MMM
    X

    Subscribe to New Ads!

    Receive weekly ads in your inbox!



Page 1 of 2 12 LastLast
Results 1 to 25 of 29

Thread: New Rootkit Bypasses Windows Code-Signing Security

  1. #1
    I am Xtreme
    Join Date
    Oct 2004
    Location
    U.S.A.
    Posts
    4,744

    New Rootkit Bypasses Windows Code-Signing Security

    Do you fell safe?

    It is kind of funny when Microsoft talks security because the always manage to cut corners somewhere.

    here's the short version


    Quote Originally Posted by /.
    "In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection."

    here's the long version

    Quote Originally Posted by TP
    n recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection.

    The functionality is contained in TDL4, which is the latest version of an older rootkit also known as TDSS and Alureon. TDSS has been causing serious trouble for users for more than two years now, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC. This type of malware often is referred to as a bootkit and can be extremely difficult to remove once it's detected. The older versions of TDSS--TDL1, TDL2 and TDL3--are detected by most antimalware suites now, but it's TDL4 that's the most problematic right now.

    TDL4 has a specific function that is designed to bypass a protection in Windows 7 and Windows Vista that requires kernel-level code loaded onto a machine to be signed. The Windows kernel-mode code signing policy is mainly applicable on 64-bit machines.

    "Starting with Windows Vista, kernel-mode code signing enforcement is implemented by a component known as Code Integrity. Code Integrity is a feature that improves the security of the operating system by verifying the integrity of a file every time that the image of the file is loaded into memory. The function of Code Integrity is to detect if an unsigned driver is being loaded into kernel-mode, or if a system binary file has been modified by malicious code that may have been run by an administrator," Microsoft says in its explanation of the functionality.

    The TDL4 rootkit has implemented a feature that evades this protection by changing the boot process on protected machines, according to an analysis of TDL4 by Sunbelt Software. The rootkit accomplishes this by going in and modifying which programs Windows will allow to load an unsigned driver.

    "The boot option is changed in memory from the code executed by infected MBR. The boot option configures value of a config setting named ‘LoadIntegrityCheckPolicy’ that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dll file. The rootkit dll is kdcom.dll, which is an infected version normal kdcom.dll that ships with Windows," Sunbelt's Chandra Prakash wrote in the TDL4 analysis.

    "The rootkit also disables debuggers by NOP’ing debugger activation functions as described below. This makes reverse engineering this rookit very difficult! The KdDebuggerInitialize1 function in infected kdcom.dll called during normal execution of the system installs the rootkit, which hooks the IRP dispatch functions of miniport driver below the disk to hide its malicious MBR."

    Joe Johnson of Microsoft presented a talk about Alureon at the Virus Bulletin conference earlier this year, and discussed the low-level capabilities of the rootkit. The presentation addresses the rootkit's ability to get the Windows kernel to load a fake version of the legitimate kdcom.dll, but says that the malware does not actually bypass Kernel Patch Protection. In fact, it doesn't have to because KPP doesn't inspect all loaded drivers, only the code used by the kernel. Alureon patches the Windows Boot Configuration Data to make the machine think that what's loading is Windows PE, rather than a normal version of Windows, which prevents code integrity checks from being performed.

    Earlier versions of the TDL/TDSS rootkit were used in affiliate marketing programs and black hat SEO campaigns. also were part of botnets and had specific functionality designed to hide other malware programs. An analysis of the first three versions of TDL/TDSS by Kaspersky Lab researchers showed that the rootkit is not only quite advanced, but is under continuous development and refinement by a motivated, talented crew.

    "Given that the cybercriminals have put considerable effort into continuing to support this malware, fixing errors, and inventing various techniques for bypassing signature-based, heuristic and proactive detecting, TDSS is capable of penetrating a computer even if an antivirus solution is installed and running. The fact that bot communication with the C&C is encrypted makes it significantly more difficult to analyze network packets. An extremely powerful rootkit component hides both the most important malware components, and the fact that the computer has been infected. The victim machine becomes part of a botnet, and will have other malware installed to it. The cybercriminals profit by selling small botnets and using blackhat SEO," Sergey Golavanov and Vyacheslav Rusakov wrote. "As long as a malicious program is profitable, cybercriminals will continue to support and develop it."


    Asus Z9PE-D8 WS with 64GB of registered ECC ram.|Dell 30" LCD 3008wfp:7970 video card

    LSI series raid controller
    SSDs: Crucial C300 256GB
    Standard drives: Seagate ST32000641AS & WD 1TB black
    OSes: Linux and Windows x64

  2. #2
    Fanboy of Good Products
    Join Date
    Oct 2008
    Location
    FL
    Posts
    4,047
    Quote Originally Posted by safan80 View Post
    Do you fell safe?
    no, but i don't feel safe. where does this rootkit come from?
    Cruncher #1: EVGA Z68 FTW | i7-2600k @ 4.5 | 6GB Ram
    Cruncher #2: Supermicro Dual-Socket | 2 x 6-core Opterons | 4GB Ram
    Cruncher #3: 8-core Xserve 1,1

    T400 for non-crunching



    "But don't think you'll run me over - It's, ah, planting season here in Texas... and the farm is growing..." -Otis11 on crunching WCG

  3. #3
    Xtreme Member
    Join Date
    Oct 2009
    Posts
    241

    Talking

    Quote Originally Posted by shoota View Post
    no, but i don't feel safe. where does this rootkit come from?
    Sergey Golavanov and Vyacheslav Rusakov
    Mother Russia where rootkit's [insert funnys] you.
    .:. Obsidian 750D .:. i7 5960X .:. EVGA Titan .:. G.SKILL Ripjaws DDR4 32GB .:. CORSAIR HX850i .:. Asus X99-DELUXE .:. Crucial M4 SSD 512GB .:.

  4. #4
    Xtreme Cruncher
    Join Date
    Oct 2007
    Location
    New Westminster, BC
    Posts
    332
    Try beating a reformat...

  5. #5
    Xtreme Addict
    Join Date
    Jul 2007
    Posts
    1,488
    Quote Originally Posted by Jaivan View Post
    Try beating a reformat...
    Hardware/firmware rootkits can do that easily.

  6. #6
    Xtreme Addict
    Join Date
    Jun 2007
    Location
    Thessaloniki, Greece
    Posts
    1,306
    Quote Originally Posted by Solus Corvus View Post
    Hardware/firmware rootkits can do that easily.
    Formatting both the MBR and local partitions using a live linux distribution should clear this rootkit no matter what. Can't see how it could avoid deletion in such a scenario. Btw the MBR is not a hardware feature but the first sector of a HDD partitioned using MBR tables(as oposed to newer GUID disks used by EFI systems and Apple) http://en.wikipedia.org/wiki/Master_boot_record
    Seems we made our greatest error when we named it at the start
    for though we called it "Human Nature" - it was cancer of the heart
    CPU: AMD X3 720BE@ 3,4Ghz
    Cooler: Xigmatek S1283(Terrible mounting system for AM2/3)
    Motherboard: Gigabyte 790FXT-UD5P(F4) RAM: 2x 2GB OCZ DDR3 1600Mhz Gold 8-8-8-24
    GPU:HD5850 1GB
    PSU: Seasonic M12D 750W Case: Coolermaster HAF932(aka Dusty )

  7. #7
    Xtreme Addict
    Join Date
    Jul 2007
    Posts
    1,488
    Quote Originally Posted by BrowncoatGR View Post
    Formatting both the MBR and local partitions using a live linux distribution should clear this rootkit no matter what. Can't see how it could avoid deletion in such a scenario. Btw the MBR is not a hardware feature but the first sector of a HDD partitioned using MBR tables(as oposed to newer GUID disks used by EFI systems and Apple) http://en.wikipedia.org/wiki/Master_boot_record
    Not if the rootkit is installed in the bios or other hardware's firmware. Such a rootkit can persist even the installation of a completely new drive and OS, much less a simple MBR wipe and drive format.

    http://www.theregister.co.uk/2009/03...bios_rootkits/

  8. #8
    Xtreme X.I.P.
    Join Date
    Nov 2002
    Location
    Shipai
    Posts
    34,647
    cool...

  9. #9
    Xtreme Cruncher
    Join Date
    Oct 2007
    Location
    New Westminster, BC
    Posts
    332
    Quote Originally Posted by Solus Corvus View Post
    Hardware/firmware rootkits can do that easily.
    Okay allow me to rephrase then. Try beating a BIOS flash and reformat...

  10. #10
    Xtreme X.I.P. Particle's Avatar
    Join Date
    Apr 2008
    Location
    Kansas
    Posts
    3,218
    Quote Originally Posted by Solus Corvus View Post
    Hardware/firmware rootkits can do that easily.
    Quote Originally Posted by Solus Corvus View Post
    Not if the rootkit is installed in the bios or other hardware's firmware.
    This isn't a hardware rootkit. Their comments are valid in regards to what they were posting about, namely *this* rootkit.
    Particle's First Rule of Online Technical Discussion:
    As a thread about any computer related subject has its length approach infinity, the likelihood and inevitability of a poorly constructed AMD vs. Intel fight also exponentially increases.

    Rule 1A:
    Likewise, the frequency of a car pseudoanalogy to explain a technical concept increases with thread length. This will make many people chuckle, as computer people are rarely knowledgeable about vehicular mechanics.

    Rule 2:
    When confronted with a post that is contrary to what a poster likes, believes, or most often wants to be correct, the poster will pick out only minor details that are largely irrelevant in an attempt to shut out the conflicting idea. The core of the post will be left alone since it isn't easy to contradict what the person is actually saying.

    Rule 2A:
    When a poster cannot properly refute a post they do not like (as described above), the poster will most likely invent fictitious counter-points and/or begin to attack the other's credibility in feeble ways that are dramatic but irrelevant. Do not underestimate this tactic, as in the online world this will sway many observers. Do not forget: Correctness is decided only by what is said last, the most loudly, or with greatest repetition.

    Rule 3:
    When it comes to computer news, 70% of Internet rumors are outright fabricated, 20% are inaccurate enough to simply be discarded, and about 10% are based in reality. Grains of salt--become familiar with them.

    Remember: When debating online, everyone else is ALWAYS wrong if they do not agree with you!

    Random Tip o' the Whatever
    You just can't win. If your product offers feature A instead of B, people will moan how A is stupid and it didn't offer B. If your product offers B instead of A, they'll likewise complain and rant about how anyone's retarded cousin could figure out A is what the market wants.

  11. #11
    I am Xtreme
    Join Date
    Dec 2007
    Posts
    7,747
    so let me get this strait.
    signed driver annoyances can be simply turned off, so i can get full use out of my windows, but
    then im open to attacks so serious that we have this fear campaign launched about it?
    2500k @ 4900mhz - Asus Maxiums IV Gene Z - Swiftech Apogee LP
    GTX 680 @ +170 (1267mhz) / +300 (3305mhz) - EK 680 FC EN/Acteal
    Swiftech MCR320 Drive @ 1300rpms - 3x GT 1850s @ 1150rpms
    XS Build Log for: My Latest Custom Case

  12. #12
    Xtreme X.I.P. Particle's Avatar
    Join Date
    Apr 2008
    Location
    Kansas
    Posts
    3,218
    I would think you would by default be aware that disabling any security system leaves you more vulnerable. Their purpose isn't to annoy you, they're there to do something important. So yes, if you turn off the signed driver requirement then you're vulnerable to attacks that take advantage of loading unsigned drivers.
    Particle's First Rule of Online Technical Discussion:
    As a thread about any computer related subject has its length approach infinity, the likelihood and inevitability of a poorly constructed AMD vs. Intel fight also exponentially increases.

    Rule 1A:
    Likewise, the frequency of a car pseudoanalogy to explain a technical concept increases with thread length. This will make many people chuckle, as computer people are rarely knowledgeable about vehicular mechanics.

    Rule 2:
    When confronted with a post that is contrary to what a poster likes, believes, or most often wants to be correct, the poster will pick out only minor details that are largely irrelevant in an attempt to shut out the conflicting idea. The core of the post will be left alone since it isn't easy to contradict what the person is actually saying.

    Rule 2A:
    When a poster cannot properly refute a post they do not like (as described above), the poster will most likely invent fictitious counter-points and/or begin to attack the other's credibility in feeble ways that are dramatic but irrelevant. Do not underestimate this tactic, as in the online world this will sway many observers. Do not forget: Correctness is decided only by what is said last, the most loudly, or with greatest repetition.

    Rule 3:
    When it comes to computer news, 70% of Internet rumors are outright fabricated, 20% are inaccurate enough to simply be discarded, and about 10% are based in reality. Grains of salt--become familiar with them.

    Remember: When debating online, everyone else is ALWAYS wrong if they do not agree with you!

    Random Tip o' the Whatever
    You just can't win. If your product offers feature A instead of B, people will moan how A is stupid and it didn't offer B. If your product offers B instead of A, they'll likewise complain and rant about how anyone's retarded cousin could figure out A is what the market wants.

  13. #13
    I am Xtreme
    Join Date
    Dec 2007
    Posts
    7,747
    Quote Originally Posted by Particle View Post
    I would think you would by default be aware that disabling any security system leaves you more vulnerable. Their purpose isn't to annoy you, they're there to do something important. So yes, if you turn off the signed driver requirement then you're vulnerable to attacks that take advantage of loading unsigned drivers.
    the inability to load a few without being open to the risk of all of them is the issue i have. we already have that UAC pop up, why not let it be used during the installation of an unsigned driver? idk if im over-simplifying this, or if M$ is really just trying to get money from every person they can with the high cost to have drivers signed.
    2500k @ 4900mhz - Asus Maxiums IV Gene Z - Swiftech Apogee LP
    GTX 680 @ +170 (1267mhz) / +300 (3305mhz) - EK 680 FC EN/Acteal
    Swiftech MCR320 Drive @ 1300rpms - 3x GT 1850s @ 1150rpms
    XS Build Log for: My Latest Custom Case

  14. #14
    Xtreme Addict
    Join Date
    Oct 2007
    Location
    Chicago,Illinois
    Posts
    1,180
    This does not apply here,how many use their bench/game rig for work.How many keep the same bios or even mobo for a long period of time.How many extra bios chips,hdd,ram disk,usb drives,lol how many dvd drives.Xtremesystems is A Army.



  15. #15
    Xtreme X.I.P.
    Join Date
    Nov 2002
    Location
    Shipai
    Posts
    34,647
    Quote Originally Posted by Jaivan View Post
    Okay allow me to rephrase then. Try beating a BIOS flash and reformat...
    its a common misconception that flashing a bios actually overwrites all info stored on the chip

  16. #16
    Xtreme Addict
    Join Date
    Oct 2007
    Location
    Chicago,Illinois
    Posts
    1,180
    SPi flasher should.



  17. #17
    Xtreme X.I.P. Particle's Avatar
    Join Date
    Apr 2008
    Location
    Kansas
    Posts
    3,218
    Quote Originally Posted by saaya View Post
    its a common misconception that flashing a bios actually overwrites all info stored on the chip
    It doesn't matter. A "standard" flash, should it be possible to define such a thing (I'd say for AMI users it's afudos /P/B/N/C), overwrites all the executable data in the chip. If you're paranoid, you can be more thorough and overwrite every bit on the thing with the standard flashing tools. If you're paranoid, use a hardware programmer.

    Edit: You can make an SPI programmer yourself with a little bit of time and a $20 CPLD or even just a parallel port. It's not like it's out of reach for people on this forum. Heck, if you had the time, you could actually do the job by hand with nothing but some toggle switches, a resistor, and a battery. SPI is easy and can be done at any frequency below the maximum the device supports, even if that frequency is "between sips of beer".
    Last edited by Particle; 11-17-2010 at 08:28 AM.
    Particle's First Rule of Online Technical Discussion:
    As a thread about any computer related subject has its length approach infinity, the likelihood and inevitability of a poorly constructed AMD vs. Intel fight also exponentially increases.

    Rule 1A:
    Likewise, the frequency of a car pseudoanalogy to explain a technical concept increases with thread length. This will make many people chuckle, as computer people are rarely knowledgeable about vehicular mechanics.

    Rule 2:
    When confronted with a post that is contrary to what a poster likes, believes, or most often wants to be correct, the poster will pick out only minor details that are largely irrelevant in an attempt to shut out the conflicting idea. The core of the post will be left alone since it isn't easy to contradict what the person is actually saying.

    Rule 2A:
    When a poster cannot properly refute a post they do not like (as described above), the poster will most likely invent fictitious counter-points and/or begin to attack the other's credibility in feeble ways that are dramatic but irrelevant. Do not underestimate this tactic, as in the online world this will sway many observers. Do not forget: Correctness is decided only by what is said last, the most loudly, or with greatest repetition.

    Rule 3:
    When it comes to computer news, 70% of Internet rumors are outright fabricated, 20% are inaccurate enough to simply be discarded, and about 10% are based in reality. Grains of salt--become familiar with them.

    Remember: When debating online, everyone else is ALWAYS wrong if they do not agree with you!

    Random Tip o' the Whatever
    You just can't win. If your product offers feature A instead of B, people will moan how A is stupid and it didn't offer B. If your product offers B instead of A, they'll likewise complain and rant about how anyone's retarded cousin could figure out A is what the market wants.

  18. #18
    Xtreme Addict
    Join Date
    Jul 2002
    Location
    [M] - Belgium
    Posts
    1,819
    I've run into this puppy at work; took less than 2 seconds to infect a machine after clicking a link in Chrome to a malicious site, attack vector was through Java; the user only noticed it because he's a java dev; AV software tried to stop the java process but... "too little" "too late"; cleaning was not an option; had to complete scratch the disk and start from zero; thank god for backups


    Belgium's #1 Hardware Review Site and OC-Team!

  19. #19
    Xtreme Addict
    Join Date
    Apr 2007
    Posts
    2,128
    As if it was easy and practical to store and execute malicious code in most firmware..

  20. #20
    Xtreme Addict
    Join Date
    Jun 2006
    Posts
    1,820
    So much about Chrone, Java and AV safety
    Quote Originally Posted by jmke View Post
    I've run into this puppy at work; took less than 2 seconds to infect a machine after clicking a link in Chrome to a malicious site, attack vector was through Java; the user only noticed it because he's a java dev; AV software tried to stop the java process but... "too little" "too late"; cleaning was not an option; had to complete scratch the disk and start from zero; thank god for backups
    P5E64_Evo/QX9650, 4x X25-E SSD - gimme speed..
    Quote Originally Posted by MR_SmartAss View Post
    Lately there has been a lot of BS(Dave_Graham where are you?)

  21. #21
    Xtreme X.I.P. Particle's Avatar
    Join Date
    Apr 2008
    Location
    Kansas
    Posts
    3,218
    It wouldn't matter what browser you were running unless you ran the whole thing fully sandboxed like with sandboxie. That's why we see more and more plugin-targeted exploits instead of browser. Not everyone uses IE, but everyone has flash and acrobat.
    Particle's First Rule of Online Technical Discussion:
    As a thread about any computer related subject has its length approach infinity, the likelihood and inevitability of a poorly constructed AMD vs. Intel fight also exponentially increases.

    Rule 1A:
    Likewise, the frequency of a car pseudoanalogy to explain a technical concept increases with thread length. This will make many people chuckle, as computer people are rarely knowledgeable about vehicular mechanics.

    Rule 2:
    When confronted with a post that is contrary to what a poster likes, believes, or most often wants to be correct, the poster will pick out only minor details that are largely irrelevant in an attempt to shut out the conflicting idea. The core of the post will be left alone since it isn't easy to contradict what the person is actually saying.

    Rule 2A:
    When a poster cannot properly refute a post they do not like (as described above), the poster will most likely invent fictitious counter-points and/or begin to attack the other's credibility in feeble ways that are dramatic but irrelevant. Do not underestimate this tactic, as in the online world this will sway many observers. Do not forget: Correctness is decided only by what is said last, the most loudly, or with greatest repetition.

    Rule 3:
    When it comes to computer news, 70% of Internet rumors are outright fabricated, 20% are inaccurate enough to simply be discarded, and about 10% are based in reality. Grains of salt--become familiar with them.

    Remember: When debating online, everyone else is ALWAYS wrong if they do not agree with you!

    Random Tip o' the Whatever
    You just can't win. If your product offers feature A instead of B, people will moan how A is stupid and it didn't offer B. If your product offers B instead of A, they'll likewise complain and rant about how anyone's retarded cousin could figure out A is what the market wants.

  22. #22
    Xtreme Addict
    Join Date
    Jul 2007
    Posts
    1,488
    Quote Originally Posted by Jaivan View Post
    Okay allow me to rephrase then. Try beating a BIOS flash and reformat...
    Good enough (unless it was stored in some other firmware), but it would have to be on a machine/device that didn't boot from that bios.

    Quote Originally Posted by Particle View Post
    This isn't a hardware rootkit. Their comments are valid in regards to what they were posting about, namely *this* rootkit.
    I agree. I was just pointing out the misconception many have that formatting is necessarily the answer to every possible infection.

    This particular rootkit is something different. But it isn't long before novel ideas in one malicious program start showing up in other malicious programs. This particular attack and a BIOS attack are not necessarily mutually exclusive and could show up together in a rootkit in the future.

    Quote Originally Posted by saaya View Post
    its a common misconception that flashing a bios actually overwrites all info stored on the chip
    But without a pointer to the dangling code it will never execute.

    Quote Originally Posted by Calmatory View Post
    As if it was easy and practical to store and execute malicious code in most firmware..
    I didn't say it was easy, I said it is possible. And some really good programers are writing malicious code. Some of the most elegant, complex, difficult, and innovative code ever written has been for malicious programs. We are talking about code that can modify itself, bypass/control system calls, propagate itself without biological assistance, etc.

  23. #23
    Xtreme Addict
    Join Date
    Jul 2002
    Location
    [M] - Belgium
    Posts
    1,819
    for every guy paid $200/day for developing AV software; there are 2 being paid $1000/day to find exploits.


    Belgium's #1 Hardware Review Site and OC-Team!

  24. #24
    Xtreme Addict
    Join Date
    Jun 2006
    Posts
    1,820
    Quote Originally Posted by jmke View Post
    for every guy paid $200/day for developing AV software; there are 2 being paid $1000/day to find exploits.
    That's just in the AV company itself
    P5E64_Evo/QX9650, 4x X25-E SSD - gimme speed..
    Quote Originally Posted by MR_SmartAss View Post
    Lately there has been a lot of BS(Dave_Graham where are you?)

  25. #25
    Xtreme Addict
    Join Date
    Jul 2002
    Location
    [M] - Belgium
    Posts
    1,819
    wishful thinking, rather people on the other team...


    Belgium's #1 Hardware Review Site and OC-Team!

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •