
More rootkits: “good” and different. Part II
Start here.
TDL-4
TDL developers keep up with the times, and this time they turned to 64-bit systems, which earlier versions did not cover. In early August 2010 version 4 of TDL appeared with new features. First, the working files were split into 32-bit and 64-bit versions. Second, the start-up algorithm used after a reboot changed once again; a similar algorithm had previously been used by the Sinowal malware, well known to antivirus companies for its innovations. TDL version 4 now infects the master boot record (MBR), which lets it gain control before the operating system, immediately after the computer starts. TDL-4 thus “mutated” from a rootkit into a bootkit. As before, the TDL-4 components were kept in a dedicated area of the hard disk no larger than 8 MB, encrypted with RC4. The code in the MBR passed control to the ldr16 component (read from that hidden storage). Once in control, ldr16 hooked the BIOS disk services (the OS is not yet loaded at this point). To load TDL-4, the bootkit substituted the kdcom.dll file, which is needed during kernel initialisation at the boot stage: the Int 13h hook watched for a specific signature of kdcom.dll being read from disk and returned the malicious ldr32 or ldr64 component (again from the hidden storage) instead, depending on the bitness of the target OS. The ldr32 and ldr64 binaries are almost identical, since they are compiled from the same source code. On 64-bit systems, however, starting with Windows Server 2003 x64 and XP x64 and continuing in Vista and Seven, several technologies appeared that are aimed at protecting the kernel against tampering. One of them is PatchGuard (Kernel Patch Protection), which tracks changes to critical kernel objects such as:
- the global descriptor table (GDT);
- the interrupt descriptor table (IDT);
- the system service descriptor table (SSDT);
- certain system modules, for example NTOSKRNL.EXE, NDIS.SYS, HAL.DLL;
- the system-call MSRs: STAR, LSTAR, CSTAR, SFMASK.
At boot, as part of PatchGuard, the OS computes checksums of the objects listed above, stores them and periodically re-checks that the current values still match. If a modification is detected (the checksum has changed), the OS halts with a BSOD (bug check CRITICAL_STRUCTURE_CORRUPTION). Besides PatchGuard, another protective mechanism appeared: mandatory digital-signature verification for drivers loaded by the system. However, the loading scheme described above let TDL-4 bypass both mechanisms, because it gains control before the OS loads. To get past the integrity check of the kdcom.dll file, ldr16 temporarily modified the Boot Configuration Data (BCD), a registry hive used by the Windows Boot Manager and supported since Windows Vista (it replaced boot.ini). The BCD options relevant here:
- BcdLibraryBoolean_DisableIntegrityCheck (bcdedit name: nointegritychecks) - forcibly turns integrity checking off (most often used for debugging);
- BcdOSLoaderBoolean_WinPEMode (bcdedit name: winpe) - boots in the Windows PE mode used for OS installation and recovery;
- BcdLibraryBoolean_AllowPrereleaseSignatures (bcdedit name: testsigning) - allows loading of modules that carry a test signature.
TDL-4 switched the boot mode to BcdOSLoaderBoolean_WinPEMode. After a successful boot, ldr32 (or ldr64) loaded the main modules (the rootkit and the payload) and turned that mode off again. The function-hooking technique itself was similar to the one used in TDL-3; together with the MBR infection it let the bootkit reliably hide its activity from the antivirus products of the time.
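A check a responder would want at this point: parse sector 0 and look for the two traces this loading scheme leaves on disk, boot code that no longer matches a known-good baseline and an unallocated region beyond the last partition (public analyses place TDL-4's hidden storage at the end of the disk, outside any partition; the article itself only says a dedicated area of up to 8 MB). The following is an added example, not code from the original article or from TDL itself. The sample MBR, its boot code and the "known-good" hash baseline are constructed inline so that it runs offline; the device path in read_mbr is an assumption for live use, and the 1 MiB tail threshold is a tunable guess, since partitioning tools routinely leave a little alignment slack.

```python
"""Parse an MBR and flag bootkit traces: unknown boot code, unallocated tail space.

Added example: a constructed 512-byte MBR stands in for sector 0 of a real disk;
read_mbr() shows how to obtain the real one (administrator rights required).
"""
import hashlib
import struct

SECTOR = 512
PART_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
DISK_SECTORS = 41_943_040      # constructed: a 20 GiB disk

# Constructed placeholder boot code (a few real-mode bytes padded with NOPs to 440 bytes);
# on a live system this would be the vendor boot code, e.g. the Windows 7 MBR.
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c" + b"\x90" * 426


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble an MBR from boot code and (status, type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    mbr[: len(boot_code)] = boot_code
    for i, (status, ptype, start, count) in enumerate(partitions):
        # CHS fields are set to 0xFF, the usual marker for LBA-only entries
        struct.pack_into(PART_ENTRY, mbr, 446 + 16 * i,
                         status, b"\xff" * 3, ptype, b"\xff" * 3, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def read_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw device (assumed path; needs administrator rights)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(mbr: bytes):
    """Return the used partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(PART_ENTRY, mbr, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue                       # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start": start, "end": start + count - 1})
    return parts


def unallocated_tail(parts, disk_sectors: int) -> int:
    """Sectors after the last partition, where a bootkit can hide its storage."""
    last_end = max((p["end"] for p in parts), default=-1)
    return disk_sectors - 1 - last_end


def analyze(mbr: bytes, disk_sectors: int, known_bootcode_sha256: set, max_tail_mib: float = 1.0):
    """Return (partitions, findings). Boot code is bytes 0..439; bytes 440..445 hold the
    disk signature and are excluded from the hash so it stays stable across machines."""
    parts = parse_mbr(mbr)
    findings = []
    if hashlib.sha256(mbr[:440]).hexdigest() not in known_bootcode_sha256:
        findings.append("boot code hash not in the known-good baseline")
    if any(p["type"] == 0xEE for p in parts):
        findings.append("protective MBR: disk is GPT, check the GPT headers instead")
    tail = unallocated_tail(parts, disk_sectors)
    if tail * SECTOR > max_tail_mib * 2**20:
        findings.append(f"{tail} unallocated sectors after the last partition "
                        f"({tail * SECTOR / 2**20:.1f} MiB)")
    return parts, findings


# One NTFS partition (type 0x07) from LBA 2048, leaving about 11 MiB free at the end of the disk
SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, [(0x80, 0x07, 2048, 41_918_464)])
BASELINE = {hashlib.sha256(SAMPLE_MBR[:440]).hexdigest()}


def demo():
    clean = analyze(SAMPLE_MBR, DISK_SECTORS, BASELINE)
    tampered = bytearray(SAMPLE_MBR)
    tampered[0] ^= 0xFF                    # simulate a bootkit patching the first instruction
    return clean, analyze(bytes(tampered), DISK_SECTORS, BASELINE)


if __name__ == "__main__":
    for label, (parts, findings) in zip(("clean", "tampered"), demo()):
        print(label, parts, findings)
```

On a live machine, replace SAMPLE_MBR with read_mbr() and the disk size with the value reported by the OS; the baseline set should hold hashes of the MBR code your imaging tool or OS version writes. A large tail region is only a lead, not proof: read those sectors and look for high-entropy content, which is what an RC4-encrypted storage area would look like.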
In April 2011 Microsoft released update KB2506014, which made several changes to the winload.exe module of 64-bit OS versions to counter the loading of unsigned drivers. After the update, setting BcdOSLoaderBoolean_WinPEMode no longer let TDL-4 get its unsigned kdcom.dll substitute past the loader. Its developers responded with an updated TDL-4 in which, instead of switching to WinPE mode, the winload.exe procedure I_CheckImageHashInCatalog was patched. This procedure verifies the integrity of the modules loaded by winload.exe; TDL-4 altered it so that it reports success even when the hashes do not match. Admittedly, this mechanism did not work entirely reliably (source).
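The three BCD options above are also the first thing to audit on a suspect 64-bit host, because a bootkit that flips them at boot may leave them set if it crashes before restoring the store. This added example (not from the article) parses `bcdedit /enum all` output and reports any entry with nointegritychecks, testsigning or winpe enabled, mapping each back to the symbolic name used in the text. SAMPLE_OUTPUT is constructed to mimic bcdedit's layout, including one clean loader entry under a made-up GUID, so it runs offline; run_bcdedit() fetches the real store from an elevated prompt. bcdedit prints localised element names on some language editions, which this parser does not handle.

```python
"""Audit BCD entries for options a bootkit can abuse to load unsigned boot modules.

Added example. SAMPLE_OUTPUT is constructed to look like `bcdedit /enum all` output;
run_bcdedit() fetches the real thing on Windows (elevated prompt required).
"""
import re
import subprocess

# bcdedit element names and the symbolic BCD names they correspond to
SUSPICIOUS = {
    "nointegritychecks": "BcdLibraryBoolean_DisableIntegrityCheck",
    "testsigning": "BcdLibraryBoolean_AllowPrereleaseSignatures",
    "winpe": "BcdOSLoaderBoolean_WinPEMode",
}

SAMPLE_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \\Windows
nointegritychecks       Yes
winpe                   Yes
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  partition=D:
path                    \\Windows\\system32\\winload.exe
description             Windows 7 (second disk)
osdevice                partition=D:
systemroot              \\Windows
"""

ELEMENT_RE = re.compile(r"^(\S+)\s{2,}(.*)$")   # "name<2+ spaces>value"


def parse_bcd(text: str):
    """Split bcdedit output into entries: a list of (entry kind, {element: value})."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # an entry is a title line followed by a line of dashes
        if len(lines) < 2 or not lines[1].strip() or not set(lines[1].strip()) <= {"-"}:
            continue
        kind, elements = lines[0].strip(), {}
        for line in lines[2:]:
            m = ELEMENT_RE.match(line.rstrip())
            if m:
                elements[m.group(1).lower()] = m.group(2).strip()
        entries.append((kind, elements))
    return entries


def audit(text: str):
    """Return (identifier, bcdedit element, symbolic name) for every enabled risky option."""
    findings = []
    for _, elements in parse_bcd(text):
        ident = elements.get("identifier", "?")
        for element, symbolic in SUSPICIOUS.items():
            if elements.get(element, "No").lower() == "yes":
                findings.append((ident, element, symbolic))
    return findings


def run_bcdedit() -> str:
    """Live store (Windows, elevated): feed the output to audit()."""
    return subprocess.run(["bcdedit", "/enum", "all"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for ident, element, symbolic in audit(SAMPLE_OUTPUT):
        print(f"{ident}: {element}=Yes ({symbolic})")
```

A hit is a lead rather than a verdict (developers do enable testsigning on purpose), but on a production workstation none of the three should be set, and winpe in particular has no legitimate reason to be on in an installed OS entry. Since TDL-4 reset the option after loading, a clean result does not clear the machine; the MBR and hidden-storage checks remain necessary.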
The distribution method of the new TDL version stayed the same: affiliate programmes. Compared with the previous version, the encryption of the protocol used to talk to the command centre was updated: RC4 was replaced by a home-grown XOR-based scheme. A new parameter, bsh, appeared in the configuration file: an identifier assigned by the management server the first time a bot connects to it, and the protocol encryption was now keyed on it. As a result the data stream from each bot was encrypted with a different key, which further complicated traffic monitoring by the detection tools of antivirus companies.
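Per-bot keys defeat one specific defence, a static byte signature on the wire, and nothing more, which is why the statistics described further down could still be collected once the protocol was understood. The following added example (not from the article, and not TDL-4's actual cipher, which the text does not document) uses a hypothetical stand-in where the keystream is simply the bot's bsh repeated; the beacon format, the bsh values and the report message are constructed. It shows that two bots encrypting the same beacon produce different bytes, and that a few bytes of known plaintext hand an analyst the key for everything that bot sends.

```python
"""Per-bot XOR keys versus a protocol-aware analyst.

Added example with a hypothetical scheme (keystream = the bot's bsh repeated); the page
does not document TDL-4's real cipher, and the conclusion holds for any repeating-key XOR.
BEACON, REPORT, BSH_A and BSH_B are constructed.
"""


def keystream(bsh: bytes, length: int) -> bytes:
    """Hypothetical keystream derivation: bsh repeated to the required length."""
    if not bsh:
        raise ValueError("empty key")
    return (bsh * (length // len(bsh) + 1))[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, bsh: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(bsh, len(plaintext)))


decrypt = encrypt   # XOR is its own inverse


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: key_len bytes of known plaintext at the start yield the key."""
    if min(len(ciphertext), len(known_plaintext)) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])


# Constructed: a fixed beacon every bot sends (the analyst's known plaintext), a later
# message from the same bot, and two per-bot identifiers handed out by the server
BEACON = b"GET /?bid=0001|aff=42|os=win7x64 HTTP/1.0\r\n"
REPORT = b"POST /report cnt=17 proxy=on\r\n"
BSH_A = bytes.fromhex("9f1e4c07a3b2d5e6")
BSH_B = bytes.fromhex("0c77aa13fe8d2b40")


def static_signature_hits(ciphertexts, pattern: bytes) -> int:
    """How many ciphertexts a fixed byte pattern (an IDS-style signature) would match."""
    return sum(pattern in c for c in ciphertexts)


def demo():
    ca, cb = encrypt(BEACON, BSH_A), encrypt(BEACON, BSH_B)
    hits = static_signature_hits([ca, cb], ca[:8])       # signature cut from bot A's traffic
    key = recover_key(ca, BEACON[:8], len(BSH_A))         # analyst knows the beacon format
    report_plain = decrypt(encrypt(REPORT, BSH_A), key)   # same key unlocks later messages
    return {"distinct_ciphertexts": ca != cb, "signature_hits": hits,
            "key_recovered": key == BSH_A, "report_decrypted": report_plain == REPORT}


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a detection engineer: with a scheme like this, match on the invariant that survives encryption (URL structure, message lengths, timing, the server side of the exchange) rather than on ciphertext bytes, or recover the per-bot key from the known header and inspect the plaintext. Only a proper stream cipher with a fresh key per session, or authenticated encryption, removes the known-plaintext shortcut.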
TDL-4 acquired a kind of “antivirus” component of its own, which removes about 20 malicious programs, for example Gbot, ZeuS, Clishmic and Optima. This “antivirus” both fights competitors and reduces the chance of detection triggered by the presence of other malware on the infected computer.
The payload arsenal gained a SOCKS proxy module. Such a module lets its operators visit network resources anonymously; there are plenty of sites offering, for a fee, lists of “anonymous proxy” IP addresses, most of which are the addresses of malware-infected computers.
A little later a Bitcoin-mining module was discovered, together with additional parameters in config.ini for its operation, such as the domain name of the mining server and the credentials used to connect to it.
Despite the measures the attackers took to protect the botnet's command servers, antivirus companies, knowing the protocol TDL-4 uses to talk to those servers, obtained statistics on the number of infected computers. Analysis of the data revealed about 60 command-centre domain names, which were redirected to three different servers using double fast flux.
The term “fast flux” refers to rapid, repeated changes to a DNS record, so that the IP address a domain name resolves to changes constantly. The technique itself is not “malicious”: it exploits no DNS vulnerability, and the same mechanism (round-robin A records with short TTLs) is normally used to distribute load across servers. In the classic scheme a single domain name maps to several dozen IP addresses that rotate every few minutes (single flux), which already makes blocking bot traffic by IP address ineffective. The attackers refined the scheme: the DNS server does not return the address of the real command centre but that of one of a large number of infected computers, each of which proxies to the real management server (double flux, in which the name-server records are rotated through the same infected hosts as well). The MySQL databases backing the botnet ran on three servers located in Moldova, Lithuania and the USA. According to those databases, in the first three months of 2011 about 4.5 million computers worldwide were infected with TDL-4, about 28% of them in the United States.
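Seen from a resolver log or passive-DNS feed, a fluxed command centre looks like a name with many short-lived addresses scattered across unrelated networks, and in the double-flux case a zone whose NS set churns too. The following added example (not from the article) implements that heuristic over observation lines of the form "timestamp qname rtype rdata ttl"; SAMPLE_LOG is constructed, with addresses from 10/8 purely for illustration, and the thresholds (8 addresses, average TTL under 900 s, 4 distinct /16s, 3 name servers) are assumptions to tune against real data. Content-delivery networks also return many addresses with short TTLs, so in practice the network-diversity test is what separates the two: CDN addresses sit in a handful of provider ranges, flux agents in residential ones.

```python
"""Fast-flux heuristic over DNS observations (passive-DNS or resolver-log style).

Added example, not from the original article. SAMPLE_LOG is constructed; one line per
observed answer: "<unix_ts> <qname> <rtype> <rdata> <ttl>". Thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

SAMPLE_LOG = """\
1300000000 example.test NS ns1.example.test 300
1300000000 example.test NS ns2.example.test 300
1300000600 example.test NS ns3.example.test 300
1300001200 example.test NS ns4.example.test 300
1300000000 cnc.example.test A 10.1.2.3 180
1300000180 cnc.example.test A 10.2.45.6 180
1300000360 cnc.example.test A 10.3.9.9 180
1300000540 cnc.example.test A 10.4.77.1 180
1300000720 cnc.example.test A 10.5.5.5 180
1300000900 cnc.example.test A 10.6.200.4 180
1300001080 cnc.example.test A 10.7.31.8 180
1300001260 cnc.example.test A 10.8.14.14 180
1300001440 cnc.example.test A 10.9.60.2 180
1300001620 cnc.example.test A 10.10.1.99 180
1300000000 corp.test NS ns1.corp.test 86400
1300000000 www.corp.test A 10.200.1.1 86400
1300043200 www.corp.test A 10.200.1.1 86400
1300086400 www.corp.test A 10.200.1.1 86400
"""


def parse_log(text: str):
    """Return (ts, qname, rtype, rdata, ttl) tuples with names normalised."""
    obs = []
    for line in text.strip().splitlines():
        ts, qname, rtype, rdata, ttl = line.split()
        obs.append((int(ts), qname.lower().rstrip("."), rtype.upper(),
                    rdata.lower().rstrip("."), int(ttl)))
    return obs


def profile(obs):
    """Per name: distinct A addresses, the /16 networks they fall in, TTLs, and NS set."""
    prof = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "ns": set()})
    for _, qname, rtype, rdata, ttl in obs:
        p = prof[qname]
        if rtype == "A":
            p["ips"].add(rdata)
            p["nets"].add(str(ipaddress.ip_network(f"{rdata}/16", strict=False)))
            p["ttls"].append(ttl)
        elif rtype == "NS":
            p["ns"].add(rdata)
    return prof


def zone_ns(prof, qname: str) -> set:
    """NS set of the closest enclosing zone we have observations for."""
    labels = qname.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in prof and prof[zone]["ns"]:
            return prof[zone]["ns"]
    return set()


def classify(prof, qname: str, min_ips=8, max_ttl=900, min_nets=4, min_ns=3) -> str:
    """'none', 'single-flux' (A records churn) or 'double-flux' (NS records churn too)."""
    p = prof[qname]
    if not p["ips"]:
        return "none"
    avg_ttl = sum(p["ttls"]) / len(p["ttls"])
    fluxing = (len(p["ips"]) >= min_ips and avg_ttl <= max_ttl
               and len(p["nets"]) >= min_nets)
    if not fluxing:
        return "none"
    return "double-flux" if len(zone_ns(prof, qname)) >= min_ns else "single-flux"


def detect(text: str, **thresholds):
    """Verdict for every name that has A-record observations."""
    prof = profile(parse_log(text))
    return {q: classify(prof, q, **thresholds) for q in sorted(prof) if prof[q]["ips"]}


if __name__ == "__main__":
    for name, verdict in detect(SAMPLE_LOG).items():
        print(f"{name}: {verdict}")
```

Applied to the situation in the text, this is the view from the outside: roughly 60 names resolving to a churning set of infected hosts, behind which the three real servers never appear in DNS at all. Blocking therefore has to happen at the name or at the sinkhole, not at the address.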
The most interesting innovation was the kad.dll “payload”, designed to exchange information between TDL-4 bots over a P2P network. P2P botnets are no longer unusual, but most implementations build their own private network; TDL-4 instead uses the existing public file-sharing network Kad, so the P2P architecture was partially decentralised (more details here). The kad.dll library downloaded a peer list (bootstrap list) from one of the command servers as a nodes.dat file. On one of the computers in the Kad network (“clean” or “infected”) a ktzerules file was published, containing an encrypted, digitally signed list of commands for the bots. The commands that could appear in ktzerules:
- SearchCfg - search the Kad network for a new ktzerules file;
- LoadExe - download and run an executable;
- ConfigWrite - write an entry to cfg.ini;
- Search - search the Kad network for a file;
- Publish - publish a file on the Kad network;
- Knock - download a new nodes.dat from the C&C, containing the IP addresses of Kad servers and clients, including TDSS-infected computers.
As you can see, through the Kad network the attackers could obtain any file from an infected computer: the Publish command puts a local file onto the Kad network, where anyone holding the signing key can retrieve it.
Thinking out loud
As you can see, the creators of TDL have taken the more laborious path: writing kernel-level rootkits is a far from trivial task. There is a certain “old school” feel to all this, in that the attackers pursue not only financial goals but also keep proving to antivirus companies and Microsoft that “their kung fu is better”. The methods used by the TDL developers are ahead of the countermeasures of antivirus vendors and OS protection components. Most APT attacks aimed at stealing confidential information, by contrast, make do with simply signing their code to get past protection tools, without any concealment at all. There is an economic logic to this. The TDL developers minimise their costs: they write the code themselves, do not sign with stolen certificates, and use common exploits. Their method is continuous, invisible operation. Behind cyber-espionage stand people with very big money (not necessarily states; competitors will do). The governing principle there is to “leak” the required information quickly and disappear, and when stealing secrets it matters that the theft itself goes undetected. Hence the stolen code-signing certificates of large vendors, the zero-day vulnerabilities and other “expensive” things: technically simpler bypass techniques (bought, compiled, works) at rather high prices. On the other hand, taking $20 per 1,000 installations under the affiliate programme and about 20 million infections between 2009 and 2011 (16 million TDL-3 and 4 million TDL-4), the creators of TDL spend roughly $200,000 a year on distribution alone. In other words, they have money. Note also that to monetise the botnet, TDSS uses methods that “steal” the computing power of infected computers but do not directly harm the user financially. These methods (banner click inflation, black SEO, an anonymisation service) were probably chosen so that law enforcement would take less interest in investigating. Moreover, the group itself appears to be Russian-speaking, so computers in the countries of the former USSR are, where possible, not infected.