Comments on: Using Procmon for finding malware https://grey-panther.net/2009/04/using-procmon-for-finding-malware.html

By: Cd-MaN https://grey-panther.net/2009/04/using-procmon-for-finding-malware.html#comment-406 Wed, 29 Apr 2009 15:02:43 +0000

It is my pleasure to provide quality security information. The most probable reason for GMER not finding the “bootkit” is that it doesn’t try to hide. The one GMER has detection for tries to return the original MBR when you try to load it.

As for PGP (or other full-disk encryption products, like TrueCrypt) protecting you: unless they can use the TPM to validate the MBR before executing it, they are bypassed, since bootkits usually do it the following way:

1. save the old MBR somewhere
2. write themselves in the MBR
3. now, when the system is booted, they hook the disk access and then start running the old MBR
4. if this one was a full-disk encryption product, it will prompt the user for authentication and start decrypting the files

While it is true that current bootkits only look at the bytes effectively read from the disk, and thus encryption will thwart them, they are still in control and nothing stops them from accessing the decrypted files in memory and patching them. The only 100% sure way is to use the TPM to validate that the MBR hasn’t changed before executing it.

By: Claus Valca https://grey-panther.net/2009/04/using-procmon-for-finding-malware.html#comment-407 Wed, 29 Apr 2009 14:50:49 +0000

cdman83 – Thanks for the perspective and linkage.

I’ve done some quick looks and this is awesome stuff.

I’m going to be studying them for a while!

We do use PGP WDE on our systems at work, so the particulars of that process (PGP’s own proprietary boot sector code) should prevent any access to the encrypted main Windows boot sector/kernel via a boot-disk hack like this one seems to use.

I’ve tossed GMER and MBR.exe on a non-PGP WDE system I tested the Kon-Boot program on, and they don’t find that any mods to the MBR were done (to the degree that these latest versions can detect it, at least).

Thanks a million for taking the time to indulge me on this question.

Cheers!

–Claus V.

By: Cd-MaN https://grey-panther.net/2009/04/using-procmon-for-finding-malware.html#comment-408 Wed, 29 Apr 2009 06:23:53 +0000

PS. If you want something else scary, take a look at the FireWire attack: http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation

By: Cd-MaN https://grey-panther.net/2009/04/using-procmon-for-finding-malware.html#comment-409 Wed, 29 Apr 2009 06:21:42 +0000

I couldn’t find much detail on the site, but from the modus operandi and from the fact that it has “boot” in the name, I theorize that it is another “bootkit”.

There are a couple of these proof-of-concepts out there (for example Vbootkit – http://blogs.msdn.com/michael_howard/archive/2008/01/08/vbootkit-vs-bitlocker-in-tpm-mode.aspx) and even some malware which uses this technique (here is a good technical description of one of them: http://www2.gmer.net/mbr/), and they all work in a similar fashion: they write themselves to the MBR to get control of the machine before the OS does, and then “hook” the function which reads from the hard disk and lie to the OS (when it tries to load its file, the bootkit includes some of its code in the loaded file, so that when the OS executes its components, the malicious code also gets executed).

Currently the best defense against them is to use drive encryption software which can co-operate with the TPM chip (currently the only one I know of is the Vista BitLocker). Of course, you must take into account how this affects other IT procedures (like backups, re-imaging, data recovery, etc.).

Another low-level threat is that of “BIOS rootkits”, when the BIOS gets re-flashed with some malicious code. From what I know, these are only present in proof-of-concept forms and have not been actually used in malware, but it is something to consider. You can defend against them by setting the “write-protect” jumper on the motherboard. Unfortunately many of the newer systems don’t have this jumper :-(.

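The MBR-rewrite procedure laid out in the two Cd-MaN comments above (save the original MBR somewhere, write the bootkit into sector 0, hook disk reads, then chain to the saved MBR) leaves a fingerprint a defender can check for even without a TPM: the bootstrap bytes of sector 0 change while the partition table stays exactly as it was, because the bootkit needs the OS to keep booting. The Python below is an added example, not code from this blog, from GMER or from mbr.exe. It parses a 512-byte MBR, compares the bootstrap-code hash, disk signature and partition table against a baseline recorded on a known-clean system, and, as a heuristic of my own rather than any documented tool's method, scans the unpartitioned gap before the first partition for a stashed copy of the original MBR. Every sector, boot-code byte and disk layout in it is constructed demo data; on a real machine you would feed `check_mbr` the first 512 bytes read from the raw device (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux).

```python
# Added example: MBR baseline check for the bootkit pattern described in the
# comments. All boot code and disk layout below are constructed demo data.
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bootstrap code; bytes 440..445 are disk signature + 2 reserved bytes
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"   # last two bytes of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap-code hash, disk signature and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
    }


def check_mbr(current: bytes, baseline: dict) -> list:
    """Compare a freshly read sector 0 with a baseline recorded on a known-clean system."""
    # A bootkit keeps the partition table so the OS still boots; only the code hash catches it.
    now = parse_mbr(current)
    findings = []
    if now["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append(f"bootstrap code changed ({baseline['boot_code_sha256'][:12]} -> "
                        f"{now['boot_code_sha256'][:12]})")
    if now["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if now["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def find_stashed_mbr(image: bytes, first_lba: int, live_mbr: bytes) -> list:
    """Heuristic of my own (not GMER's or mbr.exe's method): step 1 of the bootkit procedure
    saves the old MBR somewhere, and the unpartitioned gap between sector 0 and the first
    partition is a convenient place. Report sectors there that end in 0x55AA and carry the
    same partition table as the live MBR but different bootstrap code."""
    live = parse_mbr(live_mbr)
    hits = []
    for lba in range(1, first_lba):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(sec) != SECTOR or sec[510:] != BOOT_SIG:
            continue
        cand = parse_mbr(sec)
        if (cand["partitions"] == live["partitions"]
                and cand["boot_code_sha256"] != live["boot_code_sha256"]):
            hits.append(lba)
    return hits


def build_mbr(boot_code: bytes, disk_sig: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR for the demo; the boot code is filler, not runnable x86."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + disk_sig + b"\x00\x00" + table + BOOT_SIG


# Constructed sample: one bootable NTFS-typed partition at LBA 63 (classic XP-era layout),
# which leaves sectors 1..62 unpartitioned.
FIRST_LBA = 63
LAYOUT = [(0x80, 0x07, FIRST_LBA, 1_000_000)]                 # (status, type, lba_start, sectors)
DISK_SIG = b"\xde\xad\xbe\xef"
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 40   # stand-in for vendor boot code
EVIL_CODE = b"\xeb\x00\xfa\x33\xc0" + b"\x90" * 32            # stand-in for bootkit code

clean_mbr = build_mbr(CLEAN_CODE, DISK_SIG, LAYOUT)
infected_mbr = build_mbr(EVIL_CODE, DISK_SIG, LAYOUT)
BASELINE = parse_mbr(clean_mbr)                    # what you would record on a clean install


def demo_infected_image() -> bytes:
    """Constructed 63-sector image: bootkit in sector 0, original MBR stashed at sector 62."""
    img = bytearray(FIRST_LBA * SECTOR)
    img[0:SECTOR] = infected_mbr
    img[62 * SECTOR:63 * SECTOR] = clean_mbr
    return bytes(img)


if __name__ == "__main__":
    print("clean   :", check_mbr(clean_mbr, BASELINE))        # []
    print("infected:", check_mbr(infected_mbr, BASELINE))     # one finding: bootstrap code changed
    print("stashed original at LBA:",
          find_stashed_mbr(demo_infected_image(), FIRST_LBA, infected_mbr))   # [62]
```

Two caveats follow directly from the comments. First, a bootkit that hooks disk reads can hand a running OS the original sector 0 when it is asked for it (the behaviour GMER has detection for, per the first comment), so a check like this is only trustworthy when run from clean boot media against the physical disk, never from inside the possibly infected system. Second, it verifies the MBR alone, not the rest of the boot chain, which is exactly the gap that TPM-backed measurement is meant to close.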
By: Claus V. https://grey-panther.net/2009/04/using-procmon-for-finding-malware.html#comment-411 Wed, 29 Apr 2009 05:11:52 +0000

cdman83

Off topic question:

Have you seen this yet?

Kon-Boot

Kon-Boot “root a box” on the fly .. it’s a kind of magic ! – Security Database Tools Watch

http://www.security-database.com/toolswatch/Kon-Boot-root-a-box-on-the-fly-it.html

I learned about it from a tipster earlier this week and tested it on a lab-box. Worked to bypass the Windows profile without any issues.

I’m not sure what is going on and if it is a Windows vulnerability or what.

Useful as a sysadmin but disconcerting from a security standpoint.

Would welcome your perspective if you have a chance.

Cheers,

–Claus V.
