    TrendLabs Malware Blog (Trend Micro)

    My colleagues and I recently analyzed TDL4, a variant of the well-known TDSS malware family. TDSS, as you may already know, is an advanced piece of malware that evades detection by going back to a place we stopped looking at long ago: the boot sector. Back in the 16-bit DOS days, boot viruses spread from disk to disk and wreaked havoc on systems until 32-bit Windows came along and made them obsolete. The boot sector as a malware container is now making a comeback, with bootkits like TDSS at the forefront.

    Malware writers have figured out that the boot sector is a good place to hide: much antivirus software no longer checks it as rigorously as it once did, and code stored there runs before Windows itself, so it gets ahead of any security control that the operating system only applies once the kernel is loaded.

    So how does TDL4 work?

    After obtaining a handle to the disk with ZwOpenFile, it uses ZwDeviceIoControlFile to access the disk directly through that handle. A handle refers to the device object itself (here, the disk), so the I/O request goes straight to that object rather than through a name lookup, and, as the control code below shows, straight past the file system as well.

    .text:00401780 push 48h ; OutputBufferLength
    .text:00401782 mov eax, edx
    .text:00401784 shr eax, 8
    .text:00401787 mov [ebp-2Dh], al ; Cdb[7] = high byte of transfer length (CDB fields are big-endian)
    .text:0040178A lea eax, [ebp-50h] ; ebp-50h is the start of the SCSI_PASS_THROUGH_DIRECT structure
    .text:0040178D push eax ; OutputBuffer
    .text:0040178E push 48h ; InputBufferLength
    .text:00401790 push eax ; InputBuffer (same buffer as OutputBuffer: the structure is updated in place)
    .text:00401791 push IOCTL_SCSI_PASS_THROUGH_DIRECT ; IoControlCode
    .text:00401796 lea eax, [ebp-8]
    .text:00401799 push eax ; IoStatusBlock
    .text:0040179A xor eax, eax
    .text:0040179C push eax ; ApcContext
    .text:0040179D push eax ; ApcRoutine
    .text:0040179E push eax ; Event
    .text:0040179F push FileHandle ; FileHandle
    .text:004017A2 mov [ebp-50h], cx ; Length
    .text:004017A6 mov byte ptr [ebp-4Ah], 0Ah ; CdbLength = 10, i.e. a 10-byte CDB (READ(10)/WRITE(10))
    .text:004017AA mov byte ptr [ebp-49h], 12h ; SenseInfoLength = 18
    .text:004017AE mov dword ptr [ebp-40h], 1388h ; TimeOutValue = 5000 seconds
    .text:004017B5 mov [ebp-2Fh], bl ; Cdb[5] = low byte of the LBA
    .text:004017B8 mov [ebp-2Ch], dl ; Cdb[8] = low byte of transfer length
    .text:004017BB call ds:ZwDeviceIoControlFile

    However, using ZwDeviceIoControlFile is not an easy task: several structures have to be set up before the disk can be accessed. Notice that aside from pushing arguments onto the stack, the code also fills in a structure that the operation needs, which explains the mov [ebp-xxh], register instructions interspersed with the push statements.

    The arguments to the function also need a structure that will tell it what to do. Particularly for IoControlCode IOCTL_SCSI_PASS_THROUGH_DIRECT, it uses the following structure:

    typedef struct _SCSI_PASS_THROUGH_DIRECT {
    USHORT Length;             // +00h
    UCHAR ScsiStatus;          // +02h
    UCHAR PathId;              // +03h
    UCHAR TargetId;            // +04h
    UCHAR Lun;                 // +05h
    UCHAR CdbLength;           // +06h  ([ebp-4Ah] in the listing)
    UCHAR SenseInfoLength;     // +07h  ([ebp-49h])
    UCHAR DataIn;              // +08h  0 = data out (write), 1 = data in (read)
    ULONG DataTransferLength;  // +0Ch
    ULONG TimeOutValue;        // +10h  ([ebp-40h]), in seconds
    PVOID DataBuffer;          // +14h
    ULONG SenseInfoOffset;     // +18h
    UCHAR Cdb[16];             // +1Ch  ([ebp-34h]; Cdb[5] = [ebp-2Fh], Cdb[7] = [ebp-2Dh], Cdb[8] = [ebp-2Ch])
    } SCSI_PASS_THROUGH_DIRECT, *PSCSI_PASS_THROUGH_DIRECT;

    This structure is passed to the function as InputBuffer (and, as the listing shows, the same buffer is also passed as OutputBuffer, so the SCSI status and any sense data come back in place). DataBuffer points to the caller's buffer and DataTransferLength says how many bytes move, but nothing seen so far says which part of the disk the data is going to or coming from.

    The last member of the structure is the command descriptor block (CDB), which tells the disk what to do. The listing sets CdbLength to 0Ah, so this sample uses the 10-byte Small Computer System Interface (SCSI) CDB format:

    UCHAR Operation;   // 25h = READ CAPACITY(10), 28h = READ(10), 2Ah = WRITE(10)
    UCHAR Flags;       // reserved/flag bits (the LUN field of the old 6-byte CDBs)
    UCHAR LBA[4];      // logical block address, big-endian
    UCHAR Reserved;    // group number
    UCHAR XferLen[2];  // transfer length in blocks, big-endian
    UCHAR CtrlByte;

    Operation selects the command, LBA is the logical block address of the first sector to access, and XferLen is the number of blocks to transfer. Both multi-byte fields are big-endian, which is why the listing stores the high byte of the length (eax = edx >> 8) at Cdb[7] and the low byte (dl) at Cdb[8], and the low byte of the LBA (bl) at Cdb[5].

    Here the malware writer tries to be efficient and creates a wrapper around this call so that it can be reused from other parts of the program. An example of its use follows:

    .text:00401C2F lea eax, [esp+94h+arg_2BC]
    .text:00401C36 push eax ; ioBuffer
    .text:00401C37 push 1 ; mode
    .text:00401C39 push 28h ; SCSI_command
    .text:00401C3B push edi ; filehandle
    .text:00401C3C mov edx, 200h
    .text:00401C41 call DirectDiskAccess
    .text:00401C41 ; DWORD filehandle
    .text:00401C41 ; DWORD SCSI Commands:
    .text:00401C41 ; 25h = read capacity
    .text:00401C41 ; 28h = read
    .text:00401C41 ; 2Ah = write
    .text:00401C41 ; DWORD mode
    .text:00401C41 ; 0 = write to disk
    .text:00401C41 ; 1 = read from disk
    .text:00401C41 ; DWORD ioBuffer => input/output buffer
    .text:00401C41 ; edx contains size
    .text:00401C41 ; ebx contains LBA location to access

    The listing above shows how the malware reads the boot sector. The value of ebx at this point in the program is zero, so the request targets LBA 0, the first sector of the disk. Note also that edx is 200h (512), the size of one sector, and that SCSI command 28h is READ(10).

    The malware backs up the boot sector to its own mini file system, which is then written to the end of the disk.

    .text:00401DF3 mov edx, [esp+0B4h+_cmd_dllBuffer]
    .text:00401DF7 mov ebx, [esp+0B4h+var_A8]
    .text:00401DFB push esi ; ioBuffer
    .text:00401DFC mov eax, edx
    .text:00401DFE push 0 ; mode
    .text:00401E00 shr eax, 9
    .text:00401E03 push 2Ah ; SCSI_command
    .text:00401E05 push [esp+0C0h+var_A0] ; filehandle
    .text:00401E09 sub ebx, eax
    .text:00401E0B inc ebx
    .text:00401E0C call DirectDiskAccess

    Here the starting LBA is computed rather than fixed: ebx is loaded with a value near the end of the disk (var_A8), the buffer size in edx is shifted right by 9 to convert bytes into 512-byte sectors, and that count is subtracted (plus one), so the copy ends exactly at var_A8. In this instance, ebx contains LBA 00FA8532, which is near the end of the disk. We can look at the result with WinHex. First, open a disk by pressing F9 and selecting your physical drive. Then, to see the TDSS file system:

    1. Press CTRL+G.
    2. Enter the decimal equivalent of the LBA (16418098).
    3. Press Enter.
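The request the listings above build, as an added example that is not part of the original analysis and not the sample's own code: a portable C reconstruction of the DirectDiskAccess wrapper (the names build_sptd, fake_disk_submit, direct_disk_access, backup_lba and demo_backup_mbr are this example's own), with a constructed in-memory disk standing in for the physical drive so that it runs offline. It fills the SCSI_PASS_THROUGH_DIRECT structure and the 10-byte CDB the way the first listing does, decodes them on the "disk" side the way a drive (or a forensic tool looking at a captured request) would, and replays the read-LBA-0, write-to-end-of-disk sequence of the last two listings, including the end-of-disk LBA arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Local copy of the SCSI_PASS_THROUGH_DIRECT layout (ntddscsi.h on Windows) so the
 * example builds anywhere. With 32-bit pointers the offsets are the ones the listing
 * writes to: CdbLength +6, SenseInfoLength +7, TimeOutValue +10h, Cdb +1Ch. */
typedef struct {
    uint16_t Length;
    uint8_t  ScsiStatus, PathId, TargetId, Lun, CdbLength, SenseInfoLength, DataIn;
    uint32_t DataTransferLength;
    uint32_t TimeOutValue;                      /* seconds */
    void    *DataBuffer;
    uint32_t SenseInfoOffset;
    uint8_t  Cdb[16];
} sptd_t;

typedef struct {                                /* structure plus sense buffer: one InputBuffer */
    sptd_t  sptd;
    uint8_t sense[18];                          /* SenseInfoLength 12h, as in the listing */
} sptd_req_t;

enum { SCSI_READ_CAPACITY10 = 0x25, SCSI_READ10 = 0x28, SCSI_WRITE10 = 0x2A, SECTOR = 512 };
enum { MODE_WRITE = 0, MODE_READ = 1, SCSI_IOCTL_DATA_OUT = 0, SCSI_IOCTL_DATA_IN = 1 };

/* Fill the structure the way the sample does: 10-byte CDB, big-endian LBA in Cdb[2..5],
 * big-endian transfer length (in blocks, not bytes) in Cdb[7..8]. */
void build_sptd(sptd_req_t *r, uint8_t opcode, int mode, void *buf, uint32_t bytes, uint32_t lba)
{
    uint16_t blocks = (uint16_t)(bytes / SECTOR);
    uint8_t *c = r->sptd.Cdb;
    memset(r, 0, sizeof *r);
    r->sptd.Length = sizeof r->sptd;
    r->sptd.CdbLength = 10;                     /* mov byte ptr [ebp-4Ah], 0Ah */
    r->sptd.SenseInfoLength = sizeof r->sense;  /* mov byte ptr [ebp-49h], 12h */
    r->sptd.DataIn = (mode == MODE_READ) ? SCSI_IOCTL_DATA_IN : SCSI_IOCTL_DATA_OUT;
    r->sptd.DataTransferLength = bytes;
    r->sptd.TimeOutValue = 0x1388;              /* mov dword ptr [ebp-40h], 1388h */
    r->sptd.DataBuffer = buf;
    r->sptd.SenseInfoOffset = offsetof(sptd_req_t, sense);
    c[0] = opcode;
    c[2] = lba >> 24; c[3] = lba >> 16; c[4] = lba >> 8;
    c[5] = (uint8_t)lba;                        /* mov [ebp-2Fh], bl */
    c[7] = blocks >> 8;                         /* mov [ebp-2Dh], al  (al = edx >> 8) */
    c[8] = (uint8_t)blocks;                     /* mov [ebp-2Ch], dl */
}

/* Constructed in-memory disk standing in for the SCSI target so the example runs offline.
 * It decodes the CDB exactly as the drive would. Returns 0 on success, -1 on error. */
typedef struct { uint8_t *img; uint32_t sectors; } fake_disk_t;

int fake_disk_submit(fake_disk_t *d, sptd_req_t *r)
{
    const uint8_t *c = r->sptd.Cdb;
    uint8_t *data = r->sptd.DataBuffer;
    uint32_t lba = (uint32_t)c[2] << 24 | (uint32_t)c[3] << 16 | (uint32_t)c[4] << 8 | c[5];
    uint32_t blocks = (uint32_t)c[7] << 8 | c[8];
    if (r->sptd.CdbLength != 10) return -1;
    if (c[0] == SCSI_READ_CAPACITY10) {         /* reply: last LBA, then block size, big-endian */
        uint32_t last = d->sectors - 1;
        if (r->sptd.DataTransferLength < 8) return -1;
        data[0] = last >> 24; data[1] = last >> 16; data[2] = last >> 8; data[3] = (uint8_t)last;
        data[4] = 0; data[5] = 0; data[6] = SECTOR >> 8; data[7] = SECTOR & 0xFF;
        return 0;
    }
    if ((uint64_t)lba + blocks > d->sectors || blocks * SECTOR != r->sptd.DataTransferLength)
        return -1;                              /* past the end of the disk, or lengths disagree */
    if (c[0] == SCSI_READ10)  { memcpy(data, d->img + (size_t)lba * SECTOR, blocks * SECTOR); return 0; }
    if (c[0] == SCSI_WRITE10) { memcpy(d->img + (size_t)lba * SECTOR, data, blocks * SECTOR); return 0; }
    return -1;
}

/* Same shape as the sample's DirectDiskAccess wrapper (handle, command, mode, buffer;
 * size in edx, LBA in ebx), with the fake disk standing in for the file handle. */
int direct_disk_access(fake_disk_t *d, uint8_t cmd, int mode, void *buf, uint32_t bytes, uint32_t lba)
{
    sptd_req_t r;
    build_sptd(&r, cmd, mode, buf, bytes, lba);
    return fake_disk_submit(d, &r);
}

/* Where the backup copy goes: the last (bytes / 512) sectors of the disk, which is the
 * `shr eax, 9; sub ebx, eax; inc ebx` arithmetic that precedes the WRITE(10). */
uint32_t backup_lba(uint32_t last_lba, uint32_t bytes) { return last_lba - (bytes >> 9) + 1; }

int mbr_has_signature(const uint8_t *sector) { return sector[510] == 0x55 && sector[511] == 0xAA; }

/* Replay the sample's sequence on a constructed 64-sector disk: READ CAPACITY, read LBA 0,
 * write it at the end of the disk, read it back. Returns the LBA used, or 0 on failure. */
uint32_t demo_backup_mbr(void)
{
    static uint8_t img[64 * SECTOR];
    fake_disk_t d = { img, 64 };
    uint8_t cap[8], mbr[SECTOR], back[SECTOR];
    uint32_t last, dst;
    memset(img, 0, sizeof img);
    img[0] = 0x33; img[1] = 0xC0; img[510] = 0x55; img[511] = 0xAA;   /* constructed MBR */
    if (direct_disk_access(&d, SCSI_READ_CAPACITY10, MODE_READ, cap, sizeof cap, 0)) return 0;
    last = (uint32_t)cap[0] << 24 | (uint32_t)cap[1] << 16 | (uint32_t)cap[2] << 8 | cap[3];
    dst = backup_lba(last, SECTOR);
    if (direct_disk_access(&d, SCSI_READ10, MODE_READ, mbr, SECTOR, 0)) return 0;
    if (direct_disk_access(&d, SCSI_WRITE10, MODE_WRITE, mbr, SECTOR, dst)) return 0;
    if (direct_disk_access(&d, SCSI_READ10, MODE_READ, back, SECTOR, dst)) return 0;
    return (mbr_has_signature(back) && memcmp(mbr, back, SECTOR) == 0) ? dst : 0;
}
```

On Windows the same filled-in structure is what gets handed to ZwDeviceIoControlFile (or DeviceIoControl from user mode) on a handle to the physical drive with IOCTL_SCSI_PASS_THROUGH_DIRECT (control code 4D014h); the decoding in fake_disk_submit is also what you need when such a request turns up in an API trace or memory dump, since the sector range is only visible once Cdb[2..5] and Cdb[7..8] are read as big-endian values. The bounds check in the fake target is the one the real disk performs and the sample never does.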

    Now, for solutions. If your disk's master boot record (MBR) has been modified, the Microsoft Windows installation media usually contains the tools that will restore it. Windows XP and 2000 users can run the fixmbr command from the Recovery Console to write a clean MBR. Note that fixmbr only rewrites the boot code and leaves the partition table alone, and that it should be run from the Recovery Console booted off the installation media rather than from inside the infected system.

    Windows Vista and 7 users can use the Bootrec.exe tool from the Windows Recovery Environment (bootrec /fixmbr); see Microsoft's article "How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows".

    Also, with this month's Patch Tuesday, Microsoft released an update that hardens Windows against kernel-mode rootkits. It specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. More information can be found in the MS11-034 security bulletin.

    I hope this bit of information helped you in some way.

    © Copyright 2013 Trend Micro Inc. All rights reserved.