
More rootkits are “good” and different. Part I

Sometimes the style of writing and the principles applied in malicious software differ significantly from sample to sample. Some rely on polymorphism, others on a rootkit component. In terms of the development of rootkit technology, the TDL family (also called TDSS, Alureon, Olmarik, Tidserv) has especially distinguished itself. As the saying goes, everything new is well-forgotten old. At the dawn of personal computing, the bulk of malware was viruses, which were divided into two classes: file and boot viruses (there were also combined ones, for example the infamous OneHalf). The TDL-4 bootkit is a worthy successor to boot viruses, although it is a Trojan program (unable to spread on its own). The word bootkit is formed from boot (the boot area) and rootkit (a means of hiding signs of activity). But before becoming a bootkit, TDL came a long way.

TDL-1

One of the first versions of the rootkit was discovered by Kaspersky Lab in April 2008; it kept its tdsserv.sys driver in the system, which is where the name TDSS came from. Subsequently, the name of the main driver was changed several times: clbdriver.sys, seneka*.sys, UACd*.sys, gaopdx*.sys, tdlserv.sys and others.
The alternative name TDL came from the presence of multiple identifiers in the code beginning with the characters 'tdl'. The TDL-1 dropper contained two main files: the rootkit driver itself and the library holding the main functionality (payload). At that time, the function-hooking methods were fairly trivial and not innovative, but they allowed most anti-virus protection to be bypassed.
The main concealment functions implemented by the driver:

The driver is also able to perform several other functions aimed at actively counteracting anti-virus software:

When installing the rootkit, the following technique was used to bypass behavioral protection: the malicious code is placed into the system cache of frequently used libraries (\KnownDLLs), from where it is invoked by a legitimate system application when it uses one of these libraries. Specifically, during installation TDL-1 patched the advapi32.dll library loaded by the Microsoft Installer service; newer versions patched msi.dll instead. Thus the call into the TDL-1 code was made from the context of a trusted application. More information about the methods used by TDL-1 can be found in the post by Alice Shevchenko.

TDL-2

Installation proceeded by a method similar to that of the first TDL version, this time patching the msvcrt.dll library. To make the rootkit driver harder to detect, obfuscation and encryption mechanisms were used. In particular, the binary code was "diluted" with random words from William Shakespeare's Hamlet. Compared to the first version the rootkit changed little functionally, but the concealment and protection methods changed, probably because the previous version had made it into anti-virus databases.

TDL-3

In the fall of 2009 a third version appeared, containing many technical innovations. The bypass technique changed: it now used DLL hijacking. Its essence is that the OS first searches for the required DLL in the current directory and only then in the system directory, so by placing a malicious library with the name of one of the imported libraries in the directory of a legitimate program, malicious code can be run. TDL-3 copied itself as a library into the print processor directory and then accessed it, which led to the execution of malicious code in the context of a system process.
To regain control after a reboot, the method of infecting OS system components (drivers) was used. The miniport/port disk driver atapi.sys was infected; in later versions TDL-3 randomly selected and infected system drivers that fit certain parameters. A small section of 824 bytes of malicious code (917 bytes in variants with random drivers) serving as a loader was injected into atapi.sys, while the original size of the driver remained unchanged. The original data that was replaced was stored together with the main code in a dedicated place at the end of the hard disk. The last several disk sectors were organized into a kind of encrypted data storage with its own file system, and a virtual device was created to work with it. This storage also contained configuration data blocks. TDL-3 intercepted calls to the disk and, when its "personal" sectors were read, returned their contents as a data block filled with zeros. The configuration data block (config.ini) is the same for all three versions and contains the following data:

[main] - identification data
  Quote - quotes from movies, cartoons, etc., displayed when a debugger is attached;
  Version - version;
  Botid - bot ID for the admin panel;
  AffId - ID of the "affiliate program";
  SubId - used to identify a bot's subnet when the botnet is divided into several subnets;
  Installdate - date of installation in the system;
  Builddate - date of compilation.
[injector] - mapping of injected modules to processes
  contains a list of value pairs: process name (by default "*", meaning all processes) - name of the DLL (dynamic library to be loaded into the specified process).
[tdlcmd] - server data
  Servers - addresses of the rootkit's administrative panels, usually three addresses;
  Wspservers - addresses of servers for working with search engines;
  Popupservers - addresses of servers for opening pages;
  Version - payload version.
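The config.ini layout above is what a responder recovers from the rootkit's storage, so an added example follows (written for this page, not TDL code or anything from the article's sources): a parser for the three sections as described, producing the affiliate and subnet identifiers, the process-to-DLL injection map and the server lists. The sample configuration is constructed, and the ';' separator between server addresses is an assumption, since the article only says "usually three addresses".

```python
"""Parse a TDL-3 style config.ini into a structured summary.

Added example, not TDL code: the section and field names follow the article's
description; the sample below is constructed, and the ';' separator between
server addresses is an assumption (the article only says "usually three")."""
import configparser

# Constructed sample in the layout the article describes (not a real config).
SAMPLE_CONFIG = """\
[main]
quote=Sample quote shown when a debugger is attached
version=3.26
botid=00000000-0000-0000-0000-000000000000
affid=12345
subid=7
installdate=01.03.2010
builddate=25.02.2010
[injector]
*=tdlcmd.dll
iexplore.exe=example_payload.dll
[tdlcmd]
servers=https://c2-a.example/;https://c2-b.example/;https://c2-c.example/
wspservers=https://wsp.example/
popupservers=https://popup.example/
version=3.26
"""


def _split_servers(value):
    """Split a server list field; ';' as separator is an assumption."""
    return [s.strip() for s in value.split(";") if s.strip()]


def parse_tdl_config(text):
    """Return the identification, injection and server data as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    main, cmd = cp["main"], cp["tdlcmd"]
    return {
        "version": main.get("version"),
        "botid": main.get("botid"),
        "affid": main.get("affid"),        # who gets paid for this install
        "subid": main.get("subid"),        # which subnet of the botnet
        "installdate": main.get("installdate"),
        "builddate": main.get("builddate"),
        # process name -> DLL; configparser lowercases keys, which suits
        # case-insensitive Windows image names
        "injections": dict(cp["injector"]),
        "servers": _split_servers(cmd.get("servers", "")),
        "wspservers": _split_servers(cmd.get("wspservers", "")),
        "popupservers": _split_servers(cmd.get("popupservers", "")),
        "payload_version": cmd.get("version"),
    }


def dll_for_process(config, process_name):
    """Which DLL the [injector] mapping would load into process_name.

    A specific entry wins over the '*' wildcard; None means no injection."""
    inj = config["injections"]
    return inj.get(process_name.lower(), inj.get("*"))


def indicators(config):
    """Flatten the fields a responder would block or hunt for:
    every panel/search/popup server plus every injected DLL name."""
    hosts = config["servers"] + config["wspservers"] + config["popupservers"]
    dlls = sorted(set(config["injections"].values()))
    return {"hosts": hosts, "dlls": dlls}


if __name__ == "__main__":
    cfg = parse_tdl_config(SAMPLE_CONFIG)
    print("affiliate id:", cfg["affid"])
    print("iexplore.exe gets:", dll_for_process(cfg, "IEXPLORE.EXE"))
    print("indicators:", indicators(cfg))
```

The lookup in dll_for_process mirrors the article's description of the [injector] section: a named process entry takes precedence, and "*" applies to everything else.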

TDL was distributed using so-called "affiliate programs". According to Wikipedia, "an affiliate program is a form of business cooperation between a seller and partners in selling a product or providing services; it allows the seller to reduce the cost of attracting the end buyer." In cybercrime, malware is the commodity, and the service is luring users to infected web resources and infecting their computers. Money is paid for each successful installation. This is exactly what the AffId field in config.ini is for: to know whom to pay, and how much, for installing a bot with a given identifier. It also allows the performance of a particular "affiliate" to be evaluated. For help in distributing TDL, affiliate program owners received from 20 to 200 USD per 1,000 malware installations, depending on the geographic location of the victim computer. The final installation could be carried out in various ways, for example via fake codecs, by embedding the bot in keygens for popular software, or by delivering exploits via exploit packs.

Data exchange with the TDL control server was carried out over HTTPS; for this the attackers used a self-signed certificate (stored on the server) issued to the fictitious company Internet Widgits Pty Ltd. The use of HTTPS prevented anti-virus software from detecting and blocking network traffic based on packet contents. In addition, in TDL-3 the GET requests were additionally encrypted with the RC4 symmetric algorithm.

The main goal of TDL is monetization of the botnet built with it. TDL had a modular structure and allowed additional modules (as DLLs) to be loaded over the network. One of the modules installed by TDL by default was tdlcmd.dll, which performs the following tasks:

List of commands supported by tdlcmd.dll:

Interception of user requests for the purpose of spoofing the results was performed for popular search engines such as Google, Yahoo, Bing, etc. On each request to such a site, tdlcmd.dll sends a request to the server specified in the Wspservers field of the configuration file. The server responds with a link to the page to be shown to the user. The link can lead either to a malicious site (for example, to install further malware) or to a legitimate site (banner fraud).

An interesting feature of tdlcmd.dll is a mechanism for unfair "promotion" of sites by keywords (black SEO). For this, a keywords file is created in the TDL storage containing the words to be submitted to the search engine. Then, in the search results, the site chosen by the attackers is selected. To convincingly imitate user activity, JavaScript embedded in the browser was used to simulate clicks on the corresponding controls (buttons, links, etc.).

Another way to monetize was the sale of part of the botnet, which is what the SubId parameter in config.ini was for. Botnet subnets of up to 20,000 computers were offered for sale. Otherwise, the TDL creators ran their criminal business themselves.

In February 2010, Microsoft released the unplanned update MS10-015. This patch eliminated a vulnerability allowing local privilege escalation and made modifications directly to the OS kernel. After this patch, some users began to complain about BSODs. It later turned out that the affected computers were infected with TDL-3, and the BSOD was caused by its incorrect loading. The reason was the use of implicit calls to WinAPI functions by fixed offsets in memory; the update changed the layout, so the function addresses became different and the TDL-3 code stopped working as intended. Because of this developer error the size of the botnet was significantly reduced, especially in the United States, where the majority of users run licensed Windows with the update mechanism enabled (source). The developers quickly responded with the release of TDL version 3.26. Now, instead of infecting a previously known driver, the rootkit infected a random driver, and the addresses of the kernel functions used in its code were looked up using checksums computed from their names. The storage encryption was changed to a simpler scheme: a single-byte XOR in which the key byte is incremented, starting from the initial value 0x54 (source).
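As an added example (written for this page, not TDL code or code from the cited sources), here is the rolling single-byte XOR the paragraph describes, together with the check an analyst would apply to a recovered storage block: because the scheme is symmetric and the config.ini block is expected to begin with "[main]", the initial key byte can be derived from the first ciphertext byte and verified against the rest of the marker, which also handles a variant that kept the scheme but changed the 0x54 constant. That the key advances by one after every byte and wraps modulo 256 is my reading of the article's description, and the storage bytes used are constructed.

```python
"""Decrypt TDL-3 (3.26) style storage: single-byte XOR whose key byte is
incremented after each byte, starting at 0x54.

Added example, not TDL code. The article states the XOR, the increment and
the 0x54 start; that the key advances per byte and wraps modulo 256 is my
reading, and the storage bytes below are constructed."""

INITIAL_KEY = 0x54


def rolling_xor(data, initial_key=INITIAL_KEY):
    """Apply the rolling XOR. Symmetric: the same call encrypts and decrypts."""
    out = bytearray(len(data))
    key = initial_key & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key + 1) & 0xFF  # assumption: per-byte increment, wraps at 256
    return bytes(out)


def recover_initial_key(ciphertext, known_prefix=b"[main]"):
    """Derive the initial key byte from a block whose plaintext is assumed
    to begin with known_prefix (the first section header of config.ini).
    The first byte gives the candidate; the rest of the prefix verifies it.
    Returns None if the verification fails."""
    if not known_prefix or len(ciphertext) < len(known_prefix):
        return None
    key0 = ciphertext[0] ^ known_prefix[0]
    for i, p in enumerate(known_prefix):
        if ciphertext[i] ^ ((key0 + i) & 0xFF) != p:
            return None
    return key0


def decrypt_block(ciphertext, known_prefix=b"[main]"):
    """Recover the key from the known prefix and decrypt the whole block.
    Works for any initial key, not only 0x54, so a sample that changed the
    constant but kept the scheme is still handled."""
    key0 = recover_initial_key(ciphertext, known_prefix)
    if key0 is None:
        raise ValueError("block does not decrypt to the expected marker")
    return rolling_xor(ciphertext, key0)


if __name__ == "__main__":
    plaintext = b"[main]\nversion=3.26\naffid=12345\n"  # constructed block
    encrypted = rolling_xor(plaintext)  # as the rootkit would store it
    print(encrypted.hex())
    print("recovered key: 0x%02x" % recover_initial_key(encrypted))
    print(decrypt_block(encrypted).decode())
```

The known-prefix check is what makes this usable on a disk image: rather than trusting the 0x54 constant, it fails loudly when the sectors are not a block of this scheme, so a zero-filled block (which is also what the rootkit returns to other readers of its sectors) is reported rather than decoded into garbage.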

Despite some tricks to protect against loss of control, the command center scripts contained vulnerabilities that allowed some computer security researchers to successfully break in. Details of one such case are available here. According to the information obtained from the databases of the compromised server, the total number of computers infected with the TDL-3 rootkit from 12.08.2009 to 14.07.2010 amounted to more than 16,000,000. Naturally, this is the cumulative total; in reality the "live" bots numbered on the order of 5,000,000. The largest share of them (43%) was in the USA, which can be explained by the greater monetary return from banner fraud in that country.

Continued here.

Source: https://habr.com/ru/post/162933/
