This article is more than 1 year old
So you've decided you want to write a Windows rootkit. Good thing this chap's just demystified it in a talk
Demirkapi shows how drivers can be misused for deep pwnage
DEF CON Writing a successful Windows rootkit is easier than you would think. All you need is do is learn assembly and C/C++ programming, plus exploit development, reverse engineering, and Windows internals, and then find and abuse a buggy driver, and inject and install your rootkit, and bam. Happy days.
Alternatively, write your own malicious driver, sign it with a stolen or leaked certificate or your own paid-for cert so that Windows trusts it, and load it.
This is according to undergraduate bug-hunter Bill Demirkapi in a talk he gave at the now-virtual DEF CON hacking conference, which you can watch below. He told the web audience on Thursday many common Windows drivers provide the conduit rootkit writers need to compromise PCs at a level most antivirus can't or won't reach.
A rootkit is a type of malware that, once it has gained all-controlling kernel-level access on a machine, modifies the system to ensure it retains that power while remaining out of sight of users, and ideally the operating system and any installed antivirus. Thus any subsequent malicious code launched by the rootkit inherits its high privileges, allowing it to snoop on the PC, steal passwords, and so on.
The trick to pulling this off is gaining code execution at an administrator or kernel level – and leveraging that to hook into the OS and stay out of sight. One way of doing this is by exploiting security flaws in drivers that wind up granting normal applications that level of access, or by exploiting the dozens of elevation-of-privilege flaws Microsoft patches every month in its software.
"There are a lot of publicly available vulnerable drivers out there," said Demirkapi, "and with some reversing knowledge, finding your own zero-day [vulnerability] in one of these drivers can be trivial."
Demirkapi gave the infamous Capcom driver as an example of insecure kernel-level software that can be tricked into granting any application-level code complete control over a machine. Some of these buggy driver APIs require administrator privileges to exploit, though. The holy grail is one that grants, on x86 machines, unprivileged ring-3 code unhindered ring-0 code execution.
Another way into the kernel is to write your own malicious driver, sign it with a stolen or leaked code-signing certificate or a paid-for one, and load it. Antivirus tools pretty much leave kernel drivers alone and focus on application-level software, and the operating system is rather lax in checking certs are legit. If you use a certificate you've paid for, the rootkit can be traced back to you, if or when it's discovered.
Using a signed malicious driver is a more stable route into the heart of Windows, as exploiting vulnerable drivers requires tailoring your exploit code for particular versions and conditions.
However you manage it, from there it's just a matter of opening a stealthy connection to a remote command'n'control server and phoning home for instructions, if necessary, while blending in with the noise on the system and hooking into the OS to intercept operations, such as file access. The rootkit should also ensure it runs all the time so that it doesn't lose control of the box, and blocks attempts by security tools to uncover it.
It's not impossible for antivirus to detect these sorts of rootkits, we're told, though it will involve monitoring all the points where the the malware can insert its tentacles into the operating system. "It's going to be pretty expensive, because an antivirus would need to replicate our hooking procedure," the Trend Micro driver botherer said.
Check out the above technical talk for more details. ®