More rootkits are “good” and different. Part II
Start here .
TDL developers keep up with the times. This time their eyes were fixed on 64-bit systems that had not been covered before. In early August 2011, the 4th version of TDL with new "chips" appears. First of all, the separation of work files into 32 and 64 bit versions appeared. Secondly - the launch algorithm has changed once again after a reboot. Previously, a similar algorithm was used in Sinowal malware, which is well-known for its innovations to employees of antivirus companies. Now TDL version 4 has infected the master boot record (MBR). This method allows it to boot before the operating system, immediately after starting the computer. Thus, TDL-4 from the rootkit "mutated" into the bootkit. As before, the TDL-4 components were stored in a special area of the hard disk of no more than 8 Mb, encrypted with the RC4 algorithm. The code in the MBR passed control to the ldr16 component (from the repository). After transferring control, ldr16 intercepted the hard disk functions (the OS is not yet loaded). To load TDL-4, the kdcom.dll file was substituted (by installing an interceptor on Int 13h and searching for a specific signature kdcom.dll), which is necessary for initializing the operating system kernel at the boot stage. Instead of kdcom.dll, the malicious component ldr32 or ldr64 (from storage) was loaded, depending on the bitness of the target OS. The binary code ldr32 and ldr64 are almost identical, since they are compiled from the same source code. But, apart from the difference in the code, in 64 bit systems, starting with Windows 2003 x64 (XP x64 and then Vista, Seven), several technologies have appeared that are aimed at protecting against harmful effects. One of them is Patch Guard, which tracks changes in critical objects of the OS kernel, such as:
When loading, as part of Patch Guard, the OS calculates checksums for the above objects, saves them and periodically checks that the current values match the saved values. Upon detecting the modification of objects (by changing the checksum), the OS crashes with a BSOD mapping. In addition to Patch Guard, another protection mechanism has appeared - a mandatory digital signature verification for system-loaded drivers. However, the applied boot algorithm allowed us to successfully circumvent both of the above mechanisms, since TDL-4 gets control before the OS boots. To bypass the integrity check of the kdcom.dll file, ldr16 temporarily changed the Boot Configuration Data (BCD), a registry branch used by the Windows boot manager and supported starting with Windows Vista (this mechanism replaced the boot.ini). BCD had three different boot options:
')
TDL-4 switched boot mode to BcdOSLoaderBoolean_WinPEMode. After successful loading, ldr32 (ldr64) loaded the main modules (rootkit and payload) and this mode was disabled. The technique of intercepting functions was similar to that used in TDL-3. In conjunction with the infection of the MBR, it is possible to reliably hide its operation from anti-virus tools of the time.
In April 2011, Microsoft code released update KB2506014, the task of which was to make several changes to the winloader.exe module of 64 bit OS versions to counteract the loading of unsigned drivers. As a result, BCD lost the BcdOSLoaderBoolean_WinPEMode option that TDL-4 used for its download. Its developers reacted with the release of an updated version of TDL-4, in which, instead of switching to WinPE mode, the I_CheckImageHashInCatalog procedure was modified. This procedure checks the integrity of the modules loaded by the winload.exe program. TDL-4 changed the algorithm of its work, so that if the hashes did not match, the result would still be returned, that is all true. True, this mechanism did not work quite stably ( source ).
In the work of the new version of TDL remained the same way of distribution - through affiliate programs. Compared to the previous version, the protocol encryption algorithm used to communicate with the command center has been updated. Instead of RC4, a “self-made” encryption algorithm was used using the XOR operation. A new parameter bsh appeared in the configuration file - an identifier that is set by the managing server when the bot first connects to it. Protocol encryption is now carried out on its basis. Thus, the data stream from each bot was encrypted with different keys, which further complicated the procedure for monitoring traffic by means of antivirus malware detection by malware.
TDL-4 has acquired a kind of “antivirus” component that removes about 20 malicious programs, for example, Gbot, ZeuS, Clishmic, Optima, etc. This “antivirus” helps fight competitors, as well as reduce the likelihood of detection caused by being on an infected computer other malware.
The arsenal of “payloads” has been added to the SOCKS proxy module. The presence of such a module allows you to anonymously visit the resources of the Network. In the network you can find a large number of sites that offer a paid service to provide IP addresses of anonymous proxies, most of which are the addresses of infected malware.
Somewhat later, the appearance of a module for generating Bitcoin cryptocurrency and additional parameters in the config.ini for the operation of this module, such as the domain name of the Bitcoin server and the credentials for connecting to it, was revealed.
Despite the measures taken by the attackers to protect the botnet’s management servers, knowing the TDL-4 communication protocol with the management servers, the antivirus companies received statistics on the number of infected computers. The analysis of the data revealed about 60 domain names of command centers, which were redirected to three different servers using the Double Fast Flux technology.
The term “Fast Flux” (literally translated as 'fast flow' or 'flow') refers to the rapid multiple changes to the DNS records, which leads to a permanent change in the IP address to which the domain name belongs. Fast Flux technology itself is not “malicious” because it does not exploit any DNS vulnerabilities and is usually used to distribute server load. In the classical scheme, several dozens of IP addresses correspond to one domain name, which change every few minutes (Single Fast Flux scheme). This already makes it ineffective to block the traffic of bots by IP addresses. The attackers, on the other hand, improved the scheme somewhat - the DNS server does not return the final address of the command center itself, but the address of one of a large number of infected computers, each of which is a proxy to a real management server (Double Fast Flux scheme). MySQL databases that support the work of the botnet functioned on 3 servers located in Moldova, Lithuania and the USA. According to information from these databases, in the first three months of 2011, about 4.5 million computers worldwide were infected with TDL-4, about 28% of them were in the United States.
The most interesting innovation was the appearance of the “payload” kad.dll, intended for the exchange of information between TDL-4 bots via the P2P network. Botnets using P2P are no longer a rarity, but most of their implementations were based on their own closed network. TDL-4 uses the existing Kad public file-sharing network. In this case, the P2P network architecture was partially decentralized (more details here ). The kad.dll library downloaded a list of peers (bootstrap list) from one of the command servers in the form of a nodes.dat file. On one of the computers on the Kad network (“clean” or “infected”), the ktzerules file was located, which contained a list of commands to bots in an encrypted form and was digitally signed. The list of commands that could be in ktzerules:
As you can see, through the Kad network, attackers could access any file on the infected computer.
As you can see, the creators of TDL went on a more laborious way, writing kernel-level rootkits is a rather trivial task. In all of this, a certain old school is guessed, that is, the attackers not only pursue financial goals, but also in some way constantly prove to antivirus companies and Microsoft that "their Kung Fu is better." The TDL methods used by developers advance in their development the ways of countering antiviruses and OS protection components. At the same time, most APT attacks aimed at obtaining confidential information are content with a simple code-signing technique to circumvent security tools without using any concealment. This has a certain economic meaning. TDL developers minimize losses, develop the code themselves, do not use stolen certificates for signing, use common exploits. Their method is continuous operation under invisibility conditions. For cyber spies there are people with very big money (not necessarily the state, just competitors). Here the principle prevails - quickly “leaked” the necessary information and disappeared. In the process of theft of secrets, the important role is played by the fact that the fact of theft should not be discovered. Therefore, there are stolen signatures of major vendors, zero-day vulnerabilities and other “expensive” things. That is, simpler bypass techniques (in the technical sense - bought, compiled, works) at rather big prices. On the other hand, if we take the figure of $ 20 for 1000 installations in the framework of the "partner" program and the figure of 20 million infections from 2009 to 2011 (16 TDL-3 and 4 TDL-4), it turns out that the creators of TDL spend about 200 thousand dollars a year just for distribution. That is, they have money. It should also be noted that to monetize profits TDSS uses methods that “steal” the computing power of infected computers, but do not directly harm the user financially. These methods - banner wrapping, Black Seo, provision of anonymization service - were probably chosen so that law enforcement agencies would be less interested in the investigation. Plus, the group itself, apparently, is Russian-speaking, so computers in the countries of the former USSR, if possible, are not infected.
TDL-4
TDL developers keep up with the times. This time their eyes were fixed on 64-bit systems that had not been covered before. In early August 2011, the 4th version of TDL with new "chips" appears. First of all, the separation of work files into 32 and 64 bit versions appeared. Secondly - the launch algorithm has changed once again after a reboot. Previously, a similar algorithm was used in Sinowal malware, which is well-known for its innovations to employees of antivirus companies. Now TDL version 4 has infected the master boot record (MBR). This method allows it to boot before the operating system, immediately after starting the computer. Thus, TDL-4 from the rootkit "mutated" into the bootkit. As before, the TDL-4 components were stored in a special area of the hard disk of no more than 8 Mb, encrypted with the RC4 algorithm. The code in the MBR passed control to the ldr16 component (from the repository). After transferring control, ldr16 intercepted the hard disk functions (the OS is not yet loaded). To load TDL-4, the kdcom.dll file was substituted (by installing an interceptor on Int 13h and searching for a specific signature kdcom.dll), which is necessary for initializing the operating system kernel at the boot stage. Instead of kdcom.dll, the malicious component ldr32 or ldr64 (from storage) was loaded, depending on the bitness of the target OS. The binary code ldr32 and ldr64 are almost identical, since they are compiled from the same source code. But, apart from the difference in the code, in 64 bit systems, starting with Windows 2003 x64 (XP x64 and then Vista, Seven), several technologies have appeared that are aimed at protecting against harmful effects. One of them is Patch Guard, which tracks changes in critical objects of the OS kernel, such as:
- global descriptor table - GDT;
- interrupt descriptor table - IDT;
- System Services Descriptor Table - SSDT;
- some system files, for example, NTOSKRNL.EXE, NDIS.SYS, HAL.DLL;
- MSR service registers STAR / LSTAR / CSTAR / SFMASK.
When loading, as part of Patch Guard, the OS calculates checksums for the above objects, saves them and periodically checks that the current values match the saved values. Upon detecting the modification of objects (by changing the checksum), the OS crashes with a BSOD mapping. In addition to Patch Guard, another protection mechanism has appeared - a mandatory digital signature verification for system-loaded drivers. However, the applied boot algorithm allowed us to successfully circumvent both of the above mechanisms, since TDL-4 gets control before the OS boots. To bypass the integrity check of the kdcom.dll file, ldr16 temporarily changed the Boot Configuration Data (BCD), a registry branch used by the Windows boot manager and supported starting with Windows Vista (this mechanism replaced the boot.ini). BCD had three different boot options:
')
- BcdLibraryBoolean_DisableIntegrityCheck - forced disabling of the scan (most often used for debugging purposes);
- BcdOSLoaderBoolean_WinPEMode - disabling in OS installation or repair mode;
- BcdLibraryBoolean_AllowPrereleaseSignatures - allow uploading modules that have a test digital signature.
TDL-4 switched boot mode to BcdOSLoaderBoolean_WinPEMode. After successful loading, ldr32 (ldr64) loaded the main modules (rootkit and payload) and this mode was disabled. The technique of intercepting functions was similar to that used in TDL-3. In conjunction with the infection of the MBR, it is possible to reliably hide its operation from anti-virus tools of the time.
In April 2011, Microsoft code released update KB2506014, the task of which was to make several changes to the winloader.exe module of 64 bit OS versions to counteract the loading of unsigned drivers. As a result, BCD lost the BcdOSLoaderBoolean_WinPEMode option that TDL-4 used for its download. Its developers reacted with the release of an updated version of TDL-4, in which, instead of switching to WinPE mode, the I_CheckImageHashInCatalog procedure was modified. This procedure checks the integrity of the modules loaded by the winload.exe program. TDL-4 changed the algorithm of its work, so that if the hashes did not match, the result would still be returned, that is all true. True, this mechanism did not work quite stably ( source ).
In the work of the new version of TDL remained the same way of distribution - through affiliate programs. Compared to the previous version, the protocol encryption algorithm used to communicate with the command center has been updated. Instead of RC4, a “self-made” encryption algorithm was used using the XOR operation. A new parameter bsh appeared in the configuration file - an identifier that is set by the managing server when the bot first connects to it. Protocol encryption is now carried out on its basis. Thus, the data stream from each bot was encrypted with different keys, which further complicated the procedure for monitoring traffic by means of antivirus malware detection by malware.
TDL-4 has acquired a kind of “antivirus” component that removes about 20 malicious programs, for example, Gbot, ZeuS, Clishmic, Optima, etc. This “antivirus” helps fight competitors, as well as reduce the likelihood of detection caused by being on an infected computer other malware.
The arsenal of “payloads” has been added to the SOCKS proxy module. The presence of such a module allows you to anonymously visit the resources of the Network. In the network you can find a large number of sites that offer a paid service to provide IP addresses of anonymous proxies, most of which are the addresses of infected malware.
Somewhat later, the appearance of a module for generating Bitcoin cryptocurrency and additional parameters in the config.ini for the operation of this module, such as the domain name of the Bitcoin server and the credentials for connecting to it, was revealed.
Despite the measures taken by the attackers to protect the botnet’s management servers, knowing the TDL-4 communication protocol with the management servers, the antivirus companies received statistics on the number of infected computers. The analysis of the data revealed about 60 domain names of command centers, which were redirected to three different servers using the Double Fast Flux technology.
The term “Fast Flux” (literally translated as 'fast flow' or 'flow') refers to the rapid multiple changes to the DNS records, which leads to a permanent change in the IP address to which the domain name belongs. Fast Flux technology itself is not “malicious” because it does not exploit any DNS vulnerabilities and is usually used to distribute server load. In the classical scheme, several dozens of IP addresses correspond to one domain name, which change every few minutes (Single Fast Flux scheme). This already makes it ineffective to block the traffic of bots by IP addresses. The attackers, on the other hand, improved the scheme somewhat - the DNS server does not return the final address of the command center itself, but the address of one of a large number of infected computers, each of which is a proxy to a real management server (Double Fast Flux scheme). MySQL databases that support the work of the botnet functioned on 3 servers located in Moldova, Lithuania and the USA. According to information from these databases, in the first three months of 2011, about 4.5 million computers worldwide were infected with TDL-4, about 28% of them were in the United States.
The most interesting innovation was the appearance of the “payload” kad.dll, intended for the exchange of information between TDL-4 bots via the P2P network. Botnets using P2P are no longer a rarity, but most of their implementations were based on their own closed network. TDL-4 uses the existing Kad public file-sharing network. In this case, the P2P network architecture was partially decentralized (more details here ). The kad.dll library downloaded a list of peers (bootstrap list) from one of the command servers in the form of a nodes.dat file. On one of the computers on the Kad network (“clean” or “infected”), the ktzerules file was located, which contained a list of commands to bots in an encrypted form and was digitally signed. The list of commands that could be in ktzerules:
- SearchCfg - search for a new ktzerules file on the Kad network;
- LoadExe - load and run the executable file;
- ConfigWrite - make an entry in cfg.ini;
- Search - search for a file on the Kad network;
- Publish - publish the file on the Kad network;
- Knock - download a new nodes.dat file from C & C containing a list of IP addresses of servers and clients of the Kad network, including computers infected with TDSS.
As you can see, through the Kad network, attackers could access any file on the infected computer.
Thinking out loud
As you can see, the creators of TDL went on a more laborious way, writing kernel-level rootkits is a rather trivial task. In all of this, a certain old school is guessed, that is, the attackers not only pursue financial goals, but also in some way constantly prove to antivirus companies and Microsoft that "their Kung Fu is better." The TDL methods used by developers advance in their development the ways of countering antiviruses and OS protection components. At the same time, most APT attacks aimed at obtaining confidential information are content with a simple code-signing technique to circumvent security tools without using any concealment. This has a certain economic meaning. TDL developers minimize losses, develop the code themselves, do not use stolen certificates for signing, use common exploits. Their method is continuous operation under invisibility conditions. For cyber spies there are people with very big money (not necessarily the state, just competitors). Here the principle prevails - quickly “leaked” the necessary information and disappeared. In the process of theft of secrets, the important role is played by the fact that the fact of theft should not be discovered. Therefore, there are stolen signatures of major vendors, zero-day vulnerabilities and other “expensive” things. That is, simpler bypass techniques (in the technical sense - bought, compiled, works) at rather big prices. On the other hand, if we take the figure of $ 20 for 1000 installations in the framework of the "partner" program and the figure of 20 million infections from 2009 to 2011 (16 TDL-3 and 4 TDL-4), it turns out that the creators of TDL spend about 200 thousand dollars a year just for distribution. That is, they have money. It should also be noted that to monetize profits TDSS uses methods that “steal” the computing power of infected computers, but do not directly harm the user financially. These methods - banner wrapping, Black Seo, provision of anonymization service - were probably chosen so that law enforcement agencies would be less interested in the investigation. Plus, the group itself, apparently, is Russian-speaking, so computers in the countries of the former USSR, if possible, are not infected.
Source: https://habr.com/ru/post/163089/
All Articles