Malware Buried Deep Down the SPI Flash: Sednit's First UEFI Rootkit Found in the Wild

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

all right so we're gonna start now hi everyone good morning thank you for being here and we're pretty happy to be talking about a research we did in the past few months about a ufi rootkit we found in the wild and what makes this thing very very interesting is that it was actually the first one that was found in the world weary found an infection that was and then I could I was using this UEFI rootkit to target their other victims right so before we dive in I just wanted to introduce ourselves so my name is Ryan good time and together with my colleague Phil aggression we are both malware researcher we're both based in Montreal we work as more researcher for an security firm called ESET and we do maori research as as a work right so we do reverse engineering mostly and we try to piece together our different campaigns so if you looked at our title or you saw that we actually attribute these this UFO rootkit to a threat actor we called Senate but it also goes with different names so a fancy bear a PT 28 strontium C all aliases for the same group and before we dive in into the tools these guys are using I just want to make sure that you are familiar with this is channel truth so just let me let me ask you a question first how many people know of this trial actor and ok cool so about half people probably so it's an espionage true so they don't do cyber crime for really money they do it to gain information on the victim system right they've been active since the early 2000 and they were very visible in the past few years because they did some very notorious hack so I'm just gonna highlight some of them so maybe you remember the act of the Democratic National Committee or the DNC that happened in 2016 it was leading to the u.s. presidential election and they compromised a lot of systems and they were able to leak emails and leak them online and a lot of people were seeing the conversation happening inside again see the other act that happened recently is the world anti-doping agency or wada so these guys are literally behind this actually were able again to compromise systems deal email signal information and they also leaked it online under hack since were close to friends here maybe some of you noticed TV five moment which is a French broadcaster that air program throughout the world and this group is again allegedly behind a hack and they were able to cut their signal down for a couple of hours and there's a lot of other hacks that these guys did and isolated Lee because at he said we don't do attribution so what we call the Senate group is Murli campaigns that these guys are doing or tools that these guys are using in their campaigns but other groups actually try to to attribute these attacks to a specific group and there was something very interesting that happened last July which is an indictment from the United States Department of Justice where they were naming specific people and they were and this one actually saying that these guys were behind be DN C AK so this is of course another hint that these guys were linked to this and why it's important for us is because they are actually naming a lot of the backdoors that the Senate operators are using and the backdoors that we are seeing and that are targeting our customers right so this is one another proof that these guys are behind these hacks and there was another one quite recently in October this year where there was also linking this group to the water hack as well as other hack and naming people and naming the tools the backdoor said these guys were using so as the last step I just want to show you how they are operating so they usually use email so this is an example with phishing email that would send to the targets you can see here the email says that your personal data has been found on Google and then there's a link that if you click on it you know if you direct it to the real Google server you're in fact redirected to a page that is owned by the Senate group right this is an example of the type of phishing page that you would see if the user goes ahead and enter their credentials it will then be actual traded to the same it operators which can then reuse them of course they're not only using phishing emails they're also using emails to try to distribute their malware so they will have an attachment another such attachment that will try to install one of his tools they use to spy on on their victims right so that you can think of backdoors keyloggers screenshot capture all type of tools that allow them to know what is going on on a victim and steal information from them so this kind of brings us to our main topic which is the UFO rootkit so not only are they they have sophisticated backdoors that are trying to be persistent but through our research what we found is that they actually also have a very sophisticated ufi rootkit and not only they had this but they also had the tooling to install it remotely on a computer so of course if you have physical access to computer it's actually quite easier to reflash the firmware to install these type of UFO rootkit in that case as we will show you they actually use a software tool to patch it framework so this concludes our introduction so what we're gonna see today is first what is LoJack so I will explain why it is important to look at this anti-theft software and we're going to take a quick look at the past research on insecurities and probabilities that were found in this in this software and then we'll read I will begin the meat of the presentation where how we found this UEFI rootkit also we will show you the analysis of all the components how its works and also finally we will do some remediation so how you can protect yourself from this threat so LoJack it's an anti-theft software it wasn't only for us compute race maybe a lot of people here know about this this software it's made by a company called absolute software and it's present in a lot of laptops so there's a good possibility that on your laptop you have this tool and install in the on your system and what it does is that if you laptop is ever stolen or you lose it it has different services to try to locate it using Wi-Fi sing or GPS vacation you can also send different commands so you can try to lock your computer you can also try to wipe it remotely so that a hardware tap will not result in to a data leak and you can try to read to locate it through this this computer through this software and you need to activate it and it's usually use Bourg to make sure that he can track back some of their laptops should it be stolen right and there was a lot of past research on this why because of course if you have an anti-theft software like this one you want to make it as persistent as possible so how these guys were doing it is that they had a UEFI module that will put back the agent if the thief would go ahead and reinstall windows or replace the artist let's say so if they do go ahead and do that well the system is starting up the UEFI module was able to still reinstall the agent that could locate the laptop to the first research that I want to show you is this one it was presented at blackhat us in 2009 so as you can see this is pretty old research and I want to stress that out right now like the vulnerabilities that we will outline today for this software is reload runner abilities the newer version of the software does not have this insecurities built in but still as we will see the old version we use to come from I systems right so in this research they expose design vulnerabilities in the agent insecurities and it also document and the architecture of the LoJack solution and I want to show it to you because as you will see later on the Senate operators actually make quite a bit the architecture will see right now so the first step is of course the bias or the ufi module so it contains the agent in its dropper and it will go ahead and replace a file called Auto Check the THC that is present on all Windows system you might know what to check the techs he is it's basically an integrity check for our disk so as Windows is booting up you will see sometimes a percentage on your boot up screen and this is this auto type it will check the integrity but what LoJack is doing is that it will replace it so that it can actually install its own agent which is the second step which is only the the main idea is to install the small agent as a service once the service started in step 3 you have the small agent and the role of the small agent is to make sure that the full recovery agent is always running on the system and how it does this is that if it's not there it has the ability to connect to a distance server some code and then execute it so you can see right away the vulnerability that could happen if someone could actually control how the agent is where the agent is connecting itself to and how we'll do it is also very strange in terms of a legitimate software because how you'll do it is that it will first pawn a services process then inject the DLL inside then from there we'll spawn an Internet Explorer process inject the DLL again and we'll use this as a point to reach out to its distant server which is not something we see regularly in editing software in fact this is something we see all the time in malware right so this is kind of a strange behavior for legitimate software and then the last step which is a fourth one is a normal operation the record the recovery agent is running on the system and you have basically the mean - to locate and recover and at the laptop so you might wonder how the small agent is actually trying or to reach out to the server how can it know the distance server domain name or IP address well it has a configuration file embedded in its code and this is the part of the small agent code that contains it and it's encrypted as you can see we cannot see anything but the encryption is actually pretty bad in terms of security because it's a single by just or key so it's very easy to decrypt it and you can see here the domain name which is search name query comm which is legitimate absolute software domain name that is used to send and that the agent will connect to and try to get will be able to have commands such as the lock command that we've seen a bit earlier on and the four bytes preceding this domain is actually an IP address so the bad thing about this one is that there's no integrity check so the file is not signed so anyone that has access to your to your system and is able to override this configuration file can actually make the small agent connect to a server of its choosing right and I'm only showing this particular vulnerability to you because it's the only one that matters in our case because this is how the Senate operator actually did it so although these vulnerabilities quite also we saw the research was in 2009 we didn't see widespread use of disparate ability in the wild until May 2018 where the cert team from our networks published this blog post which was called a title LoJack becomes a double agent in this in this blog post what they found is that there were a lot of small agent modifications in the wild where the attackers would change the configuration file to point to a domain that they own an IP address and what was very interesting is that these domains these IPS were already seen before in fact they were used by some Senate tools so that's how that's what the first link was that this small agent might be related to to to Senate right so we we saw this and we thought okay so what's the most likely hypothesis that this small agent would come in a system and if we go back to the architecture slide of course sub-tree is a likely scenario where we already know that Senate operators have a lot of backdoors order disposal so they could only use these backdoors to just drop a small agent so of course you don't benefit from all the persistence mechanism that the or the total solution of LoJack is giving you you don't have the ufi module but since you're only changing a few bytes and small agent and that it is legitimate software you're still benefiting from the fact that a lot of EDS are actually white listing this the small agent so it's it's like it's a likely scenario that they would just rely on the small agent and that's it but at that time we just began our telemetry and try to find out what exactly we could find and how big this thing was right so this is a configuration file and that I showed you earlier and what we found is that all these small agent that will link to the LoJack's campaign were based on the same small agent so it was all small aged and compiled in 2008 and all they were doing was changing configuration file in a couple of bytes ear and there but in in totality the vast majority of the changes was only in the configuration file but it allowed us to retry and do a white spray and try to find who he was targeted and we found some organizations that were targeted by this LoJack's campaign so they were mostly in the Balkans Central and Eastern European victims and there were only a few organizations and I want to stress that out because we know let's send it is targeting a lot of people a lot of organizations worldwide but what we found is that it's only a subset of these targets that were actually targeted by the hello.tex campaign it was mostly military and diplomatic organizations which is in line with the target that the Senate group usually targets and what's interesting is that in all of these organizations we were also able to find traces of other Senate tools which reinforces our thinking that this tool is really linked to send it so we're now at the point where we're wondering okay like is it the end of it is it only the small agent or we're actually going to find something better or something more deeper than that right so before we dive in it was I want to show you an interesting blog post which was published in Virus Bulletin by cousin ryu the director of great kaspersky where is saying that it's wondering where all where are all the a is an apt and of course a main advanced and what he says is that there are many cool research going on in the security industry and that no nation state actor has actually used it and one of them is actually this one which says we have yet to observe a real-world UEFI malware and what's funny because we were about to publish our report and this is definitely something we knew that would probably be crossed out pretty soon so before we look at the different tools that we found that led us to the ufi rootkit I just want to show you this tool so it's called readwrite everything it's a tool that is available online that read write everything calm and it's basically a tool that allows you to read and write the name is the pretty convenient it allows you to read and write a lot of information about your hard work so you have access to platform configuration registers and it gives you a whole lot of information about the the art where that is that your system is using and how it does this well it needs a kernel driver right and of course when newer version of Windows all required the kernel driver to be signed so this is the legitimate code sign certificate that is used by the kernel driver and we found this specific driver in a lot of the networks that we investigated in length with the LoJack's campaign and it's funny because it's not the first time that this driver is reused for nefarious purposes but in in in our case it was really the first hint that they were really maybe after the odd way sell the firmware so the first tool that I want to show you is this one was called info EFI @hc and it's using the kernel driver and it was just dumping a lot of information on a platform logging it in a log file here I'm only showing a small excerpt of it but the log file would be very big compared to that and as you might know if you are trying to target the system framework you need to have a lot of information of detail information on the platform itself so by running a tool like this you get information on the manufacturer of the of the firm of the motherboard and it can allows you to see whether there are some known vulnerabilities and there are some miss configuration that can then reuse to actually patch the firmware so if we go back to the architecture style so we already know that step 3 could have been where would it what these guys were doing just using a regular backdoor to install the small agent but let's see what is the step before that it's actually this to check the THC so the the executable that is responsible to check integrity and that was used by logic to replace my logic to install the the small agent so we went in and tried to find something similar something that would tell us that these guys might be after the the firmware itself and we found an interesting file so instead of being caught to check the THC it was Auto cheap the THC so only one letter change but the behavior of the executable was very similar so you can see here it's installing a service with this name so this is the same name that the LoJack solution is using a service and we'll then point to the the location of the executable of the small agent suitable so from there the behavior of this touchy the THC and the LoJack replaced Auto check the ticks is very similar but there was one difference that really caught our eyes which is which you can see here so it's building a string and this string is actually the default value of this registry key so the boot executes one that you see in the bottom and this is actually the registry key that all the path to the auto check the THC so we didn't know what was the value before that but we know that this at Uchee the THC is actually putting it back to its default value probably an attempt to I'd that it was ever changed right so that was at that point we knew that they were at least trying to get to the framework because you don't do all of this you don't go through all this trouble if you did not have something in mind so we kept on digging and then we found the jackpot so this is a tool called every writer read the THC and it's a tool that is used to dump the SPI flash memory and write it to this right it still uses the readwrite everything driver and uses this for ioctl code to writes to write in read memory mapped i/o and also to read and write a configuration configuration register so if the the attacker will use this tool to dump the firmware of the machine so we of course reverse engineer that there were a lot of debug strings actually so it kind of indicate that this tool was probably under every development but it also helps us because as reverse engineers you have debug strings it makes your life a lot easier so it consists of mainly three operations so it will first log the information of bias control register and Fredrik will explain you why is doing this and why it's important for the attacker to have this information then it will locate the bias region base address and will finally read the ufi for more content and dump it to a file so it does not have the capability to actually upload the file to a malicious server but as senator operators already have a lot of different backdoors at their disposal they could actually just pull the file out without the need for this tool to actually being able to communicate with a C&C server and just want to show you really quickly how it reads the year flash memory so this is very common this is how you basically interact with the SPI flash memory you first just initiate the transaction you will say to the chip that you want to read it how much byte you want to read it how much in the blog that you want to read and then you will just cycle through the OL memory map region and be able to recover all the firmware on the on the chip and then dump it to disk so this is how this tool was working so now lyric will talk to you about the other tool we found okay so I'm the one of the tools that we found on some compromised machine is called re writer binary and it is very similar to re write your read as its name suggests so it also contains a lot of debug strings it also uses RW everything's driver and it does basically two things the first thing it will do is that it will add the UEFI rootkit to the previously dumped from work and it will write it back to the spi flash memory so let's look at the patching of the UEFI firmware so before before we dig into this subject there's just a couple things here doesn't want to introduce just just to make sure that we're on the same page the first thing I want to talk about is UEFI so UEFI stands for unified extensible firmware interface and it is a standardized specification that defines the software interface that exists between the operating system and the firmware so a UEFI compliant system will provide a set of services to UEFI applications here read operating system loader there could be some other UEFI application but usually it is an operating system loader so one of these services are the boot services so these services are available to the firmware but once the operating system is loaded these services are not available anymore and there are the runtime services which are some other type services that are also available to the firmware but when the operating system is is running these services are still running so a kernel driver for instance can make calls into these services and from a security standpoint what's interesting with UEFI is that there's no more Master Boot Record or volume Boot Record involved so there's no easy way to hijack the the boot control flow so okay the second thing I want to talk about are the driver execution driver execution environment drivers so the so-called XE drivers so the XE drivers are PE cough images so basically windows executables and there are kind of the core of UEFI firmware so they can do many things some of them will be used if straggly hardware some of them will be used to produce the UEFI standard interface so the boot services and the runtime services that I just spoke about and they can also be used by firm or vendor to extend the firmware by adding by registering new services the so-called protocols in the UEFI specification the XE drivers are loaded during the Dixie phase of the platform initialization and they are loaded by the exe dispatcher that will also refer to as the hexa core in this presentation the last thing I want to introduce for now is the UEFI firmware layout so the UEFI firmware is located in the bias region of DSP a flash memory and the bias region contains multiple volumes let's look at it in a bit more detail in UEFI - which is an open source tool for manipulating UEFI images so here I loaded the typical content of a spi flash memory dump and UEFI - and yeah let's look at what we have so the first thing that we see here is the descriptor region which contains metadata about the remaining of the data and the SPI flash memory then we have the ME region which contains the Intel management and join firmware and finally we have the bias region which is really what we're interested in today as I mentioned the bias region contains multiple volumes so let's look at one volume in a little bit more details so here we have a volume which is of type firmware file system v2 and so this volume contains multiple multiple files these files are identified by by googas that's what we can see under the name column and with if we look at what's inside the file well in a file there are multiple sections one of these section will be the actual UEFI executable image but there are other sections like the Dixie dependency section which allows to define dependencies for this specific UEFI executable and we also see here a version section as well as a user interface section so the user interface section is used to give a human readable name for for the file instead of the the gooood and that's what we can see under the text column here ok so now now that we have all this in mind let's go back to re-write your binary and look at at what it does so re-read your binary will parse all of the firmware volumes that it that it finds in the bias region of the UEFI firmware and it will look for for specific files it looks for IP for Dexy NTFS dec c SMI flash and the hexa core so why does it look for IP foredeck C and D DX e core well these files are used to define the firmware volume where to install the UEFI rootkit so usually in a you fi firmware all of the taxi drivers will be in the same firmware volume so when the tool finds IP Ford XE it knows that it is currently parsing the volume will the Dixie drivers on it so it will keep the this volume as a candidate for the UEFI will get installation and in some UEFI firmware the DEXA core maybe in a different volume than the taxi drivers so when it finds the Dixie chord will also keep the volume where it is located as a candidate for the you if I root kit installation and finally it will choose the volume where there is enough free space available in it so NTFS sexy NTFS lexi is the American Megatron incorporated in TFS driver and the reason why it looks for it is as we'll see later during this talk the UEFI rootkit comes with its own ntfs driver so to avoid any conflict it just removes the American megatrend ntfs driver and finally SMI flash so the tool the version of the tool that we analyzed looks for this specific driver it keeps some metadata in a structure about it but it never uses uses it in in the tool so what we believe is that signal spreader might have been fiddling with some kind of exploit for this well what I forget to mention is that this exe driver is actually vulnerable so yeah what we believe is that settings' operator might have been fiddling with some exploit for this vulnerable Dexy driver in order to be able to bypass write protection mechanism to the spi flash memory so now that it has found the volume were to install the rootkit the next thing is to add the rootkit to the to the volume so what I will do is that it will create a firmware file system file header and then it will happen the rootkit file to it so the rootkit file is a compressed section that contains two sections one of these sections is the actual UEFI be the curable and the other one is a user interface section defining the name for this root case of the rootkit is called SEC exe and then it will write this file at the end of the selected volume ok so now that the UEFI rootkit is inside of the UEFI firmware the next step is to write it back to the SPI flash memory once again there's there are a couple things that I want to introduce here so I want to talk about bias write protection mechanisms so the platform read here the chipset exposed is write protection mechanisms that need to be properly configured by the firmware so there are no such thing as write protection mechanism enable by default it's really the the firmware job to configure them today will only cover relevant protection mechanisms to our search so we'll only cover the prediction mechanism that are checked for by re re writer binary when the the production mechanism we'll talk about are exposed via D bias control register so if you want to write to the bias region of the SPI flash memory the first thing that you need to do is to set the bias right enable field of the bias control register to one and then you can write to the B to the T bias right I'm sorry to the bias region without any problem but of course you don't want any kernel driver to be able to mess with the content of the spi flash and potentially corrupt it so there's a protection mechanism here which is another field in the bias control register and this field is called bias lock enable and it allows to lock bias right enable to zero and this field is readable and right locked once right lock once means that once the firmware has set this this bit to one there are no other way to set it back to zero than performing a full platform I reset but there's a problem here the problem is that the implementation of bias lock enable is actually vulnerable so how it works is if if ble is activated and a kernel driver tries to set bias right enable to one bias right enable will be set to one for shorter short amount of time and then the platform will issue a system management interrupt and the SMI handler will set by us right enabled back to zero let's not hear that the SMI handler must be implemented by the firmware otherwise this mechanism is worthless but that's not the biggest issue here but maybe you've guessed it but what happens if we write to the spi flash memory before the SMI handler sets by us right enable to zero so there's a race condition vulnerability here there's a paper about it which is called a speed racer and it is trivial to exploit how you do it is you have one thread that continuously set by us right enable to one while another thread tries to read the data to the SP a flash memory and according to due to the Speed Racer vapor it works on multi-core processors as well as on single core processors with hyper-threading enabled so Intel came up with a fix for for this vulnerability and what they did is that they added a field in the bias control register and it was introducing the platform controller hub family of Intel chipsets around 2008 so this field is called SMM bias write-protect disabled the name is a bit misleading but if you remove disable that's actually what it does so how it works is if this mechanism is activated it won't be possible to write to develop to the bias region unless all of the cores of the processor are running in system management mode and once again this this bit must be set by by the firmware okay so now let's go back to our ear ITER binary so of course if I introduce all of these mechanisms it's because re writer binary checks for them so it will check if the platform is properly configured and it implements the exploit for for the race condition ok let's look at the writing process decision tree so the first thing that our a writer will I write or binary will little check for is biased right enable so it will check if it is activated and if it is activated there's nothing nothing stopping it from writing to writing to the SPI flash memory so it will just write the Trojan Eyes UEFI image but if it is not set to one then it will check is bias lock enable activated and if it is not activated then it will just flip by us write enable to 1 and then it will write the UEFI image and finally it will also check for SMM bias right product and if it is not set it will exploit the race condition that we just spoke about otherwise it will just fail so we spoke about the SMI flash the vulnerable exe driver so yeah we believe that sudden it's operator might have been fiddling with an exploit for for this specific driver to be able here not to fail if everything is properly configured but to be able to write to the SPI flash memory even if you know everything is the firmware does the job correctly so this tool only works on either fairly old system or misconfigured system so as you can see here if firm or vendors would have done their job correctly the tool would have fail at flashing the malicious Mouse just firmware and it would have required way more resources from the attackers side to be able to deploy their and their rootkit okay so now let's look very quickly at how you write to the SPI flash memory it's kind of the standard way of doing this so the first thing that you need to do is to set up the right operation and then you can write all you just loop around these operation and write each data block one after the other to the SPI flash until you you have your whole firmware flashing to the SPI flash memory so here let's take a step back and look at what we're looking at so what we have here is a software implementation to deploy UEFI rootkit and flash it in to the spi flash memory remotely post exploitation so that's really something it's very convenient for for for the attackers to use that kind of that kind of tool so they can just begin to infect the victim the way they will usually do it for instance by sending a phishing email and once they have a foothold on the machine they can use this tool to deploy their the rootkit what do we knew about in the past was hacking teams UEFI rootkit and as far as we know it required physical access to be deployed so once again it's so much more convenient to be able to do it remotely it's not here that there's no proof of hacking teams rootkit being used in a cyberattack it has never been found on a victim's machine or at least it if it has it been publicly disclosed so what we did then is that we extracted the UEFI rootkit from re writer binary and we looked at ESET UEFI scanner telemetry and yeah turns out that we found the rootkit in the SPI flash memory of a of a system making it the first publicly known UEFI rootkit to be used in a cyberattack and at this point yeah we're pretty confident that would be accepted the blackhat to share our research with you guys so yeah here we are right so if we go back to customs Ray statement where he said that we have yet to observe real-world UEFI malware well we can cross that one out okay so let's go back to the technical part of this presentation and look at the UEFI rootkit itself so the if I rootkit is a taxi driver that is loaded by the DEXA dispatcher every time the machine will boot it's finally means sec dixie as we've already seen and here i put the file good for future reference so now let's look at the UEFI rootkit workflow so a EFI firmware will go through multiple phases when it boots so the first phase it will go to is the security phase and then we'll go through the pre fi initialization phase and then it will go through the driver execution environment phase and that's when that's when it it gets interesting for us so that's that's when the DEXA core is running and all of the exe drivers will be loaded so one of these the XE drivers will be the UEFI rootkit and what it will do at this point is that it will create an event attached to the efi even group ready to boot and it will bind a notify function which is basically a callback containing the malicious code so when the firmware will go to the next phase the boot device selection phase the boot manager will run and at some point it will signal the efi even group ready to boot event and at this point the notify function will be called so none of the Phi function does three things the first thing it will do is that it will install in an NTFS driver then it will use this ntfs driver to drop out to cheated Xin our PC net period eggsy and finally it will patch a value in the Windows registry for persistent purposes so the ntfs driver well the ntfs driver is is needed to get file based access to Windows partition and said net separator did not write their own ntfs driver what did it is that they took hacking teams ntfs driver from hacking teams leak and they compile their own version that they bundle with the UEFI boot kit now here's the code responsible for dropping the two files so here we have the code dropping our PC net Peter digsy and here the code wrapping up to chi that exit and finally it will patch if a value in the Windows registry so how it does that is that it will open the file backing the htlm system registry hive and it doesn't have all the logic to to be able to parse windows to do structures so what it does is that it will look for a text I textual pattern and this textual pattern is AutoCheck a to check and star and when it finds it it will change it for us to check out to chi start and it happens to be to be modifying the boot execute key that Ryan spoke about earlier so what will happen then is that the operating system will will be loaded and at some point it will run a to chittering Z instead of to check that exit a note achieve will drop our vicinity and so on but what's interesting here is that o to cheery vert back the modification in the Windows registry so it will change o to chip back to auto check so that as a end user for instance if I look in in the registry Keys I won't see that any modification happen so that's a pretty interesting stealth mechanism that is that is enabled by the fact that the malware is coming from the firmware ok so now we have a little demo for you just get there it's not a live demo sorry I'll make it there it is okay let's really really used to work with your trackpad I'll just restart it real quick okay so here we have a Windows 10 machine this machine is is clean and it has a clean firmware so the first thing I'll show here is just that Oh to cheat that eggs and RPC not PR not on the file system just to prove that it is clean so it's going to sis 1264 and looking for our PC net P and as we can hopefully see our PC net P is not it's not there then I'm going into system 32 showing that to cheetah diggsy is not there either okay so the next step then I'll I'll go into VMware directory to where the UEFI firmware is located and I'll change the firmware the clean firmware for and infected for more with the UEFI rootkit so just to show that I'll I'm opening it in UEFI tool and I'm just showing that second xcd UEFI rootkit is really in the UEFI firmware as we can see it is right here and then I'll yeah I'll change the firmware so this one is the clean firmware so I'll just rename it and I'll put the infected for more instead of it okay so now I'll just shut down the Windows 10 machine and start it all over again just so and so that the machine will boot and the UEFI boot kit will be loaded and it will do all these and nasty things okay but here there's another machine which is a Linux machine which is on the same network and it act as a gateway for the windows 10 machine and also as a DNS server and it also has an HTTP server on it so I'll go Andy in the Linux machine and I'll start a network capture there and then I'll just keep it a bit so when Windows will be boarded booted we'll see that it will make the malware will make a query to its commanding control server should happen soon okay so yeah there was a DNS request was performed for remote PF net which is a command control server and there was also an HTTP POST requests with the wholesaler set to remote PX dotnet so just to show that everything happen as expected I'll go back in the Windows 10 machine and show that the files were properly dropped and that there's also a process running there so I'm going to see Windows 6 12 64 so I'm looking for RPC net P here so as we can see our PC net P is there there's a dealer and in executable the reason for that is that the executable once it's runs it drops itself ID as a DLL so that's why there's another file there and then yeah as we can see how to cheap is is there too alongside so to check and finally I'll go in this task manager just to show that there's a process running there and yeah as we can see there's our PC net thief running there so yeah that's pretty much it for the for the demo okay so the last thing that I want to talk about today is prevention remediation so what can you do to prevent such an ad and attack from from happening and also if you find out that you're compromised with a you if I would kit what can you do right okay so prevention the first thing in probably the most important thing is that you should really keep your UEFI for more up to date so that all of the latest patches are available on your system yeah so that's probably the most accessible and most important thing to do then you should enable secure boot but let's not hear that secure boot would not have protected against this specific attack and the reason for that is that secure boot takes the content of the SPI flash memory as its root of trust so everything that is inside the SPI flash memory is not subject for for validation so what is it you're used for then well it will validate what's coming from outside of the SPI flash memory namely the option roms and most importantly the operating system loader so what can we do then well what we need is a hardware root of trust so we need a root of trust that is in a one-time programmable chip that is programmed during manufacturing time and that cannot be written to ever after and such technologies exist an example of that would be Intel boot guard but also Apple's t2 security chip has a or hardware root of trust then you kind of need to hope that your firmware configures your the security mechanism properly there's not much you can do well if you updated your UEFI firmware there's not much you can do but thankfully there are for more security assessment tools available out there and an example of that would be Intel chipset so you can put this tool on on a USB stick and run it on your machine and this tool will check for all of the security mechanism that we spoke about today in even more of them and also it will check for the this specific UEFI rootkit so if you have it and solve until chip sack will we'll find it and yeah the last thing that I want to talk about is remediation it's a pretty short part the only thing you can do is really reflash your UEFI firmwares we kind of need an SPI programmer and to be able to you know you need to have a clean version of the firmware and write it to the SPI flash memory yourself it's definitely not something that is easy to do for anybody but yeah that is pretty much with with you you can do otherwise it's not an option for you well you can just get rid of your I have computer basically and get a new one so that's how serious this this attack is now in conclusion our research shows that UEFI rootkit are not toys for researchers to play with that they are real-world threats use in actual cyber attacks so it might be something that you want to keep in mind the next time you'll be finding your threat model and yeah we won't stress this enough a firmware must be built with security in mind from the bottom up and things are getting better because there are more and more security researchers looking into this and reporting the issues that they find but there are still still work to do there and yeah also hopefully this talk helps you to know how to prevent and mitigate this kind this kind of attack so that's pretty much it for us so thank you for having us last thing I want to mention is that if you're interested to know more to have more details about our research the white paper is available at we live security that come and unfortunately we won't have time for question here but it's still early in the conference so we'll be for the next two days so only shy just come come see us and ask a question if you have any so thank you very much [Applause]

Info

Channel: Black Hat

Views: 14,843

Rating: undefined out of 5

Keywords:

Id: sObGrnesxv4

Channel Id: undefined

Length: 49min 56sec (2996 seconds)

Published: Wed Jan 15 2020