Press ROOT to Continue: Detecting OSX and Windows Bootkits with RDFU

Presented at Black Hat USA 2013, Aug. 1, 2013, 2:15 p.m. (60 minutes)

UEFI has recently become a very public target for rootkits and malware. Last year at Black Hat 2012, Snare's insightful talk highlighted the real and very significant potential for developing UEFI rootkits that are very difficult, if not impossible, to detect and/or eradicate. Since then, a couple of practical bootkits have appeared.

To combat this new threat, we developed a Rootkit Detection Framework for UEFI ("RDFU") that incorporates a unified set of tools that address this problem across a wide spectrum of UEFI implementations. We will demonstrate a sample bootkit for Apple OSX that was designed specifically for testing purposes. As a UEFI driver, it infects the OSX kernel utilizing a UEFI "rootkit" technique. The entire infection process executes in memory (by the UEFI driver itself). Therefore, the bootkit does not need to install any OSX kernel extension modules. The bootkit demonstrates the following functionality: Sniffing FileVault passwords (sniffing keys while booting) Privilege escalation (to root) Hiding PIDs, files, and directories with selected patterns Rootkit Detection Framework for UEFI was developed under DARPA CFT. Following this talk, we will publicly release the RDFU open source code along with whitepapers that outline a possible use case for this technology.

Presenters:

• Tomislav Pericin - ReversingLabs
  Tomislav Pericin has analyzed and developed software packing and protection methods for the last 12 years. He is one of the founders of ReversingLabs and the chief software architect behind such projects as TitaniumCore, TitanEngine, NyxEngine and RLPack. He has presented new open source projects at the last 4 Black Hat Conferences and also presented at ReCon, CARO Workshop, SAS and TechnoSecurity conferences.
• Mario Vuksan - ReversingLabs
  Mario Vuksan co-founded ReversingLabs. He leads there the development of advanced analysis and detection tools and threat services. Previously, Mario was the Director of Research at Bit9, where he built at the time the world's largest collection of intelligence about software. He has presented new open source projects at the last 4 Black Hat Conferences and has also spoken at CEIC, RSA, Defcon, Caro Workshop, Virus Bulletin and AVAR Conferences.

Links:

• https://www.blackhat.com/us-13/archives.html#Vuksan
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - Press ROOT to Continue - Detecting OSX and Windows Bootkits with RDFU.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - Press ROOT to Continue - Detecting OSX and Windows Bootkits with RDFU.srt (subtitles)
• https://www.youtube.com/watch?v=7UsdRzsue-g
• https://media.blackhat.com/us-13/US-13-Vuksan-Press-ROOT-to-Continue-Detecting-MacOS-and-Windows-Bootkits-with-RDFU-Slides.pdf
• https://media.blackhat.com/us-13/US-13-Vuksan-Press-ROOT-to-Continue-Detecting-MacOS-and-Windows-Bootkits-with-RDFU-WP.pdf

Similar Presentations:

• 31C3 (2014) / Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer
• 32C3 (2015) / Reversing UEFI by execution
• ToorCon San Diego 20 (2018) / UEFI is Scary: Pre-kernel attacks are getting easier