stoned d j vu again
play

Stoned dj vu again Peter Kleissner, Michael Eisendle Agenda - PowerPoint PPT Presentation

Sep 27, 2022 •602 likes •843 views

Stoned dj vu again Peter Kleissner, Michael Eisendle Agenda Introduction to bootkits The new features Remote Surveillance Software Live Demo TPMkit Who we are Peter Kleissner: - Independent Operating System Developer - 1 year at

  1. Stoned déjà vu – again Peter Kleissner, Michael Eisendle

  2. Agenda Introduction to bootkits The new features Remote Surveillance Software Live Demo TPMkit

  3. Who we are Peter Kleissner: - Independent Operating System Developer - 1 year at Ikarus Security Software GmbH (Software Eng. / Malware An.) - startup “Insecurity Systems” together with Michael Eisendle - programmer of the Stoned Bootkit - hoster of AV Tracker Michael Eisendle: - programmer of the Remote Software Tool Vipin Kumar - developer of the Linux bootkit part Black Hat USA 2009: Stoned Bootkit Hacking at Random 2009: The Rise of MBR Rootkits & Bootkits in the Wild University of Vienna: Stoned Bootkit (private presentation) DeepSec IDSC 2009 Europe: Stoned déjà vu – again 3

  4. Why we are not finished 4

  5. Stoned Bootkit 2 “A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It's a very interesting type of rootkit.“ Robert Hensing about bootkits 5

  6. Execution flow of a bootkit BIOS Master Boot Record Partition Bootloader ntldr / bootmgr OS Loader winload.exe NT kernel 6

  7. Storage on hard disk \ Master Boot Record.bak Microsoft patched bootloader \Bootkit C: (injected instructions are loading Stoned) \Plugins\ … 1 sector 62 sectors ~ 10 MB Bootloader Partition RawFS 7C00h 1024 Loader Loader.sys 2048 System Loader System Loader.sys 8000h 8800h 1024 Textmode User Interface Textmode User Interface.sys 8C00h 9216 Disk System Disk System.sys B600h 8192 Preserved Space [Embedded Boot Application] D600h 1536 Crypto Module Crypto Module.sys DC00h 2048 Boot Module Boot Module.sys E400h 4096 Pwn Windows Windows.sys 7

  8. RawFS Used for storing files on unpartitioned space (especially for encrypted drives) File Table File 1 File 2 … File Table File 4 File 1 at sector X with size X \Bootkit … File 2 at sector X with size X File Table at sector File Table tells size, location and names (MD5) of files B05B32A085DEFC9F4299C35AC8F358CD \File Table Next block of File Table 8F58EADD7BFFF0C557D4B5E9656957A5 \Bootkit Bootkit binary 0F13C73AAB0D4E000028038C99D3125A \Master Boot Record.bak Original MBR … \… All other files 8

  9. Live CD Based on Windows PE (created using the Windows AIK) 9

  10. Native CD – infection only in memory Boot record directly loaded by BIOS ‚El Torito‘ Bootable CD-ROM Format Specification For testing purposes Sector 16 Primary Volume Descriptor Sector 17 Boot Record Volume Descriptor Sector 18 Volume Descriptor Set Terminator Sector 19 Path Table Sector 24 Root Directory Sector 25 \Stoned\ Sector 26 \Stoned\Applications\ Sector 27 \Stoned\Drivers\ Sector 28 \Stoned\Plugins\ Sector 29 Validation Entry, Initial entry (Boot Catalog) Sector 30 + Stoned Bootkit Boot Record and data of files 10

  11. Remote Surveillance Tool – Michael Eisendle What this is about… Concept Features Plugins 11

  12. About the RST The RST is a tool for monitoring and manipulating Computers (let's call it a trojan) Exactly: The RST is a toolkit utilizing various thechnologies and Web 2.0 services to control vast amounts of PCs for the use of administration, surveillance, information gathering and other uses... 12

  13. Features Different ways of communication Encryption Authentication (RSA, DSA) Scriptable Updating (stub or plugins) „Code in the wire“ „Droppers“ 13

  14. Concept Completely based on plugins Utilizes the concept of code in the wire for executing code from the cloud Hehe, another „Cloud Service“ I think I was Stoned (hehe) while coding this... Developed and tested with/for the Stoned Bootkit 14

  15. Plugins Plugins for: Communication normal TCP/IP, P2P networks, Web 2.0 Services (Twitter and co.) Authentication RSA, DSA or whatever suits you Encryption Currently only CipherSaber-2 Commands Other uses 15

  16. Communication Plugins Give the possibility of using nearly any way of communication: TCP, UDP Raw IP packets through SYN, ACK requests Twitter and co. Pastebin (or like these) One click hoster P2P (DHTs, Overnet, Gnutella...) 16

  17. Cmd Plugins and Code in the Wire An RST Server can do everything, with plugins Examples Code in the wire The code is never ever stored on disk, just for execution in memory only exists „in the wires“ → 17

  18. Scripting and „Droppers“ RST is scriptable utilizes „droppers“ to submit → information to „Dropzones“ meh. :-) Droppers for HTTP SMTP ... 18

  19. Future support Support for more platforms Linux, Mac OS X, ... Platform independent plugins Poly/Metamorphic stubs 19

  20. Stoned in 1987 First „bootkit“ Operating system independent! Only a virus (spreading over boot sector) Your PC is now Stoned! (1987) Your PC is now Stoned! ..again (2010) 20

  21. Trusted Platform Module Defeating Trusted Platform Module with TPMkit Using hardware breakpoints DR0 – DR7 to catch calls: 1. When overwriting the memory on startup (asm instructions) 2. When reading the boot sector (int 13h) Computer will be restarted so TPM-BIOS will re-send hashes (the spoofed ones) to TPM chip No fix, all TPM systems affected, TPM becomes useless 21

  22. References [1] Stoned Bootkit 1 http://www.stoned-vienna.com/ [2] Schlussbericht zur Erweiterung des Ermittlungsinstrumentariums zur Bekämpfung schwerer, organisierter und terroristischer Kriminalitätsformen („Online-Durchsuchung“) http://www.justiz.gv.at/_cms_upload/_docs/AG_OnlineDurchsuchung_Endbericht.pdf [3] Starting a Process from KernelMode http://www.codeproject.com/KB/system/KernelExec.aspx [4] “El Torito” Bootable CD-ROM Format Specification http://www.phoenix.com/NR/rdonlyres/98D3219C-9CC9-4DF5-B496-A286D893E36A/0/specscdrom.pdf [5] Windows Automated Installation Kit for Windows 7 http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34 [7] OpenNIC TLD Governing Policy and Operated Namespaces http://wiki.opennic.glue/TLDPolicy http://wiki.opennic.glue/OpenNICNamespaces [3AM]Eminem http://www.vimeo.com/5758619 22

  23. Thanks for your attention! ..again http://www.stoned-bootkit.info/ Presentation materials are published on the above website. Contact Peter@Kleissner.at for any information. Questions? Comments? Peter Kleissner (Peter@Kleissner.at) Vienna (Wien) Michael Eisendle (kiubiq@gulli.com) And have a good night =), 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stoned Bootkit Peter Kleissner Table of Contents 1. Introduction 1. About 2. Technical

Stoned Bootkit Peter Kleissner Table of Contents 1. Introduction 1. About 2. Technical

Stoned Bootkit Peter Kleissner Table of Contents 1. Introduction 1. About 2. Technical Overview 3. Windows Boot Environment 2. Stoned Architecture 1. Plugins 2. Boot Applications 3. Bootkit Installation & Usage 4. General

723 views • 38 slides
Expressing experience: Not necessarily stoned, but beautiful Chris Kennedy and Malte

Expressing experience: Not necessarily stoned, but beautiful Chris Kennedy and Malte

Expressing experience: Not necessarily stoned, but beautiful Expressing experience: Not necessarily stoned, but beautiful Chris Kennedy and Malte Willer University of Chicago University of Connecticut Annual Logic

1.1k views • 75 slides
A lynch mob, making disciples, and appointing elders Acts 14:19-23 But Jews came from Antioch

A lynch mob, making disciples, and appointing elders Acts 14:19-23 But Jews came from Antioch

A lynch mob, making disciples, and appointing elders Acts 14:19-23 But Jews came from Antioch and Iconium, and having persuaded the crowds, they stoned Paul and dragged him out of the city, supposing that he was dead. But when the disciples

610 views • 50 slides
Agenda VoLTE Overview Why VoLTE Why VoLTE Initial Questions Discussion Page 2

Agenda VoLTE Overview Why VoLTE Why VoLTE Initial Questions Discussion Page 2

Wireless dj vu Jason S. Chao, Ernst & Young LLP Panel: Implications for Valuation: Part 1 TFI Asset Valuation Conference and Seminar 2013 January 24, 2013 Agenda VoLTE Overview Why VoLTE Why VoLTE Initial Questions

177 views • 3 slides
DEJA-VU : DOUBLE FEATURE PRESENTATION AND ITERATED LOSS IN DEEP TRANSFORMER NETWORKS Andros

DEJA-VU : DOUBLE FEATURE PRESENTATION AND ITERATED LOSS IN DEEP TRANSFORMER NETWORKS Andros

DEJA-VU : DOUBLE FEATURE PRESENTATION AND ITERATED LOSS IN DEEP TRANSFORMER NETWORKS Andros Tjandra 1* , Chunxi Liu 2 , Frank Zhang 2 , Xiaohui Zhang 2 , Yongqiang Wang 2 , Gabriel Synnaeve 2 , Satoshi Nakamura 1 , Goeffrey Zweig 2 1) NAIST,

414 views • 17 slides
Ahmed Rami Melhem Alex Jones Abousamra University of Pittsburgh Dj Vu Switching for

Ahmed Rami Melhem Alex Jones Abousamra University of Pittsburgh Dj Vu Switching for

Ahmed Rami Melhem Alex Jones Abousamra University of Pittsburgh Dj Vu Switching for Multiplane NoCs NOCS12 Power efficiency has become a primary concern in the design of CMPs. The NoC of Intels TeraFLOPS processor consumes more than

515 views • 33 slides
Memory Hierarchies in the Era of Specialization Sarita Adve University of Illinois at

Memory Hierarchies in the Era of Specialization Sarita Adve University of Illinois at

Coherence, Consistency, and Dj vu: Memory Hierarchies in the Era of Specialization Sarita Adve University of Illinois at Urbana-Champaign sadve@Illinois.edu w/ Johnathan Alsop, Rakesh Komuravelli, Gio Salvador, Matt Sinclair, Hyojin Sung

424 views • 23 slides
1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

11/17/09 1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm pretty sure it doesn't work. 3 3 11/17/09 - basic outline -problems with password usability and security -how various graphical

1.55k views • 86 slides
Isolating Failure-Inducing Thread Schedules Andreas Zeller Jong-Deok Choi

Isolating Failure-Inducing Thread Schedules Andreas Zeller Jong-Deok Choi

0/12 International Symposium on Software Testing and Analysis (ISSTA), Rome, Italy, 2002 Isolating Failure-Inducing Thread Schedules Andreas Zeller Jong-Deok Choi Lehrstuhl f ur Softwaretechnik IBM T. J. Watson Research

384 views • 20 slides
CS70: Jean Walrand: Lecture 34. Conditional Expectation CS70: Jean Walrand: Lecture 34.

CS70: Jean Walrand: Lecture 34. Conditional Expectation CS70: Jean Walrand: Lecture 34.

CS70: Jean Walrand: Lecture 34. Conditional Expectation CS70: Jean Walrand: Lecture 34. Conditional Expectation 1. Review: joint distribution, LLSE 2. Definition of Conditional expectation 3. Properties of CE 4. Applications: Diluting,

2.19k views • 191 slides
3 Ways to Improve RFP Responses When Working Remotely Presented by David Blume RFPIO Sr.

3 Ways to Improve RFP Responses When Working Remotely Presented by David Blume RFPIO Sr.

L I V E W E B I N A R 3 Ways to Improve RFP Responses When Working Remotely Presented by David Blume RFPIO Sr. Director of Sales David Blume RFPIO Sr. Director of Sales Outside of RFPIO, David has over 30 years of international sales

239 views • 9 slides
CS70: Lecture 35. Regression (contd.): Linear and Beyond CS70: Lecture 35. Regression (contd.):

CS70: Lecture 35. Regression (contd.): Linear and Beyond CS70: Lecture 35. Regression (contd.):

CS70: Lecture 35. Regression (contd.): Linear and Beyond CS70: Lecture 35. Regression (contd.): Linear and Beyond 1. Review: Linear Regression (LR), LLSE 2. LR: Examples 3. Beyond LR: Quadratic Regression 4. Conditional Expectation (CE) and

2.12k views • 132 slides
Stat 5101 Lecture Slides Deck 3 Charles J. Geyer School of Statistics University of Minnesota

Stat 5101 Lecture Slides Deck 3 Charles J. Geyer School of Statistics University of Minnesota

Stat 5101 Lecture Slides Deck 3 Charles J. Geyer School of Statistics University of Minnesota 1 Deja Vu Now we go back to the beginning and do everything again. 2 Probability Mass Functions A probability mass function (PMF) is a function

1.77k views • 164 slides
SOLID SERVICES Ond ej Kraj ek @hedragon @ysoftdevs A Little Disclaimer Today, I am

SOLID SERVICES Ond ej Kraj ek @hedragon @ysoftdevs A Little Disclaimer Today, I am

SOLID SERVICES Ond ej Kraj ek @hedragon @ysoftdevs A Little Disclaimer Today, I am trying to give you a perspective or - say - a point of view. What I am presenting today are my own opinions. But I am not presenting a new

904 views • 43 slides
Does data security rule out high performance? Adam Huffman 2018-02-04 FOSDEM HPC & Big Data

Does data security rule out high performance? Adam Huffman 2018-02-04 FOSDEM HPC & Big Data

Does data security rule out high performance? Adam Huffman 2018-02-04 FOSDEM HPC & Big Data Dev Room Adam Huffman 04/02/2018 Agenda The background brains of HPC More ambitious science HPC meets the Real World Data security dj

376 views • 36 slides
Family Reunion Incognito Pit Stops In Life Joseph will God does not pay at experience

Family Reunion Incognito Pit Stops In Life Joseph will God does not pay at experience

Family Reunion Incognito Pit Stops In Life Joseph will God does not pay at experience a divinely appointed dj vu. the end of the day, The dust of 20 plus but at the end, He pays (Anonymous years of memories 16 th Century

405 views • 15 slides
More Mechanisms for Generating Optimization Power-Law Distributions Minimal Cost Mandelbrot vs.

More Mechanisms for Generating Optimization Power-Law Distributions Minimal Cost Mandelbrot vs.

More Power-Law Mechanisms More Mechanisms for Generating Optimization Power-Law Distributions Minimal Cost Mandelbrot vs. Simon Assumptions Principles of Complex Systems Model Analysis Course 300, Fall, 2008 Extra Robustness HOT theory

1.02k views • 56 slides
SCIENTIFIC WRITING IN LINGUISTICS: WRITING ABSTRACTS Prof. Dr. Shanley Allen University of

SCIENTIFIC WRITING IN LINGUISTICS: WRITING ABSTRACTS Prof. Dr. Shanley Allen University of

SCIENTIFIC WRITING IN LINGUISTICS: WRITING ABSTRACTS Prof. Dr. Shanley Allen University of Kaiserslautern PART 1: ABSTRACTS IN GENERAL WHAT IS AN ABSTRACT? Short summary of your work for: journal article book chapter thesis /

511 views • 31 slides
More $ (caches, yes) Trick or treat! Midterm

More $ (caches, yes) Trick or treat! Midterm

University of Washington More $ (caches, yes) Trick or treat! Midterm ques>ons? Note: prac+ce midterms posted HW 2 due today Lab

1.15k views • 70 slides
OSPF Traffic Engineering (TE) Express Path draft-giacalone-ospf-te-express-path-00.txt

OSPF Traffic Engineering (TE) Express Path draft-giacalone-ospf-te-express-path-00.txt

OSPF Traffic Engineering (TE) Express Path draft-giacalone-ospf-te-express-path-00.txt Spencer Giacalone, Alia Atlas, John Drake, Dave Ward Agenda Introduction to OSPF TE Express Path Background Problem Protocol overview

382 views • 14 slides
DMTCP Transparent Checkpointing for Cluster Computations and the Desktop Jason Ansel 1 Kapil Arya

DMTCP Transparent Checkpointing for Cluster Computations and the Desktop Jason Ansel 1 Kapil Arya

DMTCP Transparent Checkpointing for Cluster Computations and the Desktop Jason Ansel 1 Kapil Arya 2 Gene Cooperman 2 1 MIT 2 Northeastern University May 26, 2009 Jason Ansel (MIT) DMTCP May 26, 2009 1 / 39 Introduction Outline Introduction

1.49k views • 114 slides
Repeating Boom and Bust Cycles Characterize Oil Source: Medlock, K.B., Amy Jaffe, The price of

Repeating Boom and Bust Cycles Characterize Oil Source: Medlock, K.B., Amy Jaffe, The price of

H 2 Sustainable Transportation Energy Pathways (STEPS) Natural Gas in Transportation Webinar Amy Myers Jaffe, Executive Director, Energy and Sustainability Rosa Dominquez-Faus, Post Doctoral Fellow www.steps.ucdavis.edu Repeating Boom

177 views • 15 slides
Disclosures Clinical trials research funding support from: Bristol-Meyer Squibb Recent

Disclosures Clinical trials research funding support from: Bristol-Meyer Squibb Recent

2/15/2019 Disclosures Clinical trials research funding support from: Bristol-Meyer Squibb Recent Advances in Agios Neurology Abbvie Neuro-Oncology Case Presentation NEUROLOGY AND NEUROLOGICAL SURGERY Jennie W Taylor, MD, MPH

148 views • 11 slides
Interprocess Communication Primitives Message Passing: issues Communication

Interprocess Communication Primitives Message Passing: issues Communication

CPSC-662 Distributed Computing Interprocess Communication Interprocess Communication Primitives Message Passing: issues Communication Schemes Reading: Colouris, Chapter 4 Interprocess Communication (IPC) communicate by

372 views • 6 slides

More recommend