This article presents a detailed analysis of one of the incidents of 2008 that most clearly demonstrates the threat posed by Malware 2.0. The history of the bootkit illustrates the methods currently being used by both virus writers and the antivirus industry, and highlights the importance of developing and deploying new information security technologies.
The evolution of Malware 2.0 creates a range of problems for the antivirus industry. The most important, in our opinion, is that traditional antivirus solutions, which rely exclusively on signature-based or heuristic analysis of files, can no longer reliably stop such attacks, quite apart from the separate problem of disinfecting systems that are already compromised.
The bootkit represents a technological breakthrough for the virus-writing industry: it is equipped with a range of technologies that allow it to spread and to operate as part of a botnet. It also uses several methods to avoid detection during the early stages of infection, to infect as many users as possible, and to hinder attempts to take the botnet down.
Examples include the highly organized approach and the technologies used; the exploitation of dozens of vulnerabilities in third-party applications; the transitions from the boot sector code (running before the OS) into ring 0 (kernel mode), on to ring 3 (user mode) and back again; server-side components written in C++ for *nix operating systems; the cryptographic protocols; and the methods used to authenticate bots to the command and control centre.
The cyber criminals used a relatively unusual method to infect users: legitimate links on compromised sites were replaced with malicious ones. For a computer to become infected, the user not only has to open the hacked site but also to click on one of the substituted links. The server handling the request then records which site the user came from, his or her IP address, the browser used, its plug-ins, etc. The user is assigned a unique ID, which is stored on the server. A personalized exploit is then generated and run via a vulnerable application on the victim machine. The victim machine is then infected by a Trojan dropper, which the server builds using its unique server key and the user's ID.
Once on the system, the Trojan dropper is launched via the vulnerable application, extracts the bootkit installer from itself and passes it the unique user ID. The installer then modifies the boot sector and writes the main body of the malicious program directly into hard disk sectors. If this succeeds, the dropper forces the computer to reboot. On the next boot the bootkit hooks system functions and starts running on the victim machine, hiding its presence and acting as a bot within the zombie network.
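The installer overwrites the boot code in the master boot record, but it must leave the disk signature and the partition table intact, otherwise the machine would not boot again after the forced reboot. That gives a defender a simple offline integrity check: compare the first sector of the disk with a known-good image region by region, and hash the boot-code region against a baseline recorded while the machine was clean. The following Python is an added example written for this page, not code from the report or from the malware; the MBR images, the partition entry and the boot-code bytes are constructed test data, and the "infected" image simply has its code region replaced with a placeholder.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# Byte layout of a classic MBR: boot code, 32-bit disk signature, two
# reserved bytes, four 16-byte partition entries, then the 0x55AA signature.
REGIONS = {
    "boot_code": slice(0, 440),
    "disk_signature": slice(440, 444),
    "partition_table": slice(446, 510),
    "signature": slice(510, 512),
}


def parse_partitions(mbr):
    """Return the non-empty entries of the MBR partition table."""
    entries = []
    for i in range(4):
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def changed_regions(reference, current):
    """Name the MBR regions whose bytes differ between two sector images."""
    return [name for name, rng in REGIONS.items() if reference[rng] != current[rng]]


def check_mbr(mbr, baseline_code_sha256):
    """Integrity check of a 512-byte MBR against a recorded boot-code hash."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    findings = []
    if mbr[REGIONS["signature"]] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    code_sha256 = hashlib.sha256(mbr[REGIONS["boot_code"]]).hexdigest()
    if code_sha256 != baseline_code_sha256:
        findings.append("boot code differs from baseline")
    partitions = parse_partitions(mbr)
    if not any(p["bootable"] for p in partitions):
        findings.append("no active partition")
    return {"code_sha256": code_sha256, "partitions": partitions, "findings": findings}


def build_mbr(boot_code, disk_signature, partition_entries):
    """Assemble a 512-byte MBR image from its parts (for the constructed samples)."""
    code = boot_code.ljust(440, b"\x00")
    table = b"".join(partition_entries).ljust(64, b"\x00")
    return code + disk_signature + b"\x00\x00" + table + BOOT_SIGNATURE


# Constructed sample data: one active NTFS (type 0x07) partition at LBA 2048.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
DISK_SIGNATURE = b"\x12\x34\x56\x78"
# Stand-in for legitimate boot code (a few typical opening instructions);
# in practice the baseline hash is recorded from a known-good disk image.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb", DISK_SIGNATURE, [NTFS_ENTRY])
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[REGIONS["boot_code"]]).hexdigest()
# Constructed "after infection" image: boot code replaced with a placeholder
# (not the bootkit's actual code); disk signature and partition table untouched.
INFECTED_MBR = build_mbr(b"\xeb\x3c\x90PLACEHOLDER", DISK_SIGNATURE, [NTFS_ENTRY])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        result = check_mbr(image, BASELINE_SHA256)
        print(label, result["findings"] or "OK", result["partitions"])
    print("regions changed:", changed_regions(CLEAN_MBR, INFECTED_MBR))
```

On a live system the sector is read from the raw device (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux) with administrator privileges. Because the bootkit hooks system functions to hide itself, a read made from inside the infected OS may not show the true sector contents, so the check is most reliable when run from a clean boot medium or against an image taken offline.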
Once an initial connection to the botnet's command and control centre has been made, the victim machine receives an encrypted packet, which the bootkit decrypts. It contains a DLL that the bootkit loads into memory; the DLL is never written to disk. This allows the bootkit to hide the payload both from traditional analysis of the victim machine and from most antivirus programs. The DLL is a password-stealing module and also intercepts the user's network traffic.
Another non-standard approach taken by the cyber criminals is the migrating command and control centre used to manage the botnet. The centre is moved from site to site two or three times a day. Such botnets are very difficult to detect and, once detected, very difficult to bring down, because the malicious user can at any moment move the centre to any of a dozen, or even a hundred, specially prepared domains. There is no doubt that this method is designed both to combat competitors who may attempt to hijack the botnet and to hinder the efforts of antivirus companies and law enforcement bodies.
There is no doubt that developing such a system took several months, and that keeping it running smoothly required constant debugging and expenditure on acquiring or creating new exploits, domains, hosting, etc. It is highly unlikely that the system could have been planned, implemented and supported by one or two people. It is the creation not of one but of several groups of cyber criminals working closely together, each responsible for a separate area of the project.
The history of the bootkit shows just how directly information security issues affect the ordinary user. All the technologies examined above are currently in active use in the vast majority of malicious programs. The browser as an infection vector, rootkit technologies, botnets, theft of user data, cryptography, obfuscation, anti-antivirus techniques: we encountered each of these individually during the third quarter of 2008. In the bootkit they all came together.
The only way to combat such complex threats effectively is to use a broad range of defensive technologies: a web antivirus, traffic filtering, a behaviour analyzer, a sandbox, network traffic analysis and a firewall. A modern antivirus solution should be able not only to combat rootkits but also to neutralize 'subspecies' such as bootkits.
The full version of the report can be found at viruslist.com.