Simply Security - News, Views, and Opinions from Trend Micro

Stalking TDL4: All Access Pass to the Hard Drive

Posted on April 15th, 2011 in Current News, Cybercrime by TrendLabs

Recently my colleagues and I have been analyzing TDL4, a variant of the well-known malware family TDSS. TDSS is an advanced malware that evades detection by going back to where we stopped looking long ago: the boot sector. Back in the 16-bit DOS days, boot viruses spread from disk to disk, wreaking havoc on our computers, until 32-bit Windows came along and made those viruses obsolete. But the boot sector as a malware container is making a comeback, and bootkits such as TDSS are at the forefront.

Malware writers have figured out that the boot sector is a good way to circumvent detection: a lot of antivirus software no longer checks it as rigorously as it did in the past, and because boot code runs before Windows itself, it is also a good way to circumvent Microsoft's security settings.

So how does the malware do it?

After getting a handle to the disk through ZwOpenFile, it then uses ZwDeviceIoControlFile to access the disk directly. Because ZwDeviceIoControlFile takes a handle, it operates on the object itself (in this case, the disk) instead of having to look up its name.

.text:00401780 push 48h ; OutputBufferLength
.text:00401782 mov eax, edx
.text:00401784 shr eax, 8
.text:00401787 mov [ebp-2Dh], al
.text:0040178A lea eax, [ebp-50h]
.text:0040178D push eax ; OutputBuffer
.text:0040178E push 48h ; InputBufferLength
.text:00401790 push eax ; InputBuffer
.text:00401791 push IOCTL_SCSI_PASS_THROUGH_DIRECT ; IoControlCode
.text:00401796 lea eax, [ebp-8]
.text:00401799 push eax ; IoStatusBlock
.text:0040179A xor eax, eax
.text:0040179C push eax ; ApcContext
.text:0040179D push eax ; ApcRoutine
.text:0040179E push eax ; Event
.text:0040179F push FileHandle ; FileHandle
.text:004017A2 mov [ebp-50h], cx
.text:004017A6 mov byte ptr [ebp-4Ah], 0Ah
.text:004017AA mov byte ptr [ebp-49h], 12h
.text:004017AE mov dword ptr [ebp-40h], 1388h
.text:004017B5 mov [ebp-2Fh], bl
.text:004017B8 mov [ebp-2Ch], dl
.text:004017BB call ds:ZwDeviceIoControlFile

However, using ZwDeviceIoControlFile is not an easy task, as a lot of structures need to be set up before the disk can be accessed directly. Notice here that aside from pushing arguments onto the stack, the code is also filling in values of a structure that the operation needs, which explains the push statements interspersed with "mov [ebp-offset], register" statements.

This is because, in addition to the arguments, the function needs a structure that tells it what to do. For the IoControlCode IOCTL_SCSI_PASS_THROUGH_DIRECT, that structure is the following:

typedef struct _SCSI_PASS_THROUGH_DIRECT {
    USHORT Length;
    UCHAR  ScsiStatus;
    UCHAR  PathId;
    UCHAR  TargetId;
    UCHAR  Lun;
    UCHAR  CdbLength;
    UCHAR  SenseInfoLength;
    UCHAR  DataIn;
    ULONG  DataTransferLength;
    ULONG  TimeOutValue;
    PVOID  DataBuffer;
    ULONG  SenseInfoOffset;
    UCHAR  Cdb[16];
} SCSI_PASS_THROUGH_DIRECT, *PSCSI_PASS_THROUGH_DIRECT;

This structure is fed to the function as InputBuffer. As you might have observed, the structure has members for the data buffer and the data transfer length. But which location on the disk is the data going to, or coming from?

The last member of the structure is the command descriptor block (CDB), which describes how to access the disk. The SCSI (Small Computer System Interface) CDB used by this sample has this layout:

UCHAR Operation;
BYTE  Lun;
DWORD LBA;
BYTE  Reserved;
WORD  XferLen;
BYTE  CtrlByte;

Operation indicates what type of action to perform, LBA is the logical block address of the data on the hard disk, and XferLen is the length of data that will be transferred. Note that SCSI stores multi-byte fields big-endian, which is why the listing above writes the transfer length and the LBA into the CDB one byte at a time.
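As an added example (not code from the post or from the sample), here is how the two structures above fit together, written in C so it builds without the Windows headers: build_spt fills SCSI_PASS_THROUGH_DIRECT and a 10-byte CDB the same way the listing does, and decode_cdb10 does the reverse, which is what a driver-level monitor or a forensic script needs in order to recover the target LBA from a captured request. The struct redefinition, the helper names and the sample values (a one-sector write at LBA 00FA8532h) are assumptions; the DataIn constants are the SDK's SCSI_IOCTL_DATA_OUT/SCSI_IOCTL_DATA_IN and line up with the wrapper's mode values 0 (write) and 1 (read).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 32-bit layout of SCSI_PASS_THROUGH_DIRECT, redefined so this builds without
 * the Windows headers (the SDK declares Cdb as 16 bytes; the sample fills 10). */
typedef struct {
    uint16_t Length;
    uint8_t  ScsiStatus, PathId, TargetId, Lun, CdbLength, SenseInfoLength, DataIn;
    uint32_t DataTransferLength;   /* size of DataBuffer in BYTES */
    uint32_t TimeOutValue;         /* seconds */
    uint32_t DataBuffer;           /* PVOID on 32-bit Windows */
    uint32_t SenseInfoOffset;
    uint8_t  Cdb[16];
} SptDirect32;

enum { SCSI_READ10 = 0x28, SCSI_WRITE10 = 0x2A, SECTOR = 512 };
enum { SCSI_IOCTL_DATA_OUT = 0, SCSI_IOCTL_DATA_IN = 1 };

/* Fill the structure as the listing does: a 10-byte READ(10)/WRITE(10) CDB whose
 * LBA and transfer length are big-endian, and whose transfer length counts
 * logical BLOCKS, not bytes (hence the separate high/low byte stores). */
void build_spt(SptDirect32 *s, uint8_t op, uint32_t lba, uint16_t nblocks, uint32_t buf)
{
    memset(s, 0, sizeof *s);
    s->Length = (uint16_t)sizeof *s;       /* 0x2C on x86 */
    s->CdbLength = 10;                     /* 0Ah in the listing */
    s->SenseInfoLength = 0x12;             /* 12h in the listing */
    s->DataIn = (op == SCSI_WRITE10) ? SCSI_IOCTL_DATA_OUT : SCSI_IOCTL_DATA_IN;
    s->DataTransferLength = (uint32_t)nblocks * SECTOR;
    s->TimeOutValue = 5000;                /* 1388h in the listing */
    s->DataBuffer = buf;
    s->Cdb[0] = op;
    s->Cdb[2] = (uint8_t)(lba >> 24); s->Cdb[3] = (uint8_t)(lba >> 16);
    s->Cdb[4] = (uint8_t)(lba >> 8);  s->Cdb[5] = (uint8_t)lba;         /* bl in the listing */
    s->Cdb[7] = (uint8_t)(nblocks >> 8); s->Cdb[8] = (uint8_t)nblocks;  /* al / dl */
}

/* Decode a captured 10-byte CDB back to opcode, LBA and block count: what a
 * driver-level monitor or a forensic script needs to tell a read of LBA 0 (the
 * MBR) from a write near the end of the disk. Returns 0 for CDBs it does not handle. */
int decode_cdb10(const uint8_t *cdb, size_t len, uint8_t *op, uint32_t *lba, uint16_t *nblocks)
{
    if (len < 10 || (cdb[0] != SCSI_READ10 && cdb[0] != SCSI_WRITE10)) return 0;
    *op = cdb[0];
    *lba = (uint32_t)cdb[2] << 24 | (uint32_t)cdb[3] << 16 | (uint32_t)cdb[4] << 8 | cdb[5];
    *nblocks = (uint16_t)((cdb[7] << 8) | cdb[8]);
    return 1;
}
```

The decoded LBA of the backup write comes out as 16418098, the decimal value the WinHex step further down asks for.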

Here the malware writer tries to be efficient and creates a wrapper around the function so that it can be called from other parts of the program. An example call follows:

.text:00401C2F lea eax, [esp+94h+arg_2BC]
.text:00401C36 push eax ; ioBuffer
.text:00401C37 push 1 ; mode
.text:00401C39 push 28h ; SCSI_command
.text:00401C3B push edi ; filehandle
.text:00401C3C mov edx, 200h
.text:00401C41 call DirectDiskAccess
.text:00401C41 ; DWORD filehandle
.text:00401C41 ; DWORD SCSI Commands:
.text:00401C41 ; 25h = read capacity
.text:00401C41 ; 28h = read
.text:00401C41 ; 2Ah = write
.text:00401C41 ; DWORD mode
.text:00401C41 ; 0 = write to disk
.text:00401C41 ; 1 = read from disk
.text:00401C41 ; DWORD ioBuffer => input/output buffer
.text:00401C41 ; edx contains size
.text:00401C41 ; ebx contains LBA location to access

The previous listing is how the malware reads the boot sector. The value of ebx at this point in the program is zero, indicating LBA 0, which is the first sector of the disk. Also note the value of edx, 200h (512 bytes), which is the size of one sector. The SCSI command 28h then indicates a read operation.

The malware backs up the boot sector to its own mini filesystem, which is then written to the end of the disk.

.text:00401DF3 mov edx, [esp+0B4h+_cmd_dllBuffer]
.text:00401DF7 mov ebx, [esp+0B4h+var_A8]
.text:00401DFB push esi ; ioBuffer
.text:00401DFC mov eax, edx
.text:00401DFE push 0 ; mode
.text:00401E00 shr eax, 9
.text:00401E03 push 2Ah ; SCSI_command
.text:00401E05 push [esp+0C0h+var_A0] ; filehandle
.text:00401E09 sub ebx, eax
.text:00401E0B inc ebx
.text:00401E0C call DirectDiskAccess

In this instance ebx contains LBA 00FA8532h, which is near the end of the disk. The shr eax, 9 in the listing divides the size of the data to be written by 512 to get its length in sectors, and that count is subtracted from the value in var_A8 to arrive at the target LBA. We can see the changes on the disk by using the program WinHex. First, open a disk by pressing F9 and select your physical drive. Then, to see the TDSS filesystem:

  1. Press CTRL+G
  2. Enter the decimal equivalent of the LBA (16418098)
  3. Press Enter.

Now, for solutions. If your disk's master boot record has been modified, your Microsoft Windows installation media usually contains the tools that will help you restore it. Windows XP and Windows 2000 users may run the fixmbr command from the Recovery Console in order to restore a good MBR. You may refer to this link for more information.

Windows Vista and Windows 7 users may refer to this link: How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows.

Also, in this month's Patch Tuesday, Microsoft released a security patch that strengthens Windows against kernel-mode rootkits. This patch specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. More information can be found in the security bulletin for MS11-034.

I hope this bit of information has helped you in some way.

Post from: TrendLabs | Malware Blog – by Trend Micro
