Introduction to Bootkit Virus technology

Source: Internet
Author: User
Abstract: A bootkit virus is a virus stored in the master boot record of a disk and activated when the system boots (hereinafter called a boot-sector virus). The master boot record (MBR, hereinafter the MBR boot sector) is the first sector of the disk that the computer is configured to start from.

A bootkit virus is stored in the master boot record of a disk and is executed as part of system startup (hereinafter, a boot-sector virus). The master boot record (MBR, hereinafter the MBR boot sector) is the first sector of the disk the computer is configured to boot from. It holds the code that the BIOS (the basic input/output system, which initializes the basic system hardware and gives the operating system a basic hardware access interface) loads into memory once its own initialization is done, together with the disk's partition table; normally this code runs as soon as the BIOS finishes, and system startup proceeds from there. A computer infected with a boot-sector virus is not cleaned by reinstalling the operating system: the freshly installed system is simply infected again. This is why some anti-virus vendors nicknamed these viruses "Ghost" and "Mordor"; to the user, the virus haunts the computer like a ghost. Is the boot-sector virus really so mysterious? This article sets out, in plain language, from the origin of bootkit viruses, works through their mechanism step by step, and looks at their future development.

Technical origin

Infecting the boot sector was a common virus technique historically, especially in the DOS era, but with the spread of Windows NT systems boot-sector viruses ran into trouble. From the code inside the MBR to a running operating system there are three stages: real mode, protected mode, and protected mode with memory paging enabled. Once Windows NT is running, programs are divided according to function and privilege into user mode, where applications run (known as RING3: limited access to system resources, but high tolerance for faulty code), and kernel mode, where the operating system kernel and system drivers run (known as RING0: every system resource is accessible, but faulty code is not tolerated, and a failing kernel program can crash the system, usually as a blue screen).

Figure 1: Privilege levels of the x86 processor in protected mode

The above is the general boot sequence of the operating system. For a boot-sector virus to have any effect once the operating system is fully started, it must ride along with the operating system boot: from the initial 16-bit real-mode code up to the start of the first Win32 program, it must be able to obtain the highest system privilege. This process is very complex, and Microsoft's official documentation usually avoids the details of the Windows boot process. The bar for an author able to develop an effective boot-sector virus is therefore very high; such an author needs at least three skills: proficiency in real-mode programming, proficiency in Windows application-layer and kernel-layer development, and strong enough binary reverse-engineering ability to understand how the Windows startup modules work from a reverse-engineering perspective. The authors who later produced boot-sector viruses will, on reading this, inevitably feel "gratified" by their own ability.

Based on our analysis of the process logic of the boot-sector virus samples currently in circulation, we found that this way of gaining Windows NT system privileges from the MBR in fact comes from public code named "BootRoot", released by the foreign security vendor eEye. Its authors are two of the company's researchers, Derek Soeder and Ryan Permeh; it was shown publicly as early as 2005, and this method can be called a bootkit (boot tool). In addition, at the end of 2007, the MR Team released its updated version, the Stealth MBR Rootkit, a privilege-gaining tool that can also hide the MBR.

Virus authors take technology that was made public in this way within the security community and use it to produce and distribute malicious programs. Among the boot-sector virus samples collected in recent years, chiefly the earlier "Ghost" virus and the currently widespread "Mordor" virus (named TDL by Kaspersky), the technique used is derived from the eEye code.

Mechanism Introduction

Although "Ghost" and "Mordor" appeared at different times and differ in many implementation details, the way they gain execution is the same: traditional hooking. The differences lie in where the hooks are placed and what content is filtered. The key step is that the code in the MBR hooks the BIOS disk read/write interrupt (INT 13h) in real mode.

Figure 2: A boot-sector virus modifies disk read/write data through its INT 13h hook

In the INT 13h handler, the contents read from disk are filtered: they are matched byte pattern by byte pattern against the specified code of the file being loaded, and on a match the returned buffer is modified so that execution jumps into the virus body's protected-mode code. This carries the virus from execution in real mode to execution in protected mode. Depending on where the hook is placed, the virus can control at which point during operating system startup its code is executed. During startup, whenever a system module is needed, the operating system reads the file from disk and loads it into memory. On a computer whose boot sector is not infected, the file content loaded into memory is exactly the file content on disk; but when INT 13h has been hooked by the virus, the execution flow of what the operating system loads is altered by the virus, and the virus runs again when the operating system executes the code the virus modified.

Figure 3: A boot-sector virus modifies the system loading flow from its INT 13h hook

In the concrete implementation, the "Ghost" and "Mordor" viruses think alike: both hook INT 13h in real mode, install hooks in the protected-mode program that is read from disk, and so obtain protected-mode execution. However, what "Mordor" does next differs from "Ghost" and from the eEye code. To be precise, "Mordor" further optimizes the boot-sector virus and simplifies the process. Unlike security software, a virus usually has to protect itself from detection and analysis by anti-debugging means. So in its INT 13h handler, "Mordor" does not, as "Ghost" and others do, install further hooks to accompany Windows through boot; instead it replaces the COM port kernel debug transport driver provided by the system, kdcom.dll, in memory with the virus's own driver. For the virus this kills two birds with one stone: its kernel-mode driver gains the highest system privilege, and the system's live debugging port stops working, which to some extent prevents others from analyzing how it works.

Figure 4: The "Mordor" virus replaces a system module during system boot

By the time the virus runs again, the system has usually finished initializing all the basic operating environments, and the virus can use the resources provided by the operating system for its next steps. As described earlier, Windows NT divides program access privileges into two levels, kernel level (RING0) and application level (RING3); ordinary viruses and user programs mostly run at application level. To gain full control of the system, however, a virus typically installs a driver that runs at kernel level. Once a virus program reaches kernel level, its control is equivalent to that of the operating system and of the anti-virus software, and any protection that relies on the security software's privilege is completely ineffective; kernel-level system security has therefore become the battleground between viruses and security software. For binary programs, whoever first gains control of the system kernel can push the opponent out of the system and gain complete control. Because a boot-sector virus can choose the exact stage of system startup at which its code runs, it naturally chooses a point where anti-virus software has not yet loaded but the system is essentially initialized, and there installs a kernel-level backdoor to gain complete control of the system.

Disk restore cards and boot-sector monitoring and backup tools, seemingly effective specialist defenses against boot-sector viruses, also have no effect on some of them. For example, the "Mordor" virus reads and writes the disk by sending SCSI commands directly to the disk, a very low-level, direct method that first appeared in the "Robot Dog" virus and proved able to bypass the interception of any disk restore card. In addition, "Mordor" incorporates the disk-device (\Driver\Disk) hook method of the Stealth MBR Rootkit mentioned above to hide and protect the virus files stored in the MBR and at the end of the disk. In the hook function, the virus first checks whether the upper layers of the system are reading sectors that hold the virus body; if so, the data returned is forged, and if the system asks to write to a sector holding the virus, the call is made to fail. Opening the physical disk with WinHex to check whether the boot sector has been modified is useless on a machine where "Mordor" is already present: before overwriting the boot sector, "Mordor" saved an image of it, and once the system is fully started, the boot-sector content a user reads is entirely the virus's backup image, not the real data.

Figure 5: The "Mordor" virus's access control over the disk

The master boot record occupies the first sector of the disk, and a sector is 512 bytes. Today's viruses, however, range from a few thousand bytes for the small ones to tens of kilobytes for the larger ones. One sector cannot hold the whole virus, so a boot-sector virus is generally split into two parts: a boot part stored in the MBR and a body part stored in other sectors of the disk. Taking the "Ghost" virus as an example, its main part is stored in the boot area at sector 0x228, which is not used by the system, and its contents are encrypted. The "Mordor" virus creates a separate partition at the end of the user's disk, using a file system of its own design. This partition cannot be found from the disk's partition table; in other words, it is hidden from both the user and the system, and its contents are RC4-encrypted, so only the virus can correctly parse and read the files stored there. Because the disk space the virus uses overlaps the existing file system, even though it lies in a few sectors at the end of the disk its contents can grow, which may cause the virus to overwrite files in the user's file system and corrupt the user's normal files.
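As an added defender-side example (not code from the original article or from any vendor it names), the following Python script audits a raw MBR image the way an offline boot-sector integrity check would: it parses the partition table, flags unpartitioned sectors at the end of the disk of the kind the hidden partition described above would occupy, and compares the boot code against a known-good baseline hash. The sample MBR, the baseline and the disk size are constructed here; since the article explains that a live read of the boot sector can be served forged data, the image to audit should be captured from clean boot media and compared with what the running system reports.

```python
import hashlib
import struct

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries, signature."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for off in range(446, 510, 16):  # four 16-byte partition table entries
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype and count:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start": lba, "count": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "partitions": parts, "signature_ok": mbr[510:] == b"\x55\xaa"}

def trailing_unpartitioned(parsed: dict, disk_sectors: int) -> tuple:
    """(first LBA, count) of sectors past the last partition that no entry claims."""
    end = max((p["start"] + p["count"] for p in parsed["partitions"]), default=1)
    return end, max(disk_sectors - end, 0)

def audit_mbr(mbr: bytes, disk_sectors: int, baseline_sha256: str,
              slack_threshold: int = 2048) -> list:
    """Return findings as strings; an empty list means nothing suspicious."""
    parsed, findings = parse_mbr(mbr), []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if parsed["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    start, count = trailing_unpartitioned(parsed, disk_sectors)
    if count >= slack_threshold:  # room for a hidden file system at the disk end
        findings.append(f"{count} unpartitioned sectors after LBA {start}")
    return findings

def make_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Build a constructed MBR from boot code and (type, start, count) entries."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if i == 0 else 0, b"\0\0\0",
                                 t, b"\0\0\0", s, c)
                     for i, (t, s, c) in enumerate(partitions))
    return boot_code.ljust(446, b"\0") + table.ljust(64, b"\0") + b"\x55\xaa"

# Constructed sample (not real boot code): a 1,000,000-sector disk with one NTFS
# partition (type 0x07) ending 7,952 sectors before the disk end, and boot code
# that no longer matches the baseline taken from the clean image.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0"
BASELINE = hashlib.sha256(CLEAN_CODE.ljust(446, b"\0")).hexdigest()
SUSPECT = make_mbr(b"\xeb\x50" + CLEAN_CODE, [(0x07, 2048, 990000)])
if __name__ == "__main__":
    print(audit_mbr(SUSPECT, 1_000_000, BASELINE) or "clean")
```

On a real disk, read the first 512 bytes of the physical device from clean boot media for the image, and take the sector count from the device geometry; a large unexplained gap at the end of the disk is worth inspecting even when the boot code matches.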

Figure 6: File system structure of the "Mordor" virus

For a boot-sector virus, whether "Ghost" or "Mordor", infecting the boot sector serves only to conceal itself and to gain the highest system privilege during system startup. Its ultimate purpose goes further: effective hiding and powerful privilege together build a platform for executing its payload. The "Mordor" virus, for example, is a well-designed platform in which each module has a clear function; their ultimate goal is to inject a specified function module (cmd.dll) into a specified process and act from within it.

Figure 7: Functional division of the "Mordor" virus

This function module is actually an EXE file stored in the virus file system, and the virus can give it any name. The virus file system also contains a file named Cfg.ini, which controls which files in the virus file system are injected into which process. As shown in Figure 8 below, the name in the position of "*" is the process to be injected, and the name after the "=" is the file in the virus file system to inject. If "*" means every process, the virus file is injected into all processes. One could therefore write a dedicated removal program for this virus, modify Cfg.ini so that this platform injects the removal program into all processes, and then unload the virus modules one by one.

Figure 8: The Cfg.ini configuration file of the "Mordor" virus

Trend Outlook

The key technique of boot-sector viruses, installing memory hooks through the disk access path, remains effective in the long term. Analysis of the "Mordor" virus shows that it runs not only on x86 systems but also on x64 systems. In our incomplete testing, the affected systems were Windows XP and every operating system released after it so far, so the compatibility of boot-sector viruses is high. Moreover, because a boot-sector virus works by starting alongside the operating system, it can obtain the highest system privilege without being detected by anti-virus software, which makes its destructive power very large. The characteristics described above show that today's boot-sector viruses on Windows are only the beginning; they have vast room to develop, and will become more damaging and more covert.

Original link: http://www.rising.com.cn/newsletter/news/2011-07-21/9593.html
