KB2506014 kills TDL4 on x64

[An interesting snippet from my colleagues Aleksander Matrosov and Eugene Rodionov - DH]

Not so long ago, Microsoft released a security patch addressing the way Windows x64 operating systems check integrity of the loaded modules. In our recent report (The Evolution of TDL4: Conquering x64) we described a method used by the TDL4 bootkit to load its malicious unsigned driver on 64-bit systems, even though those systems have an enforced kernel-mode code signing policy. The new security update is intended to fix the “feature” (vulnerability) in x64 OS's (Windows Vista and later) exploited by TDL4.

On unpatched systems there are three BCD (Boot Configuration Data) options that determine the way the OS checks integrity of the kernel-mode modules:

  • BcdLibraryBoolean_DisableIntegrityCheck – instructs the system to disable kernel-mode code integrity checks (used for debugging purposes, for instance)
  • BcdOSLoaderBoolean_WinPEMode – instructs the system to disable kernel-mode code integrity checks (switched on when OS is loaded in preinstallation mode) ¬ exploited by TDL4
  • BcdLibraryBoolean_AllowPrereleaseSignatures – instruct the system to use special prerelease digital certificates to verify digital signatures of kernel-mode modules.

On a patched system only two of these are left: BcdLibraryBoolean_DisableIntegrityCheck and BcdLibraryBoolean_AllowPrereleaseSignatures. BcdOSLoaderBoolean_WinPEMode BCD option is no longer used in the initialization of code integrity policy. The routine BlImgQueryCodeIntegrityBootOptions in winload.exe returns the value that determines code integrity policy. In the figure below the patched BlImgQueryCodeIntegrityBootOptions routine is presented.

Here we notice that BcdOSLoaderBoolean_WinPEMode is no longer used (as it was in the unpatched routine) and therefore TDL4’s trick of substituting kdcom.dll won’t work.

There is one mode module patched in the security update: kdcom.dll. This reinforces the conjecture that the security update specifically addresses TDL4 infection. As we already know, TDL4 replaces the kdcom.dll library with its own malicious component at boot time. The bootkit identifies kdcom.dll by the size of its export directory (it is compared with 0xFA): 


 

In the patched version of kdcom.dll, the size of the export directory has been changed. If we look into its export directory (figure below) we notice that an exported symbol KdReserved0 has been added which is not present in unpatched library.

 

This function is added with only one obvious purpose: to increase the size of the export directory and as a result prevent the TDL4 bootkit from replacing it.

The security update won’t necessarily help users who have already been infected with the bootkit as TDL4 blocks the Windows Update service on x86 machines. As a result, infected x86 machines won’t be able to download and install the patch automatically. On an x64 OS things are rather different and the Windows Update Service is not blocked by the bootkit, so the security update can be downloaded and installed.

Although the patch helps with this particular case it doesn’t solve the problem in general. There are other ways of penetrating into kernel-mode address space on x64 operating systems, for instance, as in the case of the Chinese bootkit which is detected as NSIS/TrojanClicker.Agent.BJ (VirusTotal). This uses quite a different approach to load its unsigned driver.

Eugene Rodionov, Malware Researcher
Aleksandr Matrosov, Senior Malware Researcher

 

Author David Harley, ESET

9 Responses to “KB2506014 kills TDL4 on x64”

  1. MariaCristina says:

    Hello.
    I am member of an antimalware comunity and I use to help people to remove nasty infections through a forum support. I wish to ask you two things I ever wanted to know from a trusted source: is the malicious MBR code successfully removed by formatting the hard drive? And, the second one: in the event an user have two or more hard drives, will the bootkit install its MBR code in any of hard drives aleatory, or does it needs to be the one which loads the OS?
    Thanks in advance.

    • David Harley says:

      MariaCristina, I’ll take the last question first. I think it would be seriously odd for malware to modify an MBR at random, but it might try to modify every MBR it can find on a system.

      I wouldn’t use anything with an /MBR parameter for generic malware removal: if a good security program detects it, the chances are it will remove it properly, and if there’s a problem, you should be able to get help from the vendor. If malware messes about with the MBR, there’s a chance that replacing it will cause direct damage. Aryeh Goretsky, who knows MS internals much better than I do and has the certs to prove it, says this:

      ‘I think FIXBOOT (for a disk volume’s boot sector) and FIXMBR (for the
      master boot record of a hard disk’s partition) replaced “FDISK /MBR”
      sometimein the XP timeframe. I’m thinking that if a disk was infected
      by a bootkit, I’d probably wipe the first sector of the disk before
      repartitioning it just to be sure. This can be done via the command
      line DISKPART utility.’

      ‘Of course, that assumes a wipe of the disk. A “FIXMBR” is probably a
      better approach if they want to keep anything that’s on it.’

      HTH.

  2. MariaCristina says:

    Hello, David. Thanks for your response.
    About Aryeh Goretsky's words, I'll assume that even formatting the disk, the MBR must be rewritten to ensure that any piece of code has not be left behind.

  3. Misha says:

    Would you please let me know of the exact command to use to wipe the first sectors of a disk.There are discrepancies in the begining and end sectors of my disk.I don't think it is a hardware problem because it is happening to more than just one pc and I can only find the "FIXMBR" and "FIXBOOT" commands when I search online. Both my notebooks appear to be still infected after wiping them with different utilities as if they are write protected.                                                         Thank you for your help and time.
     

    • David Harley says:

      I’m afraid I wouldn’t feel comfortable answering that question without a lot more information, and we really can’t offer one-to-one support through this blog. Apart from anything else, the bloggers here aren’t support specialists. You may be able to get better help via the support tab on the main eset.com web page, but I think you need help identifying the problem. Wiping the first sectors without knowing what the problem is could actually make it worse.

  4. Josh says:

    do|JJust how can browser redirects operate? Are these really a virus or does an individual manually edit a record on your pc to direct the browser to a different web page? I’m not technical enough to know how someone could do this with a virus. Do you kno

    Would you recommend disconnecting your Internet connection while running an antivirus scan? The reason I ask is temporary files are regularly being written to when browsing the Web. It’s really feasible that something will get skipped in the scan unless you disconnect your connection?

    • David Harley says:

      If I understand your questions correctly… A redirect isn’t something that happens on your PC (unless you’re talking about some form of DNS poisoning, where malware modifies your system to control which sites your browser or other software can access). It can be a legitimate function of code on the server, or built into malware that downloads other malware in order to make it harder to detect.

      Some AV functionality will actually be hampered if you disconnect, depending on the AV you’re using. Temporary files written by the system or running apps aren’t usually a problem unless you’re in the process of inadvertently installing something malicious. In which case you’re really relying on your on-access scanning to protect you by checking code as it executes, not an on-demand scan of the whole system.

  5. Kristy Morrill says:

    Had a nasty ecperience 2 days ago with Trend Micro Titanium Premium and rude tech help with no help at all: I was loaded with virus, trojans, mrb, etc and had to change to kaspersky Pure 2 after extensive help from Supportrix.com to get rid of malware and more.
    My PC shows an Action Center flag for update required : KB2506014. I chose the download for WIN 7 x64bit for PC and it states " I already have it" but I do not. 2nd try it states it is "incompatible with my system".
    Could another trijan or malware be blocking it?

Leave a Reply

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

4 articles related to:
Hot Topic
15 Apr 2011
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.