
Internet - Open heart surgery: The TDL4 rootkit, the most technically sophisticated malware in existence.


anuseems
FYKI

It's one of those rare Saturday afternoons when the sun is actually shining. I'm just wondering how much meat to buy for the barbecue when my mobile rings. It's Hans – he nervously confesses to me that he thinks he's caught himself a virus.

As I innocently enquire how that might have happened, my normally supremely confident mechanical engineering student friend breaks into a stutter, "Well, the thing is, I, well yesterday I bought a new computer, with Microsoft Office pre-installed. But it was only a 30 day test version, and I don't have the money for the full version. So I thought…" I finish his sentence for him, "I thought I'd just download a hacked version and save myself a bit of cash. And now strange things have started happening. Right?"

"Yeah, exactly, how did you know that?" asks Hans. "Because there's one born every minute", I think to myself. "Because you're not the first person to call me up with this kind of problem", I tell him.

I draw out from him the full chain of events. "After launching what was supposed to be a hacked Office version, as if by magic the executable vanished from my desktop. Other than that, nothing happened, or at least nothing I could see. But since then, my router has been signalling almost constant internet traffic, even though no applications which should be generating traffic are running. After restarting, everything looked OK for a little while, but then the router LEDs started blinking away again." Since I owe him one, I jump on my bike and head on over to Hans' place.

A quick look at the system and I already have a hunch that I'm not going to find anything superficial, and will need to drill down deeper. It's too bad that I've left my memory dump analysis system in the office. So I'm going to have to analyse the computer directly. Local kernel debugging – it's like open heart surgery.

The phrase "No risk, no fun!" runs through my brain while I roll my metaphorical sleeves up. Less metaphorically, I install Microsoft's Debugging Tools for Windows from my write-protected USB flash drive – principally for its excellent WinDbg debugger. It requires .NET, but that's already installed.

Normally the debugger would be run on a separate analysis system and would control the computer running the code we want to analyse via a serial cable or FireWire. In the absence of a second computer, I'm going to have to debug locally. But then what are tools like Mark Russinovich's LiveKd for? I sling it into the WinDbg installation directory and also copy Moonsols' useful callbacks.wdbg script for WinDbg into the scripts\ subdirectory.

We're ready to roll. I launch LiveKd with the argument -w, which calls WinDbg. LiveKd starts by asking me whether I want to download the current file symbols from the Microsoft Symbol Server at http://msdl.microsoft.com/download/symbols. You bet I do – this is what tells the debugger the addresses for all of the Windows functions and data structures. Since this varies between Windows versions, languages, service packs and even individual updates, the right symbols for the particular system are always required.

Firstly, I'd like to find out whether the malware has embedded itself within the system and, if it has, how deep it's embedded. This is where callbacks.wdbg can help me. Various events can cause the Windows kernel to activate callback handlers. Creating a new process, for example, triggers an event which you can register with the kernel as PspCreateProcessNotifyRoutine.

Pretty much every sophisticated kernel mode rootkit I've come across over the last few years uses one of these options to hook itself into process launches. This allows it to deactivate security software on loading, or to inject user mode components into trusted Windows processes such as svchost, winlogon and services.exe.

So I launch the callback script from the kernel debugger prompt. It runs through the events in sequence and lists all of the handlers registered for these events:

kd> $$>

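The step an analyst takes after the callback listing above is to resolve each registered handler address against the loaded kernel modules and flag any handler that no module accounts for. The following Python is an added example written for this page, not code from the article or from callbacks.wdbg; the module list and callback listing it parses are constructed samples in a simplified, hypothetical format (real `lm` and callbacks.wdbg output carry more columns), and every address and driver name in them is made up.

```python
"""Triage a kernel callback listing: flag handlers whose address lies outside
every loaded module, i.e. in memory the kernel attributes to no driver."""
import re
from typing import NamedTuple, Optional


class Module(NamedTuple):
    name: str
    start: int
    end: int


# Constructed sample in the style of WinDbg's `lm` output: start end module.
# Addresses and module names are invented for this example.
LM_OUTPUT = """\
fffff800`02a0c000 fffff800`02ff0000   nt
fffff880`00c5a000 fffff880`00c8e000   CI
fffff880`0109e000 fffff880`0110b000   avdriver
"""

# Constructed callback listing (hypothetical simplified format, not the real
# callbacks.wdbg output): event name, handler address.
CALLBACK_OUTPUT = """\
PspCreateProcessNotifyRoutine  fffff880`010a4c10
PspCreateProcessNotifyRoutine  fffff880`04d2e000
PspLoadImageNotifyRoutine      fffff800`02a4c0b0
"""

ADDR = re.compile(r"([0-9a-f]{8})`([0-9a-f]{8})")


def parse_addr(text: str) -> int:
    """Turn a WinDbg-style hi`lo 64-bit address into an int."""
    hi, lo = ADDR.fullmatch(text).groups()
    return int(hi + lo, 16)


def parse_modules(lm_text: str) -> list:
    mods = []
    for line in lm_text.splitlines():
        start, end, name = line.split()
        mods.append(Module(name, parse_addr(start), parse_addr(end)))
    return mods


def resolve(addr: int, modules: list) -> Optional[str]:
    """Name of the module whose image range contains addr, or None."""
    for m in modules:
        if m.start <= addr < m.end:
            return m.name
    return None


def triage(callback_text: str, lm_text: str) -> list:
    """Return (event, address, owning module or None) for each handler."""
    modules = parse_modules(lm_text)
    findings = []
    for line in callback_text.splitlines():
        event, addr_text = line.split()
        addr = parse_addr(addr_text)
        findings.append((event, addr, resolve(addr, modules)))
    return findings


def suspicious(findings: list) -> list:
    """Handlers no loaded module accounts for: the typical rootkit hook."""
    return [f for f in findings if f[2] is None]
```

Handlers that do resolve to a module still deserve a look if that module is unfamiliar, but the unbacked ones are where the analysis starts.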