Friday, 14 March 2014

Uroburos Malware Defeats Microsoft's PatchGuard

Introduced years ago for 64-bit editions of Windows XP and Windows Server 2003, Microsoft's Kernel Patch Protection, or PatchGuard, is designed to prevent malware attacks that work by modifying essential parts of the Windows kernel. If a rootkit or other malicious program manages to tweak the kernel, PatchGuard deliberately crashes the system. This same feature made life tough for antivirus vendors, as many of them relied on benignly patching the kernel to improve security; they've since adapted. However, a new report from G Data states that a threat called Uroburos can bypass PatchGuard.
Hooking Windows
Rootkits hide their activities by hooking various Windows internal functions. When a program calls on Windows to report the files present in a folder, or the values stored in a Registry key, the request goes first to the rootkit. It in turn calls the actual Windows function, but strips out all references to its own components before passing along the information.
G Data's latest blog post explains how Uroburos gets around PatchGuard. When PatchGuard detects this kind of kernel hooking (or several other suspect activities), it deliberately crashes Windows through a function with the bulky name KeBugCheckEx. So, naturally, Uroburos hooks KeBugCheckEx to hide its other activities.
A very detailed explanation of this process is available on the codeproject website. However, it's definitely an experts-only publication. The introduction states, "This is no tutorial and beginners should not read it."
The fun doesn't stop with subverting KeBugCheckEx. Uroburos still needs to get its driver loaded, and the Driver Signing Policy in 64-bit Windows forbids loading any driver that's not digitally signed by a trusted publisher. The creators of Uroburos used a known vulnerability in a legitimate driver to turn off this policy.
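Because the Driver Signing Policy is the control that Uroburos had to switch off, a defender's first check is whether that policy is still enforced on a given host and whether every loaded driver carries a valid signature. The script below is an added example written for this post; it is not code from the article, from G Data or from BAE Systems. It assumes an elevated PowerShell session on a 64-bit Windows host and uses only built-in tooling (bcdedit, the Win32_SystemDriver CIM class and Get-AuthenticodeSignature); no paths or names from the article are involved.

```powershell
# Added example (not from the article): read-only audit of the Driver Signing
# Policy state and of the signatures on currently running kernel drivers.
# Assumes an elevated PowerShell session on 64-bit Windows.

# 1. Boot-configuration flags that weaken kernel-mode code signing.
#    'nointegritychecks Yes' or 'testsigning Yes' means unsigned drivers may load.
$bcd = bcdedit /enum "{current}" 2>$null
$weakFlags = $bcd | Where-Object { $_ -match '^\s*(nointegritychecks|testsigning)\s+Yes' }
if ($weakFlags) {
    Write-Warning "Code-signing enforcement is weakened: $($weakFlags -join '; ')"
} else {
    Write-Output "Boot configuration: code-signing enforcement appears intact."
}

# 2. Signature status of every driver that is currently running.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
           Where-Object { $_.State -eq 'Running' -and $_.PathName }

$results = foreach ($d in $drivers) {
    # Normalise the kernel-style path (\??\C:\... or \SystemRoot\...) to a Win32 path.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status                     # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer = $sig.SignerCertificate.Subject
    }
}

# A running driver whose signature is missing or broken is exactly what the
# policy exists to prevent, so anything that is not 'Valid' goes on the triage list.
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

Treat the output as a triage list rather than proof of compromise: on older systems some Microsoft drivers are signed only through a catalog file and may show as NotSigned, and a rootkit that already hooks the kernel can in principle lie to user-mode tooling, which is why the boot-configuration flags and the signature results are best compared against a known-good baseline taken from offline media.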
Cyber-Espionage
In an earlier post G Data researchers described Uroburos as "highly complex espionage software with Russian roots." It effectively establishes an espionage outpost on the victim PC, creating a virtual file system to securely and secretly hold its tools and stolen data.
The report states, "we estimate that it was designed to target government institutions, research institutions or companies dealing with sensitive information as well as similar high-profile targets," and links it to a 2008 attack called Agent.BTZ that infiltrated the Department of Defense via the infamous "USB in the parking lot" trick. Their evidence is solid. Uroburos even refrains from installing if it detects that Agent.BTZ is already present.
G Data's researchers concluded that a malware system of this complexity is "too expensive to be used as common spyware." They point out that it wasn't even detected until "many years after the suspected first infection." And they offer a wealth of evidence that Uroburos was created by a Russian-speaking group.
The Real Target?
An in-depth report by BAE Systems Applied Intelligence cites the G Data research and offers additional insight into this espionage campaign, which they call "Snake." Researchers gathered over 100 unique files related to Snake, and teased out some interesting facts. For example, virtually all of the files were compiled on a weekday, suggesting that "The creators of the malware operate a working week, just like any other professional."
In many cases, researchers were able to determine the country of origin for a malware submission. Between 2010 and the present, 32 Snake-related samples came in from Ukraine, 11 from Lithuania, and just two from the U.S. The report concludes that Snake is a "permanent feature of the landscape," and offers detailed recommendations for security experts to determine whether their networks have been penetrated. G Data also offers help; if you think you've got an infection, you can contact intelligence@gdata.de.
Really, this isn't surprising. We've learned that the NSA has spied on foreign heads of state. Other countries will naturally try their own hands at building cyber-espionage tools. And the best of them, like Uroburos, may run for years before they're discovered.
