a1234567mdy posted on 2011-12-22 08:53

TDSS part 1: The x64 Dollar Question

<a href="http://resources.infosecinstitute.com/tdss4-part-1/" target="_blank">http://resources.infosecinstitute.com/tdss4-part-1/</a><br>Introduction
<p>In the two years since the Win32/Olmarik family of <a href="http://www.infosecinstitute.com/courses/advanced_reverse_engineering_malware.html" target="_blank">malware</a>
programs (also known as TDSS, TDL and Alureon) started to evolve, its
authors have implemented a notably sophisticated mechanism for bypassing
various protective measures and security mechanisms embedded into the
operating system.</p>
<p>The fourth version of the TDL rootkit family (TDL4) is the first
reliable and widely spread bootkit to target x64 operating systems
(Windows Vista and Windows 7). Since TDL4 started to spread actively in
August 2010, several versions of the malware have been released. By
comparison with its predecessors, TDL4 is not just characterized by
modification of existing code, but to all intents and purposes can be
regarded as new malware. Among the many changes that have been applied
as it developed, the most radical were those made to its mechanisms for
self-embedding into the system and surviving reboot. One of the most
striking features of TDL4 is its ability to load its kernel-mode driver
on systems with an enforced kernel-mode code signing policy (64-bit
versions of Microsoft Windows Vista and Windows 7) and perform
kernel-mode hooks with kernel-mode patch protection policy enabled. This
makes TDL4 a powerful weapon in the hands of cybercriminals. In this
article, we consider the PPI (Pay Per Install) distribution model used
by both TDL3 and TDL4, and the initial installation.</p>
Distribution by Pay Per Install
<p>In <a href="http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf" target="_blank">“TDL3: The Rootkit of All Evil?”</a>
Aleksandr Matrosov and Eugene Rodionov described how the DogmaMillions
cybercrime group distributed the third version of the TDSS (a.k.a. TDL,
Olmarik, or Alureon) rootkit using a PPI (Pay Per Install) scheme. It’s
both interesting and instructive to compare the ways in which TDL3 and
TDL4 (as described in their more recent paper <a href="http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf" target="_blank">“The Evolution of TDL: Conquering x64”</a>) have been distributed.</p>
<p>The TDL3 rootkit droppers were distributed using a Pay-Per-Install
(PPI) scheme popular among cybercrime groups. The scheme is, in fact,
similar to schemes commonly used for distributing browser toolbars.
Toolbar distributors have a special build with an embedded identifier
which allows for calculating the number of installations associated with
that ID and therefore for determining their revenue. The same approach
is used for distributing the rootkits: information about the distributor
is embedded into the executable and special servers are used to
calculate the number of installations.</p>
<p>Anyone deciding to cooperate with the cybercrime group received a
unique login and a password, identifying the number of installations per
resource, like this:</p>
<div class="codesnip-container">
<div class="python codesnip" style="font-family:monospace;">hxxp://dogmamillions.com/download.html?login=b0bah&amp;key=2b15ea4e5eb2bbd734081c051a14fa41&amp;affSid=0</div>
</div>
<p>The gang made use of a well-developed business infrastructure: for
example, each affiliate had a personal manager who could be consulted in
case of any problems.</p>
<p>Distributed malware was repacked every few hours (or even more
frequently) using all-too-reliable and sophisticated packers and
protectors, together with tools and techniques for detecting debuggers
and virtual machines, in order to reduce the risk of detection by
antivirus software. Partners were instructed not to check whether
the malware could be detected by AV using resources like VirusTotal,
and could even be “fined” for doing so.</p>
<p>You can see the user interface characteristic of one widely-used
encryptor in the figure below. At that point, this was attracting a
charge of around $500.</p>
<p style="text-align: center;"><a href="http://resources.infosecinstitute.com/wp-content/uploads/Crypter.png" target="_blank"><img class="aligncenter size-full wp-image-1630" title="User Interface of a Packer" src="http://resources.infosecinstitute.com/wp-content/uploads/Crypter.png" alt="" height="492" width="381"></a><em>Figure 1 – User Interface of a Packer</em></p>
<p>The DogmaMillions cybercrime group set up in business in the autumn of
2009, placing many advertisements on public forums offering “easy
money”. However, it seems to have been somewhat uncomfortable with the
copious attention it received last year, and shut down in the fall.
Major affiliates to DogmaMillions could earn a cool $100,000 daily, so
it’s no surprise that TDL4, the latest generation of TDSS, quickly found
similar distribution channels.</p>
<p>GangstaBucks appeared at the end of 2010 and was widely advertised in
various forums in Russia and elsewhere, offering very similar terms and
features to DogmaMillions, and a very similar mode of expression.</p>
<p style="text-align: center;"><a href="http://resources.infosecinstitute.com/wp-content/uploads/Gansta-Bucks.png" target="_blank"><img class="aligncenter size-full wp-image-1631" title="The GangstaBucks Adverts 1" src="http://resources.infosecinstitute.com/wp-content/uploads/Gansta-Bucks.png" alt="" height="59" width="466"></a><a href="http://resources.infosecinstitute.com/wp-content/uploads/GanstaSup.png" target="_blank"><img class="aligncenter size-large wp-image-1632" title="The GangstaBucks Adverts 2" src="http://resources.infosecinstitute.com/wp-content/uploads/GanstaSup-1024x222.png" alt="" height="222" width="1024"></a><em>Figure 2 – The GangstaBucks Adverts</em></p>
<p>Affiliates are able to download the current version of the Trojan
downloader and to receive statistics relating to detection by antivirus
software. This serves to dissuade the partner from submitting the
current version to services such as VirusTotal that forward malicious
samples to security companies.</p>
<p style="text-align: center;"><a href="http://resources.infosecinstitute.com/wp-content/uploads/Do-not-Use.png" target="_blank"><img class="aligncenter size-full wp-image-1633" title="Scanning Samples for Detection" src="http://resources.infosecinstitute.com/wp-content/uploads/Do-not-Use.png" alt="" height="764" width="881"></a><em>Figure 3 – Scanning Samples for Detection by AV Software</em></p>
<p>When the downloader is known to be widely detected, the partner
receives a newly-repacked sample, so that the release/detect cycle begins
again.</p>
<p>When the downloader is launched it sends information about the
compromised system to a C&amp;C (Command and Control) server and pulls
down a secondary downloader which in turn downloads and runs the main
malware. The sequence of download events for the downloader which we
analyzed is depicted in the following figure. As we can see, the first
downloader obtains <em>Win32/Agent.QNF</em> which downloads and installs either <em>Win32/Bubnix</em> or <em>Win32/KeyLogger.EliteKeyLogger</em> malware onto the system.</p>
<p style="text-align: center;"><em><a href="http://resources.infosecinstitute.com/wp-content/uploads/Downloader.png" target="_blank"><img class="aligncenter size-full wp-image-1634" title="The Downloader at Work" src="http://resources.infosecinstitute.com/wp-content/uploads/Downloader.png" alt="" height="264" width="625"></a>Figure 4 – The Downloader at Work</em></p>
<p>Downloader packers and links are changed every few hours, so as to
minimize the risk of detection by malware installation tracking systems.</p>
<p>In the middle of February we received a downloader
(Win32/TrojanDownloader.Agent.QOF) that installs the latest version of
the TDL4 bootkit onto the system. During the installation of the
bootkit, as we can see from figure 5, the downloader reports back to the
server to register the installation with the partner identifier.</p>
<p style="text-align: center;"><em><a href="http://resources.infosecinstitute.com/wp-content/uploads/Installation.png" target="_blank"><img class="aligncenter size-full wp-image-1635" title="Installation of GangstaBuck's TDL4" src="http://resources.infosecinstitute.com/wp-content/uploads/Installation.png" alt="" height="264" width="625"></a>Figure 5 – Installation of GangstaBucks’s TDL4</em></p>
<p>When conditions are mutually beneficial, services like DogmaMillions
and GangstaBucks can accumulate hundreds of partners. In such a case the
number of sites all over the world distributing the malicious software
can reach several thousand.</p>
Bootkit Installation
<p>The installation of the bootkit is handled differently on x86 and x64
systems due to specific limitations on x64 platforms. As soon as the
dropper is unpacked it checks whether it is running in a WoW64 process and
determines which branch of the code it should execute.</p>
<p style="text-align: center;"><em><a href="http://resources.infosecinstitute.com/wp-content/uploads/Determining.png" target="_blank"><img class="aligncenter size-full wp-image-1636" title="Determining OS Version" src="http://resources.infosecinstitute.com/wp-content/uploads/Determining.png" alt="" height="119" width="558"></a>Figure 6 – Determining OS Version</em></p>
Infecting x86 Systems
<p>On x86 systems the installation process looks the same as it does for TDL3/TDL3+, as described in an earlier paper (<a href="http://www.eset.com/resources/white-papers/TDL3-Analysis.pdf" target="_blank">http://www.eset.com/resources/white-papers/TDL3-Analysis.pdf</a>). To bypass HIPS the bootkit loads itself as a print provider into the trusted system process (<em>spooler.exe</em>) from whence it loads a kernel-mode driver (<em>drv32</em>) which infects the system.</p>
<p>The bootkit implements an additional HIPS bypassing technique which wasn’t noticed in TDL3/TDL3+ droppers: it hooks the <em>ZwConnectPort</em> system routine exported from <em>ntdll.dll</em>.</p>
<p style="text-align: center;"><em><a href="http://resources.infosecinstitute.com/wp-content/uploads/Hooking.png" target="_blank"><img class="aligncenter size-full wp-image-1637" title="Hooking ZwConnectPort" src="http://resources.infosecinstitute.com/wp-content/uploads/Hooking.png" alt="" height="163" width="783"></a>Figure 7 – Hooking ZwConnectPort</em></p>
<p>Here is the prototype of the function <em>ZwConnectPort</em>. The <em>PortName</em> parameter is set to the name of the target LPC port to connect to.</p>
<div class="codesnip-container">
<div class="python codesnip" style="font-family:monospace;">NTSYSAPI<br>
NTSTATUS<br>
NTAPI<br>
ZwConnectPort<span class="br0">(</span><br>
OUT PHANDLE PortHandle,<br>
IN PUNICODE_STRING PortName,<br>
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,<br>
IN OUT PPORT_SECTION_WRITE WriteSection OPTIONAL,<br>
IN OUT PPORT_SECTION_READ ReadSection OPTIONAL,<br>
OUT PULONG MaxMessageSize OPTIONAL,<br>
IN OUT PVOID ConnectData OPTIONAL,<br>
IN OUT PULONG ConnectDataLength OPTIONAL<br>
<span class="br0">)</span><span class="sy0">;</span></div>
</div>
<p>The routine is called during execution of <em>AddPrintProvidor</em> to connect to the print spooler LPC port. As shown here, the hook prepends the string <em>“\??\GLOBALROOT”</em> to the target port name in an attempt to connect to the print spooler service.</p>
<p style="text-align: center;"><em><a href="http://resources.infosecinstitute.com/wp-content/uploads/The-Code.png" target="_blank"><img class="aligncenter size-full wp-image-1638" title="The Code of ZwConnectPort Hook" src="http://resources.infosecinstitute.com/wp-content/uploads/The-Code.png" alt="" height="403" width="710"></a>Figure 8 – The Code of ZwConnectPort Hook</em></p>
<p>When the driver is loaded into kernel-mode address space it
overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI
Request Block) packets directly to the miniport device object, after
which it initializes its hidden file system. The bootkit’s modules are
written into the hidden file system from the dropper by means of the <em>CreateFile</em> and <em>WriteFile</em> API functions.</p>
<p>The algorithm for infecting x86 operating systems is presented in
Figure 9. It is important to mention that the TDL4 dropper exploits the
now-patched MS10-092 vulnerability in the Microsoft Windows Task
Scheduler service in order to elevate privileges and successfully load
its own driver. The vulnerable systems include all Windows operating
systems starting from Microsoft Windows Vista (both x86 and x64
versions). If it fails to exploit the vulnerability it copies itself
to a file in the TEMP directory with the name <em>“setup_xxx.exe”</em>
and creates a corresponding manifest file requesting administrative
privileges to run the application. After that, it runs the copied
dropper by calling <em>ShellExecute</em>, and a dialog box requesting administrative rights is displayed to the user.</p>
<p style="text-align: center;"><a href="http://resources.infosecinstitute.com/wp-content/uploads/The-Algorithm.png" target="_blank"><img class="aligncenter size-full wp-image-1639" title="The Algorithm of Infecting x86 System" src="http://resources.infosecinstitute.com/wp-content/uploads/The-Algorithm.png" alt="" height="421" width="625"></a><em>Figure 9 – The Algorithm of Infecting x86 System</em></p>
Infecting x64 Systems
<p>When the dropper is run on x64 operating systems it is unable to load
the kernel-mode driver, as 64-bit systems require it to be signed. To
overcome this restriction the dropper writes all its components directly
to the hard drive by sending IOCTL_SCSI_PASS_THROUGH_DIRECT requests to
a disk class driver. It obtains the disk’s parameters and creates the
image of its hidden file system in the memory buffer which is then
written onto the hard drive at a certain offset. We’ll discuss the way
in which the hidden file system is maintained in a future article, but
an earlier article for Virus Bulletin (<a href="http://www.eset.com/us/resources/white-papers/Rooting-about-in-TDSS.pdf" target="_blank">Rooting around in TDSS</a>)
is also relevant to the discussion. When the image is written the
dropper modifies the MBR of the disk to get its malicious components
loaded at boot time. After that, the dropper reboots the system by
calling the <em>ZwRaiseHardError</em> routine, passing as its fifth parameter <em>OptionShutdownSystem.</em> This instructs the system to display a BSOD (Blue Screen Of Death) and reboot the system:</p>
<div class="codesnip-container">
<div class="python codesnip" style="font-family:monospace;">NTSYSAPI<br>
NTSTATUS<br>
NTAPI<br>
NtRaiseHardError<span class="br0">(</span><br>
IN NTSTATUS ErrorStatus,<br>
IN ULONG NumberOfParameters,<br>
IN PUNICODE_STRING UnicodeStringParameterMask OPTIONAL,<br>
IN PVOID <span class="sy0">*</span>Parameters,<br>
IN HARDERROR_RESPONSE_OPTION ResponseOption,<br>
OUT PHARDERROR_RESPONSE Response <span class="br0">)</span><span class="sy0">;</span></div>
</div>
<p>The next figure presents a diagram of the process of infecting an x64 system.</p>
<p style="text-align: center;"><em><a href="http://resources.infosecinstitute.com/wp-content/uploads/x64-Algorithm.png" target="_blank"><img class="aligncenter size-full wp-image-1640" title="The Algorithm for Infecting x64 Systems" src="http://resources.infosecinstitute.com/wp-content/uploads/x64-Algorithm.png" alt="" height="529" width="625"></a>Figure 10 – The Algorithm for Infecting x64 Systems</em></p>
The Dropper’s Payload
<p>The bootkit’s components are contained inside the “.config” section
of the dropper (the layout of the section is described below as detailed
in our report on TDL3).</p>
<p>The rootkit dropper is encrypted. The decryption routine is slightly
obfuscated and varies between different droppers. During unpacking, the
dropper performs some simple anti-debugging checks and also checks that
it isn’t running inside a virtual machine. The next figure shows the
structure of the dropper.</p>
<p style="text-align: center;"><a href="http://resources.infosecinstitute.com/wp-content/uploads/Dropper-Structure.png" target="_blank"><img class="aligncenter size-full wp-image-1641" title="The Dropper Structure" src="http://resources.infosecinstitute.com/wp-content/uploads/Dropper-Structure.png" alt="" height="417" width="423"></a><em>Figure 11 – The Dropper Structure</em></p>
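<p>For triage of a suspected dropper, the section table can be walked to see whether a section named “.config” is present and how large it is. The following Python sketch is an added example, not code from the original article; it only locates the section (the internal layout is not given on this page), the per-section entropy is a generic triage value, and the sample image is a constructed, non-loadable byte string.</p>

```python
import math
import struct
from collections import Counter

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(blob: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty or constant data, max 8.0)."""
    if not blob:
        return 0.0
    n = len(blob)
    return abs(-sum(c / n * math.log2(c / n) for c in Counter(blob).values()))


def list_sections(pe: bytes) -> list:
    """Parse the PE section table and return one dict per section."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    if coff_off + COFF_HDR.size > len(pe):
        raise ValueError("file header truncated")
    _, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, coff_off)
    table_off = coff_off + COFF_HDR.size + opt_size
    sections = []
    for i in range(nsections):
        off = table_off + i * SECTION_HDR.size
        if off + SECTION_HDR.size > len(pe):
            raise ValueError("section table truncated")
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "raw_size": raw_size,
            "truncated": len(raw) < raw_size,   # header points past end of file
            "entropy": round(shannon_entropy(raw), 3),
            "data": raw,
        })
    return sections


def find_section(pe: bytes, wanted: str = ".config"):
    """Return the first section with the given name, or None."""
    for section in list_sections(pe):
        if section["name"] == wanted:
            return section
    return None


def build_sample_pe() -> bytes:
    """Constructed two-section image (.text, .config) for the parser only."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = COFF_HDR.pack(0x14C, 2, 0, 0, 0, 0, 0x0102)       # no optional header
    data_off = 64 + 4 + COFF_HDR.size + 2 * SECTION_HDR.size
    text, cfg = b"\x90" * 16, bytes(range(256))
    s1 = SECTION_HDR.pack(b".text", 16, 0x1000, 16, data_off, 0, 0, 0, 0, 0x60000020)
    s2 = SECTION_HDR.pack(b".config", 256, 0x2000, 256, data_off + 16, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\x00\x00" + coff + s1 + s2 + text + cfg


if __name__ == "__main__":
    for s in list_sections(build_sample_pe()):
        print(s["name"], s["raw_size"], s["entropy"], s["truncated"])
```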
<p>Here is the list of modules that are dropped into the hidden file system:</p>
<table border="1" cellpadding="5" cellspacing="0">
<tbody>
<tr style="text-align: center;">
<td bgcolor="#4682b4" valign="top" width="149"><strong>Dropped modules</strong></td>
<td bgcolor="#4682b4" valign="top" width="340"><strong>Description</strong></td>
</tr>
<tr style="text-align: center;">
<td bgcolor="#d8bfd8" valign="top" width="149"><em>mbr</em></td>
<td bgcolor="#add8e6" valign="top" width="340">original contents of the infected hard drive boot sector</td>
</tr>
<tr style="text-align: center;">
<td bgcolor="#d8bfd8" valign="top" width="149"><em>ldr16</em></td>
<td bgcolor="#add8e6" valign="top" width="340">16-bit real-mode loader code</td>
</tr>
<tr style="text-align: center;">
<td bgcolor="#d8bfd8" valign="top" width="149"><em>ldr32</em></td>
<td bgcolor="#add8e6" valign="top" width="340">fake <em>kdcom.dll </em>for x86 systems</td>
</tr>
<tr style="text-align: center;">
<td bgcolor="#d8bfd8" valign="top" width="149"><em>ldr64</em></td>
<td bgcolor="#add8e6" valign="top" width="340">fake <em>kdcom.dll </em>for x64 systems</td>
</tr>
<tr style="text-align: center;">
<td bgcolor="#d8bfd8" valign="top" width="149"><em>drv32</em></td>
<td bgcolor="#add8e6" valign="top" width="340">the main bootkit driver for x86 systems</td>
</tr>
<tr style="text-align: center;">
<td bgcolor="#d8bfd8" valign="top" width="149"><em>drv64</em></td>
<td bgcolor="#add8e6" valign="top" width="340">the main bootkit driver for x64 systems</td>
</tr>
<tr style="text-align: center;">
<td bgcolor="#d8bfd8" valign="top" width="149"><em>cmd.dll</em></td>
<td bgcolor="#add8e6" valign="top" width="340">payload to inject into 32-bit processes</td>
</tr>
<tr style="text-align: center;">
<td bgcolor="#d8bfd8" valign="top" width="149"><em>cmd64.dll</em></td>
<td bgcolor="#add8e6" valign="top" width="340">payload to inject into 64-bit processes</td>
</tr>
<tr style="text-align: center;">
<td bgcolor="#d8bfd8" valign="top" width="149"><em>cfg.ini</em></td>
<td bgcolor="#add8e6" valign="top" width="340">configuration information</td>
</tr>
<tr style="text-align: center;">
<td bgcolor="#d8bfd8" valign="top" width="149"><em>bckfg.tmp</em></td>
<td bgcolor="#add8e6" valign="top" width="340">encrypted list of C&amp;C URLs</td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><em>Table 1 – Dropped Modules</em></p>
Comparison with TDL3/TDL3+
<p>Here is the table summarizing the major differences between the
TDL3/TDL3+ and TDL4 droppers which include bypassing HIPS, escalating
privileges, installation mechanism and number of installed modules.</p>
<table border="1" cellpadding="10" cellspacing="0">
<tbody>
<tr style="text-align: center;">
<td bgcolor="#4682b4" valign="top" width="187"><strong> </strong><br></td>
<td bgcolor="#4682b4" width="234"><strong>TDL3/TDL3+</strong></td>
<td bgcolor="#4682b4" width="195"><strong>TDL4</strong></td>
</tr>
<tr style="text-align: center;">
<td style="text-align: left;" bgcolor="#4682b4" valign="top" width="187"><strong> Bypassing HIPS</strong></td>
<td bgcolor="#d8bfd8" valign="top" width="234">AddPrintProcessor/AddPrintProvidor</td>
<td bgcolor="#d8bfd8" valign="top" width="195">AddPrintProvidor, ZwConnectPort</td>
</tr>
<tr style="text-align: center;">
<td style="text-align: left;" bgcolor="#4682b4" valign="top" width="187"><strong> Privilege Escalation</strong></td>
<td bgcolor="#d8bfd8" valign="top" width="234">-</td>
<td bgcolor="#d8bfd8" valign="top" width="195">MS10-092</td>
</tr>
<tr style="text-align: center;">
<td style="text-align: left;" bgcolor="#4682b4" valign="top" width="187"><strong> Installation mechanism</strong></td>
<td bgcolor="#d8bfd8" valign="top" width="234">By loading kernel-mode driver</td>
<td bgcolor="#d8bfd8" valign="top" width="195">By loading kernel-mode driver,
<p>Overwriting MBR of the disk</p></td>
</tr>
<tr>
<td bgcolor="#4682b4" valign="top" width="187"><strong>Number of installed modules</strong></td>
<td style="text-align: center;" bgcolor="#d8bfd8" valign="top" width="234">4</td>
<td style="text-align: center;" bgcolor="#d8bfd8" valign="top" width="195">10</td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><em>Table 2 – Comparison of TDL Droppers</em></p>
TDL4 and Glupteba
<p>At the beginning of March 2011 we received another interesting sample
of TDL4: this time, one that downloads and installs another malicious
program, Win32/Glupteba.D. This was the first instance the authors had
come across of TDL4 being used to install other malware. It is
important to mention that this is <em>not</em> a plug-in for TDL4: it is
standalone malware, which can download and execute other binary modules
independently. A sample of Win32/Olmarik.AOV was obtained from a server
at vidquick.info. After what looked at first like a standard TDL4
installation, at any rate by comparison with the most recent versions
analyzed, Win32/Olmarik.AOV received a command from the C&amp;C server
to download and execute another binary file.</p>
<p>Win32/Glupteba.D uses the customary blackhat SEO (Search Engine
Optimization) methods to push clickjacking contextual advertising as
used by the ads network Begun (http://www.begun.ru/), which has a high
profile in Russia. Clickjacking algorithms have been developed for
crawling web sites pushing typical content for specified context ads.
All the affected web sites are hosted by a single provider:
“Masterhost.ru” is, in fact, the biggest Russian hosting-provider.</p>
<p style="text-align: center;"><em><a href="http://resources.infosecinstitute.com/wp-content/uploads/Masterhost.png" target="_blank"><img class="aligncenter size-full wp-image-1642" title="The Masterhost.ru Empire" src="http://resources.infosecinstitute.com/wp-content/uploads/Masterhost.png" alt="" height="485" width="880"></a>Figure 12 – the Masterhost.ru Empire</em></p>
<p>Network activity from Win32/Glupteba.D is shown in the following screendump:</p>
<p><a href="http://resources.infosecinstitute.com/wp-content/uploads/Glupteba.png" target="_blank"><img class="aligncenter size-full wp-image-1644" title="Glupteba" src="http://resources.infosecinstitute.com/wp-content/uploads/Glupteba.png" alt="" height="321" width="723"></a></p>
<p>Commands for Win32/Glupteba.D directed to the C&amp;C server look like this:</p>
<p><a href="http://resources.infosecinstitute.com/wp-content/uploads/Glupteba-win32.png" target="_blank"><img class="aligncenter size-full wp-image-1643" title="Commands for Win32/Glupteba" src="http://resources.infosecinstitute.com/wp-content/uploads/Glupteba-win32.png" alt="" height="622" width="921"></a></p>
Conclusion
<p>In the <a href="http://resources.infosecinstitute.com/tdss4-part-2/" target="_blank">next article</a> in this series, we’ll consider the bot, kernel mode and bootkit functionality of the malware.</p>
<p><a href="http://resources.infosecinstitute.com/tdss4-part-2/" target="_blank">TDSS part 2: Ifs and Bots</a></p>