McAfee Labs Report Explains Dangers of Rootkits Bypassing Windows Kernel Security

Today McAfee Labs published a report on how malware can operate at the kernel level and bypass Microsoft’s security for 64-bit Windows systems. “Defeating PatchGuard: Bypassing Kernel Security Patch Protection in Microsoft Windows” explains the danger of positioning operating system security at the kernel level.

Now for a little background: The evolution of malware has posed two major problems for security developers. One is the use of polymorphic and packing techniques that make it difficult for security researchers to write signatures. The second is tampering with internal OS data structures, kernel modules, and kernel memory to hide the presence of malware on a system; this is rootkit behavior.

Rootkits are not new, but in recent years we have seen malware patching kernel data structures in numerous places to hide its presence. Windows, the most prevalent OS in homes and offices, cannot protect the kernel from legitimate third-party device drivers because they are loaded into kernel memory space and run at the same CPU privilege level as the kernel itself. Some third-party software even relies on undocumented kernel-patching mechanisms to implement its functionality.

In an attempt to protect the kernel on 64-bit platforms, Microsoft introduced the security component PatchGuard, which runs periodically and detects kernel patching. If PatchGuard finds a problem, it halts the system and informs the user that critical structures have been compromised.

Although 64-bit processors are now common, the adoption of 64-bit Windows lags. PatchGuard and kernel driver signing enforcement have certainly restricted the number of kernel-mode malware families and rootkits on 64-bit systems. However, detailed studies on bypassing PatchGuard have already been published. Malware such as TDL can defeat kernel-mode code signing, and Xpaj can defeat PatchGuard protections.

McAfee has worked jointly with Intel to counter the problem of illegal access to kernel memory and platform hardware. The latest 64-bit processors from Intel come with hardware-assisted virtualization (VT-x), which enables code to run at a level more privileged than the kernel. A hypervisor running in VMX root mode (VMXROOT) can set memory protections on a guest kernel, which still runs at its intended CPU privilege level, i.e., ring 0. DeepSAFE technology, developed jointly by McAfee and Intel, leverages VT-x to provide protection against illegal access to key kernel memory and key CPU hardware registers. DeepSAFE keeps the operating system completely under its control and monitors the key areas. We are certain to see threats that bypass kernel-mode signing and PatchGuard and thus compromise a system. DeepSAFE raises the bar for malware developers by preventing, rather than merely detecting after the fact, the illegal access of kernel memory and hardware registers.
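The difference between a periodic integrity check (PatchGuard's approach) and always-on write prevention (the hypervisor approach the post describes) is easiest to see in a small model. The following is an added example, not code from the McAfee report or from DeepSAFE: a user-space C stand-in for a protected kernel table, a baseline hash of its known-good contents, and the check a timer-driven detector would run. All names here (table, fnv1a, the handler functions) are constructed for the example.

```c
// Added example: model of a periodic integrity check over a protected
// structure, and why it cannot replace hardware-enforced write protection.
#include <stdint.h>
#include <stddef.h>

#define NUM_ENTRIES 8

/* Constructed stand-in for a protected kernel structure, e.g. a dispatch
   table of function pointers. PatchGuard covers many such regions. */
typedef int (*handler_t)(int);
static int real_handler(int x) { return x + 1; }
static int hook_handler(int x) { return x ^ 0x55; }  /* constructed "patch" */
static handler_t table[NUM_ENTRIES];

/* FNV-1a over the raw bytes: a cheap snapshot of known-good contents. */
static uint64_t fnv1a(const void *p, size_t n) {
    const uint8_t *b = p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

static uint64_t baseline;  /* hash recorded while the table was trusted */

void init_table(void) {
    for (int i = 0; i < NUM_ENTRIES; i++) table[i] = real_handler;
    baseline = fnv1a(table, sizeof table);
}

/* The timer-driven check: 1 if the region still matches the baseline. */
int integrity_check(void) { return fnv1a(table, sizeof table) == baseline; }

/* Untouched table: the check passes. */
int scenario_clean(void) { init_table(); return integrity_check(); }

/* A persistent hook stays in place, so the next check catches it
   (the real detector would halt the system at this point). */
int scenario_persistent_hook(void) {
    init_table();
    table[3] = hook_handler;   /* kernel structure patched */
    return integrity_check();  /* 0: detected */
}

/* A modification that is reverted before the timer fires leaves a clean
   snapshot behind. Only always-on enforcement, such as a hypervisor marking
   the page read-only for the guest, blocks the write itself. */
int scenario_transient_hook(void) {
    init_table();
    table[3] = hook_handler;
    table[3] = real_handler;   /* restored before the check runs */
    return integrity_check();  /* 1: missed by a periodic check */
}
```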