McAfee Labs Report Explains Dangers of Rootkits Bypassing Windows Kernel Security

Today McAfee Labs published a report on how malware can operate at the kernel level and bypass Microsoft’s security for 64-bit Windows systems. “Defeating PatchGuard: Bypassing Kernel Security Patch Protection in Microsoft Windows” explains the danger of positioning operating system security at the kernel level.

Now for a little background: The evolution of malware has posed two major problems for security developers. One is the use of polymorphic and packing techniques that make it difficult for security researchers to write signatures. The second is tampering with internal OS data structures, kernel modules, and kernel memory to hide the presence of malware on a system; this is rootkit behavior.

Rootkits are not new, but in recent years we have seen malware patching kernel data structures at numerous places to hide its presence. Windows, the most prevalent OS in homes and offices, cannot protect the kernel from legitimate third-party device drivers because they are loaded in kernel memory space and run at the same CPU privilege level. Some third-party software relies on undocumented kernel-patching mechanisms to implement its functionality.

In an attempt to protect the kernel on 64-bit platforms, Microsoft introduced the security component PatchGuard, which runs periodically and detects kernel patching. If PatchGuard finds a problem, it halts the system and informs the user that critical structures have been compromised.

Although 64-bit processors are now common, the adoption of 64-bit Windows lags. PatchGuard and kernel driver signing enforcement have certainly restricted the amount of kernel malware and rootkits on 64-bit systems. However, detailed studies on bypassing PatchGuard have already been published. Malware such as TDL can defeat kernel-mode signing, and Xpaj can defeat PatchGuard protections.

McAfee has worked jointly with Intel to counter the problem of illegal access to kernel memory and platform hardware. The latest 64-bit processors from Intel come with hardware-assisted virtualization (VT-x), which enables hardware to run code at a level more privileged than the kernel. Code running in VMX root mode can set memory protections on a guest kernel, which still runs at its intended CPU privilege level, i.e., ring zero. DeepSAFE technology, developed jointly by McAfee and Intel, leverages the benefits of VT-x and provides protection against illegal access to key kernel memory and key CPU hardware registers. DeepSAFE keeps the operating system completely under its control and monitors the key areas. We are certain to see threats that bypass kernel-mode signing and PatchGuard and thus compromise a system. DeepSAFE raises the bar for malware developers by preventing illegal access to kernel memory and hardware registers.

Malware Uses Google Go Language

Designed in 2007 and introduced in late 2009, the Go programming language developed by Google has been gaining momentum over the past three years. It is now being used to develop malware. Recently seen in the wild, Trojan.Encriyoko is a new threat associated with components that are written in Go. The Trojan attempts to encrypt various file formats on compromised computers, rendering the encrypted files unusable.

The original sample we acquired, a file named GalaxyNxRoot.exe, is actually a dropper written in .NET that disguises itself as a rooting tool to trick users into installing it.

Figure 1. GalaxyNxRoot.exe properties

Once executed, the GalaxyNxRoot.exe file drops and launches two executable files, both written in Go:

  • %Temp%\PPSAP.exe
  • %Temp%\adbtool.exe

The dropped PPSAP.exe file is an information-stealing Trojan. It collects system information such as current running processes, user name, MAC address, etc., and posts it to the following remote location:

The dropped adbtool.exe file downloads an encrypted file from the following remote location:

This file is decrypted as a Dynamic-link library (DLL) file and then loaded. It attempts to encrypt various file formats on the compromised computer. The targeted file formats include:

  • Source code files (.c, .cpp, .cs, .php, .java, .pas, .vb, .frm, .bas, .go, .asp, .aspx, .jsp, .pl, .py, .rb)
  • Image files (.jpg, .png, .psd)
  • Audio files (.wav, .wma, .amr, .awb)
  • Archive files (.rar, .zip, .iso, .gz, .7z)
  • Document files (file extensions containing the following strings: doc, xls, ppt, mdb, pdf)
  • Other types of files (file extensions containing the following strings: dw, dx, sh, pic, 111, win, wvw, drw, grp, rpl, mce, mcg, pag)

Figure 2. Targeted file formats

The Trojan checks each file's path before encrypting it, so that files under certain directories, such as %Windir%, %ProgramFiles%, %UserProfile%\Local Settings, and others, are left alone.
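As an added example that is not part of Symantec's write-up, the selection rules above expressed as a Go predicate that a responder could run over a file inventory to estimate which files on a host the Trojan would have touched. The expansions of %Windir%, %ProgramFiles% and %UserProfile%\Local Settings (and the user name "alice") are assumptions for illustration.

```go
package main

import "strings"

// Extensions the report lists as exact matches (source code, image, audio, archive).
var exactExts = []string{"c", "cpp", "cs", "php", "java", "pas", "vb", "frm", "bas", "go",
	"asp", "aspx", "jsp", "pl", "py", "rb", "jpg", "png", "psd", "wav", "wma", "amr", "awb",
	"rar", "zip", "iso", "gz", "7z"}

// Strings the report says are matched anywhere inside the extension (so .docx or .xlsx match).
var substrExts = []string{"doc", "xls", "ppt", "mdb", "pdf", "dw", "dx", "sh", "pic",
	"111", "win", "wvw", "drw", "grp", "rpl", "mce", "mcg", "pag"}

// Directories the report says are skipped; the expansions of %Windir%, %ProgramFiles%
// and %UserProfile%\Local Settings below are assumed values for one sample user.
var skippedPrefixes = []string{`c:\windows\`, `c:\program files\`,
	`c:\documents and settings\alice\local settings\`}

// extension returns the lower-cased extension of p without the dot, or "" if there is none.
func extension(p string) string {
	base := p[strings.LastIndexAny(p, `\/`)+1:]
	if i := strings.LastIndex(base, "."); i >= 0 && i < len(base)-1 {
		return strings.ToLower(base[i+1:])
	}
	return ""
}

// Targeted reports whether a file at path p falls under the report's selection rules:
// not under a skipped directory, and with an extension matching either list above.
func Targeted(p string) bool {
	lp := strings.ToLower(p)
	for _, pre := range skippedPrefixes {
		if strings.HasPrefix(lp, pre) {
			return false
		}
	}
	ext := extension(p)
	for _, e := range exactExts {
		if ext == e {
			return true
		}
	}
	for _, s := range substrExts {
		if strings.Contains(ext, s) {
			return true
		}
	}
	return false
}
```

Feeding a constructed list of paths through Targeted gives a quick count of how much of a host's data would have been at risk.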

The encryption uses the Blowfish algorithm. It either reads the encryption key from D:\nepia.dud or randomly generates one. The names of all of the encrypted files are then saved to the following location:

Restoration of the encrypted files will be difficult, if not impossible.

Symantec detects all these files: GalaxyNxRoot.exe as Trojan.Dropper, PPSAP.exe as Infostealer, adbtool.exe as Downloader, and zdx.dll as Trojan.Encriyoko.

Net Neutrality Groups Challenge AT&T FaceTime Blocking


The he-said, she-said banter may end soon about whether AT&T is breaching so-called net neutrality rules by limiting the use of iPhone’s FaceTime video calling on cellular networks to customers who sign up for new, shared data plans.

Online rights groups said Tuesday they are asking the Federal Communications Commission to weigh in on the matter. By rule, Public Knowledge, Free Press and the New America Foundation’s Open Technology Institute can file their net neutrality complaint with the FCC in 10 days because the clock started ticking when the groups notified the nation’s second-largest carrier of their intent Tuesday.

To date, Apple’s FaceTime, which allows live video conversations between users of Apple devices, has worked only over Wi-Fi. But Apple is changing that, opening the Skype-like service to function over cellular connections. The change comes when Apple’s newest mobile-phone operating system debuts Wednesday and will spread even wider once the new iPhone 5 starts landing in hands Friday.

AT&T says it will make the video-chat service available on its cellular network for those with generally more expensive, shared data plans, which the company unveiled last month. (There are some configurations where the shared plan is less expensive for the same service for individuals).

Among other things, the company says that it is simply a business decision to use FaceTime as a hostage to move recalcitrant customers to a new plan.

At issue are FCC net neutrality rules that went into effect in November.

The rules prohibit DSL and cable companies from unfairly blocking services they don’t like and require them to be transparent about how they manage their networks during times of congestion.

Mobile carriers like AT&T and Verizon face fewer rules, but are banned from interfering with alternate calling services such as Skype that compete with the carriers’ services. The groups say FaceTime counts as this kind of alternate calling service and thus is protected by the net neutrality rules.

The nation’s largest carrier, Verizon, and the third largest, Sprint, won’t limit FaceTime over cellular. T-Mobile, the smallest of the Big Four carriers, does not carry the iPhone.

AT&T said the main reason why there is no breach of the Federal Communications Commission’s net neutrality rules is because the FaceTime application comes pre-installed on iPhones, a position the digital rights groups scoffed at.

The regulations, however, do allow for certain kinds of mobile network management during periods of congestion, but these cannot unfairly target services that compete with the carriers’ own services.


Appeals Court Blocks Indefinite-Detention Ruling


A federal appeals court tentatively halted a ruling that blocked legislation authorizing the government to indefinitely detain without trial individuals, including U.S. citizens, who are deemed to “substantially support” groups “engaged in hostilities against the United States or its coalition partners.”

The decision (.pdf) by the 2nd U.S. Circuit Court of Appeals came late Monday in response to an emergency petition (.pdf) by the Obama administration earlier that day. The administration called a lower court’s ruling striking down the law a threat to national security. A New York federal judge last week found the rule to be unconstitutional, as it was so vague it could apply to U.S. citizens and journalists exercising their constitutional rights, and the government immediately appealed.

Circuit Judge Raymond Lohier, appointed by President Barack Obama in 2010, issued the temporary stay of enforcement late Monday. Procedurally, the government’s emergency petition moves to a motions panel, which will decide on September 28 whether to keep the stay alive while the issue is litigated on appeal in the New York-based appeals court. Lohier did not comment in his brief order.

Those subject to indefinite detention under the 2011 National Defense Authorization Act include:

A person who was part of or substantially supported al-Qaeda, the Taliban, or associated forces that are engaged in hostilities against the United States or its coalition partners, including any person who has committed a belligerent act or has directly supported such hostilities in aid of such enemy forces.

The act is a broad package of legislation that also includes both authorizations for military spending as well as additional, non-spending legislation. In his Dec. 31 signing statement, President Barack Obama said that “my administration will not authorize the indefinite military detention without trial of American citizens.”