TDL-4 Rootkit Functions
Monday, October 10, 2011 | Author: Deep Flash
The latest, most nefarious and sophisticated rootkit out there. A little insight into the functions of this rootkit and how it bypasses the Windows Driver Signing Policy.

Bootkit Technique - It uses this technique to infect the Master Boot Record (the first sector of your hard disk). The result is that it loads even before your operating system does.

How do you check your MBR contents? There's a wide variety of tools. You can use HD Hacker 1.4 if you prefer to go for the GUI.

However, if you have a Linux copy, you can use the following commands to view the contents of your MBR (reading the raw disk device requires root privileges):

First run: fdisk -l and note down the device name of your hard disk (the commands below assume /dev/sda).

dd if=/dev/sda count=1 | hexdump -C | more

It will display the MBR contents in hexdump.
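The hexdump shows the raw bytes, but the check a responder actually wants is whether the boot code changed since the machine was known clean. The following script is an added example and not code from the original post: it parses a 512-byte MBR (the bytes that the dd command above produces, or a saved copy of them), extracts the partition table, verifies the 0x55AA boot signature, and compares the boot code and partition table with a baseline image. The two MBR images built by make_sample_mbr are constructed for the demo and contain no real boot code; the file names in the usage comment are placeholders.

```python
"""Parse a 512-byte MBR and compare it with a known-good baseline image.

Added example, not code from the original post. It works on the bytes that
`dd if=/dev/sda count=1` produces (or a saved copy of them); the two MBR
images below are constructed for the demo and contain no real boot code.
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PARTITION_ENTRY = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-code hash, whether 0x55AA is present, and the four partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(current: bytes, baseline: bytes) -> list:
    """Compare a freshly read MBR with a baseline captured while the host was known clean.

    A bootkit has to keep the partition table usable so the system still boots, so the
    telling pattern is boot code that changed while the partition table did not.
    """
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code (bytes 0-445) differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given bytes padded to 446, one bootable NTFS partition, valid signature."""
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    first = struct.pack(PARTITION_ENTRY, 0x80, 0x07, 2048, 409600)  # type 0x07 = NTFS at LBA 2048
    return code + first + b"\x00" * 48 + BOOT_SIGNATURE


# Placeholder boot code for the demo; the difference between these bytes is what the check reports.
CLEAN_MBR = make_sample_mbr(b"\x90" * 16)
MODIFIED_MBR = make_sample_mbr(b"\xcc" * 16)


if __name__ == "__main__":
    # Usage: python mbr_check.py <current.bin> <baseline.bin>; without arguments the samples are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_cur, open(sys.argv[2], "rb") as f_base:
            current, baseline = f_cur.read(MBR_SIZE), f_base.read(MBR_SIZE)
    else:
        current, baseline = MODIFIED_MBR, CLEAN_MBR
    for p in parse_mbr(current)["partitions"]:
        if p["type"]:
            print(f"partition {p['index']}: type {p['type']:#04x} "
                  f"lba {p['lba_start']} sectors {p['sectors']}")
    print(check_mbr(current, baseline) or ["no differences from baseline"])
```

Capture the baseline with the same dd command on a freshly installed machine and keep it off the host; a boot-code hash that changes without a corresponding partition-table change is worth investigating even when the system still boots normally.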

Encrypted File System - This rootkit has its own encrypted file system, encrypted with the RC4 algorithm. The latest variant uses its own encryption algorithm based on XOR swaps. The rootkit writes its files to the last sectors of the hard disk.

Driver Signing Policy Bypass - This rootkit also infects the x64 versions of Windows. These versions have the Driver Signature Enforcement Policy turned on, which prevents any unsigned driver from being loaded during the boot process.

Developers actually need to pay Microsoft so that it can verify and sign their drivers before their software/hardware can be used with Windows x64 systems.

To check whether a driver is signed, run the Verifier command from the command line.

How does it work?

Winload.exe is the Windows executable that loads the Windows kernel along with its dependencies, such as hal.dll and kdcom.dll. It also reads the Boot Configuration Data (BCD) to determine whether the digital signatures of the drivers have to be verified.

This rootkit infects kdcom.dll and replaces the original. However, the infected kdcom.dll is not signed. To get this unsigned file loaded successfully, the rootkit swaps two flags in the BCD: BCDLibraryBoolean_EMSEnabled is swapped with BCDOSLoaderBoolean_WinPE.

EMS - Emergency Management Services, a feature added by Microsoft in Windows 2003 that allows remote management and remote recovery of a server when it becomes unresponsive and inaccessible over standard network connections.

WinPE - Windows Pre Installation Mode.

Windows does not verify the digital signatures of drivers in Preinstallation Mode. The rootkit exploits this fact, which allows the infected kdcom.dll to be loaded.
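Because the two BCD elements above decide whether winload.exe enforces signatures, the boot settings are worth auditing on any x64 host. The script below is an added example, not code from the original post: it parses the text that `bcdedit /enum all` prints (run from an elevated prompt on Windows) and flags the elements whose values relax or disable signature checks. The sample output embedded in it is constructed, and the mapping of the bcdedit names "bootems" and "ems" to the library and OS-loader EMS elements is an assumption noted in the code. Note that this reads the persistent BCD store, so it shows what is configured on disk; a swap applied only in memory during boot would not appear here.

```python
"""Audit `bcdedit /enum all` output for boot settings that weaken driver signing.

Added example, not code from the original post. bcdedit prints one block per
boot entry with the element name padded to a fixed column; header lines such as
"Windows Boot Loader" use single spaces, which is how the parser tells them apart.
The sample output below is constructed.
"""
import re
import sys

# Element names as bcdedit displays them, and the values that merit a closer look.
WATCHED = {
    "winpe": {"yes"},              # BCDOSLoaderBoolean_WinPE: signature checks relaxed in WinPE
    "testsigning": {"yes"},        # test-signed drivers accepted
    "nointegritychecks": {"yes"},  # integrity checks disabled outright
    "bootems": {"yes"},            # assumed to be the library EMS element named in the post
    "ems": {"yes"},                # assumed to be the OS-loader EMS element
}

ELEMENT_LINE = re.compile(r"^(\S+)\s{2,}(.*)$")


def parse_bcd_entries(text: str) -> list:
    """Split bcdedit output into entries; each entry maps element name -> displayed value."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():               # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("---"):         # underline below the entry heading
            continue
        match = ELEMENT_LINE.match(line)
        if match:
            current[match.group(1).lower()] = match.group(2).strip()
        else:
            current["_kind"] = line.strip()  # e.g. "Windows Boot Loader"
    if current:
        entries.append(current)
    return entries


def audit_bcd(text: str) -> list:
    """Return one finding per watched element whose value is in its watch list."""
    findings = []
    for entry in parse_bcd_entries(text):
        ident = entry.get("identifier", "?")
        for element, bad_values in WATCHED.items():
            value = entry.get(element, "")
            if value.lower() in bad_values:
                findings.append(f"{ident}: {element} = {value}")
    return findings


# Constructed sample: a boot manager entry and an OS loader entry with two weak settings.
SAMPLE_BCD_OUTPUT = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
osdevice                partition=C:
systemroot              \Windows
winpe                   Yes
testsigning             Yes
nx                      OptIn
"""

CLEAN_BCD_OUTPUT = SAMPLE_BCD_OUTPUT.replace("winpe                   Yes\n", "") \
                                    .replace("testsigning             Yes\n", "")


if __name__ == "__main__":
    # Usage: bcdedit /enum all > bcd.txt ; python bcd_audit.py bcd.txt   (no argument: sample output)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_BCD_OUTPUT
    for entry in parse_bcd_entries(text):
        print(entry.get("_kind", "?"), entry.get("identifier", "?"))
    print(audit_bcd(text) or ["no weak boot settings found"])
```

A finding of "winpe = Yes" on a normal desktop entry, or "testsigning" / "nointegritychecks" set on a production machine, should be explained by change records or treated as a lead; compare the output against a baseline taken at build time, as for the MBR.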

When does winload.exe load kdcom.dll?

The infection must start when kdcom.dll is being loaded by winload.exe: the rootkit tries to load its infected version instead of the original kdcom.dll. To detect this point in the loading process, it uses a signature scan.

The rootkit uses the data size of kdcom.dll's PE export directory as the signature for detecting when kdcom.dll is being loaded. Once detected, the infection process starts.

What has Microsoft done so far?

To close the above loopholes, Microsoft released a patch in April that modifies winload.exe and kdcom.dll. Winload.exe now verifies the digital signatures of drivers regardless of whether it is loading in WinPE mode or not.

The data size of kdcom.dll's PE export directory was changed to a different value to evade TDL-4's signature scan. This workaround is not impressive, since the rootkit authors can merely update the signature scan in their code to look for the new value.
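The "signature" in question is a single 32-bit field in the PE optional header, which is why changing it is such a thin fix. The following script is an added example and not code from the original post or from Microsoft: it reads the export directory entry out of the data directory of a PE32 or PE32+ image, and builds a headers-only PE image in memory (constructed for the demo, no code sections) so the parser can be exercised offline. Put a value-equality check on that field beside a whole-file hash and the fragility is obvious: rebuild the DLL with a different export table size and the field check silently stops matching, which is exactly what the April patch relied on and exactly what an updated scan recovers from.

```python
"""Read the export directory size from a PE image and show why it is a weak fingerprint.

Added example, not code from the original post. Offsets follow the PE/COFF
format: e_lfanew at 0x3C, a 20-byte IMAGE_FILE_HEADER after "PE\0\0", and the
data directories at optional-header offset 112 (PE32+) or 96 (PE32).
"""
import hashlib
import struct
import sys

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_EXPORT = 0


def data_directory(image: bytes, index: int) -> tuple:
    """Return (rva, size) of data directory `index` from a PE32 or PE32+ image."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # skip "PE\0\0" and IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32PLUS_MAGIC:
        dirs = opt + 112
    elif magic == PE32_MAGIC:
        dirs = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (count,) = struct.unpack_from("<I", image, dirs - 4)   # NumberOfRvaAndSizes
    if index >= count:
        raise IndexError("data directory entry not present")
    return struct.unpack_from("<II", image, dirs + 8 * index)


def export_directory_size(image: bytes) -> int:
    return data_directory(image, IMAGE_DIRECTORY_ENTRY_EXPORT)[1]


def matches_field_signature(image: bytes, expected_size: int) -> bool:
    """The single-field check the post describes: true only while the field keeps one value."""
    return export_directory_size(image) == expected_size


def file_fingerprint(image: bytes) -> str:
    """What a defender should key on instead: a hash of the whole image."""
    return hashlib.sha256(image).hexdigest()


def build_headers_only_pe(export_rva: int, export_size: int, pe32plus: bool = True) -> bytes:
    """Constructed PE image consisting of headers only, for the demo (not a loadable module)."""
    dos = bytearray(64)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: NT headers follow the DOS header
    ndirs = 16
    opt_size = (112 if pe32plus else 96) + 8 * ndirs
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | DLL)
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, opt_size - 8 * ndirs - 4, ndirs)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, opt_size - 8 * ndirs, export_rva, export_size)  # entry 0: export
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Usage: python export_dir.py <some.dll>; without an argument the constructed image is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_headers_only_pe(0x1000, 0x58)
    rva, size = data_directory(image, IMAGE_DIRECTORY_ENTRY_EXPORT)
    print(f"export directory: rva {rva:#x} size {size:#x}")
    print(f"sha256: {file_fingerprint(image)}")
```

Running it against a real kdcom.dll from before and after the April update (neither is supplied here) would show the export-directory size differing while everything else about the file's identity is better captured by the hash or the Authenticode signature.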

Preventing the OS from loading in WinPE mode

The rootkit changes the Boot Configuration Data to load the OS in WinPE mode only for the purpose of bypassing the Windows Driver Signing Policy and loading infected modules such as kdcom.dll. However, it must prevent the OS itself from loading in WinPE mode. To see how, we need to look at what exactly happens when the OS loads in WinPE mode.

Windows passes a /MININT flag to the kernel when loading in WinPE mode. The rootkit intercepts this and replaces the flag with IN/MINT. Since the Windows kernel does not recognize this string, Windows loads normally, with driver signing functionality enabled again.

/MININT is the switch passed to the kernel in Windows Preinstallation Mode so that the registry SYSTEM hive is loaded in volatile mode and changes made to it in memory are not written back to the hive image.

TDL-4 Rootkit updated

To bypass the latest patch from Microsoft, the rootkit authors have made several modifications to the rootkit.

Winload.exe now verifies the digital signatures of drivers regardless of whether the OS is loading in WinPE mode or not. If a driver's integrity check fails, an NTSTATUS error code is returned to the kernel. The security routine that checks the digital signature is intercepted by the rootkit, which modifies this error code to a non-existent one.

The winload function patched by the rootkit is I_CheckImageHashInCatalog.

Listening now: 009 Sound System - Born To Be Wasted
This entry was posted on Monday, October 10, 2011.

3 comments:

On December 21, 2011 at 3:59 AM , Akanksha said...

thanks

 
On December 24, 2011 at 6:46 AM , Akanksha said...
This comment has been removed by the author.
 
On December 24, 2011 at 6:47 AM , Akanksha said...

I find your post very informative. This post includes TDL 4 rootkit functions. This post describes bootkit techniques and how they work. The tips given in this post are very useful. This information helps to upload in Windows. Thanks for this post.
digital signature Adobe Acrobat