Can Code signing stop Kernel Mode Rootkit?


19 replies to this topic

#1 cunikcz

cunikcz

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 25 April 2018 - 12:47 PM

Hi,

 

I have a question about code signing. The question is: can code signing stop kernel mode rootkits from patching the kernel and hooking?

 

Thank you




#2 midimusicman79

midimusicman79

  • Members
  • 677 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:10:43 AM

Posted 26 April 2018 - 11:10 AM

Hi, cunikcz!

The newest integrated security mechanisms on modern Windows 10 x64, such as Kernel Mode Code Signing (KMCS) and Kernel Patch Protection (KPP), also known as PatchGuard, are unable to prevent malicious activity.
 
Please read more here: https://arxiv.org/ftp/arxiv/papers/1705/1705.06784.pdf

Regards,
midimusicman79

Edited by midimusicman79, 27 April 2018 - 07:02 AM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#3 cunikcz

cunikcz
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 27 April 2018 - 10:16 AM

OK, thanks for your reply. I read about the Alureon bootkit. It infects the MBR and loads a driver into the kernel. Most rootkits I have read about infect the MBR to load their driver into the kernel. Is it the only tactic to infect the kernel? I heard PatchGuard (KPP) is not very sensitive to kernel modification.



#4 midimusicman79

midimusicman79

  • Members
  • 677 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:10:43 AM

Posted 27 April 2018 - 11:37 AM

Hi again, cunikcz!

A rootkit can infect the Kernel via the Master Boot Record (MBR) and the Volume Boot Record (VBR).

I think this article should answer any/all your questions about rootkits and bootkits, so please read more here: https://heimdalsecurity.com/blog/rootkit/

Regards,
midimusicman79



#5 cunikcz

cunikcz
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 27 April 2018 - 05:52 PM

A rootkit can infect the Kernel via the Master Boot Record (MBR) and the Volume Boot Record (VBR).

Yes, only on MBR. GPT and UEFI have Secure Boot and other security functions. Is this the only way to patch the kernel and hook it? Otherwise, thanks for the link.

Edited by cunikcz, 28 April 2018 - 04:08 AM.


#6 midimusicman79

midimusicman79

  • Members
  • 677 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:10:43 AM

Posted 28 April 2018 - 07:00 AM

Hi again, cunikcz!
 
Which version of Windows do you have?
 
Sorry, I did not initially realize that the first article I posted was rather outdated, since it is dated May 2017. Gradually, Windows 8/10 Defender Antivirus has been improved to include enhanced protection against rootkits and bootkits, but it also requires new hardware to work properly.
 
Please read quietman7's details on Windows 8/10 Defender Antivirus, here: Choosing an Anti-Virus Program.
 
However, if you follow quietman7's Best Practices of Safe Computing, you are unlikely to be infected with rootkits and bootkits. :thumbup2:
 
And, as the saying goes: An ounce of prevention is better than a pound of cure.

Good luck! :)

Regards,
midimusicman79

Edited by midimusicman79, 28 April 2018 - 11:30 AM.



#7 cunikcz

cunikcz
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 28 April 2018 - 12:21 PM

I do not believe antivirus will protect me from rootkits. Prevention is better than cure, because sometimes you need to use ComboFix, and ComboFix does not work on Windows 10. And I heard that code signing is a big obstacle for kernel mode rootkits. When I use GPT and UEFI, am I immune against kernel mode rootkits? I use anti-rootkit software (TDSSKiller, MBAR, NPE), but prevention is better than cure :). I have Windows 10.

Edited by cunikcz, 29 April 2018 - 01:00 AM.


#8 midimusicman79

midimusicman79

  • Members
  • 677 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:10:43 AM

Posted 29 April 2018 - 09:34 AM

Hi again, cunikcz!
 
Yes, it is true that Antivirus mostly operates at Ring 3 (Applications), has some access to Ring 2 (Device Drivers) and does not have full access to Ring 1 (Device Drivers), but does not operate at Ring 0 (Kernel).
 
However, as for using ComboFix for general rootkit removal, quietman7 has a dedicated and dissuading article, here: ComboFix usage, Questions, Help? - Look here.
 
If using GPT and UEFI, you are not likely to get infected with MBR and VBR rootkits and bootkits, but there are also GPT and UEFI rootkits and bootkits, although only as a few Proof Of Concept (POC) viruses, meaning that this latter category is neither very common nor much exploited.
 
This is a quote from quietman7:
 

Bios/UEFI (firmware) viruses exist but are very rare.

 
And again, if you follow at least the numbered recommendations (1-10) in quietman7's Best Practices of Safe Computing, you are preventing rootkits and bootkits. :thumbup2:
 
Of course, you are free to run Anti-Rootkit tools on your own to generally detect rootkits/bootkits and remove them, but these tools do not prevent rootkits and bootkits.
 
Regards,
midimusicman79

Edited by midimusicman79, 30 April 2018 - 06:44 AM.



#9 cunikcz

cunikcz
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 30 April 2018 - 03:21 PM

Yes, ComboFix is an advanced tool for advanced users. I do not use ComboFix because I have Windows 10 and I'm not an advanced user.
 
Can you please link me to one GPT bootkit? Typically users do not meet Proof Of Concept malware.
 
Is there another way to bypass code signing?

And if a rootkit does SSDT, IRP, inline and kernel filter hooking, must it have a driver loaded in the kernel?

And when the file is changed, does it lose the digital certificate? Is it OK when the certificate expires?


Edited by cunikcz, 01 May 2018 - 05:32 AM.


#10 midimusicman79

midimusicman79

  • Members
  • 677 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:10:43 AM

Posted 01 May 2018 - 09:30 AM

Hi again, cunikcz!
 
Yes, I know you and I do not use ComboFix, as you and I have Windows 10 and ComboFix does not work on this OS, but there are also other users reading this thread who may have previous versions of Windows.
 
So I felt it was necessary to post the link to warn about ComboFix since it is not a usual anti-rootkit tool, but instead a powerful diagnostic anti-malware tool only for helpees' use under the supervision of the Bleeping Computer Malware Response Team in the MRL Forum, and also because we are not in the AV/AM/PS Forum in this thread, in which the ComboFix pinned topic is located.
 
I cannot link you to any GPT bootkit, because neither do I know of any such nor would it be allowed within the Forum Rules, and besides, the only way for GPT bootkits to exist, is if cybercriminals steal and/or sell digital certificates, as explained in these articles:
 
https://arstechnica.com/information-technology/2016/03/to-bypass-code-signing-checks-malware-gang-steals-lots-of-certificates/
 
https://www.zdnet.com/article/hackers-are-selling-legitimate-code-signing-certificates-to-evade-malware-detection/
 
And, as for Rootkit hooking and digital certificates, you are probably right, and there are some articles on the Internet pertaining to this, but I cannot post these either, as someone (even cybercriminals) could read this thread and use it for nefarious purposes.
 
Regards,
midimusicman79

Edited by midimusicman79, 01 May 2018 - 11:12 AM.

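As an added example that is not code from the thread or from any tool mentioned in it, the two questions asked in post #9 about a modified file "losing" its certificate and about certificate expiry can be answered on any Windows 10 machine with built-in cmdlets. Get-AuthenticodeSignature verifies the embedded signature; the Authenticode hash covers the whole file except the PE checksum field and the certificate table, so changing any other byte turns Status from Valid to HashMismatch (a file that is only catalog-signed no longer matches any catalog entry after modification and reports NotSigned instead). For expiry, the relevant field is the timestamp countersignature (TimeStamperCertificate): a timestamped signature stays valid after the signing certificate's NotAfter date. The script uses ntoskrnl.exe as its sample input, which carries an embedded signature because it is verified at boot before catalogs are available, and it only ever modifies a copy in %TEMP%. The byte offset 0x1000 is this example's own choice; it lands in the first section for ordinary PE layouts.

```powershell
# Added example (not from the thread): what a modification does to an
# Authenticode signature, using only built-in cmdlets.

function Get-SignatureReport {
    param([Parameter(Mandatory)][string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = Split-Path -Leaf $Path
        Status      = $sig.Status                     # Valid, HashMismatch, NotSigned, ...
        Signer      = $sig.SignerCertificate.Subject
        NotAfter    = $sig.SignerCertificate.NotAfter # certificate expiry date
        TimeStamped = $null -ne $sig.TimeStamperCertificate  # what keeps it valid past NotAfter
    }
}

function Test-TamperDetection {
    param([Parameter(Mandatory)][string] $SignedFile)

    # Work on a copy; never patch files under %SystemRoot%.
    $copy = Join-Path $env:TEMP ([IO.Path]::GetFileName($SignedFile))
    Copy-Item -Path $SignedFile -Destination $copy -Force
    $before = Get-SignatureReport -Path $copy

    # Flip one byte inside the image (offset 0x1000 is this example's assumption;
    # it lies in the first section for normal PE layouts). The Authenticode hash
    # covers every byte except the checksum field and the certificate table,
    # so a single changed byte anywhere else invalidates the signature.
    $bytes = [IO.File]::ReadAllBytes($copy)
    $bytes[0x1000] = $bytes[0x1000] -bxor 0xFF
    [IO.File]::WriteAllBytes($copy, $bytes)
    $after = Get-SignatureReport -Path $copy

    Remove-Item -Path $copy -Force
    [pscustomobject]@{
        File   = $before.File
        Before = $before.Status
        After  = $after.Status
    }
}

# Sample input: the kernel image, which is embedded-signed.
$kernel = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
Get-SignatureReport -Path $kernel | Format-List
Test-TamperDetection -SignedFile $kernel
```

The same two functions work on any driver in System32\drivers; running Get-SignatureReport over that directory and filtering on Status other than Valid is a quick way to see which drivers are embedded-signed versus catalog-signed.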


#11 cunikcz

cunikcz
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 02 May 2018 - 12:45 PM

I heard from people that ComboFix had destroyed their system. Yes, it is not typically an anti-rootkit, but it detects rootkits very well.

 

 

  the only way for GPT bootkits to exist, is if cybercriminals steal and/or sell digital certificates

 

Can a GPT bootkit not write itself to the GPT without a digital certificate?


Edited by cunikcz, 02 May 2018 - 02:38 PM.


#12 midimusicman79

midimusicman79

  • Members
  • 677 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:10:43 AM

Posted 03 May 2018 - 09:21 AM

Hi again, cunikcz!
 
Yes, that is correct, as a GPT bootkit needs a digital certificate in order to infect the GPT, and like you said in Post #7; "And I heard about signing the code is a big obstacle for Kernel Mode Rootkits." This also goes for bootkits.
 
But I am at a loss as to why you keep referring to ComboFix as an Anti-Rootkit when it actually has a much bigger search scope for malware than a usual one, and as such, it is not intended for general rootkit detection and removal, but only for heavily malware-infected computers.
 
Additionally, there are so many other usual Anti-Rootkits available, both for download from the Bleeping Computer Downloads Section as well as downloads from the Internet in general (a Google search for "Anti-Rootkit" is enough to find most, if not all of them).
 
Moreover, as it has been repeated, ComboFix does not work on Windows 10, and like I said in Post #8; "Of course, you are free to run Anti-Rootkit tools on your own to generally detect rootkits/bootkits and remove them, but these tools do not prevent rootkits and bootkits."
 
However, be warned that some Anti-Rootkit tools generally might crash and/or cause BSODs for whatever reason, which BTW might vary between different bigger version updates/upgrades of Windows 10, and some of the Anti-Rootkit tools are even only available in BETA, at least that is my personal experience, and I have tried pretty much all of them. :exclame:
 
Regards,
midimusicman79

Edited by midimusicman79, 04 May 2018 - 06:44 AM.



#13 cunikcz

cunikcz
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 05 May 2018 - 04:56 AM

And isn't a computer infected by a rootkit heavily infected? I know ComboFix is an advanced anti-malware utility, not an anti-rootkit, but it detects rootkits very well.

And if I have Secure Boot off, does GPT still need signed drivers? Does MBR have this function too?

And I read about test-signing mode. User mode rootkits can turn it off and load their driver into the kernel. Is it true?

I use anti-rootkit software: MBAR, TDSSKiller and NPE.

Edited by cunikcz, 05 May 2018 - 06:50 AM.


#14 midimusicman79

midimusicman79

  • Members
  • 677 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:10:43 AM

Posted 05 May 2018 - 09:10 AM

Hi again, cunikcz!
 
If a computer is infected with a rootkit, then it is seriously infected in terms of the rootkit being difficult to remove as it is equipped with self-protection, hence needing Anti-Rootkit tools to be removed, and there are many fewer such tools than Anti-Virus and Anti-Malware tools.
 
However, it is not heavily infected in terms of there being lots of different types of malware that probably would be easier to remove with Anti-Virus and Anti-Malware tools, and there are many more such tools than Anti-Rootkit tools.
 
If you have Secure Boot off, then you break the complete functionality of the UEFI boot, and as such, it would be easier for GPT bootkits to infect the computer, although they still need signed drivers for this purpose.
 
The protective MBR area on a GPT partition table exists for backward compatibility with disk management utilities that operate on MBR, so that if the computer is booted in BIOS mode, then the GPT is not automatically overwritten, however, you should only boot in UEFI mode.
 
Please read more on this Windows and GPT FAQ (Frequently Asked Questions) here: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-and-gpt-faq/
 
Yes, it is true that User Mode Rootkits can turn the testsigning mode off and load their driver to the Kernel, but that only goes for MBR and VBR rootkits and bootkits, not GPT rootkits and bootkits.
 
You have already mentioned which Anti-Rootkit software you use, and like I have already mentioned, you are fully aware that these tools only detect and remove rootkits and bootkits, but do not prevent them.
 
Regards,
midimusicman79

Edited by midimusicman79, 05 May 2018 - 11:10 AM.



#15 cunikcz

cunikcz
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 07 May 2018 - 01:28 AM

Yes, I use MBAM and KVRT. Otherwise rootkits can hide other malware: trojans, miners, keyloggers and much more.

I saw how simply code signing can be disabled with bcdedit in Windows 10. Can a user mode rootkit disable this and load its driver into the kernel?

Can rootkits infect the kernel via ntoskrnl.exe, or inject themselves into this file? I read that ntoskrnl.exe is the kernel image.

Edited by cunikcz, 07 May 2018 - 07:23 AM.
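As an added example that is not code from the thread or from any of the tools mentioned in it, the following PowerShell audit reads the settings discussed in the last few posts that decide whether an unsigned or test-signed driver can reach the kernel on Windows 10: the testsigning and nointegritychecks options of the active boot entry (the bcdedit switches mentioned above), the firmware type, the Secure Boot state, the partition style of the system disk, and whether Hypervisor-enforced Code Integrity (HVCI) is running. Run it from an elevated prompt; bcdedit and Confirm-SecureBootUEFI need administrator rights. The finding texts are this example's own wording. One check worth knowing when reading the result: with Secure Boot on, bcdedit refuses to set testsigning or nointegritychecks ("The value is protected by Secure Boot policy"), so the Secure Boot line decides how much the bcdedit lines matter.

```powershell
# Added example (not from the thread): audit the Windows 10 settings that
# control whether unsigned or test-signed kernel drivers can be loaded.
# Run from an elevated PowerShell prompt.

function Get-BootIntegrityPosture {
    # The active boot entry; the two options a rootkit installer would flip
    # are 'testsigning' and 'nointegritychecks'.
    $bcd = bcdedit /enum '{current}' 2>$null | Out-String
    $testSigning      = $bcd -match 'testsigning\s+Yes'
    $noIntegrityCheck = $bcd -match 'nointegritychecks\s+Yes'

    # Firmware type as seen by the running OS: 'UEFI' or 'Legacy' (BIOS/MBR boot).
    $firmware = $env:firmware_type

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "off".
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    # Partition style of the disk holding the system drive; UEFI boot needs GPT.
    $sysDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
    $partitionStyle = $sysDisk.PartitionStyle

    # Device Guard status; value 2 in SecurityServicesRunning means HVCI is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $hvciRunning = $dg.SecurityServicesRunning -contains 2

    [pscustomobject]@{
        FirmwareType       = $firmware
        SecureBootEnabled  = $secureBoot
        SystemDiskStyle    = $partitionStyle
        TestSigningEnabled = $testSigning
        IntegrityChecksOff = $noIntegrityCheck
        HvciRunning        = $hvciRunning
    }
}

function Test-BootIntegrityPosture {
    param([Parameter(Mandatory)] $Posture)
    # Finding texts are this example's own wording.
    $findings = @()
    if ($Posture.FirmwareType -ne 'UEFI') {
        $findings += 'Legacy BIOS boot: MBR/VBR bootkits are reachable and Secure Boot is unavailable.'
    }
    if (-not $Posture.SecureBootEnabled) {
        $findings += 'Secure Boot is off: the boot manager and loader are not verified by firmware, and bcdedit changes to signing enforcement are not blocked.'
    }
    if ($Posture.TestSigningEnabled) {
        $findings += 'testsigning is on: drivers signed with any test certificate will load.'
    }
    if ($Posture.IntegrityChecksOff) {
        $findings += 'nointegritychecks is on: driver signatures are not enforced.'
    }
    if (-not $Posture.HvciRunning) {
        $findings += 'HVCI is not running: kernel code integrity is enforced only by the kernel itself.'
    }
    return $findings
}

$posture  = Get-BootIntegrityPosture
$posture | Format-List
$findings = Test-BootIntegrityPosture -Posture $posture
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'No weakening of kernel code-signing enforcement found.'
}
```

On a default UEFI install of Windows 10 the expected report is FirmwareType UEFI, SecureBootEnabled True, SystemDiskStyle GPT, both bcdedit options False; HvciRunning depends on hardware and on whether Memory integrity has been switched on in Windows Security.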




