Bootkits: Past, Present & Future - Virus Bulletin

ESET
ESETESET
Bootkits: Past, Present & Future Alexander Matrosov @matrosov Eugene Rodionov @vxradius David Harley @DavidHarleyBlog
Agenda  Modern Bootkits History  Legacy BIOS vs. UEFI Boot Environment & Proof of Concept vs. In the Wild  Legacy BIOS Bootkit Classification  UEFI Bootkits  Bootkit Implementation Strategies  Attacks against Secure Boot  Forensic Software  HiddenFsReader  CHIPSEC
Modern Bootkit History 20072007 20082008 20092009 20102010 20112011 20122012 2013201320052005 20142014 eEye BootRoot Mebroot Vbootkit Mebratix Mebrootv2 Olmarik(TDL4) Olmasco(TDL4-based) Vbootkit x64 Vbootkit x64 Rovnix Evil Core Stoned Bootkit Mebromi DeepBoot Stoned Bootkit x64 Gapz VGA Bootkit Dream Boot OldBoot(AndroidBootkit) Microsoft x64 platform gains popularity Secure Boot implemented in Windows 8 In the Wild Proof of Concept
Legacy BIOS vs. UEFI  No more MBR and VBR/IPL code  Different hard drive partitioning scheme: GPT (GUID Partition Table)  Secure Boot technology is implemented in Windows 8 BIOS BIOS boot code bootmgr Load kernel and boot start drivers winload.efi MBR (Master Boot Record) VBR/IPL (Volume Boot Record/ Initial Program Loader) Load kernel and boot start drivers winload.efi UEFI boot loader (bootmgfw.efi) UEFI boot code UEFI
The Target of Modern Bootkits (MBR/VBR)
Classification of MBR/VBR Bootkits Bootkits MBR VBR/IPL MBR Code modification Partition Table modification IPL Code modification BIOS Parameter Block modification TDL4 Olmasco Rovnix Gapz
IPL Code Modification: Rovnix  Win64/Rovnix overwrites bootstrap code of the active partition MBR VBR Bootstrap Code File System Data VBR Malicious Code File System Data Bootstrap Code MBR NTFS bootstrap code (15 sectors) Before Infecting After Infecting Malicious Unsigned Driver Compressed Data “Hasta La Vista, Bootkit: Exploiting the VBR” http://www.welivesecurity.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr/
Gapz VBR Bootkit Main features:  Relies on Microsoft Windows VBR layout  The infections result in modifying only 4 bytes of VBR  The patched bytes might differ on various installations jmp BIOS Parameter Block (BPB) VBR code Text Strings 0x55 0xAA 0x000 0x003 0x054 0x19C 0x1FE 0x200 transfer control “Mind the Gapz: The most complex bootkit ever analyzed?” http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf
Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
Gapz MBR NTFS File SystemIPLVBR NTFS Volume 0x200 0x1E00 Number of “Hidden Sectors” MBR NTFS File SystemIPL Infected VBR NTFS Volume 0x200 0x1E00 Hard Drive Modified value of number of “Hidden Sectors” Bootkit before infection after infection
Modern Bootkits ComparisonFunctionality Gapz Olmarik (TDL4) Rovnix (Cidox) Goblin (XPAJ) Olmasco (MaxSS) MBR modification      VBR modification      Hidden file system type FAT32 custom FAT16 modification custom (TDL4 based) custom Crypto implementation AES-256, RC4, MD5, SHA1, ECC XOR/RC4 Custom (XOR+ROL)  RC6 modification Compression algorithm   aPlib aPlib  Custom TCP/IP network stack implementation     
HiddenFsReader as a Forensic Tool (MBR/VBR)
HiddenFsReader as a Forensic Tool (MBR/VBR)
Bootkits: Past, Present & Future - Virus Bulletin
In The Beginning… In 1998-99 CIH (Chernobyl) virus written by a student of Taipei Tatung Institute of Technology in Taiwan infected ~60 million PCs CIH (Chernobyl) erased BIOS ‘ROM’ boot block and boot sectors on a hard drive causing ~1B US dollars in damage
• Mebromi malware includes BIOS infector & MBR bootkit components • Patches BIOS ROM binary injecting malicious ISA Option ROM with legitimate BIOS image mod utility • Triggers SW SMI 0x29/0x2F to erase SPI flash then write patched BIOS binary Signed BIOS Updates Are Rare • No concept of Secure or Verified Boot • Wonder why TDL4 and likes flourished? No Signature Checks of OS boot loaders (MBR/VBR)
UEFI BIOS Firmware SEC Pre-EFI Init (PEI) Driver Exec Env (DXE) Boot Dev Select (BDS) Runtime / OS S-CRTM; Init caches/MTRRs; Cache-as-RAM (NEM); Recovery; TPM Init S-CRTM: Measure DXE/BDS Early CPU/PCH Init Memory (DIMMs, DRAM) Init, SMM Init Continue initialization of platform & devices Enum FV, dispatch drivers (network, I/O, service..) Produce Boot and Runtime Services Boot Manager (Select Boot Device) EFI Shell/Apps; OS Boot Loader(s) ExitBootServices. Minimal UEFI services (Variable) ACPI, UEFI SystemTable, SMBIOS table CPU Reset
UEFI Bootkits Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) DXE Driver UEFI Boot Loader Bootx64.efi Bootmgfw.efi DXE Driver UEFI OROM UEFI OROM OS Kernel / Drivers HDD Malware
Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
Replacing Windows Boot Manager EFI System Partition (ESP) on Fixed Drive ESPEFIMicrosoftBootbootmgfw.efi UEFI technology: say hello to the Windows 8 bootkit! by ITSEC Replacing Fallback Boot Loader ESPEFIBootbootx64.efi UEFI and Dreamboot by Sébastien Kaczmarek, QUARKSLAB Adding New Boot Loader (bootkit.efi) Modified BootOrder / Boot#### EFI variables UEFI Bootkits
Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
Adding/Replacing DXE Driver Stored on Fixed Drive Not embedded in Firmware Volume (FV) in ROM Modified DriverOrder + Driver#### EFI variables UEFI Bootkits
Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
Patching UEFI “Option ROM” UEFI DXE Driver in Add-On Card (Network, Storage..) Non-Embedded in FV in ROM Mac EFI Rootkits by @snare, Black Hat USA 2012 UEFI Bootkits
Replacing OS Loaders (winload.efi, winresume.efi) Patching GUID Partition Table (GPT) UEFI Bootkits
Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
What about Secure Boot?
Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders (winload.efi, winresume.efi) System Firmware (SEC/PEI) UEFI OROM UEFI Boot Loader Bootx64.efi Bootmgfw.efi Signed BIOS Update UEFI OROM UEFI App UEFI App DXE Driver DXE Driver OS Kernel / Early Launch Anti-Malware (ELAM) UEFI Secure Boot OS Driver OS Driver Windows 8.1 Secure Boot Secure Boot on MS Windows 8.1
Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) DXE Driver UEFI Boot Loader Bootx64.efi Bootmgfw.efi Signed BIOS Update DXE Driver OS Kernel OS Driver OS Exploit Modify Secure Boot FW or config in ROM Secure Boot bypass possible?
First Public Windows 8 Secure Boot Bypass (Aug 2013) A Tale Of One Software Bypass Of Windows 8 Secure Boot
Bootkits: Past, Present & Future - Virus Bulletin
BIOS Attack Surface System FW/BIOS SPI Flash Protection BIOS Update SMRAM Protection Hardware Config. SMI Handlers Secure Boot BIOS Settings (NVRAM, Variables) … Summary of Attacks Against BIOS and Secure Boot
Bootkits: Past, Present & Future - Virus Bulletin
From Analytics, and Scalability, and UEFI Exploitation by Teddy Reed Patch attempts to enable BIOS write protection (sets BIOS_CONTROL[BLE]). Picked up by Subzero
CHIPSEC Platform Security Assessment Framework https://github.com/chipsec/chipsec @CHIPSEC
CHIPSEC: Platform Security Assessment Framework
CHIPSEC: Platform Security Assessment Framework chipsec_main.py runs modules (see modules dir below) chipsec_util.py runs manual utilities (see utilcmd dir below) /chipsec /cfg platform specific configuration /hal all the HW stuff you can interact with /helper support for OS/environments /modules modules (tests/tools/PoCs) go here /utilcmd utility commands for chipsec_util
Known Threats and CHIPSEC modules Issue CHIPSEC Module References SMRAM Locking common.smm CanSecWest 2006 BIOS Keyboard Buffer Sanitization common.bios_kbrd_buffer DEFCON 16 2008 SMRR Configuration common.smrr ITL 2009 CanSecWest 2009 BIOS Protection common.bios_wp BlackHat USA 2009 CanSecWest 2013 Black Hat 2013 NoSuchCon 2013 Flashrom SPI Controller Locking common.spi_lock Flashrom Copernicus BIOS Interface Locking common.bios_ts PoC 2007 Access Control for Secure Boot Keys common.secureboot.keys UEFI 2.4 Spec Access Control for Secure Boot Variables common.secureboot.variables UEFI 2.4 Spec
BIOS/Firmware Forensics Live system firmware analysis chipsec_util spi info chipsec_util spi dump rom.bin chipsec_util spi read 0x700000 0x100000 bios.bin chipsec_util uefi var-list chipsec_util uefi var-read db D719B2CB-3D3A-4596-A3BC-DAD00E67656F db.bin Offline system firmware analysis chipsec_util uefi keys PK.bin chipsec_util uefi nvram vss bios.bin chipsec_util uefi decode rom.bin chipsec_util decode rom.bin
How to dump BIOS firmware directly from chip?
How to dump BIOS firmware directly from chip?
DEMO TIME
Bootkits: Past, Present & Future - Virus Bulletin
Thank you for your attention! Eugene Rodionov @vxradius Alexander Matrosov @matrosov David Harley @DavidHarleyBlog
1 von 44

Bootkits: Past, Present & Future - Virus Bulletin

Technologie

Presentation from ESET researchers Eugene Rodionov and David Harley, featured by Alex Matrosov about the history and evolution of bootkits.

ESET
ESETESET

Recomendados

Is Linux/Moose endangered or extinct? von
Is Linux/Moose endangered or extinct? Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct? ESET
16.1K views55 Folien
Unpack your troubles*: .NET packer tricks and countermeasures von
Unpack your troubles*: .NET packer tricks and countermeasuresUnpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasuresESET
16K views22 Folien
Code Injection in Windows von
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
4.2K views22 Folien
Embedded Rust on IoT devices von
Embedded Rust on IoT devicesEmbedded Rust on IoT devices
Embedded Rust on IoT devicesLars Gregori
514 views52 Folien
Reconstructing Gapz: Position-Independent Code Analysis Problem von
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
4.6K views89 Folien
Indicators of compromise: From malware analysis to eradication von
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
1.4K views29 Folien

Más contenido relacionado

Was ist angesagt?

Advanced Evasion Techniques by Win32/Gapz von
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
4.4K views65 Folien
Fighting Malware Without Antivirus von
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
1.9K views36 Folien
Linux advanced privilege escalation von
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
8.1K views11 Folien
Auditing the Opensource Kernels von
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
888 views81 Folien
Reverse engineering von
Reverse engineeringReverse engineering
Reverse engineeringDaniel Stenberg
2.7K views36 Folien
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011] von
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
2.4K views45 Folien

Was ist angesagt?(20)

Advanced Evasion Techniques by Win32/Gapz von Alex Matrosov
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov4.4K views
Fighting Malware Without Antivirus von EnergySec
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
EnergySec1.9K views
Linux advanced privilege escalation von Jameel Nabbo
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
Jameel Nabbo8.1K views
Auditing the Opensource Kernels von Silvio Cesare
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
Silvio Cesare888 views
Reverse engineering von Daniel Stenberg
Reverse engineeringReverse engineering
Reverse engineering
Daniel Stenberg2.7K views
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011] von RootedCON
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
RootedCON2.4K views
Programming Embedded linux von Liran Ben Haim
Programming Embedded linuxProgramming Embedded linux
Programming Embedded linux
Liran Ben Haim3.3K views
Arm device tree and linux device drivers von Houcheng Lin
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
Houcheng Lin17.5K views
44CON 2014 - Breaking AV Software von 44CON
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
44CON2.6K views
How security broken? - Android internals and malware infection possibilities von FFRI, Inc.
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilities
FFRI, Inc.1.5K views
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access von Igor Korkin
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Igor Korkin7.3K views
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces von Igor Korkin
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesDivide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Igor Korkin3.5K views
Exploiting Llinux Environment von Enrico Scapin
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
Enrico Scapin840 views
Anton Chuvakin on illogic Rootkit Analysis von Anton Chuvakin
Anton Chuvakin on illogic Rootkit AnalysisAnton Chuvakin on illogic Rootkit Analysis
Anton Chuvakin on illogic Rootkit Analysis
Anton Chuvakin3.4K views
Introduction to forensic imaging von Marco Alamanni
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
Marco Alamanni1.1K views
Linux Interview Questions Quiz von Utkarsh Sengar
Linux Interview Questions QuizLinux Interview Questions Quiz
Linux Interview Questions Quiz
Utkarsh Sengar2.4K views
Radare2 - An Introduction by Anto Joseph von Anthony Jose
Radare2 - An Introduction by Anto JosephRadare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto Joseph
Anthony Jose1.4K views
Security Onion Conference - 2016 von DefensiveDepth
Security Onion Conference - 2016Security Onion Conference - 2016
Security Onion Conference - 2016
DefensiveDepth2.3K views
A Quick Introduction to Programmable Logic von Omer Kilic
A Quick Introduction to Programmable LogicA Quick Introduction to Programmable Logic
A Quick Introduction to Programmable Logic
Omer Kilic3.5K views
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013 von midnite_runr
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr8.7K views

Similar a Bootkits: Past, Present & Future - Virus Bulletin

Bootkits: past, present & future von
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
2.2K views44 Folien
Defeating x64: Modern Trends of Kernel-Mode Rootkits von
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
4.3K views59 Folien
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht von
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtFelipe Prado
126 views87 Folien
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated von
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
17.8K views73 Folien
UEFI Firmware Rootkits: Myths and Reality von
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealitySally Feller
991 views95 Folien
Slimline Open Firmware von
Slimline Open FirmwareSlimline Open Firmware
Slimline Open FirmwareHeiko Joerg Schick
2.1K views37 Folien

Similar a Bootkits: Past, Present & Future - Virus Bulletin(20)

Bootkits: past, present & future von Alex Matrosov
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov2.2K views
Defeating x64: Modern Trends of Kernel-Mode Rootkits von Alex Matrosov
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov4.3K views
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht von Felipe Prado
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
Felipe Prado126 views
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated von CanSecWest
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest17.8K views
UEFI Firmware Rootkits: Myths and Reality von Sally Feller
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller991 views
Slimline Open Firmware von Heiko Joerg Schick
Slimline Open FirmwareSlimline Open Firmware
Slimline Open Firmware
Heiko Joerg Schick2.1K views
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing von BlueHat Security Conference
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat Security Conference866 views
Embedded Linux BSP Training (Intro) von RuggedBoardGroup
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
RuggedBoardGroup782 views
Boot process: BIOS vs UEFI von Alea Soluciones, S.L.
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFI
Alea Soluciones, S.L.11.1K views
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu... von Nicolas Collery
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Needle In An Encrypted Haystack: Forensics in a hardened environment (with Fu...
Nicolas Collery52 views
BIOS and Secure Boot Attacks Uncovered von Alex Matrosov
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov3.4K views
Upgrade Ubuntu 18.04 Security with Secureboot von Jonathan MICHEL-VILLAZ
Upgrade Ubuntu 18.04 Security with SecurebootUpgrade Ubuntu 18.04 Security with Secureboot
Upgrade Ubuntu 18.04 Security with Secureboot
Jonathan MICHEL-VILLAZ132 views
Let Me Pick Your Brain - Remote Forensics in Hardened Environments von Nicolas Collery
Let Me Pick Your Brain - Remote Forensics in Hardened EnvironmentsLet Me Pick Your Brain - Remote Forensics in Hardened Environments
Let Me Pick Your Brain - Remote Forensics in Hardened Environments
Nicolas Collery1.3K views
Linux kernel booting von Ramin Farajpour Cami
Linux kernel bootingLinux kernel booting
Linux kernel booting
Ramin Farajpour Cami60 views
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?" von Piotr Król
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Booting UEFI-aware OS on coreboot enabled platform - "In God's Name, Why?"
Piotr Król456 views
Bootloaders (U-Boot) von Omkar Rane
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot)
Omkar Rane642 views
U-Boot Porting on New Hardware von RuggedBoardGroup
U-Boot Porting on New HardwareU-Boot Porting on New Hardware
U-Boot Porting on New Hardware
RuggedBoardGroup2.1K views
[Hackito2012] Hardware backdooring is practical von Moabi.com
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical
Moabi.com1.4K views
WinFE: The (Almost) Perfect Triage Tool von Brent Muir
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
Brent Muir13.9K views
Grub2 Booting Process von Mike Wang
Grub2 Booting ProcessGrub2 Booting Process
Grub2 Booting Process
Mike Wang5.5K views

Más de ESET

ESET Cybersecurity students von
ESET Cybersecurity studentsESET Cybersecurity students
ESET Cybersecurity studentsESET
4.5K views5 Folien
ESET Cybersecurity training von
ESET Cybersecurity trainingESET Cybersecurity training
ESET Cybersecurity trainingESET
2.4K views5 Folien
How to implement a robust information security management system? von
How to implement a robust information security management system?How to implement a robust information security management system?
How to implement a robust information security management system?ESET
9.7K views1 Folie
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N... von
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...ESET
2.6K views1 Folie
Visiting the Bear Den von
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear DenESET
17.5K views229 Folien
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its... von
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...ESET
16.3K views27 Folien

Más de ESET(20)

ESET Cybersecurity students von ESET
ESET Cybersecurity studentsESET Cybersecurity students
ESET Cybersecurity students
ESET4.5K views
ESET Cybersecurity training von ESET
ESET Cybersecurity trainingESET Cybersecurity training
ESET Cybersecurity training
ESET2.4K views
How to implement a robust information security management system? von ESET
How to implement a robust information security management system?How to implement a robust information security management system?
How to implement a robust information security management system?
ESET9.7K views
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N... von ESET
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
ESET2.6K views
Visiting the Bear Den von ESET
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear Den
ESET17.5K views
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its... von ESET
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
ESET16.3K views
ESET Quick Guide to the EU General Data Protection Regulation von ESET
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection Regulation
ESET1.9K views
Operation Buhtrap - AVAR 2015 von ESET
Operation Buhtrap - AVAR 2015Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015
ESET15.9K views
Advanced Persistent Threats von ESET
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
ESET2.2K views
Shopping Online von ESET
Shopping OnlineShopping Online
Shopping Online
ESET4.1K views
Banking Online von ESET
Banking OnlineBanking Online
Banking Online
ESET2.6K views
Is Anti-Virus Dead? von ESET
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?
ESET879 views
ESET: #DoMore With Our Comprehensive Range of Business Products von ESET
ESET: #DoMore With Our Comprehensive Range of Business ProductsESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business Products
ESET2.7K views
ESET: Delivering Benefits to Enterprises von ESET
ESET: Delivering Benefits to EnterprisesESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to Enterprises
ESET945 views
ESET: Delivering Benefits to Medium and Large Businesses von ESET
ESET: Delivering Benefits to Medium and Large BusinessesESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large Businesses
ESET834 views
#DoMore with ESET von ESET
#DoMore with ESET#DoMore with ESET
#DoMore with ESET
ESET995 views
2014: Mid-Year Threat Review von ESET
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat Review
ESET2.2K views
Learn more about ESET and our soulutions for mobile platforms von ESET
Learn more about ESET and our soulutions for mobile platformsLearn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platforms
ESET904 views
Trends for 2014: The Challenge of Internet Privacy von ESET
Trends for 2014: The Challenge of Internet PrivacyTrends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet Privacy
ESET1.1K views
ESET Technology From von ESET
ESET Technology FromESET Technology From
ESET Technology From
ESET771 views

Último

Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... von
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...ShapeBlue
146 views15 Folien
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... von
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...ShapeBlue
123 views28 Folien
Data Integrity for Banking and Financial Services von
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial ServicesPrecisely
78 views26 Folien
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... von
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...Bernd Ruecker
50 views69 Folien
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates von
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesKeynote Talk: Open Source is Not Dead - Charles Schulz - Vates
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesShapeBlue
210 views15 Folien
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive von
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveNetwork Automation Forum
50 views35 Folien

Último(20)

Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... von ShapeBlue
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
ShapeBlue146 views
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... von ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue123 views
Data Integrity for Banking and Financial Services von Precisely
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial Services
Precisely78 views
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... von Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker50 views
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates von ShapeBlue
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesKeynote Talk: Open Source is Not Dead - Charles Schulz - Vates
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates
ShapeBlue210 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive von Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Network Automation Forum50 views
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... von TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc160 views
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... von ShapeBlue
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
ShapeBlue158 views
Igniting Next Level Productivity with AI-Infused Data Integration Workflows von Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software385 views
The Role of Patterns in the Era of Large Language Models von Yunyao Li
The Role of Patterns in the Era of Large Language ModelsThe Role of Patterns in the Era of Large Language Models
The Role of Patterns in the Era of Large Language Models
Yunyao Li80 views
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool von ShapeBlue
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPoolExtending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool
ShapeBlue84 views
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue von ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
ShapeBlue94 views
Network Source of Truth and Infrastructure as Code revisited von Network Automation Forum
Network Source of Truth and Infrastructure as Code revisitedNetwork Source of Truth and Infrastructure as Code revisited
Network Source of Truth and Infrastructure as Code revisited
Network Automation Forum52 views
Uni Systems for Power Platform.pptx von Uni Systems S.M.S.A.
Uni Systems for Power Platform.pptxUni Systems for Power Platform.pptx
Uni Systems for Power Platform.pptx
Uni Systems S.M.S.A.61 views
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... von ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue132 views
Business Analyst Series 2023 - Week 4 Session 7 von DianaGray10
Business Analyst Series 2023 - Week 4 Session 7Business Analyst Series 2023 - Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7
DianaGray10126 views
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ... von ShapeBlue
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
ShapeBlue85 views
20231123_Camunda Meetup Vienna.pdf von Phactum Softwareentwicklung GmbH
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdf
Phactum Softwareentwicklung GmbH50 views
"Surviving highload with Node.js", Andrii Shumada von Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays53 views
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... von ShapeBlue
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
ShapeBlue144 views

Bootkits: Past, Present & Future - Virus Bulletin

  • 1. Bootkits: Past, Present & Future Alexander Matrosov @matrosov Eugene Rodionov @vxradius David Harley @DavidHarleyBlog
  • 2. Agenda  Modern Bootkits History  Legacy BIOS vs. UEFI Boot Environment & Proof of Concept vs. In the Wild  Legacy BIOS Bootkit Classification  UEFI Bootkits  Bootkit Implementation Strategies  Attacks against Secure Boot  Forensic Software  HiddenFsReader  CHIPSEC
  • 3. Modern Bootkit History 20072007 20082008 20092009 20102010 20112011 20122012 2013201320052005 20142014 eEye BootRoot Mebroot Vbootkit Mebratix Mebrootv2 Olmarik(TDL4) Olmasco(TDL4-based) Vbootkit x64 Vbootkit x64 Rovnix Evil Core Stoned Bootkit Mebromi DeepBoot Stoned Bootkit x64 Gapz VGA Bootkit Dream Boot OldBoot(AndroidBootkit) Microsoft x64 platform gains popularity Secure Boot implemented in Windows 8 In the Wild Proof of Concept
  • 4. Legacy BIOS vs. UEFI  No more MBR and VBR/IPL code  Different hard drive partitioning scheme: GPT (GUID Partition Table)  Secure Boot technology is implemented in Windows 8 BIOS BIOS boot code bootmgr Load kernel and boot start drivers winload.efi MBR (Master Boot Record) VBR/IPL (Volume Boot Record/ Initial Program Loader) Load kernel and boot start drivers winload.efi UEFI boot loader (bootmgfw.efi) UEFI boot code UEFI
  • 5. The Target of Modern Bootkits (MBR/VBR)
  • 6. Classification of MBR/VBR Bootkits Bootkits MBR VBR/IPL MBR Code modification Partition Table modification IPL Code modification BIOS Parameter Block modification TDL4 Olmasco Rovnix Gapz
  • 7. IPL Code Modification: Rovnix  Win64/Rovnix overwrites bootstrap code of the active partition MBR VBR Bootstrap Code File System Data VBR Malicious Code File System Data Bootstrap Code MBR NTFS bootstrap code (15 sectors) Before Infecting After Infecting Malicious Unsigned Driver Compressed Data “Hasta La Vista, Bootkit: Exploiting the VBR” http://www.welivesecurity.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr/
  • 8. Gapz VBR Bootkit Main features:  Relies on Microsoft Windows VBR layout  The infections result in modifying only 4 bytes of VBR  The patched bytes might differ on various installations jmp BIOS Parameter Block (BPB) VBR code Text Strings 0x55 0xAA 0x000 0x003 0x054 0x19C 0x1FE 0x200 transfer control “Mind the Gapz: The most complex bootkit ever analyzed?” http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf
  • 9. Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
  • 10. Gapz MBR NTFS File SystemIPLVBR NTFS Volume 0x200 0x1E00 Number of “Hidden Sectors” MBR NTFS File SystemIPL Infected VBR NTFS Volume 0x200 0x1E00 Hard Drive Modified value of number of “Hidden Sectors” Bootkit before infection after infection
  • 11. Modern Bootkits ComparisonFunctionality Gapz Olmarik (TDL4) Rovnix (Cidox) Goblin (XPAJ) Olmasco (MaxSS) MBR modification      VBR modification      Hidden file system type FAT32 custom FAT16 modification custom (TDL4 based) custom Crypto implementation AES-256, RC4, MD5, SHA1, ECC XOR/RC4 Custom (XOR+ROL)  RC6 modification Compression algorithm   aPlib aPlib  Custom TCP/IP network stack implementation     
  • 12. HiddenFsReader as a Forensic Tool (MBR/VBR)
  • 13. HiddenFsReader as a Forensic Tool (MBR/VBR)
  • 15. In The Beginning… In 1998-99 CIH (Chernobyl) virus written by a student of Taipei Tatung Institute of Technology in Taiwan infected ~60 million PCs CIH (Chernobyl) erased BIOS ‘ROM’ boot block and boot sectors on a hard drive causing ~1B US dollars in damage
  • 16. • Mebromi malware includes BIOS infector & MBR bootkit components • Patches BIOS ROM binary injecting malicious ISA Option ROM with legitimate BIOS image mod utility • Triggers SW SMI 0x29/0x2F to erase SPI flash then write patched BIOS binary Signed BIOS Updates Are Rare • No concept of Secure or Verified Boot • Wonder why TDL4 and likes flourished? No Signature Checks of OS boot loaders (MBR/VBR)
  • 17. UEFI BIOS Firmware SEC Pre-EFI Init (PEI) Driver Exec Env (DXE) Boot Dev Select (BDS) Runtime / OS S-CRTM; Init caches/MTRRs; Cache-as-RAM (NEM); Recovery; TPM Init S-CRTM: Measure DXE/BDS Early CPU/PCH Init Memory (DIMMs, DRAM) Init, SMM Init Continue initialization of platform & devices Enum FV, dispatch drivers (network, I/O, service..) Produce Boot and Runtime Services Boot Manager (Select Boot Device) EFI Shell/Apps; OS Boot Loader(s) ExitBootServices. Minimal UEFI services (Variable) ACPI, UEFI SystemTable, SMBIOS table CPU Reset
  • 18. UEFI Bootkits Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) DXE Driver UEFI Boot Loader Bootx64.efi Bootmgfw.efi DXE Driver UEFI OROM UEFI OROM OS Kernel / Drivers HDD Malware
  • 19. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
  • 20. Replacing Windows Boot Manager EFI System Partition (ESP) on Fixed Drive ESPEFIMicrosoftBootbootmgfw.efi UEFI technology: say hello to the Windows 8 bootkit! by ITSEC Replacing Fallback Boot Loader ESPEFIBootbootx64.efi UEFI and Dreamboot by Sébastien Kaczmarek, QUARKSLAB Adding New Boot Loader (bootkit.efi) Modified BootOrder / Boot#### EFI variables UEFI Bootkits
  • 21. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
  • 22. Adding/Replacing DXE Driver Stored on Fixed Drive Not embedded in Firmware Volume (FV) in ROM Modified DriverOrder + Driver#### EFI variables UEFI Bootkits
  • 23. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
  • 24. Patching UEFI “Option ROM” UEFI DXE Driver in Add-On Card (Network, Storage..) Non-Embedded in FV in ROM Mac EFI Rootkits by @snare, Black Hat USA 2012 UEFI Bootkits
  • 25. Replacing OS Loaders (winload.efi, winresume.efi) Patching GUID Partition Table (GPT) UEFI Bootkits
  • 26. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) UEFI Boot Loader Bootx64.efi Bootmgfw.efi OS Kernel / Drivers Malware DXE Driver DXE Driver UEFI OROM UEFI OROM HDD UEFI Bootkits
  • 28. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders (winload.efi, winresume.efi) System Firmware (SEC/PEI) UEFI OROM UEFI Boot Loader Bootx64.efi Bootmgfw.efi Signed BIOS Update UEFI OROM UEFI App UEFI App DXE Driver DXE Driver OS Kernel / Early Launch Anti-Malware (ELAM) UEFI Secure Boot OS Driver OS Driver Windows 8.1 Secure Boot Secure Boot on MS Windows 8.1
  • 29. Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders System Firmware (SEC/PEI) DXE Driver UEFI Boot Loader Bootx64.efi Bootmgfw.efi Signed BIOS Update DXE Driver OS Kernel OS Driver OS Exploit Modify Secure Boot FW or config in ROM Secure Boot bypass possible?
  • 30. First Public Windows 8 Secure Boot Bypass (Aug 2013) A Tale Of One Software Bypass Of Windows 8 Secure Boot
  • 32. BIOS Attack Surface System FW/BIOS SPI Flash Protection BIOS Update SMRAM Protection Hardware Config. SMI Handlers Secure Boot BIOS Settings (NVRAM, Variables) … Summary of Attacks Against BIOS and Secure Boot
  • 34. From Analytics, and Scalability, and UEFI Exploitation by Teddy Reed Patch attempts to enable BIOS write protection (sets BIOS_CONTROL[BLE]). Picked up by Subzero
  • 36. CHIPSEC: Platform Security Assessment Framework
  • 37. CHIPSEC: Platform Security Assessment Framework chipsec_main.py runs modules (see modules dir below) chipsec_util.py runs manual utilities (see utilcmd dir below) /chipsec /cfg platform specific configuration /hal all the HW stuff you can interact with /helper support for OS/environments /modules modules (tests/tools/PoCs) go here /utilcmd utility commands for chipsec_util
  • 38. Known Threats and CHIPSEC modules Issue CHIPSEC Module References SMRAM Locking common.smm CanSecWest 2006 BIOS Keyboard Buffer Sanitization common.bios_kbrd_buffer DEFCON 16 2008 SMRR Configuration common.smrr ITL 2009 CanSecWest 2009 BIOS Protection common.bios_wp BlackHat USA 2009 CanSecWest 2013 Black Hat 2013 NoSuchCon 2013 Flashrom SPI Controller Locking common.spi_lock Flashrom Copernicus BIOS Interface Locking common.bios_ts PoC 2007 Access Control for Secure Boot Keys common.secureboot.keys UEFI 2.4 Spec Access Control for Secure Boot Variables common.secureboot.variables UEFI 2.4 Spec
  • 39. BIOS/Firmware Forensics Live system firmware analysis chipsec_util spi info chipsec_util spi dump rom.bin chipsec_util spi read 0x700000 0x100000 bios.bin chipsec_util uefi var-list chipsec_util uefi var-read db D719B2CB-3D3A-4596-A3BC-DAD00E67656F db.bin Offline system firmware analysis chipsec_util uefi keys PK.bin chipsec_util uefi nvram vss bios.bin chipsec_util uefi decode rom.bin chipsec_util decode rom.bin
  • 40. How to dump BIOS firmware directly from chip?
  • 41. How to dump BIOS firmware directly from chip?
  • 44. Thank you for your attention! Eugene Rodionov @vxradius Alexander Matrosov @matrosov David Harley @DavidHarleyBlog