Saturday, July 3, 2010

The Case of TDL3 Rootkit

Let us check out the new facilities of Hypersight Rootkit Detector using a sample of TDL3 rootkit. This epic rootkit was a nightmare for virus analysts recently.

Testing environment: Windows 2003 SP2 system, Intel Core 2 Duo E6700 processor. The initial conditions of the test: Hypersight RD 1.0.1233.5523 beta is installed, PC has been rebooted and “Start” button is pressed inside of the UI.

After starting the sample we can see that Hypersight has found covert code execution on the processor.

Covert code detected by Hypersight

We can observe several events. Each event is the execution of covert code on a single page (pages are 4096 bytes long in IA32/IA32e architecture). After pressing “Save All” button we can save the rootkit’s profile of execution to the compresed binary dump. Also we can press “View Dump” button and view each event dump in the separate window. Each dump contains couple of memory regions with the code and the stack, processor state and loaded kernel modules at the moment of event occurring. The format of event dumps is open. We will publish open source tool for decoding dumps soon.

Dump of code launched from TDL3 dropper

If you have reverse engineering skills, you can check out the stack for return address and see that the code has been launched from the newly loaded kernel module (3.tmp).
Another typical dump: a hook installed on IRP callback. In this case, one of registers in the dump usually points to driver object (DRIVER_OBJECT) MajorFunction callback of which has been hooked.
Dump of IRP hook installed by TDL3. ESI points to DRIVER_OBJECT structure

For sure, TDL3 is not the only rootkit which can be detected and analyzed. Hypersight Rootkit Detector provides generic detection of kernel mode rootkits. We'll keep you in touch with the information of all the other rootkits as soon as we have more details.

Detection of Rootkits: the Next Step

Everyone knows what a great challenge are modern rootkits. Millions of computers worldwide are infected with rootkit-based bots. Modern anti-virus and anti-rootkit solutions are useless to detect most of them. The common approach in recent years is the development of particular solutions detecting certain versions of some rootkit. Typically, these solutions do not work after the appearance of a new version of the rootkit.

Our company has conducted extensive research in the field of rootkit detection past 3 years. We concluded that the detection of rootkits is possible using virtualization technologies. The recent hardware virtualization technology Intel VT-x and AMD-V have facilitated this task.

We have designed Hypersight Rootkit Detector. It was the first Windows-based solution of this class. The first version of the program could intercept only a few actions, typical for rootkits: modification of control registers, modification of executable code, turning hardware virtualization on. It makes possible to detect many types of rootkits. Nevertheless, this was not enough. Detouring these interceptions was still possible from the rootkit side.

Now we are proposing a more generic criterion for detection of rootkits. For all rootkits, regardless of the technologies used (SSDT hooking, DKOM, DKOH, Shadow Walker, splicing), there is one common trait. They are executed on the processor. We have implemented the algorithm which performs basic checks on the code prior its execution. The technology was named Fast Code Test (FCT). The code executed at the privileged level, subjected to a number of basic checks. If checks fail, notification about undesirable activity is generated.

Currently, checks are quite simple. The code running outside of loaded drivers, kernel and HAL is considered as suspicious. This approach makes possible to detect the absolute majority of the currently known rootkits. Recent rootkits tend to run “covert” code in kernel non-paged pool in order to avoid detection by memory scanning. This is the activity detected by FCT.

Signature scanning and code whitelisting will be the further steps in the development of Fast Code Test.

Fast Code Test significantly complicates the task of writing "undetectable" rootkit. We plan to develop this technology in terms of productivity and efficiency. We hope it will help people to analyze new rootkits faster and more efficiently.