
Legal bootkits

Clever Rusakov, whom many still mistakenly call RusTOKov, has written another article on www.securelist.ru, and again about rootkit technology. This time, however, neither TDL4 nor any other malicious program is mentioned, because the article is about the dangers of sloppily implemented rootkit techniques in legitimate products, as the author states directly in the introduction. A special thank you for that introduction, by the way: without it an unprepared reader would not understand anything at all, despite the many pictures in the text.

To begin with, the author, with suspicious insight, imagines several cases of exactly such careless implementation that could let villains use legitimate drivers, protectors, cryptors and classic anti-rootkit tools for their villainous ends. He practically succeeds in convincing the reader that a legitimately signed driver is a potential security threat if the rootkit techniques in it are implemented with the care of the Russian car industry. Moreover, noting with suspicious awareness that there are no fools on the other side of the barricades, the author frightens readers with the prospect of villains taking the imagined careless kernel-mode driver apart bone by bone and putting the knowledge obtained in such a barbaric way to evil use.

[image]
"However, we discovered an anomaly: the MBR is substituted on read. The substitution is implemented by a disk stack filter driver" (Comodo Time Machine).
Then it turns out that there are legitimate programs on users' computers whose behaviour looks suspicious not only to the author but also to the anti-rootkit component of Kaspersky Anti-Virus. The author examines four programs that use rootkit techniques: COMODO Time Machine, Norton GoBack, RestoreIT and PC Back Pro / Rollback Rx (one program under two names). All of them were created with the noble goal of returning the system to a working state after an unforeseen disaster. Although two of the four are no longer supported by their manufacturers, the author finds fault with them too. It turns out that every one of them can be started with a magic hotkey that opens a special recovery console before the operating system loads, and in every case this is implemented by modifying the MBR.

It gets worse. In all of the programs the MBR is substituted on read, and the substitution is implemented by a disk stack filter driver: a read of the MBR returns its content as it was before the modification, that is, fake content. Writes to the MBR are either rejected outright or the filter driver sends them far away, that is, redirects the request and writes the data to another location. Either way, the modified MBR stays intact.

Further still, and worse still, because the author, for all his insight, is "surprised" by the fact that the MBR is concealed. So he decides to check how the products behave if the boot record is modified in a way that bypasses the filter driver. Having successfully pushed a pile of garbage into the MBR around the filter, the author discovers terrible things: after the MBR is overwritten, all the products keep returning the fake content on read; after a reboot the computer ("of course") does not boot; and no magic hotkey brings up the recovery console.
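To make the mechanism concrete, here is an added example that is not part of the Securelist article or of this post, and is not any vendor's code: a user-mode C model of the disk stack filter driver described above, together with the cross-view check (read LBA 0 through the stack, read it again below the filter, compare) that an anti-rootkit component would use to notice the substitution. The disk, the sector contents, the product's boot-code pattern, the "redirect LBA" and the experiment itself are all constructed for the model; a real filter driver attaches to the disk device object in the kernel, which this model only imitates.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define NSECTORS    8

/* Constructed disk: LBA 0 is the MBR (stands in for the physical disk below the stack). */
typedef struct { uint8_t sector[NSECTORS][SECTOR_SIZE]; } disk_t;

/* Model of the filter driver from the article: keeps the MBR as it was before the
 * product modified it, serves that copy on every read of LBA 0, and either rejects
 * writes to LBA 0 or redirects them to another sector. */
typedef struct {
    disk_t *lower;                   /* device below the filter */
    uint8_t shadow_mbr[SECTOR_SIZE]; /* pre-modification MBR shown to readers */
    int     write_redirect_lba;      /* target for writes to LBA 0; -1 = reject */
    bool    attached;
} filter_t;

/* Raw path: what a caller sees when it reaches the disk below the filter. */
static void raw_read(disk_t *d, int lba, uint8_t *out) {
    memcpy(out, d->sector[lba], SECTOR_SIZE);
}
static void raw_write(disk_t *d, int lba, const uint8_t *in) {
    memcpy(d->sector[lba], in, SECTOR_SIZE);
}

/* Filtered path: the request passes through the filter on its way down. */
static void filtered_read(filter_t *f, int lba, uint8_t *out) {
    if (f->attached && lba == 0) {
        memcpy(out, f->shadow_mbr, SECTOR_SIZE); /* fake content */
        return;
    }
    raw_read(f->lower, lba, out);
}
/* Returns 0 if the write was accepted (possibly redirected), -1 if rejected. */
static int filtered_write(filter_t *f, int lba, const uint8_t *in) {
    if (f->attached && lba == 0) {
        if (f->write_redirect_lba < 0) return -1;       /* write prohibited */
        raw_write(f->lower, f->write_redirect_lba, in); /* sent "far away" */
        return 0;
    }
    raw_write(f->lower, lba, in);
    return 0;
}

/* Product installation: remember the original MBR, put the product's own boot code
 * (with the recovery-console hook) into LBA 0, then attach the filter. */
static void product_install(filter_t *f, disk_t *d, const uint8_t *product_mbr, int redirect_lba) {
    f->lower = d;
    raw_read(d, 0, f->shadow_mbr);
    raw_write(d, 0, product_mbr);
    f->write_redirect_lba = redirect_lba;
    f->attached = true;
}

/* Cross-view check: LBA 0 read through the stack differing from LBA 0 read below
 * the filter means something in the stack is hiding the real MBR. */
static bool mbr_is_hidden(filter_t *f) {
    uint8_t high[SECTOR_SIZE], low[SECTOR_SIZE];
    filtered_read(f, 0, high);
    raw_read(f->lower, 0, low);
    return memcmp(high, low, SECTOR_SIZE) != 0;
}
/* The BIOS only executes LBA 0 if it ends with the 0x55 0xAA signature. */
static bool mbr_bootable(const disk_t *d) {
    return d->sector[0][510] == 0x55 && d->sector[0][511] == 0xAA;
}
/* Constructed MBR: filler byte plus the boot signature. */
static void make_mbr(uint8_t *out, uint8_t filler) {
    memset(out, filler, SECTOR_SIZE);
    out[510] = 0x55; out[511] = 0xAA;
}

/* Replays the article's experiment. Returns a bitmask of observations:
 *  1: the filter hides the product's MBR from the filtered read path
 *  2: a write through the filter does not touch LBA 0
 *  4: after a write around the filter, the filtered read still shows the original MBR
 *  8: after that write, the disk no longer boots
 * 16: after that write, the product's recovery-console hook is gone */
static unsigned run_experiment(int redirect_lba) {
    disk_t disk;
    filter_t filter = {0};
    uint8_t original[SECTOR_SIZE], product[SECTOR_SIZE], garbage[SECTOR_SIZE], seen[SECTOR_SIZE];
    unsigned r = 0;
    memset(&disk, 0, sizeof disk);
    make_mbr(original, 0x11);           /* the user's real boot code */
    make_mbr(product, 0x22);            /* the product's boot code + hook */
    memset(garbage, 0x41, SECTOR_SIZE); /* no boot signature at all */
    raw_write(&disk, 0, original);
    product_install(&filter, &disk, product, redirect_lba);
    if (mbr_is_hidden(&filter)) r |= 1;
    filtered_write(&filter, 0, garbage);   /* rejected or redirected by the filter */
    if (memcmp(disk.sector[0], product, SECTOR_SIZE) == 0) r |= 2;
    raw_write(&disk, 0, garbage);          /* the write "around the filter" */
    filtered_read(&filter, 0, seen);
    if (memcmp(seen, original, SECTOR_SIZE) == 0) r |= 4;
    if (!mbr_bootable(&disk)) r |= 8;
    if (memcmp(disk.sector[0], product, SECTOR_SIZE) != 0) r |= 16;
    return r;
}

int main(void) {
    printf("redirecting filter: observations 0x%02x\n", run_experiment(3));
    printf("rejecting filter:   observations 0x%02x\n", run_experiment(-1));
    return 0;
}
```

Both variants of the filter (rejecting writes and redirecting them) produce the same five observations, which is the article's point: whether the filter blocks or redirects, the one thing it never does is notice that the sector underneath it has changed, so a write that reaches the disk below it leaves the product blind, the system unbootable and the recovery hook gone.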

Having thought the situation over, the author concludes that using such software threatens the user with a great deal of trouble, namely:

• the user has no way to learn that the MBR has been infected;
• malware on the computer gets hidden with the help of a legitimate utility;
• in the event of a serious problem, the system-rollback software will most likely not work;
• using partition-editing tools can lead to loss of the system.

Impressed by what he has done, Rusakov even offers a few recommendations to the manufacturers of the products discussed above and their counterparts. We quote:
  1. The MBR modification mechanism is entirely legitimate, but rootkit technologies must be abandoned completely in these products; there are other algorithms. Do not hide anything from users.
  2. The recovery console can be implemented as a boot disk or removable media.
  3. The drivers need caller-authentication functionality if they do not already have it (end of quote).

We, for our part, join Vyacheslav's appeal: if your products hide anything from the user, make them stop immediately! Because the author's fellow experts know that this is not the end. Clever Rusakov will eventually write another article, and if you do not follow his advice at once, he will get to your products, to the rootkit techniques implemented in them, and to the root of all evil.

Source: https://habr.com/ru/post/133517/