
BootKits: Boot sector viruses strike back

Jérémy Boutard, Camille Moncelier, Loïc Gueguen, Thibault Rouat

January 13, 2009

Contents

Introduction
1 What is a rootkit?
2 What is the difference between a rootkit and a bootkit?
3 How does an operating system boot?
3.1 What is a bootloader?
3.2 How does GRUB work?
3.3 What can we do at this level?
4 Existing bootkits
4.1 eEye BootRoot
4.2 VBootkit
4.3 VMBR
4.4 Blue Pill
Conclusion
References

Introduction
Today, rootkits are among the most powerful types of malicious code: they let an attacker keep unrestricted access to an infected computer. Many products and techniques can find and remove this kind of malware. A newer subclass of rootkit obtains stealthier access by taking control before the OS kernel does. These are called bootkits, because they are loaded during boot. To understand how they work and which forensic techniques could find them, we first write a state of the art on bootkits: what a bootkit is, how it works, which bootkits can be found in the wild and, finally, how a bootkit infection could be prevented.


1 What is a rootkit?

A rootkit is more often than not a malicious piece of software, designed to provide administrator rights on an operating system without the consent of the system owner. A rootkit cannot infect a system by itself: to compromise a system it needs administrator rights, which is why some rootkits come with an assortment of exploits to take over a machine and install the rootkit. A rootkit's aim is stealth: it can hide processes, files, network connections, etc. Rootkits can also contain programs such as keyloggers or network sniffers. In order to fool the entire operating system, rootkits inject themselves into it by installing a malicious driver or kernel module, or by directly modifying core system files. These rootkits are especially hard to detect because, running in privileged mode, they can intercept any operation of the operating system. Software running on a compromised system, such as an antivirus or a firewall, can no longer be trusted. Because the rootkit makes changes to the operating system, it can be detected with rootkit detectors, which use heuristics and/or signatures to spot rootkits. These detectors should run from trusted media, such as a live CD: when the detector runs from a live CD, the rootkit is not executed by the operating system and so cannot hide from the detection tool.

2 What is the difference between a rootkit and a bootkit?

Do you remember the time when boot sector viruses were in the wild, when it was dangerous to leave a floppy in the drive while booting? If you thought those viruses were a thing of the past, you are wrong: boot sector viruses are back. They can be much trickier to detect, since they are loaded during the early stages of OS initialization, before any antivirus runs, so from then on the antivirus cannot be trusted. They can be installed easily, since on some operating systems (the Windows NT family) the MBR can be rewritten from user mode by an administrator through raw writes to the physical disk device [4] [10], and BIOS MBR protection is often disabled or unavailable. Bootkits, as the name suggests, are rootkits that reside in the boot sector. eEye BootRoot [11], discussed later, is a proof of concept showing a Windows backdoor in the boot sector. One can also think of a bootkit attacking GRUB [1], allowing an attacker to load a different kernel than the one specified in the GRUB configuration file; an article describing this technique can be found in Phrack [2]. There are even more delicate tricks: hiding a backdoor inside the ACPI subsystem [5], inside a PCI card [6], or running the operating system inside a malicious hypervisor [12].



3 How does an operating system boot?

3.1 What is a bootloader?

On every personal computer there is a small program called the bootloader which, as its name says, loads an operating system from a kernel image after some hardware and software checks. For Windows installed alone this bootloader is NTLDR (NT Loader), but we will discuss Linux systems and their main bootloader, GRUB (GRand Unified Boot Loader). To explain our topic simply, we have to start from the machine's power-on. The first software that runs on the booting machine is the BIOS, stored in a chip on the motherboard. It checks the hardware configuration (the POST) and, if that passes, looks for a hard drive to boot from and hands control to that drive's MBR (Master Boot Record), i.e. its first 512 bytes. The BIOS loads this sector at address 0x7C00 and jumps to it, provided the sector ends with the signature bytes 0x55 0xAA; the sector holds 446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 2-byte signature.

3.2 How does GRUB work?

Here is the main role of GRUB, the default bootloader of most Linux distributions at the time of writing (this describes GRUB Legacy, 0.9x; GRUB 2 replaces the stages below with boot.img and core.img). Since the MBR is small (512 bytes, of which only 446 are code), GRUB splits its boot process into several stages. The first one, stage1, is stored in the MBR and only knows how to load the next stage from a fixed list of sectors; the filesystem code lives in the later stages, which is why GRUB is an advanced bootloader. Stage1.5 (for example e2fs_stage1_5), stored in the sectors between the MBR and the first partition, contains disk input/output, string handling and, most interesting for us, the driver for one filesystem (ext2/3, ...); it can therefore find /boot/grub/stage2 by filename. So stage1 loads stage1.5 if present, or stage2 directly from a fixed sector list if stage1.5 is missing. Stage2 then displays the boot menu built from the configuration file (menu.lst or grub.conf) on the disk, and the user chooses the operating system to load.

3.3 What can we do at this level?

We have seen that GRUB builds its menu from a configuration file. The aim here is to force it to load our code without modifying any configuration file (a change an administrator or an integrity checker would notice), and to do so before stage2 finishes, so that no operating system verification has run yet. We focus on how the stages are loaded: GRUB carries an ext2/3 filesystem driver (e2fs_*) and uses it to read the configuration file and stage2. So we could play with file inodes in order to change which physical blocks on the disk a file name points to, as described in "Hacking GRUB for fun and profit" [2]. Then, to limit side effects, we need to go deeper into the assembly code and be careful with the jumps, so that control comes back to the normal boot path once our code has run.
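As an added example (not code from this report, nor from GRUB), here is a small C program that puts sections 3.1 and 3.3 together: it decodes the MBR layout described above (446 bytes of code, four 16-byte partition entries, the 0x55AA signature) and implements the check a defender would run from a live CD, comparing the boot-code bytes against a baseline hash so that a patched stage1 is noticed even though the disk still boots and the partition table is untouched. The sample sector, its filler "code" bytes and the one-byte "bootkit" patch are constructed for the demo; hashing only the first 440 bytes is a choice made here to skip the disk-signature area that legitimate tools rewrite.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE      512
#define MBR_PART_OFF  446   /* partition table: four 16-byte entries */
#define MBR_SIG_OFF   510   /* boot signature 0x55 0xAA */
#define MBR_HASH_LEN  440   /* bytes 440..445 often hold a disk signature that
                               legitimate tools rewrite, so hash only pure code */

struct mbr_part {
    uint8_t  status;     /* 0x80 = active (bootable) */
    uint8_t  type;       /* 0x83 = Linux, 0x07 = NTFS, 0x00 = unused slot */
    uint32_t lba_start;  /* first sector (little-endian on disk) */
    uint32_t sectors;    /* length in sectors */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* 1 if the sector ends with the signature the BIOS requires before it jumps to 0x7C00. */
int mbr_has_signature(const uint8_t *mbr)
{
    return mbr[MBR_SIG_OFF] == 0x55 && mbr[MBR_SIG_OFF + 1] == 0xAA;
}

/* Decode the four entries into out[]; return how many slots are in use. */
int mbr_parse_partitions(const uint8_t *mbr, struct mbr_part out[4])
{
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + MBR_PART_OFF + 16 * i;
        out[i].status    = e[0];
        out[i].type      = e[4];
        out[i].lba_start = read_le32(e + 8);
        out[i].sectors   = read_le32(e + 12);
        if (out[i].type != 0) used++;
    }
    return used;
}

/* FNV-1a (32-bit) over the boot-code region. Good enough for the demo; a real
 * baseline should be SHA-256 and kept off the host, because a rootkit that owns
 * the host can rewrite a baseline stored on it. */
uint32_t mbr_code_hash(const uint8_t *mbr)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < MBR_HASH_LEN; i++) { h ^= mbr[i]; h *= 0x01000193u; }
    return h;
}

/* 1 if the boot code differs from the recorded baseline hash. */
int mbr_code_changed(const uint8_t *mbr, uint32_t baseline)
{
    return mbr_code_hash(mbr) != baseline;
}

/* Constructed sample sector (not real GRUB bytes): a jmp/nop opening followed by
 * filler code, one active Linux partition at LBA 2048, and the boot signature. */
void build_sample_mbr(uint8_t *mbr)
{
    memset(mbr, 0, MBR_SIZE);
    mbr[0] = 0xEB; mbr[1] = 0x48; mbr[2] = 0x90;          /* jmp short +0x48; nop */
    for (int i = 3; i < MBR_HASH_LEN; i++) mbr[i] = (uint8_t)(i * 7);
    uint8_t *e = mbr + MBR_PART_OFF;
    e[0] = 0x80;                 /* active */
    e[4] = 0x83;                 /* Linux */
    write_le32(e + 8, 2048);     /* start LBA */
    write_le32(e + 12, 409600);  /* 200 MiB of 512-byte sectors */
    mbr[MBR_SIG_OFF] = 0x55; mbr[MBR_SIG_OFF + 1] = 0xAA;
}

/* Simulate what an MBR bootkit does: retarget the first jump so attacker code
 * runs before stage1's own code. Partition table and signature stay intact, so
 * the disk still boots and nothing looks wrong from inside the running OS. */
void simulate_bootkit_patch(uint8_t *mbr)
{
    mbr[1] = 0x7C;
}

int main(void)
{
    uint8_t mbr[MBR_SIZE];
    struct mbr_part parts[4];

    build_sample_mbr(mbr);
    uint32_t baseline = mbr_code_hash(mbr);   /* recorded earlier from the trusted live CD */
    int n = mbr_parse_partitions(mbr, parts);
    printf("signature ok: %d, partitions in use: %d, first at LBA %u\n",
           mbr_has_signature(mbr), n, parts[0].lba_start);

    simulate_bootkit_patch(mbr);
    printf("code changed: %d, signature still ok: %d\n",
           mbr_code_changed(mbr, baseline), mbr_has_signature(mbr));
    return 0;
}
```

The point of the second printf is the detection logic's blind spot and strength at once: the signature and partition table still look perfectly healthy after the patch, so any check that only validates structure passes, while the baseline comparison of the code bytes fires. On a real system the 512 bytes would be read from /dev/sda under the live CD, and the same comparison should cover the sectors after the MBR where stage1.5 lives.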



4 Existing bootkits

4.1 eEye BootRoot

eEye BootRoot is a project presented at Black Hat USA 2005 by Derek Soeder and Ryan Permeh of eEye Digital Security, as an exploration of the technology that custom boot sector code can use to subvert the Windows kernel as it loads. The eEye BootRootKit is a boot-sector-based NDIS backdoor that demonstrates this technology. It is easily detected by most antivirus products [3].

4.2 VBootkit

VBootkit is a proof-of-concept bootkit for what was then the latest Microsoft OS, Windows Vista. It can escalate a cmd.exe to SYSTEM privileges every 30 seconds. It can do anything user software can, and because it becomes part of the kernel, it can do whatever the core of Vista can do [8].

4.3 VMBR

Another proof of concept, VMBR (virtual-machine based rootkit, from the SubVirt project), installs a virtual machine monitor beneath the existing operating system, which then runs as a guest without noticing. It was implemented for both Linux and Windows. A VMBR is harder to detect than other rootkits because it runs underneath the existing OS, but it is also harder for intruders to develop and install. The VMBR can communicate with the target OS, but this is not necessary. The team that developed VMBR was even able to manipulate LEDs on some computers via the system BIOS, to fool users into thinking a system was shut down when in fact it was not [7].

4.4 Blue Pill

Blue Pill is a project presented at the Black Hat Briefings 2006 in Las Vegas on August 3rd by Joanna Rutkowska, using AMD's hardware virtualization extensions (SVM) to move the running OS under a thin hypervisor; the original code was abandoned a few months later. In April 2007 Invisible Things Lab redesigned it and rewrote it from scratch as the New Blue Pill, so that it could be used for further research and for educational purposes. The new code is based on a different architecture, with a virtualization approach closer to that of Xen 3 [9].

Conclusion and goal for our project

There are many ways to hide a bootkit (ACPI, PCI, hypervisor) and many techniques to install one. We have now seen how a bootkit works and how to hide it in, or find it on, a system. The next step for a good understanding of the concept will be to write our own bootkit. As most existing bootkits target Windows, our goal will be to find a way to hack GRUB in order to dynamically patch the GNU/Linux kernel as it loads. This will allow us to inject custom code into the kernel and survive kernel updates. If we have enough time, we will also try to find a way for our bootkit to survive GRUB updates.

References
[1] GRUB: GRand Unified Bootloader. URL http://www.gnu.org/software/grub/.

[2] CoolQ. Hacking GRUB for fun and profit. Phrack 63, 2005. URL http://www.phrack.com/issues.html?issue=63&id=10&mode=txt.

[3] eEye Digital Security. URL http://research.eeye.com/html/tools/RT20060801-7.html.

[4] Elia Florio. From BootRoot to Trojan.Mebroot: a rootkit in your MBR!, 2008. URL https://forums.symantec.com/syment/blog/article?message.uid=305374.

[5] John Heasman. Implementing and detecting an ACPI BIOS rootkit, 2006. URL http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf.

[6] John Heasman. Implementing and detecting a PCI rootkit, 2006. URL http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf.

[7] Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, and Jacob R. Lorch. SubVirt: Implementing malware with virtual machines, 2006. URL http://www.eecs.umich.edu/Rio/papers/king06.pdf.

[8] Nitin Kumar and Vipin Kumar. VBootkit: Compromising Windows Vista security. Black Hat Europe, 2007. URL http://www.nvlabs.in/uploads/projects/vbootkit/vbootkit_nitin_vipin_whitepaper.pdf.

[9] Invisible Things Lab. Blue Pill project, 2007-2008. URL http://bluepillproject.org/.

[10] Paul Laudanski. Stealth MBR rootkit, 2008. URL http://www2.gmer.net/mbr/.

[11] Derek Soeder and Ryan Permeh. eEye BootRoot: A basis for bootstrap-based Windows kernel code. Black Hat Europe, 2006. URL http://research.eeye.com/html/Tools/download/eeyebootroot.zip.

[12] Dino Dai Zovi. Hardware virtualization based rootkits. Black Hat USA, 2006. URL http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Zovi.pdf.
