From Green Corps
The start of the BootKit age
If I asked you what a Rootkit is, you could probably answer with ease. If I asked you what BootRoot is, you might have to think about it. And what is Vbootkit? Have you ever said, "I have never heard of that"?
1. Rootkit
I will not go into it here. The following is taken from Baidu Encyclopedia:
"Many people have the misconception that a rootkit is a tool for obtaining root access to a system. In fact, a rootkit is a tool attackers use to hide their traces and retain root access. Generally, attackers obtain root access through a remote attack, or gain system access by guessing or brute-forcing passwords. After entering the system, if they have not yet obtained root, they can obtain it through some security vulnerability. Then the attacker installs the rootkit on the compromised host, and will often use the rootkit backdoor to check whether other users have logged on to the system, and begins to clean up the relevant information in the logs. Having obtained the usernames and passwords of other systems through the rootkit sniffer, attackers can use this information to access those other systems."
2. BootRoot
Inserting third-party code into the Windows kernel startup path, before the kernel itself takes control, is what is called "BootRoot". The foreign organization eEye pioneered this new rootkit startup technique and gave it, and its derivatives, the name "BootKit", that is, "Boot Rootkit".
Since then, the BootKit era has started.
3. How does Mebroot infect and operate MBR?
Mebroot starts before Windows and then inserts its driver code into the kernel for execution, bypassing detection that relies on the registry hives. At the same time, the low-level technique it uses blinded most anti-rootkit tools, because it left no startup entry in the system, so detection tools naturally failed to find it. It then injects a DLL into a user process to open a backdoor on the system and download Trojans to run. Against this unconventional penetration approach, anti-rootkit tools could not eradicate it.
In every version of Windows, the objects restricted by "user permissions" are limited to registry reads/writes, file reads/writes and certain operations. But whether for ordinary user permissions or higher ones, Windows does not check or block raw disk read/write operations, which is either ironic or a vulnerability. For example, if a program running under a restricted account needs to read a file whose permissions grant read/write access only to the Administrator, the system should ideally block it. In fact, as long as the program sends its read/write request directly to the low-level disk interface, Windows lets it through without difficulty.
Of course, this kind of operation involves low-level knowledge, machine language and algorithms, and few people write that much functional code for low-level operations. But reading and writing the MBR at track 0, cylinder 0, sector 1 is a technical task that requires little computation, because any code doing low-level disk operations simply opens the "\\.\PHYSICALDRIVE0" device and sets the read/write pointer to 0. From there, the next 512 bytes are the MBR, the first sector on which everything else depends!
Back in the day, the notorious "Jiangmin disk logic bomb" used just a few simple instructions to fill the MBR with junk data, causing countless "disk damage" faults (the BIOS displays an error when it jumps to the drive because the Master Boot Record is damaged, and a damaged partition table leads to the loss of the disk's partition data). So earlier MBR virus authors had to preserve the original MBR, unless they intended from the start to destroy other people's data.
4. Mebroot detection and removal
The key to removing Mebroot is breaking through its rootkit protection. Currently, newer versions of RKU, GMER and other rootkit analysis tools can detect its presence, and some anti-virus products, such as Symantec's Norton, can also detect and remove it. Because Mebroot has tampered with the MBR, an anti-virus product must restore the original MBR to avoid yet another "disk damage" fault. For ordinary users, the simplest way is to boot from a system disk and run the fixmbr tool in the command console (the Recovery Console) to repair the MBR, on the condition that the system is not booted from the infected hard disk.
Once the MBR is normal again, Mebroot and the derivatives it launches from the MBR naturally die.
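As an added illustration of the sector layout described in section 3 and the integrity check that detection in section 4 relies on (example code written for this page, not from the original article or any tool it names): the function below parses a 512-byte MBR image, checks the 0x55AA boot signature, decodes the four partition-table entries at offset 446, and compares a SHA-256 of the bootstrap code (bytes 0-445) against a known-good baseline. The MBR images are constructed inline so the check runs offline; on a live Windows host the same 512 bytes would be read from \\.\PHYSICALDRIVE0 at offset 0, which needs administrator rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446        # bootstrap code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap-code hash, partition table and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:                                  # type 0 means an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }

def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing: sector damaged or overwritten")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline: possible MBR bootkit")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition: BIOS will fail to boot")
    return findings

def build_sample_mbr(code_fill: int) -> bytes:
    """Constructed sample MBR (not a real boot sector): filler code, one NTFS partition, signature."""
    code = bytes([code_fill]) * PARTITION_TABLE_OFFSET
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 20_000_000)  # active NTFS partition at LBA 63
    table = entry + b"\x00" * 48                                    # three unused slots
    return code + table + BOOT_SIGNATURE

CLEAN_MBR = build_sample_mbr(0x90)        # constructed "known-good" image taken at install time
BASELINE = parse_mbr(CLEAN_MBR)["code_sha256"]
TAMPERED_MBR = build_sample_mbr(0xCC)     # same partition table, different bootstrap code

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The same baseline-hash comparison applies to the NTLDR file discussed in section 6, since both attacks replace trusted boot code with modified code while leaving the partition table intact.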
If someone asks what happens when fixmbr alone is used to destroy Mebroot: at that point, because Mebroot can no longer load itself, it naturally cannot carry out the malicious tasks handed to it by its controllers, and what remains on disk is just an inert virus sample.
5. Mebroot's kin
Viruses come in many forms, so naturally there is more than one kind of Bootkit. The MBR-based Bootkit is only the younger brother; its elder brother uses the BootLoader to mount numerous attacks.
A look at Windows startup:
The "BootLoader" is the necessary path to starting the system kernel. After the BIOS self-test completes, control is handed to the MBR; the MBR loads the OBR (OS Boot Record, located at cylinder 0, track 1, sector 1, which evolved from the DOS boot program, the DBR); the DBR then loads the BootLoader, which finally begins loading the operating system.
For NT-architecture systems, the BootLoader is implemented by a file called NTLDR.
By the time you see the Windows startup screen, NTLDR has finished its work.
Because NTLDR sits so close to the kernel, it naturally became a target, especially after the BootKit concept was proposed and implemented.
When NTLDR is loaded into memory by the OBR and executed, its startup.com portion runs first. This handles hardware environment initialization but is not a precondition for booting the kernel. When osloader.exe takes control, the system boot enters the second stage:
Important environment parameters such as the memory subsystem, page tables, IDT (Interrupt Descriptor Table) and GDT (Global Descriptor Table) are initialized. Then boot.ini is read to determine the disk partition and directory of the system kernel, and based on the device configuration information returned by NTDETECT.COM, further initialization is performed: the kernel file name, driver directory and other basic environment variables are obtained, and memory and the basic drivers are loaded. Finally, NTLDR completes its mission by handing control to the kernel.
6. BootKit debut
Since NTLDR is effectively as powerful as the kernel, the BootKit naturally favors NTLDR.
The Bootkit modifies the osloader.exe section of NTLDR so that it injects its own driver module during kernel startup; the modification itself can be made quietly to this sensitive Windows system file. While you are absorbed in surfing the Internet, nothing rejects or raises an alarm when a program reads, writes, deletes or modifies the NTLDR file.
The tampered NTLDR file carries the BootKit's hook code within the system startup process. This code runs automatically when the kernel is loaded into memory, and then, while the initialization module is waiting to load drivers, adds its own driver so that the initial RootKit is mounted.
The good news is that recovering from this kind of BootKit is simpler than for the MBR Bootkit: you only need to copy an original NTLDR from another computer with the same system environment and overwrite the tampered file.
In cyber attacks that lie in ambush, ordinary people can only be caught like fish, or even be left entirely in the dark. If you do not want to perish in silence, you can only quietly install and use all kinds of anti-virus software and HIPS to defend yourself, and learn the necessary security knowledge.
Note: This article is not original, but merely a compilation of public material. Since I am unlettered, it is hard to follow in the footsteps of the experts, so I can only offer it for reference.
A. What is rootkit?
http://baike.baidu.com/view/350343.htm
B. The principle and implementation of a BOOTKIT based on NTLDR: http://www.bkjia.com/Article/200811/30256.html
C. Advanced Bootkit: Tophet.
http://tieba.baidu.com/f?kz=541413937