Forensic analysis plays a crucial role in cybercrime group investigation, as it allows investigators to obtain such information as bot configuration data, C&C URLs, payload, stolen data and so on. Some of the modern malware falling into the class of complex threats employs various tricks to resist forensics and conceal its presence on the infected system. This paper will present technical and in-depth analysis of the most widely used anti-forensic technique, the implementation of hidden encrypted storage, as used by complex threats currently in the wild:
Win64/Olmarik (TDL4)
Win64/Olmasco (MaxSS)
Win64/Rovnix/Carberp
Win64/Sirefef (ZeroAccess)
Win32/Hodprot
These complex threats use hidden encrypted storage areas to conceal their data and avoid relying on the file system maintained by the operating system. In the presentation the authors will focus on the details of hidden storage implementation as well as the ways in which it is maintained within the system by various kinds of malware. The analysis begins with the initialization procedure and the mechanisms behind it. It is shown which system mechanisms are used to store and retrieve data from the hidden container and the degree to which the malware depends on them. Close attention is paid to the self-defence mechanisms employed by the malware in order to conceal the content kept in its hidden storage areas and protect those contents against modification by the system or by security software. Also a detailed description of the hidden file system is presented for each threat considered, as well as a comparison of its features to the other threats analysed here.
To conclude, an approach is presented on the retrieval of data from hidden storage. We will discuss the steps that should be taken to defeat self-defence mechanisms, locate hidden storage on the hard drive and read plain data.
7. One of the most frequently used droppers in 2011 for delivering
banking trojans in Russia: Carberp, Sheldor, RDPdoor.
Relies on system registry to keep its modules and payload
HKLMSOFTWARESettings
Win32/Hodprot
Loader Code Main Module C&C URLs
ErrorControl CoreSettings HashSeed
8. One of the most frequently used droppers in 2011 for delivering
banking trojans in Russia: Carberp, Sheldor, RDPdoor.
Relies on system registry to keep its modules and payload
HKLMSOFTWARESettings
Win32/Hodprot
Loader Code Main Module C&C URLs
ErrorControl CoreSettings HashSeed
9. Winlogon Address Browser Address
Space Space
Setupapi.dll
Assemble Payload
Inject Payload
Update
Payload
sfcfiles.dll Payload
System Registry
User-mode
Kernel-mode
Inject Payload
Install & Load Assemble Payload
Driver
sfc.sys
10. Configuration data are stored in a resource of the Flame main module
Configuration data are encrypted with custom algorithm and
compressed with DEFLATE algorithm
Block Data
BYTE Length Data
1 Byte 4 Byte Data Length Bytes
Block Data Offset of the
block with
Offset of the
next item
Unicode string
(name of the item)
BYTE Length item data block
1 Byte 4 Byte Data Length Bytes
11. Configuration data are stored in a resource of the Flame main module
Configuration data are encrypted with custom algorithm and
compressed with DEFLATE algorithm
Block Data
BYTE Length Data
1 Byte 4 Byte Data Length Bytes
Block Data Offset of the
block with
Offset of the
next item
Unicode string
(name of the item)
BYTE Length item data block
1 Byte 4 Byte Data Length Bytes
12.
13. Applications Malware payload
user-mode address space
kernel-mode address space
Malicious kernel-mode driver
File system interface
OS file system driver
Physical storage interface
OS storage device driver stack
Hidden FS
Hard drive area
16. First widely spread bootkit targeting Microsoft Windows x64 platform
Infects MBR of the bootable hard drive to receive control before OS
Abuses Windows PE (Preinstallation Environment) boot mode to
disable kernel-mode code signing policy
Keeps payload in the hidden file system
Hijacks pointer to the driver object of the lowest device object in
storage device stack
17. One One
Variable length Not more than 8 Mb
sector sector
Infected MBR
Disk partitions TDL4 Hidden FS
Growth direction
typedef struct _TDL4_FS_ROOT_DIRECTORY typedef struct _TDL4_FS_FILE_ENTRY
{
{
// File name - null terminated string
// Signature of the block char FileName[16];
WORD Signature; // Offset from beginning of the file system to file
// Set to zero DWORD FileBlockOffset;
DWORD Reserved; // Reserved
DWORD dwFileSize;
// Array of entries corresponding to files in FS
// Time and Date of file creation
TDL4_FS_FILE_ENTRY FileTable[15]; FILETIME CreateTime;
}TDL4_FS_ROOT_DIRECTORY, *PTDL4_FS_ROOT_DIRECTORY; }TDL4_FS_FILE_ENTRY, *PTDL4_FS_FILE_ENTRY;
19. MBR Code MBR Code
Partition Table Entry #1 Partition Table Entry #1
Partition Table Entry #2 Partition Table Entry #2
Employs the same approach for Partition Table Entry #3
Partition Table Entry #4
Partition Table Entry #3
Partition Table Entry #4
disabling kernel-mode signing policy MBR Data MBR Data
Bootmgr Partition Bootmgr Partition
as TDL4 bootkit
OS Partition OS Partition
Modifies partition table of the
Unpartitioned Space Olmasco Partition
bootable hard drive to create
malicious partition and mark it active Before Infecting After Infecting
Empty Partition Entry Active Partition Entry Existing Partition Entry
20. MBR Code MBR Code
Partition Table Entry #1 Partition Table Entry #1
Partition Table Entry #2 Partition Table Entry #2
Employs the same approach for Partition Table Entry #3
Partition Table Entry #4
Partition Table Entry #3
Partition Table Entry #4
disabling kernel-mode signing policy MBR Data MBR Data
Bootmgr Partition Bootmgr Partition
as TDL4 bootkit
OS Partition OS Partition
Modifies partition table of the
Unpartitioned Space Olmasco Partition
bootable hard drive to create
malicious partition and mark it active Before Infecting After Infecting
Empty Partition Entry Active Partition Entry Existing Partition Entry
21. typedef struct _OLMASCO_FS_ROOT_DIRECTORY typedef struct _OLMASCO_FS_FILE_ENTRY
{ {
// Signature of the block // File name - null terminated string
// DC - root directory char FileName[16];
DWORD Signature; // Offset from beginning of the file system to file
// Set to zero DWORD OffsetInClusters;
DWORD Reserved1; // Size of the file in clusters
// Set to zero DWORD SizeInClusters;
DWORD Reserved2; // Size of the file in bytes
// Set to zero DWORD SizeInBytes;
DWORD Reserved3; // Checksum
// Size of the file system cluster DWORD Crc32;
DWORD ClusterSize; }OLMASCO_FS_FILE_ENTRY, *POLMASCO_FS_FILE_ENTRY;
// Size of file table in clusters
DWORD SizeOfSysTableInClusters;
// Size of file table in bytes
DWORD SizeOfSysTableInBytes;
// Checksum of file table
DWORD SysTableCRC32;
// Array of entries corresponding to files in FS
OLMASCO_FS_FILE_ENTRY FileTable[];
}OLMASCO_FS_ROOT_DIRECTORY, *POLMASCO_FS_ROOT_DIRECTORY;
22. Mounts a file containing payload & configuration data
as NTFS volume with transparent encryption
VS.
Keeps payload & configuration data encrypted in
“C:windows$NtUninstallKB35373$” directory
23. ZeroAccess NTFS
Driver Object Driver Object
Hidden Volume Name
ZeroAccess Related Device
Volume Device Object
DriverObject DriverObject
... ...
File with data File Object
24. First known bootkit which infects VBR (Volume Boot Record) with
polymorphic malicious bootstrap code
It utilizes debugging facilities of the hardware (debugging registers) to
persists among processor execution mode switching and set up hooks
Rovnix bootkit employs modification of FAT16 for hidden partition
Rovnix bootkit was used in Carberp banking trojan
25. •
MBR VBR Bootstrap Code File System Data
Before Infecting
Compressed After Infecting
Data
Malicious
Malicious Bootstrap Hidden
MBR VBR File System Data Unsigned
Code Code Partition
Driver
NTFS bootstrap code
(15 sectors)
26. Employs advanced bootkit techniques to load unsigned malicious
kernel-mode driver on 64-bit version of Windows OS
Combines bootkit techniques present in Olmarik (TDL4) & Rovnix
Bypasses PatchGuard by means of modifying kernel before integrity
enforcement service is started
Goblin hidden implements hidden file system in a similar way to
Olmarik (TDL4)