WEBVTT 1 00:00:00.040 --> 00:00:03.439 All right, So today we're going deep into root kits 2 00:00:03.439 --> 00:00:07.519 and boot kits. Oh yeah, and into fun stuff, fun stuff, right, 3 00:00:07.519 --> 00:00:09.080 We're not just going to talk about what they are, 4 00:00:09.119 --> 00:00:11.679 but how they actually work. You know, those sneaky tricks 5 00:00:11.679 --> 00:00:14.240 they use, the kind of damage they can do. We've 6 00:00:14.240 --> 00:00:16.760 got a whole stack of research here. Oh nice, some 7 00:00:16.960 --> 00:00:22.480 real deep dives into some specific malware examples. Awesome, Ready 8 00:00:22.480 --> 00:00:23.199 to get technical? 9 00:00:23.559 --> 00:00:27.519 Absolutely, I think we'll be able to break down these 10 00:00:27.559 --> 00:00:31.600 complex concepts, make sure you walk away knowing what the 11 00:00:31.679 --> 00:00:34.679 key takeaways are, and maybe even throw in some surprises 12 00:00:34.719 --> 00:00:35.320 along the way. 13 00:00:36.679 --> 00:00:40.399 I like surprises. So imagine this. You boot up your computer. 14 00:00:42.600 --> 00:00:48.359 Everything seems fine, But hiding just beneath the surface is 15 00:00:48.359 --> 00:00:53.240 a root kit, a program silently pulling the strings. Maybe 16 00:00:53.240 --> 00:00:57.840 it's stealing your data. Yeah, maybe it's giving someone else control. 17 00:00:58.560 --> 00:01:03.679 Pretty creepy. But that's just the start. We're going even deeper, okay, 18 00:01:03.719 --> 00:01:04.760 into bootkits. 19 00:01:04.879 --> 00:01:08.840 All right. So bootkits, yeah, these take control at an 20 00:01:08.840 --> 00:01:13.680 even earlier stage. Oh wow, infecting the very process that 21 00:01:13.760 --> 00:01:16.959 starts your computer. Okay, you can think of it like this, 22 00:01:17.760 --> 00:01:22.159 someone changing the locks on your house before you even 23 00:01:22.239 --> 00:01:22.640 move in. 24 00:01:22.799 --> 00:01:25.439 Oh that's sneaky, right, So how do they pull this off? Yeah, 25 00:01:25.560 --> 00:01:29.319 let's start with rootkits okay, using a real world example, right, 26 00:01:29.359 --> 00:01:33.640 TDL three. TDL three, this thing was a master of disguise, 27 00:01:34.200 --> 00:01:38.760 hiding deep within the operating system. Our sources dig into 28 00:01:38.840 --> 00:01:42.879 how it targeted those bootstar drivers, right, the ones that 29 00:01:43.000 --> 00:01:44.519 load when your computer starts up. 30 00:01:44.599 --> 00:01:47.359 Makes sense. Yeah, what's fascinating about TDL three is that 31 00:01:47.400 --> 00:01:50.040 it didn't just like disable these drivers or block them. 32 00:01:50.439 --> 00:01:55.439 It actually modified their code. Oh where imagine a spy, okay, 33 00:01:55.439 --> 00:01:59.239 slipping a secret message into a courier's bag without them 34 00:01:59.319 --> 00:01:59.959 ever noticed. 35 00:02:00.200 --> 00:02:03.120 Oh that's a good analogy. But how does it change 36 00:02:03.159 --> 00:02:06.480 the code without setting off any alarms? It seems like 37 00:02:06.480 --> 00:02:07.680 it'd be pretty hard to pull off. 38 00:02:08.159 --> 00:02:12.919 So TDL three uses this technique called hooking, And essentially 39 00:02:12.960 --> 00:02:16.919 what it does is it intercepts specific commands going to 40 00:02:16.960 --> 00:02:21.479 the operating system and redirects them to its own malicious code. 41 00:02:21.680 --> 00:02:24.199 So it's like setting up a detour on a busy road. 42 00:02:24.599 --> 00:02:27.800 Yeah, thing of it like that, it's redirecting traffic. 43 00:02:27.960 --> 00:02:31.199 So it's hijacking those commands before the operating system can 44 00:02:31.240 --> 00:02:33.240 even see them exactly. Oh wow. 45 00:02:33.319 --> 00:02:36.719 And TDL three was actually very strategic about where it 46 00:02:36.800 --> 00:02:40.840 placed these detours, so it actually targeted the software that 47 00:02:41.120 --> 00:02:44.759 controlled your hard drive, and it was intercepting those read 48 00:02:44.800 --> 00:02:48.479 and write operations at a very low level, which allowed 49 00:02:48.520 --> 00:02:52.240 it to hide from any security software that was operating 50 00:02:52.240 --> 00:02:53.120 at a higher level. 51 00:02:53.520 --> 00:02:56.400 So if security software is trying to scan for problems, 52 00:02:57.560 --> 00:03:00.599 TDL three has already manipulated things behind the scenes, right, 53 00:03:00.919 --> 00:03:04.360 and the scanner just sees normal activity exactly. Wow, that's 54 00:03:04.400 --> 00:03:06.280 not all. There's more, Okay. 55 00:03:06.280 --> 00:03:10.199 TDL three didn't just hide itself. It created its own 56 00:03:10.280 --> 00:03:11.360 hidden file system. 57 00:03:11.639 --> 00:03:13.680 Wait a minute, a secret. 58 00:03:13.319 --> 00:03:15.319 File system, Yeah, you can think of it like that. 59 00:03:15.439 --> 00:03:19.000 So it's not enough to just hide the malicious code itself. 60 00:03:19.439 --> 00:03:22.479 It needs a whole secret storage space pretty much. What's 61 00:03:22.520 --> 00:03:23.199 the advantage of that. 62 00:03:23.360 --> 00:03:27.560 So this hidden file system, it's essentially a separate encrypted 63 00:03:27.599 --> 00:03:31.280 area on the hard drive. This is where TDL three 64 00:03:31.439 --> 00:03:35.759 kept all of its configuration files okay, malicious payloads and 65 00:03:35.800 --> 00:03:40.360 even stolen data, oh, completely invisible to the operating system 66 00:03:40.960 --> 00:03:44.000 and any security software scanning for problems. 67 00:03:44.000 --> 00:03:45.599 So it's like having a secret room in your house. 68 00:03:45.680 --> 00:03:47.879 You get it that only you know how to access. 69 00:03:47.639 --> 00:03:51.680 Exactly, And This technique, pioneered by TDL three, has since 70 00:03:51.719 --> 00:03:55.479 been adopted by other sophisticated threats. Okay, it really speaks 71 00:03:55.520 --> 00:03:59.360 to how these rootkits are evolving and constantly upping their 72 00:03:59.439 --> 00:04:02.599 game right in terms of evasion and concealment. 73 00:04:02.719 --> 00:04:06.000 Speaking of evolution, our sources also dig into another roode 74 00:04:06.039 --> 00:04:11.080 kit called FESTI. Oh festy, This one seems almost paranoid 75 00:04:11.159 --> 00:04:16.160 in its efforts to avoid detection. Yeah, like really security conscious. Yeah. 76 00:04:16.160 --> 00:04:19.759 Festi is a fascinating case. It had this modular design, 77 00:04:20.120 --> 00:04:24.959 which means it was super flexible, adaptable. Attackers could easily 78 00:04:25.000 --> 00:04:28.720 add new functionality by plugging in new modules. Okay, but 79 00:04:28.800 --> 00:04:32.040 what really stands out is it's anti virtual machine. 80 00:04:31.639 --> 00:04:34.800 Tricks anti virtual machine? What's that all about? 81 00:04:35.079 --> 00:04:41.399 So security researchers they often use virtual machines to analyze 82 00:04:41.399 --> 00:04:45.959 malware in a safe environment. Festi was designed to actually 83 00:04:46.000 --> 00:04:48.560 detect if it was running inside a virtual machine. 84 00:04:48.720 --> 00:04:48.920 Wow. 85 00:04:49.120 --> 00:04:51.879 And if it was, it would essentially shut down to 86 00:04:51.959 --> 00:04:53.360 avoid being analyzed. 87 00:04:53.600 --> 00:04:57.319 So it's trying to outsmart the security researchers. Yeah, that's 88 00:04:57.319 --> 00:04:59.480 pretty clever it is. How does it even know it's 89 00:04:59.480 --> 00:05:00.720 in virtual machine? 90 00:05:00.920 --> 00:05:03.639 So it looks for clues Okay. Think of it like 91 00:05:03.839 --> 00:05:07.639 Neo from the Matrix, suddenly realizing that things aren't quite 92 00:05:07.639 --> 00:05:11.879 as they seem. So it checks for specific software components 93 00:05:12.240 --> 00:05:16.360 hardware characteristics that are unique to virtual machines. 94 00:05:16.639 --> 00:05:16.959 Okay. 95 00:05:17.000 --> 00:05:21.199 If it finds any of these telltale signs, it assumes 96 00:05:21.240 --> 00:05:24.959 it's in a hostile environment and just ceases operations. 97 00:05:25.120 --> 00:05:29.160 Wow. Talk about security conscious. But Festi's tricks don't stop there. 98 00:05:29.319 --> 00:05:29.879 Oh no. 99 00:05:30.399 --> 00:05:32.759 It also had a very clever way of hiding its 100 00:05:32.800 --> 00:05:34.920 malicious driver on the hard drive. 101 00:05:35.279 --> 00:05:39.879 Remember how TDL three targeted that storage driver stack to 102 00:05:40.040 --> 00:05:43.560 intercept commands. Yeah, FESTI took it a step further by 103 00:05:43.560 --> 00:05:46.639 actually hooking into the filesystem driver itself. 104 00:05:46.759 --> 00:05:47.319 Oh wow. 105 00:05:47.439 --> 00:05:49.920 This gave it even more control over what was visible 106 00:05:49.959 --> 00:05:50.639 on the hard drive. 107 00:05:50.959 --> 00:05:54.519 So it's manipulating the operating system's own file management system 108 00:05:54.519 --> 00:05:56.639 to protect itself exactly. Wow. 109 00:05:56.879 --> 00:06:01.000 And it would constantly monitor network traffic looking for signs 110 00:06:01.000 --> 00:06:05.480 of security software. If it detected anything suspicious, it would 111 00:06:05.480 --> 00:06:06.519 again go into hiding. 112 00:06:06.639 --> 00:06:09.439 Oh my god. Yeah, FESTI was playing a serious game 113 00:06:09.480 --> 00:06:14.120 of hide and seek. Absolutely, But even Festi's complexity pales 114 00:06:14.160 --> 00:06:17.680 in comparison to bootkits kids, which operate at an even 115 00:06:17.800 --> 00:06:18.480 deeper level. 116 00:06:18.560 --> 00:06:23.079 Yeah. Remember root kits, they work within the operating system. 117 00:06:23.560 --> 00:06:26.439 Boot kits infect the boot process itself. 118 00:06:26.680 --> 00:06:30.720 Right, that's where things get really interesting. Yeah, bootkits hijacking 119 00:06:30.800 --> 00:06:36.199 the startup process, taking control before the operating system even loads, 120 00:06:36.920 --> 00:06:39.639 like rewriting the rule book before the game even starts. 121 00:06:40.040 --> 00:06:43.519 But to really understand how they do this, we need 122 00:06:43.560 --> 00:06:45.800 to delve into the boot process itself. 123 00:06:45.519 --> 00:06:48.319 Exactly, and that means starting with the master boot Record 124 00:06:48.399 --> 00:06:51.480 or MBR. Okay, it's the very first sector on your 125 00:06:51.519 --> 00:06:55.279 hard drive, and it contains the code that kicks off 126 00:06:55.319 --> 00:06:58.360 the whole process of loading the operating system. 127 00:06:58.519 --> 00:07:00.439 So if the operating system is like the engine of 128 00:07:00.439 --> 00:07:04.399 your computer, uh huh, the NBR is the ignition. 129 00:07:04.120 --> 00:07:08.120 Switch a perfect analogy. It's the first piece of code that. 130 00:07:08.040 --> 00:07:11.680 Gets executed when you turn on your computer, and boot 131 00:07:11.759 --> 00:07:16.560 kits can actually infect the MBR. Oh wow, replacing that 132 00:07:16.680 --> 00:07:20.040 legitimate boot code with their own malicious code. 133 00:07:20.199 --> 00:07:22.720 So they're taking control right from the start, right from 134 00:07:22.759 --> 00:07:26.920 the very beginning. That's some serious low level hacking, it is. 135 00:07:27.160 --> 00:07:31.160 But wait, didn't we talk about another boot component, the VBR. 136 00:07:31.079 --> 00:07:32.120 The Volume boot record? 137 00:07:32.160 --> 00:07:32.920 Where does that fit in? 138 00:07:33.120 --> 00:07:36.319 So that comes into play after the NBRK. Think of 139 00:07:36.360 --> 00:07:40.199 it like this. The NBR points to the VBR, which 140 00:07:40.199 --> 00:07:44.279 then points to the operating system. It's a chain of events. 141 00:07:43.920 --> 00:07:47.199 And bootkits can target any point in that chain to 142 00:07:47.240 --> 00:07:48.720 gain control exactly. 143 00:07:48.959 --> 00:07:51.639 Oh wow, But there's one more crucial component we need 144 00:07:51.680 --> 00:07:56.040 to talk about, okay, and that's the Boot Configuration Data 145 00:07:56.160 --> 00:07:56.800 or BCD. 146 00:07:57.399 --> 00:07:57.560 Right. 147 00:07:57.639 --> 00:08:01.319 It's basically a settings file for the boot process. Okay, 148 00:08:01.399 --> 00:08:04.839 and guess what, right, boot kits can manipulate that BCD 149 00:08:05.519 --> 00:08:07.920 to disable security features or. 150 00:08:07.920 --> 00:08:12.160 Even redirect the boot process to their own malicious code. 151 00:08:12.240 --> 00:08:14.800 So it's like they're not just hijacking the car, they're 152 00:08:14.800 --> 00:08:17.160 also disabling the alarm system exactly. 153 00:08:18.000 --> 00:08:21.480 And to really understand how all of this works in practice, okay, 154 00:08:21.600 --> 00:08:24.399 let's look at a specific example, TDL four. 155 00:08:24.600 --> 00:08:26.759 TDL four the successor. 156 00:08:26.240 --> 00:08:29.480 To the TDL three rootkit we discussed earlier. 157 00:08:29.879 --> 00:08:31.759 Okay, so it sounds like they just decided to stick 158 00:08:31.800 --> 00:08:34.799 with what works, right. So what's TDL four's tactic. 159 00:08:35.080 --> 00:08:40.440 So TDL four actually exploits of vulnerability, a weakness in 160 00:08:40.519 --> 00:08:44.600 the Windows Task Scheduler service. This allows it to gain 161 00:08:44.840 --> 00:08:47.039 administrative privileges on the system. 162 00:08:47.240 --> 00:08:49.080 Oh so, like the keys to the kingdom. 163 00:08:49.320 --> 00:08:50.320 Yeah, you could say that. 164 00:08:50.559 --> 00:08:50.799 Okay. 165 00:08:50.919 --> 00:08:55.960 Once it has those privileges, TDL four can modify the MBR, 166 00:08:56.960 --> 00:09:01.159 replacing the legitimate boot code with its own. Yeah. So 167 00:09:01.240 --> 00:09:04.519 this allows it to load its own malicious code during 168 00:09:04.559 --> 00:09:08.600 that boot process, effectively taking control before the operating system 169 00:09:08.759 --> 00:09:09.919 and has a chance to start. 170 00:09:10.159 --> 00:09:16.279 So TDL four gets administrative privileges through a vulnerability and 171 00:09:16.320 --> 00:09:19.840 then modifies the NBR to load its own code. Right, 172 00:09:20.000 --> 00:09:21.639 But what does it do once it's in control? 173 00:09:21.840 --> 00:09:24.879 Well, one of its main goals is to disable security 174 00:09:24.919 --> 00:09:28.120 features that could detect it or remove it. Makes sense, 175 00:09:28.320 --> 00:09:32.799 and it does this by manipulating the boot configuration data 176 00:09:32.919 --> 00:09:36.240 or BCD that we talked about earlier. It disables things 177 00:09:36.320 --> 00:09:41.480 like safe mode, oh wow, driver's signature enforcement, effectively crippling 178 00:09:41.600 --> 00:09:42.759 the system's defaces. 179 00:09:43.200 --> 00:09:47.159 So it's not just hijacking the boot process, it's sabotaging 180 00:09:47.200 --> 00:09:49.679 the security system precisely. Oh my goodness. 181 00:09:49.720 --> 00:09:53.039 And to make matters worse, oh no, TDL four also 182 00:09:53.159 --> 00:09:57.679 infects the VBR, providing a backup infection mechanism. 183 00:09:57.240 --> 00:10:00.240 So if one part of its attack is removed, it 184 00:10:00.279 --> 00:10:03.879 has another way to maintain control exactly double trouble. Ye, 185 00:10:04.159 --> 00:10:06.799 are all bootkits this sophisticated. 186 00:10:06.320 --> 00:10:11.279 Not necessarily. Some take a much simplier approach, lying on 187 00:10:11.399 --> 00:10:14.279 directly modifying the NBR or the VBR. 188 00:10:14.639 --> 00:10:16.320 Without exploiting vulnerabilities. 189 00:10:16.360 --> 00:10:18.480 Really, how is that even possible? 190 00:10:18.639 --> 00:10:22.559 Well, in the early days of bootkits, some operating systems 191 00:10:23.039 --> 00:10:27.960 didn't really have strong security measures in place to protect 192 00:10:28.000 --> 00:10:31.440 the boot process. It was actually relatively easy to slip 193 00:10:31.440 --> 00:10:32.799 in unnoticed. 194 00:10:32.879 --> 00:10:33.440 Oh wow. 195 00:10:33.879 --> 00:10:38.600 But as security has improved, bootkits have had to evolve, right, 196 00:10:38.840 --> 00:10:43.360 and that's where we see techniques like exploiting vulnerabilities becoming 197 00:10:43.399 --> 00:10:43.919 more common. 198 00:10:44.000 --> 00:10:46.720 It's a constant arms race, isn't it. It is always 199 00:10:46.720 --> 00:10:51.240 trying to stay one step ahead. But speaking of evolving tactics, 200 00:10:52.039 --> 00:10:56.879 our sources highlight a particularly interesting variant of TDL four 201 00:10:57.159 --> 00:11:01.240 okay called ol Moscow ol Moscow. It took a different 202 00:11:01.240 --> 00:11:03.120 approach to NBR infection. 203 00:11:03.600 --> 00:11:07.000 So ol Moscow is interesting because it modifies the NBR 204 00:11:07.240 --> 00:11:08.159 partition table. 205 00:11:08.399 --> 00:11:11.039 The partition table, Yeah, remind me what that is again. 206 00:11:11.159 --> 00:11:13.240 To think of your hard drive like a filing cabinet 207 00:11:13.480 --> 00:11:16.360 with multiple drawers. The partition table. 208 00:11:16.639 --> 00:11:20.639 Is like the label that tells you what each drawer contains. 209 00:11:21.240 --> 00:11:25.200 It defines how your hard drive is divided into partitions, 210 00:11:25.440 --> 00:11:28.360 like your C drive, your D drive and so on. 211 00:11:28.440 --> 00:11:32.240 Okay, so ol Moscow messes with these labels, Ah, how 212 00:11:32.279 --> 00:11:33.600 does that help it take over? 213 00:11:34.120 --> 00:11:38.120 So instead of modifying the NBR code itself, Oh, Moscow 214 00:11:38.200 --> 00:11:41.759 creates a hidden partition on the hard drive, like a 215 00:11:41.799 --> 00:11:46.759 secret drawer, and then modifies that partition table to point 216 00:11:46.840 --> 00:11:50.600 to this hidden partition during the boot process. 217 00:11:50.759 --> 00:11:54.320 So it's like creating a secret compartment and then tricking 218 00:11:54.360 --> 00:11:58.240 the system into booting from that compartment. Exactly. Wow. 219 00:11:58.360 --> 00:12:02.480 And this hidden partition, uh huh contains all Mascow's malicious 220 00:12:02.519 --> 00:12:06.240 code okay, which then gets loaded, giving it control of 221 00:12:06.279 --> 00:12:06.759 the system. 222 00:12:07.000 --> 00:12:10.000 That's incredibly sneaky, it is, why go through all this trouble. 223 00:12:10.399 --> 00:12:12.799 Why not just modify the NBR code directly? 224 00:12:12.879 --> 00:12:17.480 It's all about evading detection. By modifying the partition table 225 00:12:18.200 --> 00:12:22.159 instead of that MBR code, Well, Moscow is less likely 226 00:12:22.240 --> 00:12:26.399 to be detected by security software looking for those specific 227 00:12:27.200 --> 00:12:28.639 MBR modifications. 228 00:12:28.840 --> 00:12:30.159 It's a stealthier approach. 229 00:12:30.279 --> 00:12:30.799 Exactly. 230 00:12:31.000 --> 00:12:31.519 Oh my god. 231 00:12:31.639 --> 00:12:36.679 And this highlights an important point. Bootkits are constantly evolving, 232 00:12:37.080 --> 00:12:42.360 becoming more sophisticated more evasive, always looking for new ways 233 00:12:42.960 --> 00:12:48.480 to bypass security measures and gain control of the boot. 234 00:12:48.200 --> 00:12:50.840 Process, like in Never Evening Cat and Mouse kit. It is, 235 00:12:51.240 --> 00:12:53.519 but our sources point out that boot kits don't always 236 00:12:53.559 --> 00:12:56.919 target the NBR. Some of them go after the VBR instead. 237 00:12:57.000 --> 00:13:01.720 You're absolutely right, and in fact out to explore two 238 00:13:01.919 --> 00:13:06.440 fascinating bootkits that target the VBR, Rovnicks and gaps. 239 00:13:06.519 --> 00:13:10.240 Ooh, this sounds juicy, it is. Let's dive into these 240 00:13:10.240 --> 00:13:11.759 stealthy VBR infectors. 241 00:13:11.879 --> 00:13:13.919 Let's do it. So we left off talking about those 242 00:13:13.960 --> 00:13:17.159 bootkits that target the volume boot record or the VBR. 243 00:13:17.320 --> 00:13:19.279 Right, those stealthy VBR infectors. 244 00:13:19.480 --> 00:13:22.799 You're ready to unpack some specific examples, absolutely all right, 245 00:13:22.840 --> 00:13:25.399 So let's start with rovnicks. Okay, Well it makes this 246 00:13:25.480 --> 00:13:26.279 one stand out? 247 00:13:26.399 --> 00:13:27.519 Yeah? What makes it special? 248 00:13:27.840 --> 00:13:30.320 Well, romnicks is fascinating for a few reasons. 249 00:13:30.399 --> 00:13:31.000 Okay. 250 00:13:31.039 --> 00:13:35.320 It uses this technique called VBRIPL. 251 00:13:34.399 --> 00:13:39.759 Infection VBRIPL infection. Yeah, okay, I'm intrigued, but lost. Okay, 252 00:13:39.799 --> 00:13:40.679 break that down for me. 253 00:13:40.919 --> 00:13:44.399 So IPL stands for initial Program Loader, okay, and it's 254 00:13:44.440 --> 00:13:48.200 the code within the VBR that's responsible for loading the 255 00:13:48.240 --> 00:13:53.919 operating system kernel. Right, Rovnicks infects the IPL, replacing that 256 00:13:54.120 --> 00:13:56.840 legitimate code with its own malicious code. 257 00:13:56.879 --> 00:13:58.960 So it's taking control right from the get go. 258 00:13:59.159 --> 00:14:00.480 Yeah, right from the very beginning. 259 00:14:00.639 --> 00:14:01.039 Wow. 260 00:14:01.240 --> 00:14:02.960 But Romnicks doesn't stop there. 261 00:14:03.080 --> 00:14:03.399 Oh no. 262 00:14:03.519 --> 00:14:05.799 It also creates a hidden partition on the. 263 00:14:05.759 --> 00:14:07.799 Hard drive, another secret compartment. 264 00:14:07.960 --> 00:14:11.200 Yeah, they love their hidden spaces, they do. This hidden 265 00:14:11.240 --> 00:14:14.360 partition is where it stores its malicious code and other data. 266 00:14:14.519 --> 00:14:14.799 Okay. 267 00:14:15.159 --> 00:14:18.200 Then during the boot process, it modifies the VBR to 268 00:14:18.320 --> 00:14:19.799 point to this hidden partition. 269 00:14:20.159 --> 00:14:20.600 Oh wow. 270 00:14:20.679 --> 00:14:24.000 So it's like redirecting the train to a secret underground 271 00:14:24.000 --> 00:14:26.759 station before it can reach its destination precisely. 272 00:14:26.799 --> 00:14:29.519 And this hidden station contains a modified IPL. 273 00:14:29.639 --> 00:14:30.240 Uh huh. 274 00:14:30.279 --> 00:14:33.519 But this ALPL is not there to help. Oh, it's 275 00:14:33.639 --> 00:14:37.600 carefully crafted by Rovnicks to load the boot kit's own 276 00:14:38.080 --> 00:14:39.639 malicious kernel mode driver. 277 00:14:39.960 --> 00:14:41.960 Hang on, a kernel mode driver. Didn't we talk about 278 00:14:41.960 --> 00:14:44.639 those with root kits, right? What are the implications of that? 279 00:14:45.120 --> 00:14:48.720 So they operate at the very core of the operating system, right, 280 00:14:48.879 --> 00:14:53.039 with very high privileges. Okay, And by loading its own 281 00:14:53.240 --> 00:14:59.080 malicious kernel mode driver, Ravnicks gains deep control over the system. 282 00:14:59.320 --> 00:15:03.360 So it's not hijacking the boot process. It's also like 283 00:15:03.519 --> 00:15:05.639 installing its own agent deep within. 284 00:15:05.480 --> 00:15:07.159 The operating system. Exactly. 285 00:15:07.320 --> 00:15:08.759 Oh my gosh, this is starting to sound like a 286 00:15:08.799 --> 00:15:09.559 spy thriller. 287 00:15:09.720 --> 00:15:11.600 It does, a little bit, doesn't it. It does. But 288 00:15:11.759 --> 00:15:14.080 Romnicks's stealth techniques go even further. 289 00:15:14.279 --> 00:15:15.240 Okay, I'm hooked. 290 00:15:15.360 --> 00:15:17.720 What else? What other tricks does it have up its sleep? 291 00:15:17.879 --> 00:15:18.279 Yeah? 292 00:15:18.440 --> 00:15:23.519 One fascinating technique is its use of debugging registers. 293 00:15:23.519 --> 00:15:27.639 Debugging registers. Yeah, those sound like something developers use to 294 00:15:27.720 --> 00:15:29.600 find and fix bugs in software. 295 00:15:30.000 --> 00:15:33.720 You're exactly right, But Rovnicks cleverly abuses them for its 296 00:15:33.799 --> 00:15:34.600 own purposes. 297 00:15:34.679 --> 00:15:35.519 So how does it do that? 298 00:15:36.440 --> 00:15:41.039 So, debugging registers allow you to set break points in code, 299 00:15:42.000 --> 00:15:46.039 points where execution will pause, allowing you to inspect what's happening. 300 00:15:46.080 --> 00:15:47.840 So it's like setting a trap to catch a bug 301 00:15:47.879 --> 00:15:48.399 in the act. 302 00:15:48.600 --> 00:15:52.559 Exactly. Okay, And Romnicks uses debugging registers to set break 303 00:15:52.639 --> 00:15:57.639 points in critical system functions. This allows it to intercept 304 00:15:57.759 --> 00:16:02.840 and modify system calls. Okay, those requests programs make to 305 00:16:02.879 --> 00:16:06.320 the operating system without actually having to change the code itself. 306 00:16:06.360 --> 00:16:08.279 Wow, that's incredibly sneaky. 307 00:16:08.759 --> 00:16:09.159 It is. 308 00:16:09.279 --> 00:16:12.480 It's like setting up an invisible surveillance system to monitor 309 00:16:12.519 --> 00:16:15.080 and manipulate traffic without anyone knowing it's there. 310 00:16:15.480 --> 00:16:18.080 Yeah, it's all about being stealthy and avoiding detection. 311 00:16:18.639 --> 00:16:22.039 Yeah, but why go through all that trouble. Wouldn't it 312 00:16:22.080 --> 00:16:24.799 be easier to just modify the code directly. 313 00:16:24.919 --> 00:16:27.320 Remember, it's all about stealth and avoiding detection. 314 00:16:27.799 --> 00:16:33.559 So by using debugging registers, Rovnicks can manipulate system behavior 315 00:16:34.080 --> 00:16:36.879 without leaving any traces in the code itself. 316 00:16:37.000 --> 00:16:39.559 Oh so it makes it super hard to detect. 317 00:16:39.240 --> 00:16:43.039 Very difficult for security software to detect its presence. 318 00:16:42.759 --> 00:16:43.879 Like a ghost in the machine. 319 00:16:44.039 --> 00:16:45.879 A very apt description. 320 00:16:45.639 --> 00:16:48.480 Pulling the strings but leaving no fingerprints. 321 00:16:47.840 --> 00:16:49.799 And to further enhance its stealth. 322 00:16:50.720 --> 00:16:51.519 Okay, there's more. 323 00:16:51.840 --> 00:16:54.440 Rovnicks uses another technique we've encountered before. 324 00:16:54.679 --> 00:16:55.360 Oh what is it? 325 00:16:55.480 --> 00:16:57.399 Filesystem driver hooking. 326 00:16:57.840 --> 00:16:59.440 Did we see that with FESTI as well? 327 00:16:59.559 --> 00:17:02.759 Yes, right, it's a common tactic for both root kits 328 00:17:02.759 --> 00:17:05.920 and bootkits. Right. By hooking into that file system driver, 329 00:17:06.480 --> 00:17:09.839 robnicks can intercept and modify any requests to read or 330 00:17:09.880 --> 00:17:14.240 write files. This ensures that it's hidden partition remains hidden. 331 00:17:14.599 --> 00:17:16.960 It's like having a secret agent working in the library, 332 00:17:17.599 --> 00:17:21.119 making sure no one accidentally stumbles upon the restricted section exactly. 333 00:17:21.160 --> 00:17:23.160 And as if that wasn't enough, Oh there's more. 334 00:17:23.920 --> 00:17:28.920 Rovnicks encrypts it's hidden partition, adding yet another layer of protection. 335 00:17:29.400 --> 00:17:32.079 So even if you managed to find that hidden partition, 336 00:17:33.240 --> 00:17:35.079 you can't access the data without. 337 00:17:34.839 --> 00:17:39.920 The key precisely. Wow, it uses strong encryption algorithms to 338 00:17:40.000 --> 00:17:41.079 protect its secrets. 339 00:17:41.160 --> 00:17:45.039 But even with all these sophisticated techniques, yeah, Romnicks doesn't 340 00:17:45.039 --> 00:17:46.559 always operate in isolation. 341 00:17:47.119 --> 00:17:49.680 Sometimes it uses a dropper to gain a foothold on 342 00:17:49.720 --> 00:17:53.160 the system. A dropper, Yeah, Alling'sabelle. We've talked about droppers before. 343 00:17:53.440 --> 00:17:57.400 They're essentially programs that are designed to deliver malware onto 344 00:17:57.480 --> 00:18:00.480 a system, right, Okay, So in the case Ofrovnicks, the 345 00:18:00.519 --> 00:18:03.480 dropper is used to deliver the bootkit onto the hard drive. 346 00:18:03.640 --> 00:18:06.279 So the dropper is like the delivery truck that brings 347 00:18:06.279 --> 00:18:07.200 the bootkit to your. 348 00:18:07.119 --> 00:18:09.759 Doorstep another perfect analogy. 349 00:18:09.319 --> 00:18:11.519 But it's the bootkit itself that breaks in and takes 350 00:18:11.519 --> 00:18:12.799 over exactly. 351 00:18:12.960 --> 00:18:17.640 The dropper might arrive disguised as a legitimate program or file, 352 00:18:18.160 --> 00:18:22.440 but once it's executed, it releases the Robnick's bootkit onto 353 00:18:22.440 --> 00:18:23.039 the system. 354 00:18:23.440 --> 00:18:26.839 So we have the dropper, installing the bootkit, the bootkit, 355 00:18:27.519 --> 00:18:32.039 infecting the VBR, and then loading its malicious kernel mode driver. 356 00:18:32.400 --> 00:18:32.640 Right. 357 00:18:32.759 --> 00:18:33.759 That's a lot of steps. 358 00:18:34.079 --> 00:18:36.960 It is a complex chain of events, it is. And 359 00:18:37.000 --> 00:18:40.559 to make things even more complicated, No, some variants of 360 00:18:40.640 --> 00:18:42.920 robnicks actually incorporate other malware. 361 00:18:43.160 --> 00:18:46.960 Oh wow, like the carbon banking trojan, the banking trojan. Yeah, 362 00:18:47.000 --> 00:18:50.680 so this bookkit isn't just about stealth and control. It's 363 00:18:50.720 --> 00:18:52.960 also about stealing money unfortunately. 364 00:18:53.039 --> 00:18:56.039 Yes, Oh my gosh, some variants of robnicks have been 365 00:18:56.119 --> 00:18:59.759 used to deploy these banking trojans, right, which are designed 366 00:18:59.759 --> 00:19:02.240 to steal sensitive financial information. 367 00:19:02.519 --> 00:19:05.559 Wow, this is getting scary. It's like a criminal gang 368 00:19:05.920 --> 00:19:09.559 breaking into your house, installing hidden cameras and microphones, and 369 00:19:09.559 --> 00:19:11.480 then robbing your bank account while you're sleeping. 370 00:19:11.759 --> 00:19:14.480 Yeah. It's a very accurate comparison, it is, and it 371 00:19:14.519 --> 00:19:16.400 really underscores the danger of boot kits. 372 00:19:16.559 --> 00:19:16.880 Yeah. 373 00:19:16.920 --> 00:19:21.319 They're not just theoretical threats. They are real world malware 374 00:19:22.000 --> 00:19:24.160 that can have devastating consequences. 375 00:19:24.279 --> 00:19:26.359 Okay, I think I've had enough for robnicks for now. 376 00:19:26.680 --> 00:19:30.480 My head is spinning. Okay, let's move on to gaps. Okay, gaps, 377 00:19:30.920 --> 00:19:33.960 how does this one stack up against Robnicks in terms 378 00:19:33.960 --> 00:19:35.359 of complexity and stealth? 379 00:19:35.720 --> 00:19:38.640 Believe it or not, GAPS is even more complex than Robnicks. 380 00:19:38.640 --> 00:19:40.559 Oh wow, really it uses a. 381 00:19:40.559 --> 00:19:44.240 Whole arsenal of advanced techniques. Okay, like what, including shell 382 00:19:44.279 --> 00:19:48.440 code injection, return oriented programming, and even its own custom 383 00:19:48.559 --> 00:19:50.319 TCPIP network stack. 384 00:19:50.559 --> 00:19:54.200 WHOA hold on, Yeah, that's a lot to process it is. Okay, 385 00:19:54.319 --> 00:19:55.839 let's start with shell code injection. 386 00:19:55.920 --> 00:19:56.279 All right? 387 00:19:56.400 --> 00:19:57.160 What is that? 388 00:19:57.279 --> 00:20:00.279 So? Shell code is a small piece of code that's 389 00:20:00.319 --> 00:20:03.440 typically used to exploit a vulnerability and gain control of 390 00:20:03.480 --> 00:20:03.960 a system. 391 00:20:04.279 --> 00:20:04.599 Okay. 392 00:20:04.680 --> 00:20:08.279 Shell code injection is the process of injecting this malicious 393 00:20:08.279 --> 00:20:12.799 code into the memory of a running process, essentially hijacking 394 00:20:12.839 --> 00:20:14.920 the process for its own evil purposes. 395 00:20:15.319 --> 00:20:17.920 So it's like injecting a virus into a healthy cell 396 00:20:17.920 --> 00:20:19.200 and turning it into a zombie. 397 00:20:19.319 --> 00:20:19.839 You got it? 398 00:20:20.039 --> 00:20:22.559 Forcing it to do the virus is bidding exactly. Okay. 399 00:20:22.759 --> 00:20:26.359 GAPS uses shell code injection to inject its malicious code 400 00:20:26.359 --> 00:20:29.960 into a crucial system process called explorer dot ex. 401 00:20:30.559 --> 00:20:32.839