The Hacker Diary

19 Dec 2010

TDL3: The Worst Best Rootkit Ever

Occasionally, I do computer repair.


I fixed that computer in 5 seconds flat.

At one point it was my primary source of income after I quit a job where I wasn't valued as an employee. (I am sure we've all been there once.) In my many years of doing computer repairs, I would occasionally run into that one piece of malware that would throw a wrench in the spokes and just make me stop dead in my tracks. Whether it was in awe of innovation or frustration in removal, there have been those few moments where I just had to step back and re-evaluate my troubleshooting methodology, adjust my dropped jaw or walk away before I made smash smash like bam-bam. The last time I had a moment like that happened when I had my first rootkit run-in 2 to 3 years ago. If you don't know what a rootkit is (are you living under a rock???) read here. It was a few years after Greg Hoglund's NT-based rootkit. It's cited as the first rootkit for NT systems but I believe otherwise, as there is always someone who beat you to innovation, if you want to call it that. You know, kind of like how Alexander Graham Bell and Tesla were gamed on for credit by Thomas Edison for various inventions, but I digress. The community evolved overnight and some of the more elitist computer repair community saw the rootkit as a mythical creature that just couldn't exist (whether by cognitive dissonance or otherwise) and went the route of the ostrich with its head in the sand until it couldn't be ignored anymore.

Then it happened. An arrogant Sony/BMG wrote some DRM software that caused quite a ruckus and shook things up while propelling the term "rootkit" into the media spotlight like so many Britney Spears head-shaving incidents: Sony included a rootkit on music CDs as a means to combat piracy, with much fail. The rootkit served to enable malware writers to cloak objects from Windows with little effort, and thus the class action lawsuits started rolling in like seaweed after a hurricane as a new era of malicious code got some traction.

Yesterday (virus removal was such an easy game to play)

Yesterday (well, this post has been drafted for a week or so, not quite yesterday anymore), I had the moment I spoke of above where I had to re-evaluate my methodology. I have seen some pretty ridiculous infections in my time but this one takes the cake as of December 14, 2010: the worst piece of malware I have ever had the displeasure of removing, though it deserves credit for innovation. The customer dropped the PC off on a Friday. Generally, with my experience I can fix almost any issue inside of 20 minutes to an hour depending on the PC's specs and infection severity. Mostly, the issues I see are of the spyware/malware/trojan series and are easy to remedy. This includes your occasional rootkit.


Troubleshooting

Generally when I am fixing computers I ask a line of questions to deduce how computer savvy the customer is and whether they know enough to get themselves in trouble, then ask about the symptoms. Based on their responses you can usually make an educated guess of what you are dealing with and what tools you will be focusing on to fix the PC. When I troubleshoot a system, the very first thing I do is boot the machine up and see how it behaves. Can I replicate the symptoms that the customer described? If I can, then I am on the right track. If not, then perhaps the problem is intermittent, the customer gave bad information, the problem is different than described, or a combination of all of the above.

As a rule of thumb, I NEVER EVER, I really mean NEVER EVER, use any removable writable media when working on a system. It is amateur, irresponsible and commonplace for many shoddy computer repairmen/repairwomen. Rather, I will burn CDs with my toolkit and the most up-to-date revisions. (Thanks be to scripting and wget.)

The troubleshooting work-flow is generally as follows (AND I DO MEAN VERY GENERAL):

  • Boot the machine normally. Observe. Can I replicate the symptoms? Disable System Restore. (If the account is password protected, back up the SAM and reset the password from the PE environment; restore it when finished fixing the machine.)
  • Google the symptoms for known issues but don't waste time on anything but exact string matches. (Works 20% of the time.)
  • Run ComboFix.
  • Boot the machine from a PE environment / Hiren's BootCD.
  • Mount the registry hive of the installed OS.
  • Run Autoruns to see what is on startup, its location, etc.
  • Google suspicious entries.
  • Disable suspicious entries that have no false-positive reports.
  • Disable all non-Microsoft startup items.
  • Scan the machine for viruses/malware with third-party utilities.
  • Boot the machine in safe mode with networking.
  • Run ComboFix again.
  • Run Autoruns (check startup entries), Process Explorer (check hooked DLLs) and TCPView (currently active connections) to monitor for strange activity.
  • Restart normally.
  • Run Autoruns, Process Explorer and TCPView to monitor for strange activity. Look for removed startup entries back on startup.
  • Clean up the PC, defrag and update all AV and Windows Updates after taking a System Restore snapshot.
  • Return to the customer.

This generally succeeds in fixing 98% of the issues that I run into with computers. When I tried to run procexp.exe it would instantly terminate. Hmmm.

Now, if it had run, I would have seen that the context switch delta on atapi.sys was awfully high because of TDL3, among other anomalies, but I am getting ahead of myself. I thought I might not have double-clicked it, so I click again twice and get an error that I don't have permissions to run this executable. Okay, probably a dirty malware DLL that has an MD5 of my utility and is blocking it accordingly. I run HxD and hex edit a section of plain text to alter the MD5 of the executable and rename it. Once again it appears to have started but quit. I attempt to run again and... can you guess the error message? Correct, I do not have permissions to run this executable.

For about 5 seconds I stopped and thought about what I might have missed.

I run cacls and change the permission on the utility to everyone. It runs once then the permission error occurs again.

From this I deduce that my phantom malware is observing what system DLLs are getting called by the utility, terminating the utility based on those calls and then changing permissions on the executable. This is getting to be a complete pain in the ass, whereas I normally would have been home free, and now it is apparent that I am dealing with something a little more "advanced" than my run-of-the-mill malware.

It's time to change tactics.

Knowing that there is a low likelihood that I will be able to run some of my more advanced utilities, I try anyway. I theorize that some of this more advanced activity is related to a rootkit, and I run GMER and Rootkit Unhooker.

And that is when I discover the name of the rootkit via Google: TDL3. After removing the associated driver and restoring order in the operating system there is one last surprise waiting for me.

GRLDR is missing or cannot be found.

Wouldn't you know it, the rootkit creates its own MBR that then bootstraps the OS. Only, it's much cooler and more technical than that.

You can find a full dissection of TDL3 here.

To fix the last part of this rootkit you need to restore the MBR. Run fixboot and fixmbr and you'll be home free.
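Since the fix comes down to putting back a bootstrap sector the rootkit replaced, the useful defensive check is to compare the first sector of a disk against a baseline taken while the machine was known clean. The following Python is an added example, not code from this post, and works on constructed 512-byte sectors rather than a live disk: it parses the MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the bootstrap code against a baseline, and sanity-checks the partition table. The bootstrap bytes and partition values are made-up sample data.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446          # bytes 0..445 hold the bootstrap code
TABLE_OFF = 446             # four 16-byte partition entries follow it
SIGNATURE = b"\x55\xaa"     # bytes 510..511
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode, partitions):
    """Assemble a 512-byte MBR from bootstrap bytes and up to four
    (status, type, lba_start, sector_count) tuples. Constructed sample data;
    the CHS fields are left zeroed because the checks below use the LBA fields."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + table + SIGNATURE


def parse_mbr(sector):
    """Split a raw sector into bootstrap hash, partition entries and signature flag."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFF + 16 * i)
        if ptype != 0:                      # type 0 means the slot is unused
            parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def check_mbr(sector, baseline_bootcode_sha256):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{p['status']:02x}")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("overlapping partition entries")
    return findings


# Constructed sample sectors: the bootstrap bytes are placeholders, not real boot code.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32
REPLACED_BOOTCODE = b"\xeb\x3c\x90" + b"\x00" * 36
PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)]
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]     # recorded while the machine was known clean
REPLACED_MBR = build_mbr(REPLACED_BOOTCODE, PARTITIONS)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE))
    print("replaced:", check_mbr(REPLACED_MBR, BASELINE))
```

On a real machine the sector would be read from the raw disk device (from a clean boot environment, as the workflow above already does) and the baseline hash stored off the box; a hash mismatch with an otherwise sane partition table is exactly the picture a replaced bootstrap sector leaves.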

9 Dec 2010

PHPIDS

Well, well.

It certainly has been a while since I've had any really meaningful posts. The truth is that I have been super busy working, studying or being lazy and playing Call of Duty: Black Ops. You know, "Tango sucka!!"

At any rate, I've neglected to post on my blog for quite some time so I figured why not post about what I am working on currently.

Mein Kampf ("My Struggle" for the uninitiated)

I run a phpbb3 bulletin board system (not going to mention it here) and one of the struggles I deal with is the unknown hacks that malicious people in the darkest corners of the internet use to create unapproved users in the board DB and post spam, steal email accounts to spam later or just be general jerks.

Actual screenshot from the phpbb3 administration console. Note that the joined date shows October 11th 2007, 12AM. Those users were created in the DB on June 4th 2010 at 9:00pm. Very sneaky, although amateur, as user pruning would have removed these accounts the next time it ran. The hack performed did not specify post counts and recent posts in the database, and as a result user pruning takes a look and says "Who hasn't posted in X amount of days?" then prunes everyone who hasn't. (Prune means deleting the accounts or deactivating them, depending on your forum's individual settings.)

The solution up to this point has been to ban APNIC, LACNIC and RIPE ranges via .htaccess and constantly update revisions of phpbb3. Basically, a determination is made like this:

"You're not from the United States? No entry for you."

This reduced the spam issues I was having drastically, in addition to not completely scaring me away from phpbb3 for insecurity. I also disabled new user requests since I personally know everyone on the board. This way it's invitation only, no exceptions. My concern however is with the other fraction of ruffians hammering away from their computers in the United States, or overseas kiddies proxying through US computers/botnets to do nefarious things. I see it every day in my profession as I monitor intrusion attempts and attacks on networks.

I asked myself the other day: if a guy whose profession is in the information security sector gets his WordPress hacked or his bulletin board system defaced, does that make him bad at his job? Do others look down on him?

The truth is that it happens. I've been fairly lucky thus far but the inevitability is that compromises can and will occur. The answer depends on whether or not there are known good backups, layered security and adherence to policy. What I mean by adherence to policy: no weak passwords, password cycling, log checking, etc.

For everything else, there is PHPIDS.


Enter PHPIDS

PHPIDS acts as a filter over input: it runs regular expressions over that input, flags suspicious tags, keywords, etc. and takes action according to your configuration. Using php.ini and its auto_prepend_file setting you can set up PHPIDS pretty quickly. The project has good support through the forums and a pretty loyal following, from the most hardcore security gurus to the average Joe.

Initially, false positives were a problem, but that was easily remedied by utilizing the whitelisting function and adding the post and PM message fields to it.

This is a really great tool for the developers out there who have security concerns and would like to do something about them. Even with "proper" sanitization of user-supplied input, you're adding an additional layer of security that will keep you aware of one-offs and steady attacks, as well as the newest attacks that might circumvent the common methodology.
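To make the filter-plus-whitelist idea concrete, here is an added example in Python that is not PHPIDS's own code and uses a small constructed rule set rather than the project's real filter list. It scores each request field against regexes with impact values, skips fields on an exception list (which is how the forum's post and PM message bodies stop producing false positives), and maps the summed impact to an action. The "SECTION.field" notation for exceptions is this example's own; consult the PHPIDS configuration for its exact syntax.

```python
import re

# Constructed rule set for illustration. PHPIDS itself ships a much larger
# filter list with its own regexes and impact values.
RULES = [
    (re.compile(r"<\s*script", re.I), 4, "script tag"),
    (re.compile(r"\bon\w+\s*=", re.I), 3, "inline event handler"),
    (re.compile(r"\bunion\b.+\bselect\b", re.I | re.S), 5, "SQL union"),
    (re.compile(r"['\"]\s*or\s+\S+\s*=\s*\S+", re.I), 4, "SQL tautology"),
    (re.compile(r"\.\./"), 3, "path traversal"),
]


def inspect_request(request, exceptions=()):
    """Score every field of a request against RULES, skipping whitelisted fields.

    request    : {"GET": {...}, "POST": {...}, "COOKIE": {...}} as the app sees it
    exceptions : field paths to skip, written "SECTION.field" (this example's notation)
    Returns (total_impact, [(field_path, rule_label), ...]).
    """
    total, hits = 0, []
    for section, fields in request.items():
        for name, value in fields.items():
            path = f"{section}.{name}"
            if path in exceptions:
                continue            # free-form text such as a post body: do not score it
            for pattern, impact, label in RULES:
                if pattern.search(str(value)):
                    total += impact
                    hits.append((path, label))
    return total, hits


def decide(total, log_at=3, block_at=8):
    """Map the summed impact to an action, the way a configuration threshold would."""
    if total >= block_at:
        return "block"
    if total >= log_at:
        return "log"
    return "allow"


# Constructed sample requests: a legitimate post that talks about HTML, and a
# request whose GET parameter carries an injection attempt.
FORUM_POST = {"POST": {"subject": "help", "message": "how do I escape <script> tags in a post?"}}
HOSTILE = {"GET": {"id": "1' OR 1=1 UNION SELECT user, pass FROM users"}, "COOKIE": {"sid": "abc"}}
WHITELIST = ("POST.message",)

if __name__ == "__main__":
    for label, req in (("forum post", FORUM_POST), ("hostile", HOSTILE)):
        total, hits = inspect_request(req, WHITELIST)
        print(f"{label}: impact={total} action={decide(total)} hits={hits}")
```

The forum post scores 4 without the whitelist (a member quoting a script tag looks like an attack) and 0 with it, while the hostile request still scores 9 and is blocked, because the whitelist is per field rather than global: message bodies are exempt, parameters such as the id are not.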

14 Jun 2009

A False Sense of Security: An Explanation Of Terms

UPDATE: If you came here looking for more information about UPX, NETCAT and PACKING executables, see the third part of my series on Defeating AV.

When posting the conclusion of my antivirus study, I glazed over some core concepts and definitions of terms I was using because I wanted to complete the post.

This post is for those of you whose heads were spinning in that post.

Executable
An executable is a program. A program is a collection or group of functions that accomplish specific tasks as designed. For instance, Internet Explorer is a program that allows you to browse the web.

Executable Compression (UPX for example)
Executable compression is similar to a self-extracting WinZip archive, except in terms of an application itself. Primarily, its use is to shrink file size.

EXE Packing
Packing is the process of taking an executable and making its code undecipherable but still executable by an operating system. This process can be done a few ways and is generally accomplished with the use of a third-party program such as ASPack, Armadillo or any other industry standard. These commercial packing programs are used by game developers, software engineers and other industry professionals to thwart hackers from cracking their applications and releasing them on P2P networks. Unfortunately, anything that can be done to an executable can be undone, as there is always a finite point of entry and people who are exceptionally good at reverse engineering.

Manually Packing Executable
Manually packing an executable is something more advanced. This is the process by which one develops a custom encryption routine and applies that routine to an executable (like we did in my previous post, following instructions from Google).

Morphine
Morphine is an aptly named executable developed to cloak nefarious applications from AV. In its heyday Morphine would trounce antivirus solutions with no problem. Its use coupled with UPX would leave the most common virus or trojan executable undetected by antivirus and, additionally, it still serves to this date to mask packed malware from antivirus solutions.

Batch Script
Batch scripting is built right into Windows. It allows for automation of operations a user would normally have to follow through with manually. In my previous post, I used a batch script to automate running NetCat through a UPX packer and then through Morphine. I specified the input and output path in variables at the top of our script, then prompted for the image base address from LordPE and set a variable from that input so Morphine could do its work on our executable.

LordPE
LordPE is yet something else I glazed over. LordPE is a tool for working with executables that allows for absolute control and easy execution of advanced operations, the sum of which is too complex and convoluted to describe in a single post. Perhaps some other day?

Tell me what you think?

12 Jun 2009

A False Sense of Security : AntiVirus Part III

Previously, we touched on the concept that AV is not infallible as you would be led to believe by advertisers. This post is the continuation of that study.

PART III

continued from here

To begin, I decided to compress NetCat with UPX. The syntax and flags used were as follows:


"upx C:\NetCat\nc.exe --best --ultra-brute --compress-icons=3 --strip-relocs=1"

Now that it has been compressed, let's take a look at the virgin executable's VirusTotal scan first to find out which AVs detected it.

From the results, we see that these 21 different antivirus solutions were the only ones to detect our UNPACKED executable. Technically, NetCat is not a virus or malware but the potential for it to be used as such exists; as a result it should be flagged by all, with detection being optional in their configurations.

Now that it's been packed, I decided to see if our simple one-time packing of the executable would be sufficient to hide from any of our antivirus solutions, so I uploaded it to VirusTotal expecting to have 21 total detections once more.

I was wrong.

Out of our list of AVs, only 15 detected NetCat as it was before, and 1 just flagged that it was packed, not even detecting the real threat.

But we're not done yet, are we? Dig in, it's only going to get messier from here.

I decided to write a batch file that would process the executable sequentially through UPX compression and something I haven't touched on until right now called "Morphine".


The actual code for the batch was:

@ECHO OFF
REM Variables
REM ************************
SET INPUT=C:\HackTools\NetCat\nc.exe
SET OUTPUT=C:\Users\Admin\Desktop\nc.exe

@echo.
@echo ******************************************
@echo * Compressing Executable with UPX *
@echo ******************************************
@echo.

C:\HackTools\Packers\upx\upx --best --ultra-brute --compress-icons=3 --strip-relocs=1 %INPUT% -o %OUTPUT%

@echo.
@echo ******************************************
@echo *** Opening LordPE to Obtain Imagebase ***
@echo ******************************************
@echo.

REM The first quoted argument to START is the window title, not a program to run.
start "LordPE" "C:\HackTools\exetools\LordPE\LordPE.exe"

@ECHO Path of executable is %OUTPUT%
@echo.
@echo.
@echo.

:imagebase
set IMAGEBASE=
set /P IMAGEBASE=Type input: %=%
REM Re-prompt until a value is entered.
if "%IMAGEBASE%"=="" goto imagebase
echo Your input was: %IMAGEBASE%

PAUSE

@echo.
@echo.
@echo.
@echo ******************************************
@echo * Morphine is crypting the executable *
@echo ******************************************
@echo.
@echo.
@echo.

C:\HackTools\Packers\Morphine\morphine.exe -b:%IMAGEBASE% -o:%OUTPUT% %OUTPUT%

PAUSE

Morphine, which has been around for quite some time in underground blackhat hacker circles, is used to make executables "KAV undetectable". I downloaded a dated version of Morphine in hopes that a 2004 release of the tool would have been reverse engineered by AV companies and easily unpacked to reveal the executable being masked. KAV (which is short for Kaspersky Antivirus) is apparently used as the benchmark of detection when it comes to masking malware by the underground of virus and remote access trojan writers. Floating in IRC (Internet Relay Chat) chatrooms and researching for this post in Google, I find numerous posts referencing Kaspersky as the antivirus to beat, and as such my expectations of its performance are naturally higher than that of the others.

It was time to process our executable.

As you can see from the video above, I run our batch script which compresses our executable then packs our executable with Morphine. Then I upload it to Virus Total and take a look at the results.


As you can see, the majority of antivirus solutions are only detecting that the file has been packed and some even identify the packer. Few detect the true identity of our executable, which is NetCat.

This is a double edged sword.

On one hand we are being flagged, which is good, but on the other hand if we cannot identify the true identity of an executable and are subverted by packing, then we may be subject to its true intentions. Additionally, we have false positives of different viruses by some AVs.

We have seen that Morphine is for the most part detected now and unfortunately only a handful of antivirus solutions even identify our masked executable as NetCat. But we must keep in mind we did not have a 100% detection ratio and additionally we used a tool that was dated. To me it is unacceptable for any antivirus to not detect Morphine after this much elapsed time. Just think to yourself, what happens when we use the most current releases?

Since I am not part of the underground group of people who specialize in these activities, I frankly don't know where to go to get the latest release. I am sure with some crafty googling I could find it but I don't need to at this point. If a tool that is 5-6 years old can still mask an executable, it's not a stretch to assume the most current release slips under the radar as well, which brings me to the last and final stage in this demonstration.

From the research I had done, I found that many virus and trojan writers wrote their OWN packing/encrypting routines to mask their malware leaving Morphine out of the equation altogether. This is a HUGE problem for AV and you. If your AV doesn't have a signature to compare with there will be no detection.

Packing It Myself

I decided to finish this post by attempting to pack an executable myself based on information gleaned from google and google I did. I searched google with this search string "exe packing" and clicked the first result with skepticism.

In 30 seconds or less, I had enough information from google to not only write my own encrypting routine but mask NetCat from 31 out of 39 AntiVirus solutions!!!!!!!!!

Following the instructions from google result http://davidiorg.blogspot.com/2008/06/exe-packing-hard-way.html, I was able to evade 31 out of 39 antivirus solutions.

NOTE: David has a pretty clear explanation on his site that someone who has intermediate knowledge of the topic could easily understand and execute.

The results of packing netcat are chilling.


As you can see, with little effort and google, I was able to successfully bypass all but 8 AntiVirus solutions. Few of those solutions which were mainstream and advertised even had a detection let alone identified NetCat.

Conclusion and Q & A

When I started this post, I decidedly set out to expose that which I already knew to be true. I didn't expect, however, that a Google search would give me enough information to pack NetCat and evade that many AV solutions with little know-how or effort, especially since the information was posted in 2008. Antivirus solutions need to reinvent the wheel and get with the times if they are to survive in the wild wild west ages of the internet.

What antivirus is the best for me to use?

In my opinion there are a couple of different solutions available that I would recommend. I personally use AntiVir XP, which is free for non-commercial use. Kaspersky, from what I have seen researching hacking forums, shows the highest level of visibility in that it's very good at thwarting coders, which is why it appears to be the standard to beat. However, the results of manually packing the executable did not look favorable for Kaspersky, so I really don't know what to think about KAV. Additionally, KAV may have intentionally not detected NetCat, as NetCat can be used for good or bad. Sophos also appears to have high visibility and NOD32 is allegedly the best heuristic scanner available; however, NOD32 failed to catch NetCat... Intentional?

My company uses XXX Anti Virus and we've never had any issues. How is your "study" relevant?

Rootkits. The idea that if you're not showing symptoms you can't be infected is a fallacy that many believe. Blackhat hackers aren't your average novice banging away at their keyboard at 2:30 in the morning; rather, they silently continue to monitor and steal information without you ever knowing any different. This is more dangerous than a conventional threat because a virus or trojan will rear its ugly head eventually and you will take the necessary precautions to protect your credit/identity/credentials/etc. A rootkit is similar to a trojan except it's a completely silent killer that modifies its host operating system. It does this in such a manner that it's exceptionally hard to find or detect, and often the best policy is to completely wipe the system.

What else can I do to protect myself?

Read. Read as much as you can about how viruses and malware work. Become familiar with common methods and common viruses. Monitor or subscribe to hacker publications.

I didn't understand some of the terms you used.

Go here -> A Glossary of Terms!



Tell me what you think of my results.

11 Jun 2009

A False Sense of Security : AntiVirus Part II

Previously, we touched on the concept that AV is not infallible as you would be led to believe by advertisers. This post is the continuation of that study.

What better way to test AV than to use a well-known "hacker" tool, NetCat, for our test?

To begin, I needed a baseline to work from. Using Virus Total I scanned the binary and took note of the results. You can view the page here.


NetCat is a tool that has had its code ported across multiple platforms. NetCat is dubbed "The Network Swiss Army Knife" and it lives up to its reputation and then some. If you need more information about NetCat, go here. For this purpose, however, all you need to know is that it is detected by at least half the antivirus solutions that are cataloged at VirusTotal because of its classification as a hacker tool, and this AV listing is by no means a complete list, rather the most popular / visible / etc.

To test our list of AVs, I thought it would be interesting to upload Solitaire (SOL.EXE), which is bundled with Windows, renamed as "netcat.exe" and "nc.exe".
Before doing this, however, I needed to alter the MD5 checksum of the executable so that it would do a fresh scan of the binary instead of loading the results based on an MD5 match of another user's upload.

Using MD5Generator.info, I determined our virgin executable's MD5 to be:
SOL.EXE - MD5 4b27277692bbbfa196e9b3013000781e

Then, using a hex editor, I changed it, as you can see in the screenshot below.



Then I checked for a new MD5.

File Upload: sol.exe

SOL.EXE - MD5 4b27277692bbbfa196e9b3013000781e - Original MD5

SOL.EXE - MD5 d8be1ecd116115decb64c318339bcbfe - New MD5


After uploading the executable, there was no detection, so it's safe to say there is no file-name-based detection, which is a good sign because that would in my eyes completely discredit that AV product.

Switching gears, it was time to make NetCat invisible. In order to accomplish this, we must take the mindset of a nefarious individual. We need to use a packer or two, so I downloaded the open source executable packer UPX to start with, for two reasons. Firstly, it is open source so it is free, and secondly it supports an unpacking routine to undo those packing actions on an executable. This is relevant because a good antivirus should support unpacking a known trivial packer such as UPX. For context, a packer is legitimately used to compress an executable's file size. Unfortunately it can essentially mask an executable's true identity.
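The hex-editor MD5 change above and the packing results in Part III both turn on the same weakness: a signature keyed on a whole-file hash is invalidated by any one-byte change, while the structural traces a packer leaves in the PE header are not. The following Python, an added example rather than code from this blog, builds two constructed minimal PE images (header-only stand-ins, not loadable executables), shows the whole-file hash check failing after a single padding byte is edited, and then walks the section table for the kind of evidence a scanner needs in addition to hashes: well-known packer section names and near-random section contents measured by Shannon entropy. The entropy threshold and the sample section contents are this example's own assumptions; UPX0/UPX1 are UPX's documented section names.

```python
import hashlib
import math
import random
import struct
from collections import Counter

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}
SECTION_FMT = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Return a minimal PE image with the given (name, raw_bytes) sections.
    Constructed sample: only the header fields sections_of() reads are meaningful,
    so the result is not a runnable executable."""
    n, opt_size = len(sections), 224
    raw_off = (0x40 + 24 + opt_size + 40 * n + 0x1FF) & ~0x1FF      # first section on a 512-byte boundary
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)              # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\x00" * (opt_size - 2)                      # PE32 magic, rest zero
    table, body, va, off = b"", b"", 0x1000, raw_off
    for name, data in sections:
        size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\x00"),
                             len(data), va, size, off, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(size, b"\x00")
        va += max(size, 0x1000)
        off += size
    return (dos + coff + opt + table).ljust(raw_off, b"\x00") + body


def entropy(data):
    """Shannon entropy in bits per byte (0 for empty data, close to 8 for noise)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sections_of(pe):
    """Walk the section table and return [(name, entropy_of_raw_data), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    result = []
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)[:5]
        result.append((name.rstrip(b"\x00").decode("ascii", "replace"),
                       entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result


def hash_signature_hit(pe, known_md5s):
    """The whole-file hash lookup that a one-byte edit defeats."""
    return hashlib.md5(pe).hexdigest() in known_md5s


def packing_indicators(pe, threshold=7.0):
    """Structural checks that survive trivial edits: packer section names and
    near-random section contents. The threshold is an assumed cut-off."""
    reasons = []
    for name, h in sections_of(pe):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {name}")
        if h > threshold:
            reasons.append(f"high entropy {h:.2f} in {name}")
    return reasons


def flip_last_byte(pe):
    """Change one byte of trailing padding, the hex-editor edit described in the text."""
    return pe[:-1] + bytes([pe[-1] ^ 0xFF])


# Constructed samples: repetitive "code" for a plain build, seeded noise for a packed one.
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 512
_rng = random.Random(1)
NOISE = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_PE = build_pe([(".text", PLAIN_CODE), (".data", b"hello world " * 100)])
PACKED_PE = build_pe([("UPX0", b""), ("UPX1", NOISE)])
KNOWN_MD5S = {hashlib.md5(PLAIN_PE).hexdigest()}     # the "signature database" for this demo

if __name__ == "__main__":
    for label, pe in (("plain", PLAIN_PE), ("edited", flip_last_byte(PLAIN_PE)), ("packed", PACKED_PE)):
        print(label, hash_signature_hit(pe, KNOWN_MD5S), packing_indicators(pe))
```

The edited file misses the hash lookup while its section report is unchanged, and the packed file is flagged on both name and entropy even though no hash of it is known. Neither indicator identifies what was packed, which is why the text's point stands: a product that cannot unpack a trivial packer such as UPX can at best report "packed", not "NetCat".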

In A False Sense of Security : AntiVirus Part III, I will conclude the series with video and screenshots of my results. Because of the comprehensive amount of information, I decided to split this series into three separate parts saving the biggest for last.

You may not expect the results.

Stay tuned and while you're at it, tell me what you think.