Musings from the bootkit underworld


The spread of 64-bit machines and new kernel defenses such as PatchGuard was supposed to raise the bar for advanced malware. However, as the defensive ecosystem evolves, so do infection techniques. Bootkits that infect 64-bit Windows systems and bypass PatchGuard (by taking control before the kernel loads) are now fairly common. At Bromium Labs we actively monitor enhancements to these bootkit families in our automated malware test harness. In this post we briefly discuss modern boot-sector malware and then analyze in detail the latest bootkit, Gapz, and its infection vector. At the end of the article we briefly cover the current state of yet another piece of advanced malware that appeared in 2013, Avatar.

As mentioned above, we regularly run various bootkits inside our analysis environment, LAVA. This analysis was done on 64-bit Windows 7 Professional SP1. We used about 20 randomly chosen samples from the following malware families: TDL4, Sinowal, Olmasco, Rovnix, Gapz, PbBot and MBRLock. The experiment gave the following results:

  • The vast majority of older-generation threats such as Rovnix, TDL4 and Sinowal were unable to modify the boot sector of the test machine. This suggests that the samples we obtained are aimed primarily at 32-bit machines and older versions of Windows. We will report more precise results once we have concluded additional, large-scale experiments.
  • PbBot and MBRLock, while not as popular and well studied as the previous examples, show higher rates of bootkit activity. The former is allegedly a Chinese bot with bootkit functionality and the ability to hide its presence on the infected machine. The latter is a ransomware Trojan that relocates the partition table and blocks the system from loading until the victim pays a fee.
  • Finally, two of the three Gapz samples actually infected the boot sector. Detailed analysis of these samples revealed some features that have not been reported previously.

Since bootkit functionality increases the survival rate of malware, it is reasonable to assume that the prevalence of such malware will grow in the near future. The latest example of this kind is the Gapz bootkit. It has been well studied and described by the ESET research team; here we add a couple of observations we made while analyzing it.

Gapz is known to be based on PowerLoader, the latest dropper builder, which uses a number of tricks to evade HIPS and inject its payload into one of the processes running on the target. The infection workflow is usually described as injecting the payload into explorer.exe via BaseNamedObjects. While this technique is sophisticated and hard to detect, it can fail, and for that case the Gapz authors added an alternative infection workflow that has not been studied yet:

The test al, al instruction checks the return value of the explorer-based injection routine: EAX is set to 1 if the payload was successfully injected into explorer.exe. If it was not, the alternative infection routine is triggered:

The PowerLoader dropper maintains a bit array in which it records every Host Intrusion Prevention System (HIPS) it has detected on the machine. It consults this bit array to choose which process to use for payload injection, cscript.exe or svchost.exe. The injection procedure is the following:

  1. Create the target process (e.g. svchost.exe) in a suspended state.
  2. Map the image of the created process.
  3. Write the shellcode and the addresses of the required Win API functions into the mapped image.
  4. Unmap the view of the code section in the target process.
  5. Map the modified section (containing the shellcode) into the target process.
  6. Resume the thread of the target process.

The shellcode used in this routine is the same as in the explorer-based injection.

Another new feature of PowerLoader is API call obfuscation. Earlier versions of Gapz called the required functions directly through an import address table. The latest modifications obfuscate API calls to hinder analysis: shortly after start, Gapz fills in a structure that we refer to as its IAT, resolving the required API addresses from hard-coded hash values:

PowerLoader computes hash values of the loaded DLL names and of their exported function names and matches them against the hard-coded ones. The following hash functions are used (re-implemented in Python):

[code language=”Python”]
#
# HASH FUNCTION FOR DLL NAMES
# (hashval = ror(hashval, 11) + byte, for every character)
#
def get_hash_1(string_):
    hashval = 0
    for char_ in string_:
        hashval = ror(hashval, 0xb)
        hashval += ord(char_)
        hashval &= 0xFFFFFFFF
    return hashval

#
# HASH FUNCTION FOR PROCEDURE NAMES
# (rolling state x is rotated by 7 and its low byte replaced by the
#  current character; each state is XORed into the result)
#
def get_hash_2(string_):
    hashval = 0
    x = 0
    for char_ in string_:
        x = ror(x, 7)
        x = (x & 0xFFFFFF00) | ord(char_)
        hashval ^= x
    return hashval

#
# ROR INSTRUCTION IMPLEMENTATION (32-bit rotate right)
#
def ror(val, n):
    return ((val >> n) | (val << (32 - n))) & 0xFFFFFFFF
[/code]

Interestingly, both algorithms are weak: they produce only 32-bit values and distinct strings can easily hash to the same value, so a hard-coded hash does not uniquely identify the DLL or export the dropper wants.
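The following is an added example, not code from the original post or from the PowerLoader/Gapz authors. It re-implements the two hash routines above, builds the kind of reverse lookup table an analyst uses to turn hard-coded hash pairs back into DLL and export names (the way PowerLoader itself fills its IAT, in reverse), and shows a concrete collision in the DLL-name hash. The DLL and export names are a constructed sample list, not a dump of a real sample's table, and hashing the names as plain ASCII is an assumption.

```python
# Added example (not code from the original post or from PowerLoader/Gapz):
# PowerLoader-style hash resolution and a collision in the DLL-name hash.

def ror(val, n):
    """32-bit rotate right, as the x86 ROR instruction."""
    val &= 0xFFFFFFFF
    return ((val >> n) | (val << (32 - n))) & 0xFFFFFFFF


def hash_dll(name):
    """DLL-name hash: h = ror(h, 11) + byte, for every character."""
    h = 0
    for ch in name:
        h = (ror(h, 0xB) + ord(ch)) & 0xFFFFFFFF
    return h


def hash_proc(name):
    """Export-name hash: rolling state x = (ror(x, 7) & ~0xFF) | byte,
    XORed into the accumulator after every character."""
    h = 0
    x = 0
    for ch in name:
        x = ror(x, 7)
        x = (x & 0xFFFFFF00) | ord(ch)
        h ^= x
    return h


# Constructed stand-in for walking the export directories of loaded modules
# (assumption: names are hashed as plain ASCII, exactly as listed here).
SAMPLE_EXPORTS = {
    "kernel32.dll": ["CreateProcessW", "ResumeThread", "VirtualAllocEx",
                     "WriteProcessMemory"],
    "ntdll.dll": ["NtMapViewOfSection", "NtUnmapViewOfSection",
                  "NtCreateSection"],
    "user32.dll": ["FindWindowW", "SendMessageW"],
}


def build_lookup(exports):
    """Map (dll_hash, proc_hash) -> (dll, proc).  Raises if two different
    names land on the same pair, since the resolver could not tell them apart."""
    table = {}
    for dll, procs in exports.items():
        dh = hash_dll(dll)
        for proc in procs:
            key = (dh, hash_proc(proc))
            if key in table and table[key] != (dll, proc):
                raise ValueError("hash collision: %r vs %r" % (table[key], (dll, proc)))
            table[key] = (dll, proc)
    return table


def resolve(table, dll_hash, proc_hash):
    """Reverse a hard-coded (dll_hash, proc_hash) pair to names, or None if unknown."""
    return table.get((dll_hash, proc_hash))


def find_dll_hash_collision():
    """Two distinct four-character names with the same hash_dll value.

    Rotating right by 11 three times is a rotation by 33 == 1 (mod 32), so in a
    four-byte name the first character comes back shifted right by one bit into
    the low byte, where the fourth character is simply added.  Hence
    ('A' >> 1) + 'B' = 32 + 66 = 98 and ('C' >> 1) + 'A' = 33 + 65 = 98 collide.
    """
    a, b = "AxyB", "CxyA"
    return a, b, hash_dll(a) == hash_dll(b)


if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    # A pair of hard-coded hashes as they would sit in a PowerLoader "IAT" entry.
    pair = (hash_dll("ntdll.dll"), hash_proc("NtUnmapViewOfSection"))
    print("%08x/%08x -> %s" % (pair[0], pair[1], resolve(table, *pair)))
    print(find_dll_hash_collision())
```

For analysis work the table is built once over the exports of the DLLs a sample is known to load, and every hash pair recovered from the sample is looked up in it; any pair that resolves to more than one name has to be disambiguated from context, which is exactly the weakness the collision example illustrates.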

In order to make a call, PowerLoader (and hence Gapz) loads the address of the IAT structure into a register and calls the corresponding member using memory references as shown below:

At Bromium Labs we also monitor various black-hat forums, and recently we saw an update on PowerLoader. According to the forum discussion, the author has sold the source code for $600 to a number of his clients, and an older version has leaked to the public:

Translated from Russian:

“www (4.06.2013, 00:55):

Am I the only one who got this offer from the author over Jabber?

“I can sell you the sources and the builder of PowerLoader…”

f1pilot (4.06.2013, 12:54):

Not only you. For $600.

My partners and I got the message.

Is it a fake?

sboy2004 (4.06.2013, 13:57):

It’s not a fake.

I think the author needs money.

He has sold the sources to 10 customers for the price of the builder.”

Another noteworthy event on the black-hat forums is the release of the Avatar rootkit. It has already been used to compromise users; however, its current functionality is limited. For instance, it cannot infect 64-bit systems or infect boot drivers. The latest discussions on several crimeware marketplaces show that the authors are working on a 64-bit version of Avatar and claim it is going to be a full-featured bootkit. Stay tuned for more updates!
