forensic investigator can perform steg analysis on the data to detect the presence of any hidden message. In case of Network Steganography, there must be a complete network capture of the activity between the sender and receiver to be able to conclude any covert communication channel. This is very unlikely.
The most significant research done in this field till date is by Polish Network Security researchers from the Warsaw University of Technology.
An in-depth understanding of the Network Protocols is required to implement Network Steganography.
Recently, one of the implementations which caught my attention was StegSuggest. Here, hidden data is transmitted by modifying the Google Search Suggestions returned by GoogleSuggest Server. Words are inserted at the end of Google Search Suggestions. These words carry the bits of steganogram.
Google Suggest was a feature developed based on AJAX to help an end user in choosing the right search phrase based on what they input.
The attacker can modify the search suggestions returned by Google Suggest Server to the Google Suggest Client by adding frequently used words at the end of these search suggestions.
To prevent any disclosure of steganography words embedded in the google search, a codebook is utilized to insert words. This codebook comprises of the 5000 most frequently used American English words as they appear on www.wordfrequency.info
In order to avoid any suspicion, this codebook is further refined by filtering out pronouns, prepositions and homograms. Reason being, the steg suggest words are added to the end of google search suggestions.
The 2 key protocols which are involved in this setup are HTTP and TCP. The Window Scale and Timestamp options of the TCP header message are altered to establish the covert communication channel.
HTTP protocol is involved in GoogleSuggest. Everytime, an end user types in a letter in the Google Search Bar, an HTTP GET Request is sent to the Google Suggest Server. It returns an HTTP 200Ok Response with 10 most popular suggestions according to the Google Query.
A video demonstration of this method can be found here:
http://www.youtube.com/watch?v=TanWj2fh2co
Listening Now: Adele - Rolling In The Deep
As the way people exchanged information evolved, so did the ways of information hiding changed with time.
There's been a lot of research work done on hiding information inside cover mediums like images, audio files and videos. These are all static storage mediums and the amount of data which can be hidden remains limited depending on the cover medium.
The latest vector in the field of Steganography is Network Protocols. Instead of using the cover medium to propagate the hidden message, the communication protocols which govern the path of cover mediums on the network are used to send the hidden message.
This has 2 major advantages. One being, the capacity of information hiding depends on the duration for which the communication in the network lasts. Also, unlike cover mediums like images and audio files, where a forensic investigator can perform steg analysis on the data to detect the presence of any hidden message. In case of Network Steganography, there must be a complete network capture of the activity between the sender and receiver to be able to conclude any covert communication channel. This is very unlikely.
The most significant research done in this field till date is by Polish Network Security researchers from the Warsaw University of Technology.
An in-depth understanding of the Network Protocols is required to implement Network Steganography.
Recently, one of the implementations which caught my attention was StegSuggest. Here, hidden data is transmitted by modifying the Google Search Suggestions returned by GoogleSuggest Server. Words are inserted at the end of Google Search Suggestions. These words carry the bits of steganogram.
Google Suggest was a feature developed based on AJAX to help an end user in choosing the right search phrase based on what they input.
The attacker can modify the search suggestions returned by Google Suggest Server to the Google Suggest Client by adding frequently used words at the end of these search suggestions.
To prevent any disclosure of steganography words embedded in the google search, a codebook is utilized to insert words. This codebook comprises of the 5000 most frequently used American English words as they appear on www.wordfrequency.info
In order to avoid any suspicion, this codebook is further refined by filtering out pronouns, prepositions and homograms. Reason being, the steg suggest words are added to the end of google search suggestions.
The 2 key protocols which are involved in this setup are HTTP and TCP. The Window Scale and Timestamp options of the TCP header message are altered to establish the covert communication channel.
HTTP protocol is involved in GoogleSuggest. Everytime, an end user types in a letter in the Google Search Bar, an HTTP GET Request is sent to the Google Suggest Server. It returns an HTTP 200Ok Response with 10 most popular suggestions according to the Google Query.
A video demonstration of this method can be found here:
http://www.youtube.com/watch?v=TanWj2fh2co
Listening Now: Adele - Rolling In The Deep