Bootkits: Past, Present & Future
Alexander Matrosov (@matrosov), Eugene Rodionov (@vxradius), David Harley (@DavidHarleyBlog)
Agenda
• Modern Bootkits History
• Legacy BIOS vs. UEFI Boot Environment & Proof of Concept vs. In the Wild
• Legacy BIOS Bootkit Classification
• UEFI Bootkits
• Bootkit Implementation Strategies
• Attacks against Secure Boot
• Forensic Software
  • HiddenFsReader
  • CHIPSEC
Modern Bootkit History

Timeline 2005 - 2014, distinguishing bootkits found In the Wild from Proof of Concept code. Milestones marked on the axis: Microsoft x64 platform gains popularity; Secure Boot implemented in Windows 8.

Bootkits placed on the timeline: eEye BootRoot, Vbootkit, Mebroot, Mebratix, Mebroot v2, Vbootkit x64, Olmarik (TDL4), Olmasco (TDL4-based), Stoned Bootkit, Rovnix, Evil Core, Mebromi, DeepBoot, Stoned Bootkit x64, Gapz, VGA Bootkit, Dream Boot, OldBoot (Android bootkit)
Legacy BIOS vs. UEFI
• No more MBR and VBR/IPL code
• Different hard drive partitioning scheme: GPT (GUID Partition Table)
• Secure Boot technology is implemented in Windows 8

Legacy BIOS boot flow: BIOS boot code -> MBR (Master Boot Record) -> VBR/IPL (Volume Boot Record / Initial Program Loader) -> bootmgr -> winload.exe -> load kernel and boot-start drivers
UEFI boot flow: UEFI boot code -> UEFI boot loader (bootmgfw.efi) -> winload.efi -> load kernel and boot-start drivers
The Target of Modern Bootkits (MBR/VBR)
Classification of MBR/VBR Bootkits
• MBR
  • MBR code modification: TDL4
  • Partition table modification: Olmasco
• VBR/IPL
  • IPL code modification: Rovnix
  • BIOS Parameter Block modification: Gapz
IPL Code Modification: Rovnix
• Win64/Rovnix overwrites the bootstrap code (IPL) of the active partition

Before infection: MBR | VBR | NTFS bootstrap code (15 sectors) | file system data
After infection:  MBR | VBR | malicious code (in place of the bootstrap code) | file system data; the original bootstrap code, the malicious unsigned driver and compressed data are stored by the bootkit elsewhere on the disk

"Hasta La Vista, Bootkit: Exploiting the VBR"
http://www.welivesecurity.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr/
Gapz VBR Bootkit
Main features:
• Relies on the Microsoft Windows VBR layout
• The infection modifies only 4 bytes of the VBR (the DWORD "Hidden Sectors" field of the BPB)
• The patched bytes might differ between installations

VBR layout (offsets within the 0x200-byte sector):
  0x000  jmp (transfers control to the VBR code at 0x054)
  0x003  BIOS Parameter Block (BPB)
  0x054  VBR code
  0x19C  text strings
  0x1FE  0x55 0xAA signature
  0x200  end of sector

"Mind the Gapz: The most complex bootkit ever analyzed?"
http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf
Gapz BPB Layout

The NTFS BPB begins at VBR offset 0x0B, right after the 3-byte jmp and the 8-byte OEM ID ("NTFS    "); the VBR code starts at 0x54 where the struct ends:

struct BIOS_PARAMETER_BLOCK
{
    WORD     BytesPerSector;          // 0x0B
    BYTE     SecPerCluster;           // 0x0D
    WORD     ReservedSectors;         // 0x0E
    BYTE     Reserved[5];             // 0x10
    BYTE     MediaDescriptorID;       // 0x15
    WORD     Reserved2;               // 0x16
    WORD     SectorsPerTrack;         // 0x18
    WORD     NumberOfHeads;           // 0x1A
    DWORD    HiddenSectors;           // 0x1C  the 4 bytes Gapz patches
    DWORD    Reserved3[2];            // 0x20
    LONGLONG TotalSectors;            // 0x28
    LONGLONG StartingCluster;         // 0x30  $MFT cluster
    LONGLONG MFTMirrStartingCluster;  // 0x38  $MFTMirr cluster
    DWORD    ClustersPerMFTRecord;    // 0x40
    DWORD    ClustersPerIndexBuffer;  // 0x44
    LONGLONG VolumeSerialNumber;      // 0x48
    DWORD    Reserved4;               // 0x50
};                                    // 0x54: VBR code begins
Gapz: "Hidden Sectors" Modification

Before infection (hard drive): MBR (0x200 bytes) | NTFS volume: VBR (0x200) | IPL (0x1E00, 15 sectors) | NTFS file system. The BPB's number of "Hidden Sectors" is the number of sectors preceding the volume, so the VBR code loads the IPL that immediately follows the VBR.

After infection: MBR | NTFS volume: infected VBR | IPL | NTFS file system | bootkit (stored beyond the end of the NTFS volume). The modified "Hidden Sectors" value makes the VBR code load the bootkit instead of the IPL.
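The check a forensic tool can run against this technique, as an added example in C (not code from the slides or from HiddenFsReader): read the MBR partition table and the active partition's VBR, then compare BPB.HiddenSectors with the partition's starting LBA. On a clean install the two agree; after a Gapz-style patch they do not, whatever value the bootkit chose. The MBR and VBR sectors are constructed inside the code (one NTFS partition at LBA 2048); the offsets are the standard MBR and NTFS boot sector ones.

```c
/* vbr_hidden_sectors_check.c - added example, not from the original slides.
 * Cross-check BPB.HiddenSectors in the NTFS VBR against the start LBA of the
 * active partition recorded in the MBR. The VBR code loads the IPL from the
 * sectors right after HiddenSectors, so a Gapz-style 4-byte patch shows up
 * as a mismatch regardless of the value chosen. All sectors are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE        512
#define MBR_PART_TABLE     0x1BE  /* four 16-byte partition entries */
#define PART_LBA_OFF       0x08   /* DWORD starting LBA inside an entry */
#define PART_ACTIVE        0x80   /* boot indicator */
#define VBR_OEM_ID         0x03   /* "NTFS    " */
#define VBR_BPB            0x0B   /* struct BIOS_PARAMETER_BLOCK starts here */
#define VBR_HIDDEN_SECTORS 0x1C   /* VBR_BPB + 0x11: DWORD HiddenSectors */

typedef enum {
    VBR_OK = 0, VBR_BAD_MBR_SIGNATURE, VBR_NO_ACTIVE_PARTITION,
    VBR_BAD_VBR_SIGNATURE, VBR_NOT_NTFS, VBR_HIDDEN_SECTORS_MISMATCH
} vbr_verdict;

static uint32_t rd_le32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr_le32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static int has_boot_signature(const uint8_t *sector)
{ return sector[0x1FE] == 0x55 && sector[0x1FF] == 0xAA; }

/* Index of the active MBR partition entry, or -1 if none is marked bootable. */
int find_active_partition(const uint8_t *mbr)
{
    for (int i = 0; i < 4; i++)
        if (mbr[MBR_PART_TABLE + 16 * i] == PART_ACTIVE) return i;
    return -1;
}

/* vbr must be the first sector of the active partition. *expected and *actual
 * (both optional) receive the partition LBA and BPB.HiddenSectors. */
vbr_verdict check_hidden_sectors(const uint8_t *mbr, const uint8_t *vbr,
                                 uint32_t *expected, uint32_t *actual)
{
    if (!has_boot_signature(mbr)) return VBR_BAD_MBR_SIGNATURE;
    int idx = find_active_partition(mbr);
    if (idx < 0) return VBR_NO_ACTIVE_PARTITION;
    if (!has_boot_signature(vbr)) return VBR_BAD_VBR_SIGNATURE;
    if (memcmp(vbr + VBR_OEM_ID, "NTFS    ", 8) != 0) return VBR_NOT_NTFS;
    uint32_t lba    = rd_le32(mbr + MBR_PART_TABLE + 16 * idx + PART_LBA_OFF);
    uint32_t hidden = rd_le32(vbr + VBR_HIDDEN_SECTORS);
    if (expected) *expected = lba;
    if (actual)   *actual   = hidden;
    return lba == hidden ? VBR_OK : VBR_HIDDEN_SECTORS_MISMATCH;
}

/* Constructed disk: one active NTFS partition of 0x3FFF000 sectors at LBA 2048.
 * hidden_sectors is what the VBR claims; 2048 is the clean value. */
void build_sample(uint8_t *mbr, uint8_t *vbr, uint32_t hidden_sectors)
{
    memset(mbr, 0, SECTOR_SIZE);
    memset(vbr, 0, SECTOR_SIZE);
    uint8_t *e = mbr + MBR_PART_TABLE;
    e[0] = PART_ACTIVE;
    e[4] = 0x07;                                   /* partition type: NTFS/IFS */
    wr_le32(e + PART_LBA_OFF, 2048);
    wr_le32(e + 12, 0x3FFF000);                    /* sector count */
    mbr[0x1FE] = 0x55; mbr[0x1FF] = 0xAA;
    vbr[0] = 0xEB; vbr[1] = 0x52; vbr[2] = 0x90;   /* jmp short to 0x54; nop */
    memcpy(vbr + VBR_OEM_ID, "NTFS    ", 8);
    vbr[VBR_BPB] = 0x00; vbr[VBR_BPB + 1] = 0x02;  /* BytesPerSector = 512 */
    vbr[VBR_BPB + 2] = 8;                          /* SecPerCluster */
    wr_le32(vbr + VBR_HIDDEN_SECTORS, hidden_sectors);
    vbr[0x1FE] = 0x55; vbr[0x1FF] = 0xAA;
}

/* Build the sample disk with the given HiddenSectors value and check it. */
vbr_verdict run_case(uint32_t hidden_sectors, uint32_t *expected, uint32_t *actual)
{
    uint8_t mbr[SECTOR_SIZE], vbr[SECTOR_SIZE];
    build_sample(mbr, vbr, hidden_sectors);
    return check_hidden_sectors(mbr, vbr, expected, actual);
}

int main(void)
{
    /* 0x3FFF800 = 2048 + 0x3FFF000: the first sector past the NTFS volume,
     * where the diagram above places the bootkit body. */
    uint32_t cases[] = { 2048, 0x3FFF800 };
    for (size_t i = 0; i < 2; i++) {
        uint32_t exp = 0, act = 0;
        vbr_verdict v = run_case(cases[i], &exp, &act);
        printf("HiddenSectors=0x%08X partition LBA=0x%08X -> %s\n", act, exp,
               v == VBR_OK ? "consistent" : "MISMATCH (VBR patched?)");
    }
    return 0;
}
```

The same comparison works for a Rovnix-style infection only indirectly (Rovnix leaves the BPB alone), so a VBR check should be paired with a hash of the 15 IPL sectors against a known-good copy.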
Modern Bootkits Comparison

Functionality                 Olmarik (TDL4)   Rovnix (Cidox)       Gapz                          Goblin (XPAJ)   Olmasco (MaxSS)
MBR modification              yes              no                   no                            yes             yes
VBR modification              no               yes                  yes                           no              no
Hidden file system            custom           FAT16 modification   custom                        FAT32 type      custom (TDL4 based)
Crypto implementation         XOR/RC4          custom (XOR+ROL)     AES-256, RC4, MD5, SHA1, ECC  no              RC6 modification
Compression algorithm         no               aPlib                aPlib                         no              no
Custom TCP/IP network stack   no               no                   yes                           no              no
HiddenFsReader as a Forensic Tool (MBR/VBR)
Bootkits: past, present & future
In The Beginning…
In 1998-99 the CIH (Chernobyl) virus, written by a student of the Taipei Tatung Institute of Technology in Taiwan, infected ~60 million PCs. CIH erased the BIOS ROM boot block and the boot sectors on the hard drive, causing ~1B US dollars in damage.
Signed BIOS Updates Are Rare
• Mebromi malware includes BIOS infector & MBR bootkit components
• Patches the BIOS ROM binary, injecting a malicious ISA Option ROM with a legitimate BIOS image modification utility
• Triggers SW SMI 0x29/0x2F to erase the SPI flash, then writes the patched BIOS binary

No Signature Checks of OS Boot Loaders (MBR/VBR)
• No concept of Secure or Verified Boot
• Wonder why TDL4 and the like flourished?
UEFI BIOS Firmware: boot phases

CPU Reset
SEC (Security):            S-CRTM; init caches/MTRRs; Cache-as-RAM (NEM); recovery; TPM init
PEI (Pre-EFI Init):        early CPU/PCH init; memory (DIMMs, DRAM) init, SMM init; S-CRTM: measure DXE/BDS
DXE (Driver Exec Env):     continue initialization of platform & devices; enumerate FVs, dispatch drivers (network, I/O, service..); produce Boot and Runtime Services; ACPI, UEFI SystemTable, SMBIOS table
BDS (Boot Dev Select):     Boot Manager (select boot device); EFI Shell/Apps; OS boot loader(s)
Runtime / OS:              ExitBootServices; minimal UEFI services (Variable)
UEFI Bootkits

UEFI boot stack (bottom to top); malware can be introduced at each layer:
• Hardware: I/O, Memory, Network, Graphics, HDD
• System Firmware (SEC/PEI)
• UEFI DXE Core / Dispatcher
• DXE drivers and UEFI Option ROMs (OROM)
• UEFI boot loader: bootx64.efi, bootmgfw.efi
• UEFI OS loaders
• OS kernel / drivers
UEFI Bootkits
Replacing the Windows Boot Manager
  EFI System Partition (ESP) on the fixed drive: ESP:\EFI\Microsoft\Boot\bootmgfw.efi
  "UEFI technology: say hello to the Windows 8 bootkit!" by ITSEC
Replacing the fallback boot loader
  ESP:\EFI\Boot\bootx64.efi
  "UEFI and Dreamboot" by Sébastien Kaczmarek, QUARKSLAB
Adding a new boot loader (bootkit.efi)
  Modified BootOrder / Boot#### EFI variables
UEFI Bootkits
Adding/replacing a DXE driver
  Stored on the fixed drive, not embedded in a Firmware Volume (FV) in ROM
  Modified DriverOrder + Driver#### EFI variables
UEFI Bootkits
Patching a UEFI "Option ROM"
  UEFI DXE driver in an add-on card (network, storage..), not embedded in an FV in ROM
  "Mac EFI Rootkits" by @snare, Black Hat USA 2012
UEFI Bootkits
Replacing OS loaders (winload.efi, winresume.efi)
Patching the GUID Partition Table (GPT)
What about Secure Boot?
Secure Boot on MS Windows 8.1

Each stage verifies the next one (bottom to top):
• Hardware: I/O, Memory, Network, Graphics
• System Firmware (SEC/PEI), modified only through a signed BIOS update
• UEFI DXE Core / Dispatcher
• UEFI Secure Boot verifies: DXE drivers, UEFI OROMs, UEFI apps, and the UEFI boot loader (bootx64.efi, bootmgfw.efi)
• Windows 8.1 Secure Boot verifies: UEFI OS loaders (winload.efi, winresume.efi)
• OS Kernel / Early Launch Anti-Malware (ELAM) verifies: OS drivers
Secure Boot bypass possible?

The only intended write path into the firmware in ROM is a signed BIOS update. An OS exploit or a malicious OS driver that reaches the OS kernel and can modify the Secure Boot firmware or its configuration in ROM undermines the verification that the DXE drivers, the UEFI boot loader (bootx64.efi, bootmgfw.efi) and the UEFI OS loaders depend on.
First Public Windows 8 Secure Boot Bypass (Aug 2013) 
A Tale Of One Software Bypass Of Windows 8 Secure Boot
BIOS Attack Surface

System FW/BIOS is reached through: SPI Flash Protection, BIOS Update, SMRAM Protection, Hardware Config., SMI Handlers, BIOS Settings (NVRAM, Variables), Secure Boot, …

Summary of Attacks Against BIOS and Secure Boot
Figure from "Analytics, and Scalability, and UEFI Exploitation" by Teddy Reed: a patch that attempts to enable BIOS write protection (sets BIOS_CONTROL[BLE]), picked up by Subzero.
CHIPSEC: Platform Security Assessment Framework
https://github.com/chipsec/chipsec
@CHIPSEC
chipsec_main.py runs modules (see modules dir below)
chipsec_util.py runs manual utilities (see utilcmd dir below)

/chipsec
  /cfg      platform specific configuration
  /hal      all the HW stuff you can interact with
  /helper   support for OS/environments
  /modules  modules (tests/tools/PoCs) go here
  /utilcmd  utility commands for chipsec_util
Known Threats and CHIPSEC modules

Issue                                      CHIPSEC module                References
SMRAM Locking                              common.smm                    CanSecWest 2006
BIOS Keyboard Buffer Sanitization          common.bios_kbrd_buffer       DEFCON 16 2008
SMRR Configuration                         common.smrr                   ITL 2009, CanSecWest 2009
BIOS Protection                            common.bios_wp                BlackHat USA 2009, CanSecWest 2013, Black Hat 2013, NoSuchCon 2013, Flashrom
SPI Controller Locking                     common.spi_lock               Flashrom, Copernicus
BIOS Interface Locking                     common.bios_ts                PoC 2007
Access Control for Secure Boot Keys        common.secureboot.keys        UEFI 2.4 Spec
Access Control for Secure Boot Variables   common.secureboot.variables   UEFI 2.4 Spec
BIOS/Firmware Forensics

Live system firmware analysis:
  chipsec_util spi info
  chipsec_util spi dump rom.bin
  chipsec_util spi read 0x700000 0x100000 bios.bin
  chipsec_util uefi var-list
  chipsec_util uefi var-read db D719B2CB-3D3A-4596-A3BC-DAD00E67656F db.bin

Offline system firmware analysis:
  chipsec_util uefi keys PK.bin
  chipsec_util uefi nvram vss bios.bin
  chipsec_util uefi decode rom.bin
  chipsec_util decode rom.bin
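Once db.bin has been dumped with the var-read command above, the next step is to read it. The following added example in C (not code from the slides or from CHIPSEC) walks the EFI_SIGNATURE_LIST structures in such a dump, reports the signature type and entry count per list, rejects a truncated image, and implements the attribute rule behind the "Access Control for Secure Boot Variables" row of the table above: PK, KEK, db and dbx must be non-volatile, boot- and runtime-accessible, and accept only time-based authenticated writes. The db image in the code is constructed; its certificate entry is a 64-byte placeholder, not a real DER certificate.

```c
/* sigdb_walk.c - added example, not from the original slides or from CHIPSEC.
 * Walk the EFI_SIGNATURE_LIST entries in a dump of the Secure Boot "db"
 * variable (the db.bin written by chipsec_util uefi var-read above) and apply
 * the attribute rule behind "access control for Secure Boot variables".
 * The db image is constructed; its certificate is a placeholder, not DER. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_VARIABLE_* attribute bits (UEFI spec, SetVariable). */
#define EFI_VARIABLE_NON_VOLATILE                          0x01u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS                    0x02u
#define EFI_VARIABLE_RUNTIME_ACCESS                        0x04u
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x20u
#define SIGLIST_HDR 28u   /* SignatureType(16) ListSize(4) HeaderSize(4) SignatureSize(4) */
#define OWNER_GUID  16u   /* EFI_SIGNATURE_DATA begins with SignatureOwner */

/* Signature type GUIDs in their on-disk (mixed-endian) byte order. */
static const uint8_t EFI_CERT_X509_GUID[16] =
    {0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72};
static const uint8_t EFI_CERT_SHA256_GUID[16] =
    {0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28};

typedef struct { const char *type; uint32_t count; uint32_t data_size; } siglist_info;

static uint32_t rd_le32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr_le32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

static const char *sig_type_name(const uint8_t *guid)
{
    if (!memcmp(guid, EFI_CERT_X509_GUID, 16))   return "EFI_CERT_X509";
    if (!memcmp(guid, EFI_CERT_SHA256_GUID, 16)) return "EFI_CERT_SHA256";
    return "unknown";
}

/* Parse back-to-back EFI_SIGNATURE_LISTs. Returns the number of lists, or -1
 * if any size field is inconsistent with the buffer (truncated/corrupt dump). */
int walk_signature_lists(const uint8_t *buf, size_t len, siglist_info *out, int max)
{
    int n = 0;
    for (size_t pos = 0; pos < len; ) {
        if (len - pos < SIGLIST_HDR) return -1;
        uint32_t list_size = rd_le32(buf + pos + 16);
        uint32_t hdr_size  = rd_le32(buf + pos + 20);
        uint32_t sig_size  = rd_le32(buf + pos + 24);
        if (list_size < SIGLIST_HDR || list_size > len - pos) return -1;
        if (sig_size <= OWNER_GUID || hdr_size > list_size - SIGLIST_HDR) return -1;
        uint32_t body = list_size - SIGLIST_HDR - hdr_size;
        if (body % sig_size != 0) return -1;   /* signatures must fill the list exactly */
        if (n < max) {
            out[n].type = sig_type_name(buf + pos);
            out[n].count = body / sig_size;
            out[n].data_size = sig_size - OWNER_GUID;
        }
        n++;
        pos += list_size;
    }
    return n;
}

/* UEFI 2.3.1+ requires PK, KEK, db and dbx to be NV+BS+RT variables that only
 * accept time-based authenticated writes; anything else is writable from the OS. */
int secure_boot_var_attrs_ok(uint32_t attrs)
{
    const uint32_t need = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS |
                          EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
    return (attrs & need) == need;
}

/* Append one list holding `count` signatures of `data_size` bytes each. */
static size_t append_list(uint8_t *dst, const uint8_t *type, uint32_t count, uint32_t data_size, uint8_t fill)
{
    uint32_t sig_size = OWNER_GUID + data_size, list_size = SIGLIST_HDR + count * sig_size;
    memcpy(dst, type, 16);
    wr_le32(dst + 16, list_size);
    wr_le32(dst + 20, 0);                    /* no SignatureHeader */
    wr_le32(dst + 24, sig_size);
    memset(dst + SIGLIST_HDR, fill, (size_t)count * sig_size);
    return list_size;
}

/* Constructed db.bin: one X509 list (64-byte placeholder cert) + one SHA256 list (two hashes). */
size_t build_sample_db(uint8_t *dst)
{
    size_t n = append_list(dst, EFI_CERT_X509_GUID, 1, 64, 0xCC);
    return n + append_list(dst + n, EFI_CERT_SHA256_GUID, 2, 32, 0xAB);
}

/* Parse the sample minus `cut` trailing bytes; returns the number of lists,
 * or the entry count of list `which` when which >= 0 (and -1 on a bad image). */
int demo_sample(size_t cut, int which)
{
    uint8_t db[512]; siglist_info info[4];
    int n = walk_signature_lists(db, build_sample_db(db) - cut, info, 4);
    return (which < 0 || which >= n) ? n : (int)info[which].count;
}

int main(void)
{
    uint8_t db[512]; siglist_info info[4];
    int n = walk_signature_lists(db, build_sample_db(db), info, 4);
    for (int i = 0; i < n; i++)
        printf("list %d: %-16s %u entries, %u data bytes each\n", i, info[i].type, info[i].count, info[i].data_size);
    printf("attrs 0x27 ok=%d, attrs 0x07 ok=%d\n", secure_boot_var_attrs_ok(0x27), secure_boot_var_attrs_ok(0x07));
    return 0;
}
```

The attribute values come from `chipsec_util uefi var-list` rather than from db.bin itself, which holds only the variable data; feed them to secure_boot_var_attrs_ok for each of PK, KEK, db and dbx.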
How to dump BIOS firmware directly from the chip?
DEMO TIME
Thank you for your attention! 
Eugene Rodionov 
@vxradius 
Alexander Matrosov 
@matrosov 
David Harley 
@DavidHarleyBlog
